From 4cd5e73a1146834ec3d5822b874ee93e0eea00c0 Mon Sep 17 00:00:00 2001
From: Jun Han <formulahendry@gmail.com>
Date: Sun, 20 Apr 2025 17:51:46 +0800
Subject: [PATCH 001/147] docs: add error handling when it fails to start HTTP
 server

---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 200cfab6f..8ddc117a2 100644
--- a/README.md
+++ b/README.md
@@ -367,7 +367,11 @@ app.delete('/mcp', async (req: Request, res: Response) => {
 // Start the server
 const PORT = 3000;
 setupServer().then(() => {
-  app.listen(PORT, () => {
+  app.listen(PORT, (error) => {
+    if (error) {
+      console.error('Failed to start server:', error);
+      process.exit(1);
+    }
     console.log(`MCP Streamable HTTP Server listening on port ${PORT}`);
   });
 }).catch(error => {

From 52476aa29726cdf193b8d50b48e63feb5e1bff77 Mon Sep 17 00:00:00 2001
From: muzea <mr.muzea@gmail.com>
Date: Wed, 23 Apr 2025 14:41:58 +0800
Subject: [PATCH 002/147] fix: add windows env PROGRAMFILES, avoid some exe can
 not be found

---
 src/client/stdio.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/client/stdio.ts b/src/client/stdio.ts
index b83bf27c5..6572f0c03 100644
--- a/src/client/stdio.ts
+++ b/src/client/stdio.ts
@@ -56,6 +56,7 @@ export const DEFAULT_INHERITED_ENV_VARS =
         "TEMP",
         "USERNAME",
         "USERPROFILE",
+        "PROGRAMFILES",
       ]
     : /* list inspired by the default env inheritance of sudo */
       ["HOME", "LOGNAME", "PATH", "SHELL", "TERM", "USER"];

From 2deffb6c194154a2fb99dfcc3e53443debfda3a6 Mon Sep 17 00:00:00 2001
From: Christian Bromann <git@bromann.dev>
Date: Wed, 23 Apr 2025 22:10:12 -0700
Subject: [PATCH 003/147] test(server): add more tests forSSEServerTransport
 class

---
 package-lock.json      |   4 +-
 src/server/sse.test.ts | 153 ++++++++++++++++++++++++++++++++++++++++-
 src/server/sse.ts      |   2 +-
 3 files changed, 155 insertions(+), 4 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 1165b7513..3c6e2d902 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.9.0",
+  "version": "1.10.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@modelcontextprotocol/sdk",
-      "version": "1.9.0",
+      "version": "1.10.2",
       "license": "MIT",
       "dependencies": {
         "content-type": "^1.0.5",
diff --git a/src/server/sse.test.ts b/src/server/sse.test.ts
index 2fd2c0424..11705fe42 100644
--- a/src/server/sse.test.ts
+++ b/src/server/sse.test.ts
@@ -7,6 +7,7 @@ const createMockResponse = () => {
     writeHead: jest.fn<http.ServerResponse['writeHead']>(),
     write: jest.fn<http.ServerResponse['write']>().mockReturnValue(true),
     on: jest.fn<http.ServerResponse['on']>(),
+    end: jest.fn<http.ServerResponse['end']>(),
   };
   res.writeHead.mockReturnThis();
   res.on.mockReturnThis();
@@ -14,6 +15,36 @@ const createMockResponse = () => {
   return res as unknown as http.ServerResponse;
 };
 
+const createMockRequest = ({ headers = {}, body }: { headers?: Record<string, string>, body?: string } = {}) => {
+  const mockReq = {
+    headers,
+    body: body ? body : undefined,
+    auth: {
+      token: 'test-token',
+    },
+    on: jest.fn<http.IncomingMessage['on']>().mockImplementation((event, listener) => {
+      const mockListener = listener as unknown as (...args: unknown[]) => void;
+      if (event === 'data') {
+        mockListener(Buffer.from(body || '') as unknown as Error);
+      }
+      if (event === 'error') {
+        mockListener(new Error('test'));
+      }
+      if (event === 'end') {
+        mockListener();
+      }
+      if (event === 'close') {
+        setTimeout(listener, 100);
+      }
+      return mockReq;
+    }),
+    listeners: jest.fn<http.IncomingMessage['listeners']>(),
+    removeListener: jest.fn<http.IncomingMessage['removeListener']>(),
+  } as unknown as http.IncomingMessage;
+
+  return mockReq;
+};
+
 describe('SSEServerTransport', () => {
   describe('start method', () => { 
     it('should correctly append sessionId to a simple relative endpoint', async () => { 
@@ -106,4 +137,124 @@ describe('SSEServerTransport', () => {
       );
     });
   });
-});
+
+  describe('handlePostMessage method', () => {
+    it('should return 500 if server has not started', async () => {
+      const mockReq = createMockRequest();
+      const mockRes = createMockResponse();
+      const endpoint = '/messages';
+      const transport = new SSEServerTransport(endpoint, mockRes);
+
+      const error = 'SSE connection not established';
+      await expect(transport.handlePostMessage(mockReq, mockRes))
+        .rejects.toThrow(error);
+      expect(mockRes.writeHead).toHaveBeenCalledWith(500);
+      expect(mockRes.end).toHaveBeenCalledWith(error);
+    });
+
+    it('should return 400 if content-type is not application/json', async () => {
+      const mockReq = createMockRequest({ headers: { 'content-type': 'text/plain' } });
+      const mockRes = createMockResponse();
+      const endpoint = '/messages';
+      const transport = new SSEServerTransport(endpoint, mockRes);
+      await transport.start();
+
+      transport.onerror = jest.fn();
+      const error = 'Unsupported content-type: text/plain';
+      await expect(transport.handlePostMessage(mockReq, mockRes))
+        .resolves.toBe(undefined);
+      expect(mockRes.writeHead).toHaveBeenCalledWith(400);
+      expect(mockRes.end).toHaveBeenCalledWith(expect.stringContaining(error));
+      expect(transport.onerror).toHaveBeenCalledWith(new Error(error));
+    });
+
+    it('should return 400 if message has not a valid schema', async () => {
+      const invalidMessage = JSON.stringify({
+        // missing jsonrpc field
+        method: 'call',
+        params: [1, 2, 3],
+        id: 1,
+      })
+      const mockReq = createMockRequest({
+        headers: { 'content-type': 'application/json' },
+        body: invalidMessage,
+      });
+      const mockRes = createMockResponse();
+      const endpoint = '/messages';
+      const transport = new SSEServerTransport(endpoint, mockRes);
+      await transport.start();
+
+      transport.onmessage = jest.fn();
+      await transport.handlePostMessage(mockReq, mockRes);
+      expect(mockRes.writeHead).toHaveBeenCalledWith(400);
+      expect(transport.onmessage).not.toHaveBeenCalled();
+      expect(mockRes.end).toHaveBeenCalledWith(`Invalid message: ${invalidMessage}`);
+    });
+
+    it('should return 202 if message has a valid schema', async () => {
+      const validMessage = JSON.stringify({
+        jsonrpc: "2.0",
+        method: 'call',
+        params: {
+          a: 1,
+          b: 2,
+          c: 3,
+        },
+        id: 1
+      })
+      const mockReq = createMockRequest({
+        headers: { 'content-type': 'application/json' },
+        body: validMessage,
+      });
+      const mockRes = createMockResponse();
+      const endpoint = '/messages';
+      const transport = new SSEServerTransport(endpoint, mockRes);
+      await transport.start();
+
+      transport.onmessage = jest.fn();
+      await transport.handlePostMessage(mockReq, mockRes);
+      expect(mockRes.writeHead).toHaveBeenCalledWith(202);
+      expect(mockRes.end).toHaveBeenCalledWith('Accepted');
+      expect(transport.onmessage).toHaveBeenCalledWith({
+        jsonrpc: "2.0",
+        method: 'call',
+        params: {
+          a: 1,
+          b: 2,
+          c: 3,
+        },
+        id: 1
+      }, {
+        authInfo: {
+          token: 'test-token',
+        }
+      });
+    });
+  });
+
+  describe('close method', () => {
+    it('should call onclose', async () => {
+      const mockRes = createMockResponse();
+      const endpoint = '/messages';
+      const transport = new SSEServerTransport(endpoint, mockRes);
+      await transport.start();
+      transport.onclose = jest.fn();
+      await transport.close();
+      expect(transport.onclose).toHaveBeenCalled();
+    });
+  });
+
+  describe('send method', () => {
+    it('should call onsend', async () => {
+      const mockRes = createMockResponse();
+      const endpoint = '/messages';
+      const transport = new SSEServerTransport(endpoint, mockRes);
+      await transport.start();
+      expect(mockRes.write).toHaveBeenCalledTimes(1);
+      expect(mockRes.write).toHaveBeenCalledWith(
+        expect.stringContaining('event: endpoint'));
+      expect(mockRes.write).toHaveBeenCalledWith(
+        expect.stringContaining(`data: /messages?sessionId=${transport.sessionId}`));
+    });
+  });
+});
\ No newline at end of file
diff --git a/src/server/sse.ts b/src/server/sse.ts
index 03f6fefc9..164780eff 100644
--- a/src/server/sse.ts
+++ b/src/server/sse.ts
@@ -92,7 +92,7 @@ export class SSEServerTransport implements Transport {
     try {
       const ct = contentType.parse(req.headers["content-type"] ?? "");
       if (ct.type !== "application/json") {
-        throw new Error(`Unsupported content-type: ${ct}`);
+        throw new Error(`Unsupported content-type: ${ct.type}`);
       }
 
       body = parsedBody ?? await getRawBody(req, {

From b71e0965202ac89f5817da15ab38837f1e1b75ea Mon Sep 17 00:00:00 2001
From: Leonid Domnitser <lenny@retool.com>
Date: Mon, 28 Apr 2025 16:26:31 -0700
Subject: [PATCH 004/147] fix: add missing eventsource-parser dependency

---
 package-lock.json | 5 +++--
 package.json      | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 1165b7513..9a277c918 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,18 +1,19 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.9.0",
+  "version": "1.10.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@modelcontextprotocol/sdk",
-      "version": "1.9.0",
+      "version": "1.10.2",
       "license": "MIT",
       "dependencies": {
         "content-type": "^1.0.5",
         "cors": "^2.8.5",
         "cross-spawn": "^7.0.3",
         "eventsource": "^3.0.2",
+        "eventsource-parser": "^3.0.0",
         "express": "^5.0.1",
         "express-rate-limit": "^7.5.0",
         "pkce-challenge": "^5.0.0",
diff --git a/package.json b/package.json
index f24053c5a..9b40c2b6f 100644
--- a/package.json
+++ b/package.json
@@ -50,6 +50,7 @@
     "cors": "^2.8.5",
     "cross-spawn": "^7.0.3",
     "eventsource": "^3.0.2",
+    "eventsource-parser": "^3.0.0",
     "express": "^5.0.1",
     "express-rate-limit": "^7.5.0",
     "pkce-challenge": "^5.0.0",

From 59fb4845d6e49bca6b63cb12a617872682d3133a Mon Sep 17 00:00:00 2001
From: Xiaofu Huang <xiaofhua@microsoft.com>
Date: Tue, 6 May 2025 17:25:38 +0800
Subject: [PATCH 005/147] fix: Expose the MCP child process PID as an
 accessible property in StdioClientTransport

---
 src/client/stdio.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/client/stdio.ts b/src/client/stdio.ts
index 9e35293d3..4f7f5f1b3 100644
--- a/src/client/stdio.ts
+++ b/src/client/stdio.ts
@@ -184,6 +184,10 @@ export class StdioClientTransport implements Transport {
     return this._process?.stderr ?? null;
   }
 
+  get pid(): number | undefined {
+    return this._process?.pid;
+  }
+
   private processReadBuffer() {
     while (true) {
       try {

From 7e134f259edbc0e0af897afc4c52154351e208d4 Mon Sep 17 00:00:00 2001
From: Xiaofu Huang <xiaofhua@microsoft.com>
Date: Tue, 6 May 2025 17:38:26 +0800
Subject: [PATCH 006/147] test: add ut of chile process pod in
 StdioClientTransport

---
 src/client/stdio.test.ts | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/client/stdio.test.ts b/src/client/stdio.test.ts
index 646f9ea5d..96dd5648d 100644
--- a/src/client/stdio.test.ts
+++ b/src/client/stdio.test.ts
@@ -59,3 +59,12 @@ test("should read messages", async () => {
 
   await client.close();
 });
+
+test("should return child process pid", async () => {
+  const client = new StdioClientTransport(serverParameters);
+
+  await client.start();
+  expect(client.pid).toBeDefined();
+  await client.close();
+  expect(client.pid).toBeUndefined();
+});

From d154914db74627bb70bbaf1842a9eb937e67a103 Mon Sep 17 00:00:00 2001
From: root <root@CPC-xiaof-9ATXB.>
Date: Tue, 6 May 2025 10:13:09 +0000
Subject: [PATCH 007/147] fix: change pid return type from undefined to be null

---
 src/client/stdio.test.ts | 4 ++--
 src/client/stdio.ts      | 9 +++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/client/stdio.test.ts b/src/client/stdio.test.ts
index 96dd5648d..b21324469 100644
--- a/src/client/stdio.test.ts
+++ b/src/client/stdio.test.ts
@@ -64,7 +64,7 @@ test("should return child process pid", async () => {
   const client = new StdioClientTransport(serverParameters);
 
   await client.start();
-  expect(client.pid).toBeDefined();
+  expect(client.pid).not.toBeNull();
   await client.close();
-  expect(client.pid).toBeUndefined();
+  expect(client.pid).toBeNull();
 });
diff --git a/src/client/stdio.ts b/src/client/stdio.ts
index 4f7f5f1b3..af29614ec 100644
--- a/src/client/stdio.ts
+++ b/src/client/stdio.ts
@@ -184,8 +184,13 @@ export class StdioClientTransport implements Transport {
     return this._process?.stderr ?? null;
   }
 
-  get pid(): number | undefined {
-    return this._process?.pid;
+  /**
+   * The child process pid spawned by this transport.
+   *
+   * This is only available after the transport has been started.
+   */
+  get pid(): number | null {
+    return this._process?.pid ?? null;
   }
 
   private processReadBuffer() {

From fd13cd93694e51f35ed38bee79f953f904bea505 Mon Sep 17 00:00:00 2001
From: Marco Pegoraro <marco.pegoraro@gmail.com>
Date: Thu, 8 May 2025 13:14:30 +0000
Subject: [PATCH 008/147] doc minimum node version requirment

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index c91022603..af3d2e29f 100644
--- a/README.md
+++ b/README.md
@@ -39,6 +39,8 @@ The Model Context Protocol allows applications to provide context for LLMs in a
 npm install @modelcontextprotocol/sdk
 ```
 
+> ⚠️ MCP requires Node v18.x up to work fine.
+
 ## Quick Start
 
 Let's create a simple MCP server that exposes a calculator tool and some data:

From ae121a4bcca9af73a345116418e5bf13f537b512 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 14 May 2025 09:06:55 +0000
Subject: [PATCH 009/147] Bump formidable in the npm_and_yarn group across 1
 directory

Bumps the npm_and_yarn group with 1 update in the / directory: [formidable](https://github.com/node-formidable/formidable).


Updates `formidable` from 3.5.2 to 3.5.4
- [Release notes](https://github.com/node-formidable/formidable/releases)
- [Changelog](https://github.com/node-formidable/formidable/blob/master/CHANGELOG.md)
- [Commits](https://github.com/node-formidable/formidable/commits)

---
updated-dependencies:
- dependency-name: formidable
  dependency-version: 3.5.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 package-lock.json | 44 ++++++++++++++++++++++++++++++--------------
 1 file changed, 30 insertions(+), 14 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index ed986a694..fe738fcba 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1557,6 +1557,19 @@
         "@jridgewell/sourcemap-codec": "^1.4.14"
       }
     },
+    "node_modules/@noble/hashes": {
+      "version": "1.8.0",
+      "resolved": "https://registry.npmjs.org/@noble/hashes/-/hashes-1.8.0.tgz",
+      "integrity": "sha512-jCs9ldd7NwzpgXDIf6P3+NrHh9/sD6CQdxHyjQI+h/6rDNo88ypBxxz45UDuZHz9r3tNz7N/VInSVoVdtXEI4A==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": "^14.21.3 || >=16"
+      },
+      "funding": {
+        "url": "https://paulmillr.com/funding/"
+      }
+    },
     "node_modules/@nodelib/fs.scandir": {
       "version": "2.1.5",
       "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
@@ -1592,6 +1605,16 @@
         "node": ">= 8"
       }
     },
+    "node_modules/@paralleldrive/cuid2": {
+      "version": "2.2.2",
+      "resolved": "https://registry.npmjs.org/@paralleldrive/cuid2/-/cuid2-2.2.2.tgz",
+      "integrity": "sha512-ZOBkgDwEdoYVlSeRbYYXs0S9MejQofiVYoTbKzy/6GQa39/q5tQU2IX46+shYnUkpEl3wc+J6wRlar7r2EK2xA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@noble/hashes": "^1.1.5"
+      }
+    },
     "node_modules/@sinclair/typebox": {
       "version": "0.27.8",
       "resolved": "https://registry.npmjs.org/@sinclair/typebox/-/typebox-0.27.8.tgz",
@@ -3689,16 +3712,19 @@
       }
     },
     "node_modules/formidable": {
-      "version": "3.5.2",
-      "resolved": "https://registry.npmjs.org/formidable/-/formidable-3.5.2.tgz",
-      "integrity": "sha512-Jqc1btCy3QzRbJaICGwKcBfGWuLADRerLzDqi2NwSt/UkXLsHJw2TVResiaoBufHVHy9aSgClOHCeJsSsFLTbg==",
+      "version": "3.5.4",
+      "resolved": "https://registry.npmjs.org/formidable/-/formidable-3.5.4.tgz",
+      "integrity": "sha512-YikH+7CUTOtP44ZTnUhR7Ic2UASBPOqmaRkRKxRbywPTe5VxF7RRCck4af9wutiZ/QKM5nME9Bie2fFaPz5Gug==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
+        "@paralleldrive/cuid2": "^2.2.2",
         "dezalgo": "^1.0.4",
-        "hexoid": "^2.0.0",
         "once": "^1.4.0"
       },
+      "engines": {
+        "node": ">=14.0.0"
+      },
       "funding": {
         "url": "https://ko-fi.com/tunnckoCore/commissions"
       }
@@ -3953,16 +3979,6 @@
         "node": ">= 0.4"
       }
     },
-    "node_modules/hexoid": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/hexoid/-/hexoid-2.0.0.tgz",
-      "integrity": "sha512-qlspKUK7IlSQv2o+5I7yhUd7TxlOG2Vr5LTa3ve2XSNVKAL/n/u/7KLvKmFNimomDIKvZFXWHv0T12mv7rT8Aw==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=8"
-      }
-    },
     "node_modules/html-escaper": {
       "version": "2.0.2",
       "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz",

From 04cbbfbb0d35d4038ac376effed0544a36985415 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Tue, 20 May 2025 15:10:40 +0100
Subject: [PATCH 010/147] elicitation example

---
 src/client/index.test.ts                    |  38 +++
 src/client/index.ts                         |   8 +
 src/examples/client/simpleStreamableHttp.ts | 211 ++++++++++++-
 src/examples/server/simpleStreamableHttp.ts | 153 +++++++++-
 src/server/index.test.ts                    | 313 ++++++++++++++++++++
 src/server/index.ts                         |  52 ++++
 src/shared/protocol.test.ts                 |   2 +
 src/types.ts                                | 116 ++++++++
 8 files changed, 891 insertions(+), 2 deletions(-)

diff --git a/src/client/index.test.ts b/src/client/index.test.ts
index bbfa80faf..abd0c34e4 100644
--- a/src/client/index.test.ts
+++ b/src/client/index.test.ts
@@ -14,6 +14,7 @@ import {
   ListToolsRequestSchema,
   CallToolRequestSchema,
   CreateMessageRequestSchema,
+  ElicitRequestSchema,
   ListRootsRequestSchema,
   ErrorCode,
 } from "../types.js";
@@ -597,6 +598,43 @@ test("should only allow setRequestHandler for declared capabilities", () => {
   }).toThrow("Client does not support roots capability");
 });
 
+test("should allow setRequestHandler for declared elicitation capability", () => {
+  const client = new Client(
+    {
+      name: "test-client",
+      version: "1.0.0",
+    },
+    {
+      capabilities: {
+        elicitation: {},
+      },
+    },
+  );
+
+  // This should work because elicitation is a declared capability
+  expect(() => {
+    client.setRequestHandler(ElicitRequestSchema, () => ({
+      action: "accept",
+      content: {
+        username: "test-user",
+        confirmed: true,
+      },
+    }));
+  }).not.toThrow();
+
+  // This should throw because sampling is not a declared capability
+  expect(() => {
+    client.setRequestHandler(CreateMessageRequestSchema, () => ({
+      model: "test-model",
+      role: "assistant",
+      content: {
+        type: "text",
+        text: "Test response",
+      },
+    }));
+  }).toThrow("Client does not support sampling capability");
+});
+
 /***
  * Test: Type Checking
  * Test that custom request/notification/result schemas can be used with the Client class.
diff --git a/src/client/index.ts b/src/client/index.ts
index 98618a171..53ef8c52b 100644
--- a/src/client/index.ts
+++ b/src/client/index.ts
@@ -303,6 +303,14 @@ export class Client<
         }
         break;
 
+      case "elicitation/create":
+        if (!this._capabilities.elicitation) {
+          throw new Error(
+            `Client does not support elicitation capability (required for ${method})`,
+          );
+        }
+        break;
+
       case "roots/list":
         if (!this._capabilities.roots) {
           throw new Error(
diff --git a/src/examples/client/simpleStreamableHttp.ts b/src/examples/client/simpleStreamableHttp.ts
index 0328f0d24..63efdd2fa 100644
--- a/src/examples/client/simpleStreamableHttp.ts
+++ b/src/examples/client/simpleStreamableHttp.ts
@@ -14,7 +14,9 @@ import {
   ListResourcesResultSchema,
   LoggingMessageNotificationSchema,
   ResourceListChangedNotificationSchema,
+  ElicitRequestSchema,
 } from '../../types.js';
+import { Ajv } from 'ajv';
 
 // Create readline interface for user input
 const readline = createInterface({
@@ -54,6 +56,7 @@ function printHelp(): void {
   console.log('  call-tool <name> [args]    - Call a tool with optional JSON arguments');
   console.log('  greet [name]               - Call the greet tool');
   console.log('  multi-greet [name]         - Call the multi-greet tool with notifications');
+  console.log('  collect-info [type]        - Test elicitation with collect-user-info tool (contact/preferences/feedback)');
   console.log('  start-notifications [interval] [count] - Start periodic notifications');
   console.log('  list-prompts               - List available prompts');
   console.log('  get-prompt [name] [args]   - Get a prompt with optional JSON arguments');
@@ -114,6 +117,10 @@ function commandLoop(): void {
           await callMultiGreetTool(args[1] || 'MCP User');
           break;
 
+        case 'collect-info':
+          await callCollectInfoTool(args[1] || 'contact');
+          break;
+
         case 'start-notifications': {
           const interval = args[1] ? parseInt(args[1], 10) : 2000;
           const count = args[2] ? parseInt(args[2], 10) : 10;
@@ -183,15 +190,212 @@ async function connect(url?: string): Promise<void> {
   console.log(`Connecting to ${serverUrl}...`);
 
   try {
-    // Create a new client
+    // Create a new client with elicitation capability
     client = new Client({
       name: 'example-client',
       version: '1.0.0'
+    }, {
+      capabilities: {
+        elicitation: {},
+      },
     });
     client.onerror = (error) => {
       console.error('\x1b[31mClient error:', error, '\x1b[0m');
     }
 
+    // Set up elicitation request handler with proper validation
+    client.setRequestHandler(ElicitRequestSchema, async (request) => {
+      console.log('\n🔔 Elicitation Request Received:');
+      console.log(`Message: ${request.params.message}`);
+      console.log('Requested Schema:');
+      console.log(JSON.stringify(request.params.requestedSchema, null, 2));
+
+      const schema = request.params.requestedSchema;
+      const properties = schema.properties;
+      const required = schema.required || [];
+
+      // Set up AJV validator for the requested schema
+      const ajv = new Ajv({ strict: false, validateFormats: true });
+      const validate = ajv.compile(schema);
+
+      let attempts = 0;
+      const maxAttempts = 3;
+
+      while (attempts < maxAttempts) {
+        attempts++;
+        console.log(`\nPlease provide the following information (attempt ${attempts}/${maxAttempts}):`);
+
+        const content: Record<string, unknown> = {};
+        let inputCancelled = false;
+
+        // Collect input for each field
+        for (const [fieldName, fieldSchema] of Object.entries(properties)) {
+          const field = fieldSchema as {
+            type?: string;
+            title?: string;
+            description?: string;
+            default?: unknown;
+            enum?: string[];
+            minimum?: number;
+            maximum?: number;
+            minLength?: number;
+            maxLength?: number;
+            format?: string;
+          };
+
+          const isRequired = required.includes(fieldName);
+          let prompt = `${field.title || fieldName}`;
+
+          // Add helpful information to the prompt
+          if (field.description) {
+            prompt += ` (${field.description})`;
+          }
+          if (field.enum) {
+            prompt += ` [options: ${field.enum.join(', ')}]`;
+          }
+          if (field.type === 'number' || field.type === 'integer') {
+            if (field.minimum !== undefined && field.maximum !== undefined) {
+              prompt += ` [${field.minimum}-${field.maximum}]`;
+            } else if (field.minimum !== undefined) {
+              prompt += ` [min: ${field.minimum}]`;
+            } else if (field.maximum !== undefined) {
+              prompt += ` [max: ${field.maximum}]`;
+            }
+          }
+          if (field.type === 'string' && field.format) {
+            prompt += ` [format: ${field.format}]`;
+          }
+          if (isRequired) {
+            prompt += ' *required*';
+          }
+          if (field.default !== undefined) {
+            prompt += ` [default: ${field.default}]`;
+          }
+
+          prompt += ': ';
+
+          const answer = await new Promise<string>((resolve) => {
+            readline.question(prompt, (input) => {
+              resolve(input.trim());
+            });
+          });
+
+          // Check for cancellation
+          if (answer.toLowerCase() === 'cancel' || answer.toLowerCase() === 'c') {
+            inputCancelled = true;
+            break;
+          }
+
+          // Parse and validate the input
+          try {
+            if (answer === '' && field.default !== undefined) {
+              content[fieldName] = field.default;
+            } else if (answer === '' && !isRequired) {
+              // Skip optional empty fields
+              continue;
+            } else if (answer === '') {
+              throw new Error(`${fieldName} is required`);
+            } else {
+              // Parse the value based on type
+              let parsedValue: unknown;
+
+              if (field.type === 'boolean') {
+                parsedValue = answer.toLowerCase() === 'true' || answer.toLowerCase() === 'yes' || answer === '1';
+              } else if (field.type === 'number') {
+                parsedValue = parseFloat(answer);
+                if (isNaN(parsedValue as number)) {
+                  throw new Error(`${fieldName} must be a valid number`);
+                }
+              } else if (field.type === 'integer') {
+                parsedValue = parseInt(answer, 10);
+                if (isNaN(parsedValue as number)) {
+                  throw new Error(`${fieldName} must be a valid integer`);
+                }
+              } else if (field.enum) {
+                if (!field.enum.includes(answer)) {
+                  throw new Error(`${fieldName} must be one of: ${field.enum.join(', ')}`);
+                }
+                parsedValue = answer;
+              } else {
+                parsedValue = answer;
+              }
+
+              content[fieldName] = parsedValue;
+            }
+          } catch (error) {
+            console.log(`❌ Error: ${error}`);
+            // Continue to next attempt
+            break;
+          }
+        }
+
+        if (inputCancelled) {
+          return { action: 'cancel' };
+        }
+
+        // If we didn't complete all fields due to an error, try again
+        if (Object.keys(content).length !== Object.keys(properties).filter(name =>
+          required.includes(name) || content[name] !== undefined
+        ).length) {
+          if (attempts < maxAttempts) {
+            console.log('Please try again...');
+            continue;
+          } else {
+            console.log('Maximum attempts reached. Declining request.');
+            return { action: 'decline' };
+          }
+        }
+
+        // Validate the complete object against the schema
+        const isValid = validate(content);
+
+        if (!isValid) {
+          console.log('❌ Validation errors:');
+          validate.errors?.forEach(error => {
+            console.log(`  - ${error.instancePath || 'root'}: ${error.message}`);
+          });
+
+          if (attempts < maxAttempts) {
+            console.log('Please correct the errors and try again...');
+            continue;
+          } else {
+            console.log('Maximum attempts reached. Declining request.');
+            return { action: 'decline' };
+          }
+        }
+
+        // Show the collected data and ask for confirmation
+        console.log('\n✅ Collected data:');
+        console.log(JSON.stringify(content, null, 2));
+
+        const confirmAnswer = await new Promise<string>((resolve) => {
+          readline.question('\nSubmit this information? (yes/no/cancel): ', (input) => {
+            resolve(input.trim().toLowerCase());
+          });
+        });
+
+
+        if (confirmAnswer === 'yes' || confirmAnswer === 'y') {
+          return {
+            action: 'accept',
+            content,
+          };
+        } else if (confirmAnswer === 'cancel' || confirmAnswer === 'c') {
+          return { action: 'cancel' };
+        } else if (confirmAnswer === 'no' || confirmAnswer === 'n') {
+          if (attempts < maxAttempts) {
+            console.log('Please re-enter the information...');
+            continue;
+          } else {
+            return { action: 'decline' };
+          }
+        }
+      }
+
+      console.log('Maximum attempts reached. Declining request.');
+      return { action: 'decline' };
+    });
+
     transport = new StreamableHTTPClientTransport(
       new URL(serverUrl),
       {
@@ -362,6 +566,11 @@ async function callMultiGreetTool(name: string): Promise<void> {
   await callTool('multi-greet', { name });
 }
 
+async function callCollectInfoTool(infoType: string): Promise<void> {
+  console.log(`Testing elicitation with collect-user-info tool (${infoType})...`);
+  await callTool('collect-user-info', { infoType });
+}
+
 async function startNotifications(interval: number, count: number): Promise<void> {
   console.log(`Starting notification stream: interval=${interval}ms, count=${count || 'unlimited'}`);
   await callTool('start-notification-stream', { interval, count });
diff --git a/src/examples/server/simpleStreamableHttp.ts b/src/examples/server/simpleStreamableHttp.ts
index 6c3311920..4ef504463 100644
--- a/src/examples/server/simpleStreamableHttp.ts
+++ b/src/examples/server/simpleStreamableHttp.ts
@@ -5,7 +5,7 @@ import { McpServer } from '../../server/mcp.js';
 import { StreamableHTTPServerTransport } from '../../server/streamableHttp.js';
 import { getOAuthProtectedResourceMetadataUrl, mcpAuthMetadataRouter } from '../../server/auth/router.js';
 import { requireBearerAuth } from '../../server/auth/middleware/bearerAuth.js';
-import { CallToolResult, GetPromptResult, isInitializeRequest, ReadResourceResult } from '../../types.js';
+import { CallToolResult, GetPromptResult, isInitializeRequest, PrimitiveSchemaDefinition, ReadResourceResult } from '../../types.js';
 import { InMemoryEventStore } from '../shared/inMemoryEventStore.js';
 import { setupAuthServer } from './demoInMemoryOAuthProvider.js';
 import { OAuthMetadata } from 'src/shared/auth.js';
@@ -84,6 +84,157 @@ const getServer = () => {
     }
   );
 
+  // Register a tool that demonstrates elicitation (user input collection)
+  // This creates a closure that captures the server instance
+  server.tool(
+    'collect-user-info',
+    'A tool that collects user information through elicitation',
+    {
+      infoType: z.enum(['contact', 'preferences', 'feedback']).describe('Type of information to collect'),
+    },
+    async ({ infoType }): Promise<CallToolResult> => {
+      let message: string;
+      let requestedSchema: {
+        type: 'object';
+        properties: Record<string, PrimitiveSchemaDefinition>;
+        required?: string[];
+      };
+
+      switch (infoType) {
+        case 'contact':
+          message = 'Please provide your contact information';
+          requestedSchema = {
+            type: 'object',
+            properties: {
+              name: {
+                type: 'string',
+                title: 'Full Name',
+                description: 'Your full name',
+              },
+              email: {
+                type: 'string',
+                title: 'Email Address',
+                description: 'Your email address',
+                format: 'email',
+              },
+              phone: {
+                type: 'string',
+                title: 'Phone Number',
+                description: 'Your phone number (optional)',
+              },
+            },
+            required: ['name', 'email'],
+          };
+          break;
+        case 'preferences':
+          message = 'Please set your preferences';
+          requestedSchema = {
+            type: 'object',
+            properties: {
+              theme: {
+                type: 'string',
+                title: 'Theme',
+                description: 'Choose your preferred theme',
+                enum: ['light', 'dark', 'auto'],
+                enumNames: ['Light', 'Dark', 'Auto'],
+              },
+              notifications: {
+                type: 'boolean',
+                title: 'Enable Notifications',
+                description: 'Would you like to receive notifications?',
+                default: true,
+              },
+              frequency: {
+                type: 'string',
+                title: 'Notification Frequency',
+                description: 'How often would you like notifications?',
+                enum: ['daily', 'weekly', 'monthly'],
+                enumNames: ['Daily', 'Weekly', 'Monthly'],
+              },
+            },
+            required: ['theme'],
+          };
+          break;
+        case 'feedback':
+          message = 'Please provide your feedback';
+          requestedSchema = {
+            type: 'object',
+            properties: {
+              rating: {
+                type: 'integer',
+                title: 'Rating',
+                description: 'Rate your experience (1-5)',
+                minimum: 1,
+                maximum: 5,
+              },
+              comments: {
+                type: 'string',
+                title: 'Comments',
+                description: 'Additional comments (optional)',
+                maxLength: 500,
+              },
+              recommend: {
+                type: 'boolean',
+                title: 'Would you recommend this?',
+                description: 'Would you recommend this to others?',
+              },
+            },
+            required: ['rating', 'recommend'],
+          };
+          break;
+        default:
+          throw new Error(`Unknown info type: ${infoType}`);
+      }
+
+      try {
+        // Use the underlying server instance to elicit input from the client
+        const result = await server.server.elicitInput({
+          message,
+          requestedSchema,
+        });
+
+        if (result.action === 'accept') {
+          return {
+            content: [
+              {
+                type: 'text',
+                text: `Thank you! Collected ${infoType} information: ${JSON.stringify(result.content, null, 2)}`,
+              },
+            ],
+          };
+        } else if (result.action === 'decline') {
+          return {
+            content: [
+              {
+                type: 'text',
+                text: `No information was collected. User declined to provide ${infoType} information.`,
+              },
+            ],
+          };
+        } else {
+          return {
+            content: [
+              {
+                type: 'text',
+                text: `Information collection was cancelled by the user.`,
+              },
+            ],
+          };
+        }
+      } catch (error) {
+        return {
+          content: [
+            {
+              type: 'text',
+              text: `Error collecting ${infoType} information: ${error}`,
+            },
+          ],
+        };
+      }
+    }
+  );
+
+
   // Register a simple prompt
   server.prompt(
     'greeting-template',
diff --git a/src/server/index.test.ts b/src/server/index.test.ts
index 7c0fbc51a..ce54247a0 100644
--- a/src/server/index.test.ts
+++ b/src/server/index.test.ts
@@ -10,6 +10,7 @@ import {
   LATEST_PROTOCOL_VERSION,
   SUPPORTED_PROTOCOL_VERSIONS,
   CreateMessageRequestSchema,
+  ElicitRequestSchema,
   ListPromptsRequestSchema,
   ListResourcesRequestSchema,
   ListToolsRequestSchema,
@@ -267,6 +268,318 @@ test("should respect client capabilities", async () => {
   await expect(server.listRoots()).rejects.toThrow(/^Client does not support/);
 });
 
+test("should respect client elicitation capabilities", async () => {
+  const server = new Server(
+    {
+      name: "test server",
+      version: "1.0",
+    },
+    {
+      capabilities: {
+        prompts: {},
+        resources: {},
+        tools: {},
+        logging: {},
+      },
+      enforceStrictCapabilities: true,
+    },
+  );
+
+  const client = new Client(
+    {
+      name: "test client",
+      version: "1.0",
+    },
+    {
+      capabilities: {
+        elicitation: {},
+      },
+    },
+  );
+
+  client.setRequestHandler(ElicitRequestSchema, (params) => ({
+    action: "accept",
+    content: {
+      username: params.params.message.includes("username") ? "test-user" : undefined,
+      confirmed: true,
+    },
+  }));
+
+  const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+
+  await Promise.all([
+    client.connect(clientTransport),
+    server.connect(serverTransport),
+  ]);
+
+  expect(server.getClientCapabilities()).toEqual({ elicitation: {} });
+
+  // This should work because elicitation is supported by the client
+  await expect(
+    server.elicitInput({
+      message: "Please provide your username",
+      requestedSchema: {
+        type: "object",
+        properties: {
+          username: {
+            type: "string",
+            title: "Username",
+            description: "Your username",
+          },
+          confirmed: {
+            type: "boolean",
+            title: "Confirm",
+            description: "Please confirm",
+            default: false,
+          },
+        },
+        required: ["username"],
+      },
+    }),
+  ).resolves.toEqual({
+    action: "accept",
+    content: {
+      username: "test-user",
+      confirmed: true,
+    },
+  });
+
+  // This should still throw because sampling is not supported by the client
+  await expect(
+    server.createMessage({
+      messages: [],
+      maxTokens: 10,
+    }),
+  ).rejects.toThrow(/^Client does not support/);
+});
+
+test("should validate elicitation response against requested schema", async () => {
+  const server = new Server(
+    {
+      name: "test server",
+      version: "1.0",
+    },
+    {
+      capabilities: {
+        prompts: {},
+        resources: {},
+        tools: {},
+        logging: {},
+      },
+      enforceStrictCapabilities: true,
+    },
+  );
+
+  const client = new Client(
+    {
+      name: "test client",
+      version: "1.0",
+    },
+    {
+      capabilities: {
+        elicitation: {},
+      },
+    },
+  );
+
+  // Set up client to return valid response
+  client.setRequestHandler(ElicitRequestSchema, (request) => ({
+    action: "accept",
+    content: {
+      name: "John Doe",
+      email: "john@example.com",
+      age: 30,
+    },
+  }));
+
+  const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+
+  await Promise.all([
+    client.connect(clientTransport),
+    server.connect(serverTransport),
+  ]);
+
+  // Test with valid response
+  await expect(
+    server.elicitInput({
+      message: "Please provide your information",
+      requestedSchema: {
+        type: "object",
+        properties: {
+          name: {
+            type: "string",
+            minLength: 1,
+          },
+          email: {
+            type: "string",
+            minLength: 1,
+          },
+          age: {
+            type: "integer",
+            minimum: 0,
+            maximum: 150,
+          },
+        },
+        required: ["name", "email"],
+      },
+    }),
+  ).resolves.toEqual({
+    action: "accept",
+    content: {
+      name: "John Doe",
+      email: "john@example.com",
+      age: 30,
+    },
+  });
+});
+
+test("should reject elicitation response with invalid data", async () => {
+  const server = new Server(
+    {
+      name: "test server",
+      version: "1.0",
+    },
+    {
+      capabilities: {
+        prompts: {},
+        resources: {},
+        tools: {},
+        logging: {},
+      },
+      enforceStrictCapabilities: true,
+    },
+  );
+
+  const client = new Client(
+    {
+      name: "test client",
+      version: "1.0",
+    },
+    {
+      capabilities: {
+        elicitation: {},
+      },
+    },
+  );
+
+  // Set up client to return invalid response (missing required field, invalid age)
+  client.setRequestHandler(ElicitRequestSchema, (request) => ({
+    action: "accept",
+    content: {
+      email: "", // Invalid - too short
+      age: -5, // Invalid age
+    },
+  }));
+
+  const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+
+  await Promise.all([
+    client.connect(clientTransport),
+    server.connect(serverTransport),
+  ]);
+
+  // Test with invalid response
+  await expect(
+    server.elicitInput({
+      message: "Please provide your information",
+      requestedSchema: {
+        type: "object",
+        properties: {
+          name: {
+            type: "string",
+            minLength: 1,
+          },
+          email: {
+            type: "string",
+            minLength: 1,
+          },
+          age: {
+            type: "integer",
+            minimum: 0,
+            maximum: 150,
+          },
+        },
+        required: ["name", "email"],
+      },
+    }),
+  ).rejects.toThrow(/does not match requested schema/);
+});
+
+test("should allow elicitation decline and cancel without validation", async () => {
+  const server = new Server(
+    {
+      name: "test server",
+      version: "1.0",
+    },
+    {
+      capabilities: {
+        prompts: {},
+        resources: {},
+        tools: {},
+        logging: {},
+      },
+      enforceStrictCapabilities: true,
+    },
+  );
+
+  const client = new Client(
+    {
+      name: "test client", 
+      version: "1.0",
+    },
+    {
+      capabilities: {
+        elicitation: {},
+      },
+    },
+  );
+
+  let requestCount = 0;
+  client.setRequestHandler(ElicitRequestSchema, (request) => {
+    requestCount++;
+    if (requestCount === 1) {
+      return { action: "decline" };
+    } else {
+      return { action: "cancel" };
+    }
+  });
+
+  const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+
+  await Promise.all([
+    client.connect(clientTransport),
+    server.connect(serverTransport),
+  ]);
+
+  const schema = {
+    type: "object" as const,
+    properties: {
+      name: { type: "string" as const },
+    },
+    required: ["name"],
+  };
+
+  // Test decline - should not validate
+  await expect(
+    server.elicitInput({
+      message: "Please provide your name",
+      requestedSchema: schema,
+    }),
+  ).resolves.toEqual({
+    action: "decline",
+  });
+
+  // Test cancel - should not validate  
+  await expect(
+    server.elicitInput({
+      message: "Please provide your name",
+      requestedSchema: schema,
+    }),
+  ).resolves.toEqual({
+    action: "cancel",
+  });
+});
+
 test("should respect server notification capabilities", async () => {
   const server = new Server(
     {
diff --git a/src/server/index.ts b/src/server/index.ts
index 3901099e3..6a819db85 100644
--- a/src/server/index.ts
+++ b/src/server/index.ts
@@ -8,6 +8,9 @@ import {
   ClientCapabilities,
   CreateMessageRequest,
   CreateMessageResultSchema,
+  ElicitRequest,
+  ElicitResult,
+  ElicitResultSchema,
   EmptyResultSchema,
   Implementation,
   InitializedNotificationSchema,
@@ -18,6 +21,8 @@ import {
   ListRootsRequest,
   ListRootsResultSchema,
   LoggingMessageNotification,
+  McpError,
+  ErrorCode,
   Notification,
   Request,
   ResourceUpdatedNotification,
@@ -28,6 +33,7 @@ import {
   ServerResult,
   SUPPORTED_PROTOCOL_VERSIONS,
 } from "../types.js";
+import { Ajv } from "ajv";
 
 export type ServerOptions = ProtocolOptions & {
   /**
@@ -129,6 +135,14 @@ export class Server<
         }
         break;
 
+      case "elicitation/create":
+        if (!this._clientCapabilities?.elicitation) {
+          throw new Error(
+            `Client does not support elicitation (required for ${method})`,
+          );
+        }
+        break;
+
       case "roots/list":
         if (!this._clientCapabilities?.roots) {
           throw new Error(
@@ -294,6 +308,44 @@ export class Server<
     );
   }
 
+  async elicitInput(
+    params: ElicitRequest["params"],
+    options?: RequestOptions,
+  ): Promise<ElicitResult> {
+    const result = await this.request(
+      { method: "elicitation/create", params },
+      ElicitResultSchema,
+      options,
+    );
+
+    // Validate the response content against the requested schema if action is "accept"
+    if (result.action === "accept" && result.content) {
+      try {
+        const ajv = new Ajv({ strict: false, validateFormats: true });
+        
+        const validate = ajv.compile(params.requestedSchema);
+        const isValid = validate(result.content);
+        
+        if (!isValid) {
+          throw new McpError(
+            ErrorCode.InvalidParams,
+            `Elicitation response content does not match requested schema: ${ajv.errorsText(validate.errors)}`,
+          );
+        }
+      } catch (error) {
+        if (error instanceof McpError) {
+          throw error;
+        }
+        throw new McpError(
+          ErrorCode.InternalError,
+          `Error validating elicitation response: ${error}`,
+        );
+      }
+    }
+
+    return result;
+  }
+
   async listRoots(
     params?: ListRootsRequest["params"],
     options?: RequestOptions,
diff --git a/src/shared/protocol.test.ts b/src/shared/protocol.test.ts
index e0141da19..ac453b17d 100644
--- a/src/shared/protocol.test.ts
+++ b/src/shared/protocol.test.ts
@@ -339,6 +339,7 @@ describe("mergeCapabilities", () => {
       experimental: {
         feature: true,
       },
+      elicitation: {},
       roots: {
         newProp: true,
       },
@@ -347,6 +348,7 @@ describe("mergeCapabilities", () => {
     const merged = mergeCapabilities(base, additional);
     expect(merged).toEqual({
       sampling: {},
+      elicitation: {},
       roots: {
         listChanged: true,
         newProp: true,
diff --git a/src/types.ts b/src/types.ts
index ae25848ea..e5a544b52 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -218,6 +218,10 @@ export const ClientCapabilitiesSchema = z
      * Present if the client supports sampling from an LLM.
      */
     sampling: z.optional(z.object({}).passthrough()),
+    /**
+     * Present if the client supports eliciting user input.
+     */
+    elicitation: z.optional(z.object({}).passthrough()),
     /**
      * Present if the client supports listing roots.
      */
@@ -1088,6 +1092,107 @@ export const CreateMessageResultSchema = ResultSchema.extend({
   ]),
 });
 
+/* Elicitation */
+/**
+ * Primitive schema definition for boolean fields.
+ */
+export const BooleanSchemaSchema = z
+  .object({
+    type: z.literal("boolean"),
+    title: z.optional(z.string()),
+    description: z.optional(z.string()),
+    default: z.optional(z.boolean()),
+  })
+  .passthrough();
+
+/**
+ * Primitive schema definition for string fields.
+ */
+export const StringSchemaSchema = z
+  .object({
+    type: z.literal("string"),
+    title: z.optional(z.string()),
+    description: z.optional(z.string()),
+    minLength: z.optional(z.number()),
+    maxLength: z.optional(z.number()),
+    format: z.optional(z.enum(["email", "uri", "date", "date-time"])),
+  })
+  .passthrough();
+
+/**
+ * Primitive schema definition for number fields.
+ */
+export const NumberSchemaSchema = z
+  .object({
+    type: z.enum(["number", "integer"]),
+    title: z.optional(z.string()),
+    description: z.optional(z.string()),
+    minimum: z.optional(z.number()),
+    maximum: z.optional(z.number()),
+  })
+  .passthrough();
+
+/**
+ * Primitive schema definition for enum fields.
+ */
+export const EnumSchemaSchema = z
+  .object({
+    type: z.literal("string"),
+    title: z.optional(z.string()),
+    description: z.optional(z.string()),
+    enum: z.array(z.string()),
+    enumNames: z.optional(z.array(z.string())),
+  })
+  .passthrough();
+
+/**
+ * Union of all primitive schema definitions.
+ */
+export const PrimitiveSchemaDefinitionSchema = z.union([
+  BooleanSchemaSchema,
+  StringSchemaSchema,
+  NumberSchemaSchema,
+  EnumSchemaSchema,
+]);
+
+/**
+ * A request from the server to elicit user input via the client.
+ * The client should present the message and form fields to the user.
+ */
+export const ElicitRequestSchema = RequestSchema.extend({
+  method: z.literal("elicitation/create"),
+  params: BaseRequestParamsSchema.extend({
+    /**
+     * The message to present to the user.
+     */
+    message: z.string(),
+    /**
+     * The schema for the requested user input.
+     */
+    requestedSchema: z
+      .object({
+        type: z.literal("object"),
+        properties: z.record(z.string(), PrimitiveSchemaDefinitionSchema),
+        required: z.optional(z.array(z.string())),
+      })
+      .passthrough(),
+  }),
+});
+
+/**
+ * The client's response to an elicitation/create request from the server.
+ */
+export const ElicitResultSchema = ResultSchema.extend({
+  /**
+   * The user's response action.
+   */
+  action: z.enum(["accept", "decline", "cancel"]),
+  /**
+   * The collected user input content (only present if action is "accept").
+   */
+  content: z.optional(z.record(z.string(), z.unknown())),
+});
+
 /* Autocomplete */
 /**
  * A reference to a resource or resource template definition.
@@ -1227,6 +1332,7 @@ export const ClientNotificationSchema = z.union([
 export const ClientResultSchema = z.union([
   EmptyResultSchema,
   CreateMessageResultSchema,
+  ElicitResultSchema,
   ListRootsResultSchema,
 ]);
 
@@ -1234,6 +1340,7 @@ export const ClientResultSchema = z.union([
 export const ServerRequestSchema = z.union([
   PingRequestSchema,
   CreateMessageRequestSchema,
+  ElicitRequestSchema,
   ListRootsRequestSchema,
 ]);
 
@@ -1376,6 +1483,15 @@ export type SamplingMessage = Infer<typeof SamplingMessageSchema>;
 export type CreateMessageRequest = Infer<typeof CreateMessageRequestSchema>;
 export type CreateMessageResult = Infer<typeof CreateMessageResultSchema>;
 
+/* Elicitation */
+export type BooleanSchema = Infer<typeof BooleanSchemaSchema>;
+export type StringSchema = Infer<typeof StringSchemaSchema>;
+export type NumberSchema = Infer<typeof NumberSchemaSchema>;
+export type EnumSchema = Infer<typeof EnumSchemaSchema>;
+export type PrimitiveSchemaDefinition = Infer<typeof PrimitiveSchemaDefinitionSchema>;
+export type ElicitRequest = Infer<typeof ElicitRequestSchema>;
+export type ElicitResult = Infer<typeof ElicitResultSchema>;
+
 /* Autocomplete */
 export type ResourceReference = Infer<typeof ResourceReferenceSchema>;
 export type PromptReference = Infer<typeof PromptReferenceSchema>;

From a89f950222a4d129437f01731766fdb4ca7347b2 Mon Sep 17 00:00:00 2001
From: Basil Hosmer <basil@anthropic.com>
Date: Wed, 21 May 2025 17:12:42 -0400
Subject: [PATCH 011/147] post-rebase fixes

---
 src/examples/client/simpleStreamableHttp.ts | 6 +++---
 src/server/index.ts                         | 5 +++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/examples/client/simpleStreamableHttp.ts b/src/examples/client/simpleStreamableHttp.ts
index 63efdd2fa..4bcaf94c0 100644
--- a/src/examples/client/simpleStreamableHttp.ts
+++ b/src/examples/client/simpleStreamableHttp.ts
@@ -16,7 +16,7 @@ import {
   ResourceListChangedNotificationSchema,
   ElicitRequestSchema,
 } from '../../types.js';
-import { Ajv } from 'ajv';
+import Ajv from "ajv";
 
 // Create readline interface for user input
 const readline = createInterface({
@@ -215,7 +215,7 @@ async function connect(url?: string): Promise<void> {
       const required = schema.required || [];
 
       // Set up AJV validator for the requested schema
-      const ajv = new Ajv({ strict: false, validateFormats: true });
+      const ajv = new Ajv();
       const validate = ajv.compile(schema);
 
       let attempts = 0;
@@ -352,7 +352,7 @@ async function connect(url?: string): Promise<void> {
         if (!isValid) {
           console.log('❌ Validation errors:');
           validate.errors?.forEach(error => {
-            console.log(`  - ${error.instancePath || 'root'}: ${error.message}`);
+            console.log(`  - ${error.dataPath || 'root'}: ${error.message}`);
           });
 
           if (attempts < maxAttempts) {
diff --git a/src/server/index.ts b/src/server/index.ts
index 6a819db85..506589d97 100644
--- a/src/server/index.ts
+++ b/src/server/index.ts
@@ -33,7 +33,8 @@ import {
   ServerResult,
   SUPPORTED_PROTOCOL_VERSIONS,
 } from "../types.js";
-import { Ajv } from "ajv";
+import Ajv from "ajv";
+import type { ValidateFunction } from "ajv";
 
 export type ServerOptions = ProtocolOptions & {
   /**
@@ -321,7 +322,7 @@ export class Server<
     // Validate the response content against the requested schema if action is "accept"
     if (result.action === "accept" && result.content) {
       try {
-        const ajv = new Ajv({ strict: false, validateFormats: true });
+        const ajv = new Ajv();
         
         const validate = ajv.compile(params.requestedSchema);
         const isValid = validate(result.content);

From eea1519994f78750b516f527dc135697a69f8eac Mon Sep 17 00:00:00 2001
From: Basil Hosmer <basil@anthropic.com>
Date: Wed, 21 May 2025 23:42:00 -0400
Subject: [PATCH 012/147] lint

---
 src/server/index.ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/server/index.ts b/src/server/index.ts
index 506589d97..5d482d322 100644
--- a/src/server/index.ts
+++ b/src/server/index.ts
@@ -34,7 +34,6 @@ import {
   SUPPORTED_PROTOCOL_VERSIONS,
 } from "../types.js";
 import Ajv from "ajv";
-import type { ValidateFunction } from "ajv";
 
 export type ServerOptions = ProtocolOptions & {
   /**

From eefdcf5bf3f9e7228966c4978dd46f09b13ac39f Mon Sep 17 00:00:00 2001
From: dhodun <dhodun@anthropic.com>
Date: Fri, 23 May 2025 20:01:38 -0500
Subject: [PATCH 013/147] docs: Add clarifying comments for stateless
 streamable HTTP endpoints

Add inline comments explaining why GET and DELETE endpoints return 405 in stateless mode:
- GET: SSE notifications not supported without session management
- DELETE: Session termination not needed in stateless mode
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index f468969b5..0c954c412 100644
--- a/README.md
+++ b/README.md
@@ -347,6 +347,7 @@ app.post('/mcp', async (req: Request, res: Response) => {
   }
 });
 
+// SSE notifications not supported in stateless mode
 app.get('/mcp', async (req: Request, res: Response) => {
   console.log('Received GET MCP request');
   res.writeHead(405).end(JSON.stringify({
@@ -359,6 +360,7 @@ app.get('/mcp', async (req: Request, res: Response) => {
   }));
 });
 
+// Session termination not needed in stateless mode
 app.delete('/mcp', async (req: Request, res: Response) => {
   console.log('Received DELETE MCP request');
   res.writeHead(405).end(JSON.stringify({

From 5f5180c4d32f1c53cd93f036f5ce3632cc064e15 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Barthelet?=
 <frederic.barthelet@gmail.com>
Date: Sun, 25 May 2025 17:20:02 -0700
Subject: [PATCH 014/147] Register completions capabilities

---
 src/server/mcp.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/server/mcp.ts b/src/server/mcp.ts
index 5b864b8b4..38c869c78 100644
--- a/src/server/mcp.ts
+++ b/src/server/mcp.ts
@@ -236,6 +236,10 @@ export class McpServer {
       CompleteRequestSchema.shape.method.value,
     );
 
+    this.server.registerCapabilities({
+      completions: {},
+    });
+
     this.server.setRequestHandler(
       CompleteRequestSchema,
       async (request): Promise<CompleteResult> => {

From 269c8caf8ec7a248693bc54f22e013ac6259fc8c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Barthelet?=
 <frederic.barthelet@gmail.com>
Date: Sun, 25 May 2025 18:00:28 -0700
Subject: [PATCH 015/147] Remove server-specific capabilities definition from
 Client constructor in mcp tests

---
 src/server/mcp.test.ts | 271 +++++++++++------------------------------
 1 file changed, 72 insertions(+), 199 deletions(-)

diff --git a/src/server/mcp.test.ts b/src/server/mcp.test.ts
index 49f852d65..bef8ae028 100644
--- a/src/server/mcp.test.ts
+++ b/src/server/mcp.test.ts
@@ -913,18 +913,10 @@ describe("tool()", () => {
       name: "test server",
       version: "1.0",
     });
-
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     mcpServer.tool(
       "test",
@@ -1056,17 +1048,10 @@ describe("tool()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     // Register a tool with outputSchema
     mcpServer.registerTool(
@@ -1169,17 +1154,10 @@ describe("tool()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     // Register a tool with outputSchema that returns only content without structuredContent
     mcpServer.registerTool(
@@ -1233,17 +1211,10 @@ describe("tool()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     // Register a tool with outputSchema that returns invalid data
     mcpServer.registerTool(
@@ -1308,17 +1279,10 @@ describe("tool()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     let receivedSessionId: string | undefined;
     mcpServer.tool("test-tool", async (extra) => {
@@ -1364,17 +1328,10 @@ describe("tool()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     let receivedRequestId: string | number | undefined;
     mcpServer.tool("request-id-test", async (extra) => {
@@ -1423,17 +1380,10 @@ describe("tool()", () => {
       { capabilities: { logging: {} } },
     );
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     let receivedLogMessage: string | undefined;
     const loggingMessage = "hello here is log message 1";
@@ -1480,17 +1430,10 @@ describe("tool()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     mcpServer.tool(
       "test",
@@ -1546,17 +1489,10 @@ describe("tool()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     mcpServer.tool("error-test", async () => {
       throw new Error("Tool execution failed");
@@ -1598,17 +1534,10 @@ describe("tool()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     mcpServer.tool("test-tool", async () => ({
       content: [
@@ -2401,17 +2330,10 @@ describe("resource()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          resources: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     mcpServer.resource(
       "test",
@@ -2469,17 +2391,10 @@ describe("resource()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          resources: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     mcpServer.resource(
       "test",
@@ -2540,17 +2455,10 @@ describe("resource()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          resources: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     let receivedRequestId: string | number | undefined;
     mcpServer.resource("request-id-test", "test://resource", async (_uri, extra) => {
@@ -3052,17 +2960,10 @@ describe("prompt()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          prompts: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     mcpServer.prompt(
       "test",
@@ -3258,17 +3159,10 @@ describe("prompt()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          prompts: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     mcpServer.prompt("test-prompt", async () => ({
       messages: [
@@ -3312,17 +3206,10 @@ describe("prompt()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          prompts: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     mcpServer.prompt(
       "test-prompt",
@@ -3380,17 +3267,10 @@ describe("prompt()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          prompts: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     mcpServer.prompt(
       "test-prompt",
@@ -3450,17 +3330,10 @@ describe("prompt()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          prompts: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     let receivedRequestId: string | number | undefined;
     mcpServer.prompt("request-id-test", async (extra) => {

From 7e0521550b3bf21a5fe043d7ee62aacc0f8a8c24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Barthelet?=
 <frederic.barthelet@gmail.com>
Date: Sun, 25 May 2025 19:07:26 -0700
Subject: [PATCH 016/147] Add tests for completions capability registration on
 template resource with completion or prompt completable argument registration

---
 src/server/mcp.test.ts | 85 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)

diff --git a/src/server/mcp.test.ts b/src/server/mcp.test.ts
index bef8ae028..0ba1998d2 100644
--- a/src/server/mcp.test.ts
+++ b/src/server/mcp.test.ts
@@ -2321,6 +2321,48 @@ describe("resource()", () => {
     ).rejects.toThrow(/Resource test:\/\/nonexistent not found/);
   });
 
+  /***
+   * Test: Registering a resource template with a complete callback should update server capabilities to advertise support for completion
+   */
+  test("should advertise support for completion when a resource template with a complete callback is defined", async () => {
+    const mcpServer = new McpServer({
+      name: "test server",
+      version: "1.0",
+    });
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
+
+    mcpServer.resource(
+      "test",
+      new ResourceTemplate("test://resource/{category}", {
+        list: undefined,
+        complete: {
+          category: () => ["books", "movies", "music"],
+        },
+      }),
+      async () => ({
+        contents: [
+          {
+            uri: "test://resource/test",
+            text: "Test content",
+          },
+        ],
+      }),
+    );
+
+    const [clientTransport, serverTransport] =
+      InMemoryTransport.createLinkedPair();
+
+    await Promise.all([
+      client.connect(clientTransport),
+      mcpServer.server.connect(serverTransport),
+    ]);
+
+    expect(client.getServerCapabilities()).toMatchObject({ completions: {} })
+  })
+
   /***
    * Test: Resource Template Parameter Completion
    */
@@ -3197,6 +3239,49 @@ describe("prompt()", () => {
     ).rejects.toThrow(/Prompt nonexistent-prompt not found/);
   });
 
+
+  /***
+   * Test: Registering a prompt with a completable argument should update server capabilities to advertise support for completion
+   */
+  test("should advertise support for completion when a prompt with a completable argument is defined", async () => {
+    const mcpServer = new McpServer({
+      name: "test server",
+      version: "1.0",
+    });
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
+
+    mcpServer.prompt(
+      "test-prompt",
+      {
+        name: completable(z.string(), () => ["Alice", "Bob", "Charlie"]),
+      },
+      async ({ name }) => ({
+        messages: [
+          {
+            role: "assistant",
+            content: {
+              type: "text",
+              text: `Hello ${name}`,
+            },
+          },
+        ],
+      }),
+    );
+
+    const [clientTransport, serverTransport] =
+      InMemoryTransport.createLinkedPair();
+
+    await Promise.all([
+      client.connect(clientTransport),
+      mcpServer.server.connect(serverTransport),
+    ]);
+
+    expect(client.getServerCapabilities()).toMatchObject({ completions: {} })
+  })
+
   /***
    * Test: Prompt Argument Completion
    */

From adbacc63881908031914a527b44ab820523e7f57 Mon Sep 17 00:00:00 2001
From: David Dworken <dworken@anthropic.com>
Date: Thu, 29 May 2025 13:32:26 -0700
Subject: [PATCH 017/147] Add DNS rebinding protection for SSE transport

---
 package-lock.json      |   4 +-
 src/server/sse.test.ts | 240 ++++++++++++++++++++++++++++++++++++++++-
 src/server/sse.ts      |  66 +++++++++++-
 3 files changed, 306 insertions(+), 4 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 40bad9fe2..ef5393822 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.11.4",
+  "version": "1.12.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@modelcontextprotocol/sdk",
-      "version": "1.11.4",
+      "version": "1.12.1",
       "license": "MIT",
       "dependencies": {
         "ajv": "^6.12.6",
diff --git a/src/server/sse.test.ts b/src/server/sse.test.ts
index 2fd2c0424..38ba9e599 100644
--- a/src/server/sse.test.ts
+++ b/src/server/sse.test.ts
@@ -1,12 +1,14 @@
 import http from 'http'; 
 import { jest } from '@jest/globals';
-import { SSEServerTransport } from './sse.js'; 
+import { SSEServerTransport } from './sse.js';
+import { AuthInfo } from './auth/types.js'; 
 
 const createMockResponse = () => {
   const res = {
     writeHead: jest.fn<http.ServerResponse['writeHead']>(),
     write: jest.fn<http.ServerResponse['write']>().mockReturnValue(true),
     on: jest.fn<http.ServerResponse['on']>(),
+    end: jest.fn<http.ServerResponse['end']>().mockReturnThis(),
   };
   res.writeHead.mockReturnThis();
   res.on.mockReturnThis();
@@ -14,6 +16,12 @@ const createMockResponse = () => {
   return res as unknown as http.ServerResponse;
 };
 
+const createMockRequest = (headers: Record<string, string> = {}) => {
+  return {
+    headers,
+  } as unknown as http.IncomingMessage & { auth?: AuthInfo };
+};
+
 describe('SSEServerTransport', () => {
   describe('start method', () => { 
     it('should correctly append sessionId to a simple relative endpoint', async () => { 
@@ -106,4 +114,234 @@ describe('SSEServerTransport', () => {
       );
     });
   });
+
+  describe('DNS rebinding protection', () => {
+    beforeEach(() => {
+      jest.clearAllMocks();
+    });
+
+    describe('Host header validation', () => {
+      it('should accept requests with allowed host headers', async () => {
+        const mockRes = createMockResponse();
+        const transport = new SSEServerTransport('/messages', mockRes, {
+          allowedHosts: ['localhost:3000', 'example.com'],
+        });
+        await transport.start();
+
+        const mockReq = createMockRequest({
+          host: 'localhost:3000',
+          'content-type': 'application/json',
+        });
+        const mockHandleRes = createMockResponse();
+
+        await transport.handlePostMessage(mockReq, mockHandleRes, { jsonrpc: '2.0', method: 'test' });
+
+        expect(mockHandleRes.writeHead).toHaveBeenCalledWith(202);
+        expect(mockHandleRes.end).toHaveBeenCalledWith('Accepted');
+      });
+
+      it('should reject requests with disallowed host headers', async () => {
+        const mockRes = createMockResponse();
+        const transport = new SSEServerTransport('/messages', mockRes, {
+          allowedHosts: ['localhost:3000'],
+        });
+        await transport.start();
+
+        const mockReq = createMockRequest({
+          host: 'evil.com',
+          'content-type': 'application/json',
+        });
+        const mockHandleRes = createMockResponse();
+
+        await transport.handlePostMessage(mockReq, mockHandleRes, { jsonrpc: '2.0', method: 'test' });
+
+        expect(mockHandleRes.writeHead).toHaveBeenCalledWith(403);
+        expect(mockHandleRes.end).toHaveBeenCalledWith('Invalid Host header: evil.com');
+      });
+
+      it('should reject requests without host header when allowedHosts is configured', async () => {
+        const mockRes = createMockResponse();
+        const transport = new SSEServerTransport('/messages', mockRes, {
+          allowedHosts: ['localhost:3000'],
+        });
+        await transport.start();
+
+        const mockReq = createMockRequest({
+          'content-type': 'application/json',
+        });
+        const mockHandleRes = createMockResponse();
+
+        await transport.handlePostMessage(mockReq, mockHandleRes, { jsonrpc: '2.0', method: 'test' });
+
+        expect(mockHandleRes.writeHead).toHaveBeenCalledWith(403);
+        expect(mockHandleRes.end).toHaveBeenCalledWith('Invalid Host header: undefined');
+      });
+    });
+
+    describe('Origin header validation', () => {
+      it('should accept requests with allowed origin headers', async () => {
+        const mockRes = createMockResponse();
+        const transport = new SSEServerTransport('/messages', mockRes, {
+          allowedOrigins: ['http://localhost:3000', 'https://example.com'],
+        });
+        await transport.start();
+
+        const mockReq = createMockRequest({
+          origin: 'http://localhost:3000',
+          'content-type': 'application/json',
+        });
+        const mockHandleRes = createMockResponse();
+
+        await transport.handlePostMessage(mockReq, mockHandleRes, { jsonrpc: '2.0', method: 'test' });
+
+        expect(mockHandleRes.writeHead).toHaveBeenCalledWith(202);
+        expect(mockHandleRes.end).toHaveBeenCalledWith('Accepted');
+      });
+
+      it('should reject requests with disallowed origin headers', async () => {
+        const mockRes = createMockResponse();
+        const transport = new SSEServerTransport('/messages', mockRes, {
+          allowedOrigins: ['http://localhost:3000'],
+        });
+        await transport.start();
+
+        const mockReq = createMockRequest({
+          origin: 'http://evil.com',
+          'content-type': 'application/json',
+        });
+        const mockHandleRes = createMockResponse();
+
+        await transport.handlePostMessage(mockReq, mockHandleRes, { jsonrpc: '2.0', method: 'test' });
+
+        expect(mockHandleRes.writeHead).toHaveBeenCalledWith(403);
+        expect(mockHandleRes.end).toHaveBeenCalledWith('Invalid Origin header: http://evil.com');
+      });
+    });
+
+    describe('Content-Type validation', () => {
+      it('should accept requests with application/json content-type', async () => {
+        const mockRes = createMockResponse();
+        const transport = new SSEServerTransport('/messages', mockRes);
+        await transport.start();
+
+        const mockReq = createMockRequest({
+          'content-type': 'application/json',
+        });
+        const mockHandleRes = createMockResponse();
+
+        await transport.handlePostMessage(mockReq, mockHandleRes, { jsonrpc: '2.0', method: 'test' });
+
+        expect(mockHandleRes.writeHead).toHaveBeenCalledWith(202);
+        expect(mockHandleRes.end).toHaveBeenCalledWith('Accepted');
+      });
+
+      it('should accept requests with application/json with charset', async () => {
+        const mockRes = createMockResponse();
+        const transport = new SSEServerTransport('/messages', mockRes);
+        await transport.start();
+
+        const mockReq = createMockRequest({
+          'content-type': 'application/json; charset=utf-8',
+        });
+        const mockHandleRes = createMockResponse();
+
+        await transport.handlePostMessage(mockReq, mockHandleRes, { jsonrpc: '2.0', method: 'test' });
+
+        expect(mockHandleRes.writeHead).toHaveBeenCalledWith(202);
+        expect(mockHandleRes.end).toHaveBeenCalledWith('Accepted');
+      });
+
+      it('should reject requests with non-application/json content-type when protection is enabled', async () => {
+        const mockRes = createMockResponse();
+        const transport = new SSEServerTransport('/messages', mockRes);
+        await transport.start();
+
+        const mockReq = createMockRequest({
+          'content-type': 'text/plain',
+        });
+        const mockHandleRes = createMockResponse();
+
+        await transport.handlePostMessage(mockReq, mockHandleRes, { jsonrpc: '2.0', method: 'test' });
+
+        expect(mockHandleRes.writeHead).toHaveBeenCalledWith(400);
+        expect(mockHandleRes.end).toHaveBeenCalledWith('Error: Content-Type must start with application/json, got: text/plain');
+      });
+    });
+
+    describe('disableDnsRebindingProtection option', () => {
+      it('should skip all validations when disableDnsRebindingProtection is true', async () => {
+        const mockRes = createMockResponse();
+        const transport = new SSEServerTransport('/messages', mockRes, {
+          allowedHosts: ['localhost:3000'],
+          allowedOrigins: ['http://localhost:3000'],
+          disableDnsRebindingProtection: true,
+        });
+        await transport.start();
+
+        const mockReq = createMockRequest({
+          host: 'evil.com',
+          origin: 'http://evil.com',
+          'content-type': 'text/plain',
+        });
+        const mockHandleRes = createMockResponse();
+
+        await transport.handlePostMessage(mockReq, mockHandleRes, { jsonrpc: '2.0', method: 'test' });
+
+        // Should pass even with invalid headers because protection is disabled
+        expect(mockHandleRes.writeHead).toHaveBeenCalledWith(400);
+        // The error should be from content-type parsing, not DNS rebinding protection
+        expect(mockHandleRes.end).toHaveBeenCalledWith('Error: Unsupported content-type: text/plain');
+      });
+    });
+
+    describe('Combined validations', () => {
+      it('should validate both host and origin when both are configured', async () => {
+        const mockRes = createMockResponse();
+        const transport = new SSEServerTransport('/messages', mockRes, {
+          allowedHosts: ['localhost:3000'],
+          allowedOrigins: ['http://localhost:3000'],
+        });
+        await transport.start();
+
+        // Valid host, invalid origin
+        const mockReq1 = createMockRequest({
+          host: 'localhost:3000',
+          origin: 'http://evil.com',
+          'content-type': 'application/json',
+        });
+        const mockHandleRes1 = createMockResponse();
+
+        await transport.handlePostMessage(mockReq1, mockHandleRes1, { jsonrpc: '2.0', method: 'test' });
+
+        expect(mockHandleRes1.writeHead).toHaveBeenCalledWith(403);
+        expect(mockHandleRes1.end).toHaveBeenCalledWith('Invalid Origin header: http://evil.com');
+
+        // Invalid host, valid origin
+        const mockReq2 = createMockRequest({
+          host: 'evil.com',
+          origin: 'http://localhost:3000',
+          'content-type': 'application/json',
+        });
+        const mockHandleRes2 = createMockResponse();
+
+        await transport.handlePostMessage(mockReq2, mockHandleRes2, { jsonrpc: '2.0', method: 'test' });
+
+        expect(mockHandleRes2.writeHead).toHaveBeenCalledWith(403);
+        expect(mockHandleRes2.end).toHaveBeenCalledWith('Invalid Host header: evil.com');
+
+        // Both valid
+        const mockReq3 = createMockRequest({
+          host: 'localhost:3000',
+          origin: 'http://localhost:3000',
+          'content-type': 'application/json',
+        });
+        const mockHandleRes3 = createMockResponse();
+
+        await transport.handlePostMessage(mockReq3, mockHandleRes3, { jsonrpc: '2.0', method: 'test' });
+
+        expect(mockHandleRes3.writeHead).toHaveBeenCalledWith(202);
+        expect(mockHandleRes3.end).toHaveBeenCalledWith('Accepted');
+      });
+    });
+  });
 });
diff --git a/src/server/sse.ts b/src/server/sse.ts
index 03f6fefc9..6ef2baefa 100644
--- a/src/server/sse.ts
+++ b/src/server/sse.ts
@@ -9,6 +9,29 @@ import { URL } from 'url';
 
 const MAXIMUM_MESSAGE_SIZE = "4mb";
 
+/**
+ * Configuration options for SSEServerTransport.
+ */
+export interface SSEServerTransportOptions {
+  /**
+   * List of allowed host header values for DNS rebinding protection.
+   * If not specified, host validation is disabled.
+   */
+  allowedHosts?: string[];
+  
+  /**
+   * List of allowed origin header values for DNS rebinding protection.
+   * If not specified, origin validation is disabled.
+   */
+  allowedOrigins?: string[];
+  
+  /**
+   * Disable DNS rebinding protection entirely (overrides allowedHosts and allowedOrigins).
+   * Default is false.
+   */
+  disableDnsRebindingProtection?: boolean;
+}
+
 /**
  * Server transport for SSE: this will send messages over an SSE connection and receive messages from HTTP POST requests.
  *
@@ -17,6 +40,7 @@ const MAXIMUM_MESSAGE_SIZE = "4mb";
 export class SSEServerTransport implements Transport {
   private _sseResponse?: ServerResponse;
   private _sessionId: string;
+  private _options: SSEServerTransportOptions;
 
   onclose?: () => void;
   onerror?: (error: Error) => void;
@@ -28,8 +52,39 @@ export class SSEServerTransport implements Transport {
   constructor(
     private _endpoint: string,
     private res: ServerResponse,
+    options?: SSEServerTransportOptions,
   ) {
     this._sessionId = randomUUID();
+    this._options = options || {disableDnsRebindingProtection: true};
+  }
+
+  /**
+   * Validates request headers for DNS rebinding protection.
+   * @returns Error message if validation fails, undefined if validation passes.
+   */
+  private validateRequestHeaders(req: IncomingMessage): string | undefined {
+    // Skip validation if protection is disabled
+    if (this._options.disableDnsRebindingProtection) {
+      return undefined;
+    }
+
+    // Validate Host header if allowedHosts is configured
+    if (this._options.allowedHosts && this._options.allowedHosts.length > 0) {
+      const hostHeader = req.headers.host;
+      if (!hostHeader || !this._options.allowedHosts.includes(hostHeader)) {
+        return `Invalid Host header: ${hostHeader}`;
+      }
+    }
+
+    // Validate Origin header if allowedOrigins is configured
+    if (this._options.allowedOrigins && this._options.allowedOrigins.length > 0) {
+      const originHeader = req.headers.origin;
+      if (!originHeader || !this._options.allowedOrigins.includes(originHeader)) {
+        return `Invalid Origin header: ${originHeader}`;
+      }
+    }
+
+    return undefined;
   }
 
   /**
@@ -86,13 +141,22 @@ export class SSEServerTransport implements Transport {
       res.writeHead(500).end(message);
       throw new Error(message);
     }
+
+    // Validate request headers for DNS rebinding protection
+    const validationError = this.validateRequestHeaders(req);
+    if (validationError) {
+      res.writeHead(403).end(validationError);
+      this.onerror?.(new Error(validationError));
+      return;
+    }
+
     const authInfo: AuthInfo | undefined = req.auth;
 
     let body: string | unknown;
     try {
       const ct = contentType.parse(req.headers["content-type"] ?? "");
       if (ct.type !== "application/json") {
-        throw new Error(`Unsupported content-type: ${ct}`);
+        throw new Error(`Unsupported content-type: ${ct.type}`);
       }
 
       body = parsedBody ?? await getRawBody(req, {

From ebf2535b90ce4c81553f237f49450b6ea4f9ce71 Mon Sep 17 00:00:00 2001
From: David Dworken <dworken@anthropic.com>
Date: Thu, 29 May 2025 13:52:30 -0700
Subject: [PATCH 018/147] Add protections for streamable HTTP too

---
 README.md                         |  22 ++-
 src/server/streamableHttp.test.ts | 263 +++++++++++++++++++++++++++++-
 src/server/streamableHttp.ts      |  68 ++++++++
 3 files changed, 351 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index c9e27c275..ccc627b27 100644
--- a/README.md
+++ b/README.md
@@ -251,7 +251,11 @@ app.post('/mcp', async (req, res) => {
       onsessioninitialized: (sessionId) => {
         // Store the transport by session ID
         transports[sessionId] = transport;
-      }
+      },
+      // DNS rebinding protection is disabled by default for backwards compatibility. If you are running this server
+      // locally, make sure to set:
+      // disableDnsRebindingProtection: true,
+      // allowedHosts: ['127.0.0.1'],
     });
 
     // Clean up transport when closed
@@ -386,6 +390,22 @@ This stateless approach is useful for:
 - RESTful scenarios where each request is independent
 - Horizontally scaled deployments without shared session state
 
+#### DNS Rebinding Protection
+
+The Streamable HTTP transport includes DNS rebinding protection to prevent security vulnerabilities. By default, this protection is **disabled** for backwards compatibility.
+
+**Important**: If you are running this server locally, enable DNS rebinding protection:
+
+```typescript
+const transport = new StreamableHTTPServerTransport({
+  sessionIdGenerator: () => randomUUID(),
+  disableDnsRebindingProtection: false,
+
+  allowedHosts: ['127.0.0.1', ...],
+  allowedOrigins: ['https://yourdomain.com', 'https://www.yourdomain.com']
+});
+```
+
 ### Testing and Debugging
 
 To test your server, you can use the [MCP Inspector](https://github.com/modelcontextprotocol/inspector). See its README for more information.
diff --git a/src/server/streamableHttp.test.ts b/src/server/streamableHttp.test.ts
index b961f6c41..68fe8ee7f 100644
--- a/src/server/streamableHttp.test.ts
+++ b/src/server/streamableHttp.test.ts
@@ -1293,4 +1293,265 @@ describe("StreamableHTTPServerTransport in stateless mode", () => {
     });
     expect(stream2.status).toBe(409); // Conflict - only one stream allowed
   });
-});
\ No newline at end of file
+});
+
+// Test DNS rebinding protection
+describe("StreamableHTTPServerTransport DNS rebinding protection", () => {
+  let server: Server;
+  let transport: StreamableHTTPServerTransport;
+  let baseUrl: URL;
+
+  afterEach(async () => {
+    if (server && transport) {
+      await stopTestServer({ server, transport });
+    }
+  });
+
+  describe("Host header validation", () => {
+    it("should accept requests with allowed host headers", async () => {
+      const result = await createTestServerWithDnsProtection({
+        sessionIdGenerator: undefined,
+        allowedHosts: ['localhost:3001'],
+        disableDnsRebindingProtection: false,
+      });
+      server = result.server;
+      transport = result.transport;
+      baseUrl = result.baseUrl;
+
+      // Note: fetch() automatically sets Host header to match the URL
+      // Since we're connecting to localhost:3001 and that's in allowedHosts, this should work
+      const response = await fetch(baseUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json, text/event-stream",
+        },
+        body: JSON.stringify(TEST_MESSAGES.initialize),
+      });
+
+      expect(response.status).toBe(200);
+    });
+
+    it("should reject requests with disallowed host headers", async () => {
+      // Test DNS rebinding protection by creating a server that only allows example.com
+      // but we're connecting via localhost, so it should be rejected
+      const result = await createTestServerWithDnsProtection({
+        sessionIdGenerator: undefined,
+        allowedHosts: ['example.com:3001'],
+        disableDnsRebindingProtection: false,
+      });
+      server = result.server;
+      transport = result.transport;
+      baseUrl = result.baseUrl;
+
+      const response = await fetch(baseUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json, text/event-stream",
+        },
+        body: JSON.stringify(TEST_MESSAGES.initialize),
+      });
+
+      expect(response.status).toBe(403);
+      const body = await response.json();
+      expect(body.error.message).toContain("Invalid Host header:");
+    });
+
+    it("should reject GET requests with disallowed host headers", async () => {
+      const result = await createTestServerWithDnsProtection({
+        sessionIdGenerator: undefined,
+        allowedHosts: ['example.com:3001'],
+        disableDnsRebindingProtection: false,
+      });
+      server = result.server;
+      transport = result.transport;
+      baseUrl = result.baseUrl;
+
+      const response = await fetch(baseUrl, {
+        method: "GET",
+        headers: {
+          Accept: "text/event-stream",
+        },
+      });
+
+      expect(response.status).toBe(403);
+    });
+  });
+
+  describe("Origin header validation", () => {
+    it("should accept requests with allowed origin headers", async () => {
+      const result = await createTestServerWithDnsProtection({
+        sessionIdGenerator: undefined,
+        allowedOrigins: ['http://localhost:3000', 'https://example.com'],
+        disableDnsRebindingProtection: false,
+      });
+      server = result.server;
+      transport = result.transport;
+      baseUrl = result.baseUrl;
+
+      const response = await fetch(baseUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json, text/event-stream",
+          Origin: "http://localhost:3000",
+        },
+        body: JSON.stringify(TEST_MESSAGES.initialize),
+      });
+
+      expect(response.status).toBe(200);
+    });
+
+    it("should reject requests with disallowed origin headers", async () => {
+      const result = await createTestServerWithDnsProtection({
+        sessionIdGenerator: undefined,
+        allowedOrigins: ['http://localhost:3000'],
+        disableDnsRebindingProtection: false,
+      });
+      server = result.server;
+      transport = result.transport;
+      baseUrl = result.baseUrl;
+
+      const response = await fetch(baseUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json, text/event-stream",
+          Origin: "http://evil.com",
+        },
+        body: JSON.stringify(TEST_MESSAGES.initialize),
+      });
+
+      expect(response.status).toBe(403);
+      const body = await response.json();
+      expect(body.error.message).toBe("Invalid Origin header: http://evil.com");
+    });
+  });
+
+  describe("disableDnsRebindingProtection option", () => {
+    it("should skip all validations when disableDnsRebindingProtection is true", async () => {
+      const result = await createTestServerWithDnsProtection({
+        sessionIdGenerator: undefined,
+        allowedHosts: ['localhost:3001'],
+        allowedOrigins: ['http://localhost:3000'],
+        disableDnsRebindingProtection: true,
+      });
+      server = result.server;
+      transport = result.transport;
+      baseUrl = result.baseUrl;
+
+      const response = await fetch(baseUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json, text/event-stream",
+          Host: "evil.com",
+          Origin: "http://evil.com",
+        },
+        body: JSON.stringify(TEST_MESSAGES.initialize),
+      });
+
+      // Should pass even with invalid headers because protection is disabled
+      expect(response.status).toBe(200);
+    });
+  });
+
+  describe("Combined validations", () => {
+    it("should validate both host and origin when both are configured", async () => {
+      const result = await createTestServerWithDnsProtection({
+        sessionIdGenerator: undefined,
+        allowedHosts: ['localhost:3001'],
+        allowedOrigins: ['http://localhost:3001'],
+        disableDnsRebindingProtection: false,
+      });
+      server = result.server;
+      transport = result.transport;
+      baseUrl = result.baseUrl;
+
+      // Test with invalid origin (host will be automatically correct via fetch)
+      const response1 = await fetch(baseUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json, text/event-stream",
+          Origin: "http://evil.com",
+        },
+        body: JSON.stringify(TEST_MESSAGES.initialize),
+      });
+
+      expect(response1.status).toBe(403);
+      const body1 = await response1.json();
+      expect(body1.error.message).toBe("Invalid Origin header: http://evil.com");
+
+      // Test with valid origin
+      const response2 = await fetch(baseUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json, text/event-stream",
+          Origin: "http://localhost:3001",
+        },
+        body: JSON.stringify(TEST_MESSAGES.initialize),
+      });
+
+      expect(response2.status).toBe(200);
+    });
+  });
+});
+
+/**
+ * Helper to create test server with DNS rebinding protection options
+ */
+async function createTestServerWithDnsProtection(config: {
+  sessionIdGenerator: (() => string) | undefined;
+  allowedHosts?: string[];
+  allowedOrigins?: string[];
+  disableDnsRebindingProtection?: boolean;
+}): Promise<{
+  server: Server;
+  transport: StreamableHTTPServerTransport;
+  mcpServer: McpServer;
+  baseUrl: URL;
+}> {
+  const mcpServer = new McpServer(
+    { name: "test-server", version: "1.0.0" },
+    { capabilities: { logging: {} } }
+  );
+
+  const transport = new StreamableHTTPServerTransport({
+    sessionIdGenerator: config.sessionIdGenerator,
+    allowedHosts: config.allowedHosts,
+    allowedOrigins: config.allowedOrigins,
+    disableDnsRebindingProtection: config.disableDnsRebindingProtection,
+  });
+
+  await mcpServer.connect(transport);
+
+  const httpServer = createServer(async (req, res) => {
+    if (req.method === "POST") {
+      let body = "";
+      req.on("data", (chunk) => (body += chunk));
+      req.on("end", async () => {
+        const parsedBody = JSON.parse(body);
+        await transport.handleRequest(req as IncomingMessage & { auth?: AuthInfo }, res, parsedBody);
+      });
+    } else {
+      await transport.handleRequest(req as IncomingMessage & { auth?: AuthInfo }, res);
+    }
+  });
+
+  await new Promise<void>((resolve) => {
+    httpServer.listen(3001, () => resolve());
+  });
+
+  const port = (httpServer.address() as AddressInfo).port;
+  const serverUrl = new URL(`http://localhost:${port}/`);
+
+  return {
+    server: httpServer,
+    transport,
+    mcpServer,
+    baseUrl: serverUrl,
+  };
+}
\ No newline at end of file
diff --git a/src/server/streamableHttp.ts b/src/server/streamableHttp.ts
index dc99c3065..8feeac558 100644
--- a/src/server/streamableHttp.ts
+++ b/src/server/streamableHttp.ts
@@ -61,6 +61,24 @@ export interface StreamableHTTPServerTransportOptions {
    * If provided, resumability will be enabled, allowing clients to reconnect and resume messages
    */
   eventStore?: EventStore;
+
+  /**
+   * List of allowed host header values for DNS rebinding protection.
+   * If not specified, host validation is disabled.
+   */
+  allowedHosts?: string[];
+  
+  /**
+   * List of allowed origin header values for DNS rebinding protection.
+   * If not specified, origin validation is disabled.
+   */
+  allowedOrigins?: string[];
+  
+  /**
+   * Disable DNS rebinding protection entirely (overrides allowedHosts and allowedOrigins).
+   * Default is true for backwards compatibility.
+   */
+  disableDnsRebindingProtection?: boolean;
 }
 
 /**
@@ -109,6 +127,9 @@ export class StreamableHTTPServerTransport implements Transport {
   private _standaloneSseStreamId: string = '_GET_stream';
   private _eventStore?: EventStore;
   private _onsessioninitialized?: (sessionId: string) => void;
+  private _allowedHosts?: string[];
+  private _allowedOrigins?: string[];
+  private _disableDnsRebindingProtection: boolean;
 
   sessionId?: string | undefined;
   onclose?: () => void;
@@ -120,6 +141,9 @@ export class StreamableHTTPServerTransport implements Transport {
     this._enableJsonResponse = options.enableJsonResponse ?? false;
     this._eventStore = options.eventStore;
     this._onsessioninitialized = options.onsessioninitialized;
+    this._allowedHosts = options.allowedHosts;
+    this._allowedOrigins = options.allowedOrigins;
+    this._disableDnsRebindingProtection = options.disableDnsRebindingProtection ?? true;
   }
 
   /**
@@ -133,10 +157,54 @@ export class StreamableHTTPServerTransport implements Transport {
     this._started = true;
   }
 
+  /**
+   * Validates request headers for DNS rebinding protection.
+   * @returns Error message if validation fails, undefined if validation passes.
+   */
+  private validateRequestHeaders(req: IncomingMessage): string | undefined {
+    // Skip validation if protection is disabled
+    if (this._disableDnsRebindingProtection) {
+      return undefined;
+    }
+
+    // Validate Host header if allowedHosts is configured
+    if (this._allowedHosts && this._allowedHosts.length > 0) {
+      const hostHeader = req.headers.host;
+      if (!hostHeader || !this._allowedHosts.includes(hostHeader)) {
+        return `Invalid Host header: ${hostHeader}`;
+      }
+    }
+
+    // Validate Origin header if allowedOrigins is configured
+    if (this._allowedOrigins && this._allowedOrigins.length > 0) {
+      const originHeader = req.headers.origin;
+      if (!originHeader || !this._allowedOrigins.includes(originHeader)) {
+        return `Invalid Origin header: ${originHeader}`;
+      }
+    }
+
+    return undefined;
+  }
+
   /**
    * Handles an incoming HTTP request, whether GET or POST
    */
   async handleRequest(req: IncomingMessage & { auth?: AuthInfo }, res: ServerResponse, parsedBody?: unknown): Promise<void> {
+    // Validate request headers for DNS rebinding protection
+    const validationError = this.validateRequestHeaders(req);
+    if (validationError) {
+      res.writeHead(403).end(JSON.stringify({
+        jsonrpc: "2.0",
+        error: {
+          code: -32000,
+          message: validationError
+        },
+        id: null
+      }));
+      this.onerror?.(new Error(validationError));
+      return;
+    }
+
     if (req.method === "POST") {
       await this.handlePostRequest(req, res, parsedBody);
     } else if (req.method === "GET") {

From 41c7ed09954d63151c8f96ec8af96a827c399edf Mon Sep 17 00:00:00 2001
From: David Dworken <dworken@anthropic.com>
Date: Thu, 29 May 2025 13:53:31 -0700
Subject: [PATCH 019/147] Revert package-lock change

---
 package-lock.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index ef5393822..40bad9fe2 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.12.1",
+  "version": "1.11.4",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@modelcontextprotocol/sdk",
-      "version": "1.12.1",
+      "version": "1.11.4",
       "license": "MIT",
       "dependencies": {
         "ajv": "^6.12.6",

From 88c6098495522fc34d9554076998363862617df0 Mon Sep 17 00:00:00 2001
From: David Dworken <dworken@anthropic.com>
Date: Thu, 29 May 2025 13:54:49 -0700
Subject: [PATCH 020/147] Clean up

---
 src/server/sse.ts | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/server/sse.ts b/src/server/sse.ts
index 6ef2baefa..65e8c7c89 100644
--- a/src/server/sse.ts
+++ b/src/server/sse.ts
@@ -27,7 +27,6 @@ export interface SSEServerTransportOptions {
   
   /**
    * Disable DNS rebinding protection entirely (overrides allowedHosts and allowedOrigins).
-   * Default is false.
    */
   disableDnsRebindingProtection?: boolean;
 }
@@ -156,7 +155,7 @@ export class SSEServerTransport implements Transport {
     try {
       const ct = contentType.parse(req.headers["content-type"] ?? "");
       if (ct.type !== "application/json") {
-        throw new Error(`Unsupported content-type: ${ct.type}`);
+        throw new Error(`Unsupported content-type: ${ct}`);
       }
 
       body = parsedBody ?? await getRawBody(req, {

From 970905c3131276d1f6b392f060faac91bddbf3fa Mon Sep 17 00:00:00 2001
From: David Dworken <dworken@anthropic.com>
Date: Thu, 29 May 2025 14:01:36 -0700
Subject: [PATCH 021/147] Fix SSE content-type error message format

---
 src/server/sse.test.ts | 2 +-
 src/server/sse.ts      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/server/sse.test.ts b/src/server/sse.test.ts
index 38ba9e599..9fb1f30c3 100644
--- a/src/server/sse.test.ts
+++ b/src/server/sse.test.ts
@@ -264,7 +264,7 @@ describe('SSEServerTransport', () => {
         await transport.handlePostMessage(mockReq, mockHandleRes, { jsonrpc: '2.0', method: 'test' });
 
         expect(mockHandleRes.writeHead).toHaveBeenCalledWith(400);
-        expect(mockHandleRes.end).toHaveBeenCalledWith('Error: Content-Type must start with application/json, got: text/plain');
+        expect(mockHandleRes.end).toHaveBeenCalledWith('Error: Unsupported content-type: text/plain');
       });
     });
 
diff --git a/src/server/sse.ts b/src/server/sse.ts
index 65e8c7c89..73c74bb3f 100644
--- a/src/server/sse.ts
+++ b/src/server/sse.ts
@@ -155,7 +155,7 @@ export class SSEServerTransport implements Transport {
     try {
       const ct = contentType.parse(req.headers["content-type"] ?? "");
       if (ct.type !== "application/json") {
-        throw new Error(`Unsupported content-type: ${ct}`);
+        throw new Error(`Unsupported content-type: ${ct.type}`);
       }
 
       body = parsedBody ?? await getRawBody(req, {

From be063e4bb8e4dcad3e7698a627f6efc9d7e4c065 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Diego=20Garc=C3=ADa?= <diego.garcia@postman.com>
Date: Fri, 30 May 2025 16:05:05 +0200
Subject: [PATCH 022/147] fix: extra Headers when they are a Headers object

---
 src/client/streamableHttp.test.ts | 31 +++++++++++++++++++++++++++++++
 src/client/streamableHttp.ts      | 23 ++++++++++++++++++++---
 2 files changed, 51 insertions(+), 3 deletions(-)

diff --git a/src/client/streamableHttp.test.ts b/src/client/streamableHttp.test.ts
index f748a2be3..11dfe7d41 100644
--- a/src/client/streamableHttp.test.ts
+++ b/src/client/streamableHttp.test.ts
@@ -476,6 +476,37 @@ describe("StreamableHTTPClientTransport", () => {
     expect(global.fetch).toHaveBeenCalledTimes(2);
   });
 
+  it("should always send specified custom headers (Headers class)", async () => {
+    const requestInit = {
+      headers: new Headers({
+        "X-Custom-Header": "CustomValue"
+      })
+    };
+    transport = new StreamableHTTPClientTransport(new URL("http://localhost:1234/mcp"), {
+      requestInit: requestInit
+    });
+
+    let actualReqInit: RequestInit = {};
+
+    ((global.fetch as jest.Mock)).mockImplementation(
+      async (_url, reqInit) => {
+        actualReqInit = reqInit;
+        return new Response(null, { status: 200, headers: { "content-type": "text/event-stream" } });
+      }
+    );
+
+    await transport.start();
+
+    await transport["_startOrAuthSse"]({});
+    expect((actualReqInit.headers as Headers).get("x-custom-header")).toBe("CustomValue");
+
+    (requestInit.headers as Headers).set("X-Custom-Header","SecondCustomValue");
+
+    await transport.send({ jsonrpc: "2.0", method: "test", params: {} } as JSONRPCMessage);
+    expect((actualReqInit.headers as Headers).get("x-custom-header")).toBe("SecondCustomValue");
+
+    expect(global.fetch).toHaveBeenCalledTimes(2);
+  });
 
   it("should have exponential backoff with configurable maxRetries", () => {
     // This test verifies the maxRetries and backoff calculation directly
diff --git a/src/client/streamableHttp.ts b/src/client/streamableHttp.ts
index 1bcfbb2d1..2bb0fdf4a 100644
--- a/src/client/streamableHttp.ts
+++ b/src/client/streamableHttp.ts
@@ -174,9 +174,12 @@ export class StreamableHTTPClientTransport implements Transport {
       headers["mcp-session-id"] = this._sessionId;
     }
 
-    return new Headers(
-      { ...headers, ...this._requestInit?.headers }
-    );
+    const extraHeaders = this._normalizeHeaders(this._requestInit?.headers);
+
+    return new Headers({
+      ...headers,
+      ...extraHeaders,
+    });
   }
 
 
@@ -242,6 +245,20 @@ export class StreamableHTTPClientTransport implements Transport {
 
   }
 
+    private _normalizeHeaders(headers: HeadersInit | undefined): Record<string, string> {
+    if (!headers) return {};
+    
+    if (headers instanceof Headers) {
+      return Object.fromEntries(headers.entries());
+    }
+    
+    if (Array.isArray(headers)) {
+      return Object.fromEntries(headers);
+    }
+    
+    return { ...headers as Record<string, string> };
+  }
+
   /**
    * Schedule a reconnection attempt with exponential backoff
    *

From ab900839fbd450fbd86a1fb0034803a892048c29 Mon Sep 17 00:00:00 2001
From: David Dworken <dworken@anthropic.com>
Date: Fri, 30 May 2025 09:06:01 -0700
Subject: [PATCH 023/147] Invert variable to improve code readability

---
 README.md                         |  4 ++--
 src/server/sse.test.ts            | 12 +++++++++---
 src/server/sse.ts                 | 11 ++++++-----
 src/server/streamableHttp.test.ts | 22 +++++++++++-----------
 src/server/streamableHttp.ts      | 14 +++++++-------
 5 files changed, 35 insertions(+), 28 deletions(-)

diff --git a/README.md b/README.md
index ccc627b27..32037f904 100644
--- a/README.md
+++ b/README.md
@@ -254,7 +254,7 @@ app.post('/mcp', async (req, res) => {
       },
       // DNS rebinding protection is disabled by default for backwards compatibility. If you are running this server
       // locally, make sure to set:
-      // disableDnsRebindingProtection: true,
+      // enableDnsRebindingProtection: true,
       // allowedHosts: ['127.0.0.1'],
     });
 
@@ -399,7 +399,7 @@ The Streamable HTTP transport includes DNS rebinding protection to prevent secur
 ```typescript
 const transport = new StreamableHTTPServerTransport({
   sessionIdGenerator: () => randomUUID(),
-  disableDnsRebindingProtection: false,
+  enableDnsRebindingProtection: true,
 
   allowedHosts: ['127.0.0.1', ...],
   allowedOrigins: ['https://yourdomain.com', 'https://www.yourdomain.com']
diff --git a/src/server/sse.test.ts b/src/server/sse.test.ts
index 9fb1f30c3..aee6eaf69 100644
--- a/src/server/sse.test.ts
+++ b/src/server/sse.test.ts
@@ -125,6 +125,7 @@ describe('SSEServerTransport', () => {
         const mockRes = createMockResponse();
         const transport = new SSEServerTransport('/messages', mockRes, {
           allowedHosts: ['localhost:3000', 'example.com'],
+          enableDnsRebindingProtection: true,
         });
         await transport.start();
 
@@ -144,6 +145,7 @@ describe('SSEServerTransport', () => {
         const mockRes = createMockResponse();
         const transport = new SSEServerTransport('/messages', mockRes, {
           allowedHosts: ['localhost:3000'],
+          enableDnsRebindingProtection: true,
         });
         await transport.start();
 
@@ -163,6 +165,7 @@ describe('SSEServerTransport', () => {
         const mockRes = createMockResponse();
         const transport = new SSEServerTransport('/messages', mockRes, {
           allowedHosts: ['localhost:3000'],
+          enableDnsRebindingProtection: true,
         });
         await transport.start();
 
@@ -183,6 +186,7 @@ describe('SSEServerTransport', () => {
         const mockRes = createMockResponse();
         const transport = new SSEServerTransport('/messages', mockRes, {
           allowedOrigins: ['http://localhost:3000', 'https://example.com'],
+          enableDnsRebindingProtection: true,
         });
         await transport.start();
 
@@ -202,6 +206,7 @@ describe('SSEServerTransport', () => {
         const mockRes = createMockResponse();
         const transport = new SSEServerTransport('/messages', mockRes, {
           allowedOrigins: ['http://localhost:3000'],
+          enableDnsRebindingProtection: true,
         });
         await transport.start();
 
@@ -268,13 +273,13 @@ describe('SSEServerTransport', () => {
       });
     });
 
-    describe('disableDnsRebindingProtection option', () => {
-      it('should skip all validations when disableDnsRebindingProtection is true', async () => {
+    describe('enableDnsRebindingProtection option', () => {
+      it('should skip all validations when enableDnsRebindingProtection is false', async () => {
         const mockRes = createMockResponse();
         const transport = new SSEServerTransport('/messages', mockRes, {
           allowedHosts: ['localhost:3000'],
           allowedOrigins: ['http://localhost:3000'],
-          disableDnsRebindingProtection: true,
+          enableDnsRebindingProtection: false,
         });
         await transport.start();
 
@@ -300,6 +305,7 @@ describe('SSEServerTransport', () => {
         const transport = new SSEServerTransport('/messages', mockRes, {
           allowedHosts: ['localhost:3000'],
           allowedOrigins: ['http://localhost:3000'],
+          enableDnsRebindingProtection: true,
         });
         await transport.start();
 
diff --git a/src/server/sse.ts b/src/server/sse.ts
index 73c74bb3f..bd5d80b93 100644
--- a/src/server/sse.ts
+++ b/src/server/sse.ts
@@ -26,9 +26,10 @@ export interface SSEServerTransportOptions {
   allowedOrigins?: string[];
   
   /**
-   * Disable DNS rebinding protection entirely (overrides allowedHosts and allowedOrigins).
+   * Enable DNS rebinding protection (requires allowedHosts and/or allowedOrigins to be configured).
+   * Default is false for backwards compatibility.
    */
-  disableDnsRebindingProtection?: boolean;
+  enableDnsRebindingProtection?: boolean;
 }
 
 /**
@@ -54,7 +55,7 @@ export class SSEServerTransport implements Transport {
     options?: SSEServerTransportOptions,
   ) {
     this._sessionId = randomUUID();
-    this._options = options || {disableDnsRebindingProtection: true};
+    this._options = options || {enableDnsRebindingProtection: false};
   }
 
   /**
@@ -62,8 +63,8 @@ export class SSEServerTransport implements Transport {
    * @returns Error message if validation fails, undefined if validation passes.
    */
   private validateRequestHeaders(req: IncomingMessage): string | undefined {
-    // Skip validation if protection is disabled
-    if (this._options.disableDnsRebindingProtection) {
+    // Skip validation if protection is not enabled
+    if (!this._options.enableDnsRebindingProtection) {
       return undefined;
     }
 
diff --git a/src/server/streamableHttp.test.ts b/src/server/streamableHttp.test.ts
index 68fe8ee7f..4683024b1 100644
--- a/src/server/streamableHttp.test.ts
+++ b/src/server/streamableHttp.test.ts
@@ -1312,7 +1312,7 @@ describe("StreamableHTTPServerTransport DNS rebinding protection", () => {
       const result = await createTestServerWithDnsProtection({
         sessionIdGenerator: undefined,
         allowedHosts: ['localhost:3001'],
-        disableDnsRebindingProtection: false,
+        enableDnsRebindingProtection: true,
       });
       server = result.server;
       transport = result.transport;
@@ -1338,7 +1338,7 @@ describe("StreamableHTTPServerTransport DNS rebinding protection", () => {
       const result = await createTestServerWithDnsProtection({
         sessionIdGenerator: undefined,
         allowedHosts: ['example.com:3001'],
-        disableDnsRebindingProtection: false,
+        enableDnsRebindingProtection: true,
       });
       server = result.server;
       transport = result.transport;
@@ -1362,7 +1362,7 @@ describe("StreamableHTTPServerTransport DNS rebinding protection", () => {
       const result = await createTestServerWithDnsProtection({
         sessionIdGenerator: undefined,
         allowedHosts: ['example.com:3001'],
-        disableDnsRebindingProtection: false,
+        enableDnsRebindingProtection: true,
       });
       server = result.server;
       transport = result.transport;
@@ -1384,7 +1384,7 @@ describe("StreamableHTTPServerTransport DNS rebinding protection", () => {
       const result = await createTestServerWithDnsProtection({
         sessionIdGenerator: undefined,
         allowedOrigins: ['http://localhost:3000', 'https://example.com'],
-        disableDnsRebindingProtection: false,
+        enableDnsRebindingProtection: true,
       });
       server = result.server;
       transport = result.transport;
@@ -1407,7 +1407,7 @@ describe("StreamableHTTPServerTransport DNS rebinding protection", () => {
       const result = await createTestServerWithDnsProtection({
         sessionIdGenerator: undefined,
         allowedOrigins: ['http://localhost:3000'],
-        disableDnsRebindingProtection: false,
+        enableDnsRebindingProtection: true,
       });
       server = result.server;
       transport = result.transport;
@@ -1429,13 +1429,13 @@ describe("StreamableHTTPServerTransport DNS rebinding protection", () => {
     });
   });
 
-  describe("disableDnsRebindingProtection option", () => {
-    it("should skip all validations when disableDnsRebindingProtection is true", async () => {
+  describe("enableDnsRebindingProtection option", () => {
+    it("should skip all validations when enableDnsRebindingProtection is false", async () => {
       const result = await createTestServerWithDnsProtection({
         sessionIdGenerator: undefined,
         allowedHosts: ['localhost:3001'],
         allowedOrigins: ['http://localhost:3000'],
-        disableDnsRebindingProtection: true,
+        enableDnsRebindingProtection: false,
       });
       server = result.server;
       transport = result.transport;
@@ -1463,7 +1463,7 @@ describe("StreamableHTTPServerTransport DNS rebinding protection", () => {
         sessionIdGenerator: undefined,
         allowedHosts: ['localhost:3001'],
         allowedOrigins: ['http://localhost:3001'],
-        disableDnsRebindingProtection: false,
+        enableDnsRebindingProtection: true,
       });
       server = result.server;
       transport = result.transport;
@@ -1507,7 +1507,7 @@ async function createTestServerWithDnsProtection(config: {
   sessionIdGenerator: (() => string) | undefined;
   allowedHosts?: string[];
   allowedOrigins?: string[];
-  disableDnsRebindingProtection?: boolean;
+  enableDnsRebindingProtection?: boolean;
 }): Promise<{
   server: Server;
   transport: StreamableHTTPServerTransport;
@@ -1523,7 +1523,7 @@ async function createTestServerWithDnsProtection(config: {
     sessionIdGenerator: config.sessionIdGenerator,
     allowedHosts: config.allowedHosts,
     allowedOrigins: config.allowedOrigins,
-    disableDnsRebindingProtection: config.disableDnsRebindingProtection,
+    enableDnsRebindingProtection: config.enableDnsRebindingProtection,
   });
 
   await mcpServer.connect(transport);
diff --git a/src/server/streamableHttp.ts b/src/server/streamableHttp.ts
index 8feeac558..084147dc7 100644
--- a/src/server/streamableHttp.ts
+++ b/src/server/streamableHttp.ts
@@ -75,10 +75,10 @@ export interface StreamableHTTPServerTransportOptions {
   allowedOrigins?: string[];
   
   /**
-   * Disable DNS rebinding protection entirely (overrides allowedHosts and allowedOrigins).
-   * Default is true for backwards compatibility.
+   * Enable DNS rebinding protection (requires allowedHosts and/or allowedOrigins to be configured).
+   * Default is false for backwards compatibility.
    */
-  disableDnsRebindingProtection?: boolean;
+  enableDnsRebindingProtection?: boolean;
 }
 
 /**
@@ -129,7 +129,7 @@ export class StreamableHTTPServerTransport implements Transport {
   private _onsessioninitialized?: (sessionId: string) => void;
   private _allowedHosts?: string[];
   private _allowedOrigins?: string[];
-  private _disableDnsRebindingProtection: boolean;
+  private _enableDnsRebindingProtection: boolean;
 
   sessionId?: string | undefined;
   onclose?: () => void;
@@ -143,7 +143,7 @@ export class StreamableHTTPServerTransport implements Transport {
     this._onsessioninitialized = options.onsessioninitialized;
     this._allowedHosts = options.allowedHosts;
     this._allowedOrigins = options.allowedOrigins;
-    this._disableDnsRebindingProtection = options.disableDnsRebindingProtection ?? true;
+    this._enableDnsRebindingProtection = options.enableDnsRebindingProtection ?? false;
   }
 
   /**
@@ -162,8 +162,8 @@ export class StreamableHTTPServerTransport implements Transport {
    * @returns Error message if validation fails, undefined if validation passes.
    */
   private validateRequestHeaders(req: IncomingMessage): string | undefined {
-    // Skip validation if protection is disabled
-    if (this._disableDnsRebindingProtection) {
+    // Skip validation if protection is not enabled
+    if (!this._enableDnsRebindingProtection) {
       return undefined;
     }
 

From 6cf034595dbfb58c2061a370a49da4078e429d1e Mon Sep 17 00:00:00 2001
From: Carl Peaslee <carl@loopwork.com>
Date: Fri, 30 May 2025 11:32:10 -0700
Subject: [PATCH 024/147] updates listed resources from resource templates to
 favor their own metadata

---
 src/server/mcp.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/server/mcp.ts b/src/server/mcp.ts
index 5b864b8b4..65ed1b8f1 100644
--- a/src/server/mcp.ts
+++ b/src/server/mcp.ts
@@ -369,8 +369,9 @@ export class McpServer {
           const result = await template.resourceTemplate.listCallback(extra);
           for (const resource of result.resources) {
             templateResources.push({
-              ...resource,
               ...template.metadata,
+              // the defined resource metadata should override the template metadata if present
+              ...resource,
             });
           }
         }

From 921ce70fa3acf1cb626bc7ff5088f358727be335 Mon Sep 17 00:00:00 2001
From: sinedied <noda@free.fr>
Date: Mon, 9 Jun 2025 14:17:53 +0200
Subject: [PATCH 025/147] fix: missing "properties" property in empty schema

---
 src/server/mcp.test.ts | 1 +
 src/server/mcp.ts      | 1 +
 2 files changed, 2 insertions(+)

diff --git a/src/server/mcp.test.ts b/src/server/mcp.test.ts
index 49f852d65..fd71443df 100644
--- a/src/server/mcp.test.ts
+++ b/src/server/mcp.test.ts
@@ -265,6 +265,7 @@ describe("tool()", () => {
     expect(result.tools[0].name).toBe("test");
     expect(result.tools[0].inputSchema).toEqual({
       type: "object",
+      properties: {},
     });
 
     // Adding the tool before the connection was established means no notification was sent
diff --git a/src/server/mcp.ts b/src/server/mcp.ts
index 5b864b8b4..436a948fd 100644
--- a/src/server/mcp.ts
+++ b/src/server/mcp.ts
@@ -1018,6 +1018,7 @@ export type RegisteredTool = {
 
 const EMPTY_OBJECT_JSON_SCHEMA = {
   type: "object" as const,
+  properties: {},
 };
 
 // Helper to check if an object is a Zod schema (ZodRawShape)

From 2d61b4b8fc0a63162a4b64aa52793af7e9f27d15 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Tue, 10 Jun 2025 15:52:20 +0100
Subject: [PATCH 026/147] adding README

---
 README.md              | 102 +++++++++++++++++
 src/server/mcp.test.ts | 255 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 357 insertions(+)

diff --git a/README.md b/README.md
index c9e27c275..6c1007353 100644
--- a/README.md
+++ b/README.md
@@ -635,6 +635,108 @@ const transport = new StdioServerTransport();
 await server.connect(transport);
 ```
 
+### Eliciting User Input
+
+MCP servers can request additional information from users through the elicitation feature. This is useful for interactive workflows where the server needs user input or confirmation:
+
+```typescript
+// Server-side: Restaurant booking tool that asks for alternatives
+server.tool(
+  "book-restaurant",
+  { 
+    restaurant: z.string(),
+    date: z.string(),
+    partySize: z.number()
+  },
+  async ({ restaurant, date, partySize }) => {
+    // Check availability
+    const available = await checkAvailability(restaurant, date, partySize);
+    
+    if (!available) {
+      // Ask user if they want to try alternative dates
+      const result = await server.server.elicitInput({
+        message: `No tables available at ${restaurant} on ${date}. Would you like to check alternative dates?`,
+        requestedSchema: {
+          type: "object",
+          properties: {
+            checkAlternatives: {
+              type: "boolean",
+              title: "Check alternative dates",
+              description: "Would you like me to check other dates?"
+            },
+            flexibleDates: {
+              type: "string",
+              title: "Date flexibility",
+              description: "How flexible are your dates?",
+              enum: ["next_day", "same_week", "next_week"],
+              enumNames: ["Next day", "Same week", "Next week"]
+            }
+          },
+          required: ["checkAlternatives"]
+        }
+      });
+
+      if (result.action === "accept" && result.content?.checkAlternatives) {
+        const alternatives = await findAlternatives(
+          restaurant, 
+          date, 
+          partySize, 
+          result.content.flexibleDates as string
+        );
+        return {
+          content: [{
+            type: "text",
+            text: `Found these alternatives: ${alternatives.join(", ")}`
+          }]
+        };
+      }
+      
+      return {
+        content: [{
+          type: "text",
+          text: "No booking made. Original date not available."
+        }]
+      };
+    }
+    
+    // Book the table
+    await makeBooking(restaurant, date, partySize);
+    return {
+      content: [{
+        type: "text",
+        text: `Booked table for ${partySize} at ${restaurant} on ${date}`
+      }]
+    };
+  }
+);
+
+// Client-side: Handle elicitation requests
+
+
+// This is a placeholder - implement based on your UI framework
+async function getInputFromUser(message: string, schema: any): Promise<{
+  action: "accept" | "decline" | "cancel";
+  data?: Record<string, any>;
+}> {
+  // This should be implemented depending on the app
+  throw new Error("getInputFromUser must be implemented for your platform");
+}
+
+client.setRequestHandler(ElicitRequestSchema, async (request) => {
+  const userResponse = await getInputFromUser(
+    request.params.message, 
+    request.params.requestedSchema
+  );
+  
+  return {
+    action: userResponse.action,
+    content: userResponse.action === "accept" ? userResponse.data : undefined
+  };
+});
+```
+
+**Note**: Elicitation requires client support. Clients must declare the `elicitation` capability during initialization.
+
 ### Writing MCP Clients
 
 The SDK provides a high-level client interface:
diff --git a/src/server/mcp.test.ts b/src/server/mcp.test.ts
index 0ba1998d2..bcf09d520 100644
--- a/src/server/mcp.test.ts
+++ b/src/server/mcp.test.ts
@@ -14,6 +14,7 @@ import {
   LoggingMessageNotificationSchema,
   Notification,
   TextContent,
+  ElicitRequestSchema,
 } from "../types.js";
 import { ResourceTemplate } from "./mcp.js";
 import { completable } from "./completable.js";
@@ -3457,4 +3458,258 @@ describe("prompt()", () => {
     expect(typeof receivedRequestId === 'string' || typeof receivedRequestId === 'number').toBe(true);
     expect(result.messages[0].content.text).toContain("Received request ID:");
   });
+
+  /**
+   * Test: Restaurant booking example with elicitation from README
+   */
+  describe("Restaurant booking elicitation example", () => {
+    // Mock restaurant booking functions
+    const checkAvailability = jest.fn().mockResolvedValue(false);
+    const findAlternatives = jest.fn().mockResolvedValue([]);
+    const makeBooking = jest.fn().mockResolvedValue("BOOKING-123");
+
+    let mcpServer: McpServer;
+    let client: Client;
+
+    beforeEach(() => {
+      // Reset mocks
+      jest.clearAllMocks();
+      
+      // Create server with restaurant booking tool
+      mcpServer = new McpServer({
+        name: "restaurant-booking-server",
+        version: "1.0.0",
+      });
+
+      // Register the restaurant booking tool from README example
+      mcpServer.tool(
+        "book-restaurant",
+        { 
+          restaurant: z.string(),
+          date: z.string(),
+          partySize: z.number()
+        },
+        async ({ restaurant, date, partySize }) => {
+          // Check availability
+          const available = await checkAvailability(restaurant, date, partySize);
+          
+          if (!available) {
+            // Ask user if they want to try alternative dates
+            const result = await mcpServer.server.elicitInput({
+              message: `No tables available at ${restaurant} on ${date}. Would you like to check alternative dates?`,
+              requestedSchema: {
+                type: "object",
+                properties: {
+                  checkAlternatives: {
+                    type: "boolean",
+                    title: "Check alternative dates",
+                    description: "Would you like me to check other dates?"
+                  },
+                  flexibleDates: {
+                    type: "string",
+                    title: "Date flexibility",
+                    description: "How flexible are your dates?",
+                    enum: ["next_day", "same_week", "next_week"],
+                    enumNames: ["Next day", "Same week", "Next week"]
+                  }
+                },
+                required: ["checkAlternatives"]
+              }
+            });
+
+            if (result.action === "accept" && result.content?.checkAlternatives) {
+              const alternatives = await findAlternatives(
+                restaurant, 
+                date, 
+                partySize, 
+                result.content.flexibleDates as string
+              );
+              return {
+                content: [{
+                  type: "text",
+                  text: `Found these alternatives: ${alternatives.join(", ")}`
+                }]
+              };
+            }
+            
+            return {
+              content: [{
+                type: "text",
+                text: "No booking made. Original date not available."
+              }]
+            };
+          }
+          
+          // Book the table
+          await makeBooking(restaurant, date, partySize);
+          return {
+            content: [{
+              type: "text",
+              text: `Booked table for ${partySize} at ${restaurant} on ${date}`
+            }]
+          };
+        }
+      );
+
+      // Create client with elicitation capability
+      client = new Client(
+        {
+          name: "test-client",
+          version: "1.0.0",
+        },
+        {
+          capabilities: {
+            elicitation: {},
+          },
+        }
+      );
+    });
+
+    test("should successfully book when table is available", async () => {
+      // Mock availability check to return true
+      checkAvailability.mockResolvedValue(true);
+      makeBooking.mockResolvedValue("BOOKING-123");
+
+      const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+      
+      await Promise.all([
+        client.connect(clientTransport),
+        mcpServer.server.connect(serverTransport),
+      ]);
+
+      // Call the tool
+      const result = await client.callTool({
+        name: "book-restaurant",
+        arguments: {
+          restaurant: "ABC Restaurant",
+          date: "2024-12-25",
+          partySize: 2
+        }
+      });
+
+      expect(checkAvailability).toHaveBeenCalledWith("ABC Restaurant", "2024-12-25", 2);
+      expect(makeBooking).toHaveBeenCalledWith("ABC Restaurant", "2024-12-25", 2);
+      expect(result.content).toEqual([{
+        type: "text",
+        text: "Booked table for 2 at ABC Restaurant on 2024-12-25"
+      }]);
+    });
+
+    test("should ask for alternatives when no availability and user accepts", async () => {
+      // Mock availability check to return false
+      checkAvailability.mockResolvedValue(false);
+      findAlternatives.mockResolvedValue(["2024-12-26", "2024-12-27", "2024-12-28"]);
+
+      // Set up client to accept alternative date checking
+      client.setRequestHandler(ElicitRequestSchema, async (request) => {
+        expect(request.params.message).toContain("No tables available at ABC Restaurant on 2024-12-25");
+        return {
+          action: "accept",
+          content: {
+            checkAlternatives: true,
+            flexibleDates: "same_week"
+          }
+        };
+      });
+
+      const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+      
+      await Promise.all([
+        client.connect(clientTransport),
+        mcpServer.server.connect(serverTransport),
+      ]);
+
+      // Call the tool
+      const result = await client.callTool({
+        name: "book-restaurant",
+        arguments: {
+          restaurant: "ABC Restaurant",
+          date: "2024-12-25",
+          partySize: 2
+        }
+      });
+
+      expect(checkAvailability).toHaveBeenCalledWith("ABC Restaurant", "2024-12-25", 2);
+      expect(findAlternatives).toHaveBeenCalledWith("ABC Restaurant", "2024-12-25", 2, "same_week");
+      expect(result.content).toEqual([{
+        type: "text",
+        text: "Found these alternatives: 2024-12-26, 2024-12-27, 2024-12-28"
+      }]);
+    });
+
+    test("should handle user declining to check alternatives", async () => {
+      // Mock availability check to return false
+      checkAvailability.mockResolvedValue(false);
+
+      // Set up client to decline alternative date checking
+      client.setRequestHandler(ElicitRequestSchema, async () => {
+        return {
+          action: "accept",
+          content: {
+            checkAlternatives: false
+          }
+        };
+      });
+
+      const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+      
+      await Promise.all([
+        client.connect(clientTransport),
+        mcpServer.server.connect(serverTransport),
+      ]);
+
+      // Call the tool
+      const result = await client.callTool({
+        name: "book-restaurant",
+        arguments: {
+          restaurant: "ABC Restaurant",
+          date: "2024-12-25",
+          partySize: 2
+        }
+      });
+
+      expect(checkAvailability).toHaveBeenCalledWith("ABC Restaurant", "2024-12-25", 2);
+      expect(findAlternatives).not.toHaveBeenCalled();
+      expect(result.content).toEqual([{
+        type: "text",
+        text: "No booking made. Original date not available."
+      }]);
+    });
+
+    test("should handle user cancelling the elicitation", async () => {
+      // Mock availability check to return false
+      checkAvailability.mockResolvedValue(false);
+
+      // Set up client to cancel the elicitation
+      client.setRequestHandler(ElicitRequestSchema, async () => {
+        return {
+          action: "cancel"
+        };
+      });
+
+      const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+      
+      await Promise.all([
+        client.connect(clientTransport),
+        mcpServer.server.connect(serverTransport),
+      ]);
+
+      // Call the tool
+      const result = await client.callTool({
+        name: "book-restaurant",
+        arguments: {
+          restaurant: "ABC Restaurant",
+          date: "2024-12-25",
+          partySize: 2
+        }
+      });
+
+      expect(checkAvailability).toHaveBeenCalledWith("ABC Restaurant", "2024-12-25", 2);
+      expect(findAlternatives).not.toHaveBeenCalled();
+      expect(result.content).toEqual([{
+        type: "text",
+        text: "No booking made. Original date not available."
+      }]);
+    });
+  });
 });

From c08871998530d3f5f10e53d52342c645e2a73230 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Tue, 10 Jun 2025 17:26:48 +0100
Subject: [PATCH 027/147] tests

---
 src/server/mcp.test.ts | 399 +++++++++++++++++++----------------------
 1 file changed, 182 insertions(+), 217 deletions(-)

diff --git a/src/server/mcp.test.ts b/src/server/mcp.test.ts
index bcf09d520..7cb0c4894 100644
--- a/src/server/mcp.test.ts
+++ b/src/server/mcp.test.ts
@@ -3458,258 +3458,223 @@ describe("prompt()", () => {
     expect(typeof receivedRequestId === 'string' || typeof receivedRequestId === 'number').toBe(true);
     expect(result.messages[0].content.text).toContain("Received request ID:");
   });
+});
 
-  /**
-   * Test: Restaurant booking example with elicitation from README
-   */
-  describe("Restaurant booking elicitation example", () => {
-    // Mock restaurant booking functions
-    const checkAvailability = jest.fn().mockResolvedValue(false);
-    const findAlternatives = jest.fn().mockResolvedValue([]);
-    const makeBooking = jest.fn().mockResolvedValue("BOOKING-123");
-
-    let mcpServer: McpServer;
-    let client: Client;
-
-    beforeEach(() => {
-      // Reset mocks
-      jest.clearAllMocks();
-      
-      // Create server with restaurant booking tool
-      mcpServer = new McpServer({
-        name: "restaurant-booking-server",
-        version: "1.0.0",
-      });
-
-      // Register the restaurant booking tool from README example
-      mcpServer.tool(
-        "book-restaurant",
-        { 
-          restaurant: z.string(),
-          date: z.string(),
-          partySize: z.number()
-        },
-        async ({ restaurant, date, partySize }) => {
-          // Check availability
-          const available = await checkAvailability(restaurant, date, partySize);
-          
-          if (!available) {
-            // Ask user if they want to try alternative dates
-            const result = await mcpServer.server.elicitInput({
-              message: `No tables available at ${restaurant} on ${date}. Would you like to check alternative dates?`,
-              requestedSchema: {
-                type: "object",
-                properties: {
-                  checkAlternatives: {
-                    type: "boolean",
-                    title: "Check alternative dates",
-                    description: "Would you like me to check other dates?"
-                  },
-                  flexibleDates: {
-                    type: "string",
-                    title: "Date flexibility",
-                    description: "How flexible are your dates?",
-                    enum: ["next_day", "same_week", "next_week"],
-                    enumNames: ["Next day", "Same week", "Next week"]
-                  }
-                },
-                required: ["checkAlternatives"]
-              }
-            });
+describe("elicitInput()", () => {
+
+  const checkAvailability = jest.fn().mockResolvedValue(false);
+  const findAlternatives = jest.fn().mockResolvedValue([]);
+  const makeBooking = jest.fn().mockResolvedValue("BOOKING-123");
+
+  let mcpServer: McpServer;
+  let client: Client;
 
-            if (result.action === "accept" && result.content?.checkAlternatives) {
-              const alternatives = await findAlternatives(
-                restaurant, 
-                date, 
-                partySize, 
-                result.content.flexibleDates as string
-              );
-              return {
-                content: [{
-                  type: "text",
-                  text: `Found these alternatives: ${alternatives.join(", ")}`
-                }]
-              };
+  beforeEach(() => {
+    jest.clearAllMocks();
+
+    // Create server with restaurant booking tool
+    mcpServer = new McpServer({
+      name: "restaurant-booking-server",
+      version: "1.0.0",
+    });
+
+    // Register the restaurant booking tool from README example
+    mcpServer.tool(
+      "book-restaurant",
+      {
+        restaurant: z.string(),
+        date: z.string(),
+        partySize: z.number()
+      },
+      async ({ restaurant, date, partySize }) => {
+        // Check availability
+        const available = await checkAvailability(restaurant, date, partySize);
+
+        if (!available) {
+          // Ask user if they want to try alternative dates
+          const result = await mcpServer.server.elicitInput({
+            message: `No tables available at ${restaurant} on ${date}. Would you like to check alternative dates?`,
+            requestedSchema: {
+              type: "object",
+              properties: {
+                checkAlternatives: {
+                  type: "boolean",
+                  title: "Check alternative dates",
+                  description: "Would you like me to check other dates?"
+                },
+                flexibleDates: {
+                  type: "string",
+                  title: "Date flexibility",
+                  description: "How flexible are your dates?",
+                  enum: ["next_day", "same_week", "next_week"],
+                  enumNames: ["Next day", "Same week", "Next week"]
+                }
+              },
+              required: ["checkAlternatives"]
             }
-            
+          });
+
+          if (result.action === "accept" && result.content?.checkAlternatives) {
+            const alternatives = await findAlternatives(
+              restaurant,
+              date,
+              partySize,
+              result.content.flexibleDates as string
+            );
             return {
               content: [{
                 type: "text",
-                text: "No booking made. Original date not available."
+                text: `Found these alternatives: ${alternatives.join(", ")}`
               }]
             };
           }
-          
-          // Book the table
-          await makeBooking(restaurant, date, partySize);
+
           return {
             content: [{
               type: "text",
-              text: `Booked table for ${partySize} at ${restaurant} on ${date}`
+              text: "No booking made. Original date not available."
             }]
           };
         }
-      );
 
-      // Create client with elicitation capability
-      client = new Client(
-        {
-          name: "test-client",
-          version: "1.0.0",
+        await makeBooking(restaurant, date, partySize);
+        return {
+          content: [{
+            type: "text",
+            text: `Booked table for ${partySize} at ${restaurant} on ${date}`
+          }]
+        };
+      }
+    );
+
+    // Create client with elicitation capability
+    client = new Client(
+      {
+        name: "test-client",
+        version: "1.0.0",
+      },
+      {
+        capabilities: {
+          elicitation: {},
         },
-        {
-          capabilities: {
-            elicitation: {},
-          },
+      }
+    );
+  });
+
+  test("should successfully elicit additional information", async () => {
+    // Mock availability check to return false
+    checkAvailability.mockResolvedValue(false);
+    findAlternatives.mockResolvedValue(["2024-12-26", "2024-12-27", "2024-12-28"]);
+
+    // Set up client to accept alternative date checking
+    client.setRequestHandler(ElicitRequestSchema, async (request) => {
+      expect(request.params.message).toContain("No tables available at ABC Restaurant on 2024-12-25");
+      return {
+        action: "accept",
+        content: {
+          checkAlternatives: true,
+          flexibleDates: "same_week"
         }
-      );
+      };
     });
 
-    test("should successfully book when table is available", async () => {
-      // Mock availability check to return true
-      checkAvailability.mockResolvedValue(true);
-      makeBooking.mockResolvedValue("BOOKING-123");
-
-      const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
-      
-      await Promise.all([
-        client.connect(clientTransport),
-        mcpServer.server.connect(serverTransport),
-      ]);
+    const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
 
-      // Call the tool
-      const result = await client.callTool({
-        name: "book-restaurant",
-        arguments: {
-          restaurant: "ABC Restaurant",
-          date: "2024-12-25",
-          partySize: 2
-        }
-      });
+    await Promise.all([
+      client.connect(clientTransport),
+      mcpServer.server.connect(serverTransport),
+    ]);
 
-      expect(checkAvailability).toHaveBeenCalledWith("ABC Restaurant", "2024-12-25", 2);
-      expect(makeBooking).toHaveBeenCalledWith("ABC Restaurant", "2024-12-25", 2);
-      expect(result.content).toEqual([{
-        type: "text",
-        text: "Booked table for 2 at ABC Restaurant on 2024-12-25"
-      }]);
+    // Call the tool
+    const result = await client.callTool({
+      name: "book-restaurant",
+      arguments: {
+        restaurant: "ABC Restaurant",
+        date: "2024-12-25",
+        partySize: 2
+      }
     });
 
-    test("should ask for alternatives when no availability and user accepts", async () => {
-      // Mock availability check to return false
-      checkAvailability.mockResolvedValue(false);
-      findAlternatives.mockResolvedValue(["2024-12-26", "2024-12-27", "2024-12-28"]);
+    expect(checkAvailability).toHaveBeenCalledWith("ABC Restaurant", "2024-12-25", 2);
+    expect(findAlternatives).toHaveBeenCalledWith("ABC Restaurant", "2024-12-25", 2, "same_week");
+    expect(result.content).toEqual([{
+      type: "text",
+      text: "Found these alternatives: 2024-12-26, 2024-12-27, 2024-12-28"
+    }]);
+  });
 
-      // Set up client to accept alternative date checking
-      client.setRequestHandler(ElicitRequestSchema, async (request) => {
-        expect(request.params.message).toContain("No tables available at ABC Restaurant on 2024-12-25");
-        return {
-          action: "accept",
-          content: {
-            checkAlternatives: true,
-            flexibleDates: "same_week"
-          }
-        };
-      });
-
-      const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
-      
-      await Promise.all([
-        client.connect(clientTransport),
-        mcpServer.server.connect(serverTransport),
-      ]);
-
-      // Call the tool
-      const result = await client.callTool({
-        name: "book-restaurant",
-        arguments: {
-          restaurant: "ABC Restaurant",
-          date: "2024-12-25",
-          partySize: 2
+  test("should handle user declining to elicitation request", async () => {
+    // Mock availability check to return false
+    checkAvailability.mockResolvedValue(false);
+
+    // Set up client to decline alternative date checking
+    client.setRequestHandler(ElicitRequestSchema, async () => {
+      return {
+        action: "accept",
+        content: {
+          checkAlternatives: false
         }
-      });
+      };
+    });
 
-      expect(checkAvailability).toHaveBeenCalledWith("ABC Restaurant", "2024-12-25", 2);
-      expect(findAlternatives).toHaveBeenCalledWith("ABC Restaurant", "2024-12-25", 2, "same_week");
-      expect(result.content).toEqual([{
-        type: "text",
-        text: "Found these alternatives: 2024-12-26, 2024-12-27, 2024-12-28"
-      }]);
+    const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+
+    await Promise.all([
+      client.connect(clientTransport),
+      mcpServer.server.connect(serverTransport),
+    ]);
+
+    // Call the tool
+    const result = await client.callTool({
+      name: "book-restaurant",
+      arguments: {
+        restaurant: "ABC Restaurant",
+        date: "2024-12-25",
+        partySize: 2
+      }
     });
 
-    test("should handle user declining to check alternatives", async () => {
-      // Mock availability check to return false
-      checkAvailability.mockResolvedValue(false);
+    expect(checkAvailability).toHaveBeenCalledWith("ABC Restaurant", "2024-12-25", 2);
+    expect(findAlternatives).not.toHaveBeenCalled();
+    expect(result.content).toEqual([{
+      type: "text",
+      text: "No booking made. Original date not available."
+    }]);
+  });
 
-      // Set up client to decline alternative date checking
-      client.setRequestHandler(ElicitRequestSchema, async () => {
-        return {
-          action: "accept",
-          content: {
-            checkAlternatives: false
-          }
-        };
-      });
-
-      const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
-      
-      await Promise.all([
-        client.connect(clientTransport),
-        mcpServer.server.connect(serverTransport),
-      ]);
-
-      // Call the tool
-      const result = await client.callTool({
-        name: "book-restaurant",
-        arguments: {
-          restaurant: "ABC Restaurant",
-          date: "2024-12-25",
-          partySize: 2
-        }
-      });
+  test("should handle user cancelling the elicitation", async () => {
+    // Mock availability check to return false
+    checkAvailability.mockResolvedValue(false);
 
-      expect(checkAvailability).toHaveBeenCalledWith("ABC Restaurant", "2024-12-25", 2);
-      expect(findAlternatives).not.toHaveBeenCalled();
-      expect(result.content).toEqual([{
-        type: "text",
-        text: "No booking made. Original date not available."
-      }]);
+    // Set up client to cancel the elicitation
+    client.setRequestHandler(ElicitRequestSchema, async () => {
+      return {
+        action: "cancel"
+      };
     });
 
-    test("should handle user cancelling the elicitation", async () => {
-      // Mock availability check to return false
-      checkAvailability.mockResolvedValue(false);
+    const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
 
-      // Set up client to cancel the elicitation
-      client.setRequestHandler(ElicitRequestSchema, async () => {
-        return {
-          action: "cancel"
-        };
-      });
-
-      const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
-      
-      await Promise.all([
-        client.connect(clientTransport),
-        mcpServer.server.connect(serverTransport),
-      ]);
-
-      // Call the tool
-      const result = await client.callTool({
-        name: "book-restaurant",
-        arguments: {
-          restaurant: "ABC Restaurant",
-          date: "2024-12-25",
-          partySize: 2
-        }
-      });
+    await Promise.all([
+      client.connect(clientTransport),
+      mcpServer.server.connect(serverTransport),
+    ]);
 
-      expect(checkAvailability).toHaveBeenCalledWith("ABC Restaurant", "2024-12-25", 2);
-      expect(findAlternatives).not.toHaveBeenCalled();
-      expect(result.content).toEqual([{
-        type: "text",
-        text: "No booking made. Original date not available."
-      }]);
+    // Call the tool
+    const result = await client.callTool({
+      name: "book-restaurant",
+      arguments: {
+        restaurant: "ABC Restaurant",
+        date: "2024-12-25",
+        partySize: 2
+      }
     });
+
+    expect(checkAvailability).toHaveBeenCalledWith("ABC Restaurant", "2024-12-25", 2);
+    expect(findAlternatives).not.toHaveBeenCalled();
+    expect(result.content).toEqual([{
+      type: "text",
+      text: "No booking made. Original date not available."
+    }]);
   });
 });

From 84971c83ea19f6481f72e4e489f101c8a2055458 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Tue, 10 Jun 2025 14:07:10 +0100
Subject: [PATCH 028/147] Set Mcp-Protocol-Version in client requests after
 init, and warn when it doesn't match negotiated version (it SHOULD match)

---
 src/client/index.ts                           |   2 +
 src/client/sse.ts                             |  14 +-
 src/client/streamableHttp.ts                  |   6 +-
 .../stateManagementStreamableHttp.test.ts     |  21 +++
 src/server/index.ts                           |  11 +-
 src/server/sse.ts                             |   1 +
 src/server/streamableHttp.test.ts             | 145 +++++++++++++++++-
 src/server/streamableHttp.ts                  |  55 ++++++-
 src/shared/transport.ts                       |   7 +
 9 files changed, 243 insertions(+), 19 deletions(-)

diff --git a/src/client/index.ts b/src/client/index.ts
index 98618a171..0e7d6cf47 100644
--- a/src/client/index.ts
+++ b/src/client/index.ts
@@ -165,6 +165,8 @@ export class Client<
 
       this._serverCapabilities = result.capabilities;
       this._serverVersion = result.serverInfo;
+      // HTTP transports must set the protocol version in each header after initialization.
+      transport.protocolVersion = result.protocolVersion;
 
       this._instructions = result.instructions;
 
diff --git a/src/client/sse.ts b/src/client/sse.ts
index 7939e8cb5..a80e06eb7 100644
--- a/src/client/sse.ts
+++ b/src/client/sse.ts
@@ -62,6 +62,7 @@ export class SSEClientTransport implements Transport {
   private _eventSourceInit?: EventSourceInit;
   private _requestInit?: RequestInit;
   private _authProvider?: OAuthClientProvider;
+  protocolVersion?: string;
 
   onclose?: () => void;
   onerror?: (error: Error) => void;
@@ -99,13 +100,18 @@ export class SSEClientTransport implements Transport {
   }
 
   private async _commonHeaders(): Promise<HeadersInit> {
-    const headers: HeadersInit = { ...this._requestInit?.headers };
+    const headers = {
+      ...this._requestInit?.headers,
+    } as HeadersInit & Record<string, string>;
     if (this._authProvider) {
       const tokens = await this._authProvider.tokens();
       if (tokens) {
-        (headers as Record<string, string>)["Authorization"] = `Bearer ${tokens.access_token}`;
+        headers["Authorization"] = `Bearer ${tokens.access_token}`;
       }
     }
+    if (this.protocolVersion) {
+      headers["mcp-protocol-version"] = this.protocolVersion;
+    }
 
     return headers;
   }
@@ -214,7 +220,9 @@ export class SSEClientTransport implements Transport {
 
     try {
       const commonHeaders = await this._commonHeaders();
-      const headers = new Headers({ ...commonHeaders, ...this._requestInit?.headers });
+      // Note: this._requestInit?.headers already set in _commonHeaders
+      // const headers = new Headers({ ...commonHeaders, ...this._requestInit?.headers });
+      const headers = new Headers(commonHeaders);
       headers.set("content-type", "application/json");
       const init = {
         ...this._requestInit,
diff --git a/src/client/streamableHttp.ts b/src/client/streamableHttp.ts
index 1bcfbb2d1..1bc2724e3 100644
--- a/src/client/streamableHttp.ts
+++ b/src/client/streamableHttp.ts
@@ -124,6 +124,7 @@ export class StreamableHTTPClientTransport implements Transport {
   private _authProvider?: OAuthClientProvider;
   private _sessionId?: string;
   private _reconnectionOptions: StreamableHTTPReconnectionOptions;
+  protocolVersion?: string;
 
   onclose?: () => void;
   onerror?: (error: Error) => void;
@@ -162,7 +163,7 @@ export class StreamableHTTPClientTransport implements Transport {
   }
 
   private async _commonHeaders(): Promise<Headers> {
-    const headers: HeadersInit = {};
+    const headers: HeadersInit & Record<string, string> = {};
     if (this._authProvider) {
       const tokens = await this._authProvider.tokens();
       if (tokens) {
@@ -173,6 +174,9 @@ export class StreamableHTTPClientTransport implements Transport {
     if (this._sessionId) {
       headers["mcp-session-id"] = this._sessionId;
     }
+    if (this.protocolVersion != null) {
+      headers["mcp-protocol-version"] = this.protocolVersion;
+    }
 
     return new Headers(
       { ...headers, ...this._requestInit?.headers }
diff --git a/src/integration-tests/stateManagementStreamableHttp.test.ts b/src/integration-tests/stateManagementStreamableHttp.test.ts
index b7ff17e68..503be80a0 100644
--- a/src/integration-tests/stateManagementStreamableHttp.test.ts
+++ b/src/integration-tests/stateManagementStreamableHttp.test.ts
@@ -211,6 +211,27 @@ describe('Streamable HTTP Transport Session Management', () => {
       // Clean up
       await transport.close();
     });
+
+    it('should set protocol version after connecting', async () => {
+      // Create and connect a client
+      const client = new Client({
+        name: 'test-client',
+        version: '1.0.0'
+      });
+
+      const transport = new StreamableHTTPClientTransport(baseUrl);
+      
+      // Verify protocol version is not set before connecting
+      expect(transport.protocolVersion).toBeUndefined();
+      
+      await client.connect(transport);
+      
+      // Verify protocol version is set after connecting
+      expect(transport.protocolVersion).toBe('2025-03-26');
+      
+      // Clean up
+      await transport.close();
+    });
   });
 
   describe('Stateful Mode', () => {
diff --git a/src/server/index.ts b/src/server/index.ts
index 3901099e3..d05c54894 100644
--- a/src/server/index.ts
+++ b/src/server/index.ts
@@ -251,10 +251,15 @@ export class Server<
     this._clientCapabilities = request.params.capabilities;
     this._clientVersion = request.params.clientInfo;
 
-    return {
-      protocolVersion: SUPPORTED_PROTOCOL_VERSIONS.includes(requestedVersion)
+    const protocolVersion = SUPPORTED_PROTOCOL_VERSIONS.includes(requestedVersion)
         ? requestedVersion
-        : LATEST_PROTOCOL_VERSION,
+        : LATEST_PROTOCOL_VERSION;
+    if (this.transport) {
+      this.transport.protocolVersion = protocolVersion;
+    }
+
+    return {
+      protocolVersion,
       capabilities: this.getCapabilities(),
       serverInfo: this._serverInfo,
       ...(this._instructions && { instructions: this._instructions }),
diff --git a/src/server/sse.ts b/src/server/sse.ts
index 03f6fefc9..b2f85ce08 100644
--- a/src/server/sse.ts
+++ b/src/server/sse.ts
@@ -18,6 +18,7 @@ export class SSEServerTransport implements Transport {
   private _sseResponse?: ServerResponse;
   private _sessionId: string;
 
+  protocolVersion?: string;
   onclose?: () => void;
   onerror?: (error: Error) => void;
   onmessage?: (message: JSONRPCMessage, extra?: { authInfo?: AuthInfo }) => void;
diff --git a/src/server/streamableHttp.test.ts b/src/server/streamableHttp.test.ts
index b961f6c41..51cc4c47e 100644
--- a/src/server/streamableHttp.test.ts
+++ b/src/server/streamableHttp.test.ts
@@ -185,6 +185,8 @@ async function sendPostRequest(baseUrl: URL, message: JSONRPCMessage | JSONRPCMe
 
   if (sessionId) {
     headers["mcp-session-id"] = sessionId;
+    // After initialization, include the protocol version header
+    headers["mcp-protocol-version"] = "2025-03-26";
   }
 
   return fetch(baseUrl, {
@@ -277,7 +279,7 @@ describe("StreamableHTTPServerTransport", () => {
     expectErrorResponse(errorData, -32600, /Only one initialization request is allowed/);
   });
 
-  it("should pandle post requests via sse response correctly", async () => {
+  it("should handle post requests via sse response correctly", async () => {
     sessionId = await initializeServer();
 
     const response = await sendPostRequest(baseUrl, TEST_MESSAGES.toolsList, sessionId);
@@ -376,6 +378,7 @@ describe("StreamableHTTPServerTransport", () => {
       headers: {
         Accept: "text/event-stream",
         "mcp-session-id": sessionId,
+        "mcp-protocol-version": "2025-03-26",
       },
     });
 
@@ -417,6 +420,7 @@ describe("StreamableHTTPServerTransport", () => {
       headers: {
         Accept: "text/event-stream",
         "mcp-session-id": sessionId,
+        "mcp-protocol-version": "2025-03-26",
       },
     });
 
@@ -448,6 +452,7 @@ describe("StreamableHTTPServerTransport", () => {
       headers: {
         Accept: "text/event-stream",
         "mcp-session-id": sessionId,
+        "mcp-protocol-version": "2025-03-26",
       },
     });
 
@@ -459,6 +464,7 @@ describe("StreamableHTTPServerTransport", () => {
       headers: {
         Accept: "text/event-stream",
         "mcp-session-id": sessionId,
+        "mcp-protocol-version": "2025-03-26",
       },
     });
 
@@ -477,6 +483,7 @@ describe("StreamableHTTPServerTransport", () => {
       headers: {
         Accept: "application/json",
         "mcp-session-id": sessionId,
+        "mcp-protocol-version": "2025-03-26",
       },
     });
 
@@ -670,6 +677,7 @@ describe("StreamableHTTPServerTransport", () => {
       headers: {
         Accept: "text/event-stream",
         "mcp-session-id": sessionId,
+        "mcp-protocol-version": "2025-03-26",
       },
     });
 
@@ -705,7 +713,10 @@ describe("StreamableHTTPServerTransport", () => {
     // Now DELETE the session
     const deleteResponse = await fetch(tempUrl, {
       method: "DELETE",
-      headers: { "mcp-session-id": tempSessionId || "" },
+      headers: {
+        "mcp-session-id": tempSessionId || "",
+        "mcp-protocol-version": "2025-03-26",
+      },
     });
 
     expect(deleteResponse.status).toBe(200);
@@ -721,13 +732,129 @@ describe("StreamableHTTPServerTransport", () => {
     // Try to delete with invalid session ID
     const response = await fetch(baseUrl, {
       method: "DELETE",
-      headers: { "mcp-session-id": "invalid-session-id" },
+      headers: {
+        "mcp-session-id": "invalid-session-id",
+        "mcp-protocol-version": "2025-03-26",
+      },
     });
 
     expect(response.status).toBe(404);
     const errorData = await response.json();
     expectErrorResponse(errorData, -32001, /Session not found/);
   });
+
+  describe("protocol version header validation", () => {
+    it("should accept requests with matching protocol version", async () => {
+      sessionId = await initializeServer();
+
+      // Send request with matching protocol version
+      const response = await sendPostRequest(baseUrl, TEST_MESSAGES.toolsList, sessionId);
+      
+      expect(response.status).toBe(200);
+    });
+
+    it("should accept requests without protocol version header", async () => {
+      sessionId = await initializeServer();
+
+      // Send request without protocol version header
+      const response = await fetch(baseUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json, text/event-stream",
+          "mcp-session-id": sessionId,
+          // No mcp-protocol-version header
+        },
+        body: JSON.stringify(TEST_MESSAGES.toolsList),
+      });
+      
+      expect(response.status).toBe(200);
+    });
+
+    it("should reject requests with unsupported protocol version", async () => {
+      sessionId = await initializeServer();
+
+      // Send request with unsupported protocol version
+      const response = await fetch(baseUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json, text/event-stream",
+          "mcp-session-id": sessionId,
+          "mcp-protocol-version": "1999-01-01", // Unsupported version
+        },
+        body: JSON.stringify(TEST_MESSAGES.toolsList),
+      });
+      
+      expect(response.status).toBe(400);
+      const errorData = await response.json();
+      expectErrorResponse(errorData, -32000, /Bad Request: Unsupported protocol version/);
+    });
+
+    it("should accept but warn when protocol version differs from negotiated version", async () => {
+      sessionId = await initializeServer();
+      
+      // Spy on console.warn to verify warning is logged
+      const warnSpy = jest.spyOn(console, 'warn').mockImplementation();
+
+      // Send request with different but supported protocol version
+      const response = await fetch(baseUrl, {
+        method: "POST", 
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json, text/event-stream",
+          "mcp-session-id": sessionId,
+          "mcp-protocol-version": "2024-11-05", // Different but supported version
+        },
+        body: JSON.stringify(TEST_MESSAGES.toolsList),
+      });
+      
+      // Request should still succeed
+      expect(response.status).toBe(200);
+      
+      // But warning should have been logged
+      expect(warnSpy).toHaveBeenCalledWith(
+        expect.stringContaining("Request has header with protocol version 2024-11-05, but version previously negotiated is 2025-03-26")
+      );
+      
+      warnSpy.mockRestore();
+    });
+
+    it("should handle protocol version validation for GET requests", async () => {
+      sessionId = await initializeServer();
+
+      // GET request with unsupported protocol version
+      const response = await fetch(baseUrl, {
+        method: "GET",
+        headers: {
+          Accept: "text/event-stream",
+          "mcp-session-id": sessionId,
+          "mcp-protocol-version": "invalid-version",
+        },
+      });
+      
+      expect(response.status).toBe(400);
+      const errorData = await response.json();
+      expectErrorResponse(errorData, -32000, /Bad Request: Unsupported protocol version/);
+    });
+
+    it("should handle protocol version validation for DELETE requests", async () => {
+      sessionId = await initializeServer();
+
+      // DELETE request with unsupported protocol version
+      const response = await fetch(baseUrl, {
+        method: "DELETE",
+        headers: {
+          "mcp-session-id": sessionId,
+          "mcp-protocol-version": "invalid-version",
+        },
+      });
+      
+      expect(response.status).toBe(400);
+      const errorData = await response.json();
+      expectErrorResponse(errorData, -32000, /Bad Request: Unsupported protocol version/);
+    });
+  });
 });
 
 describe("StreamableHTTPServerTransport with AuthInfo", () => {
@@ -1120,6 +1247,7 @@ describe("StreamableHTTPServerTransport with resumability", () => {
       headers: {
         Accept: "text/event-stream",
         "mcp-session-id": sessionId,
+        "mcp-protocol-version": "2025-03-26",
       },
     });
 
@@ -1196,6 +1324,7 @@ describe("StreamableHTTPServerTransport with resumability", () => {
       headers: {
         Accept: "text/event-stream",
         "mcp-session-id": sessionId,
+        "mcp-protocol-version": "2025-03-26",
         "last-event-id": firstEventId
       },
     });
@@ -1282,14 +1411,20 @@ describe("StreamableHTTPServerTransport in stateless mode", () => {
     // Open first SSE stream
     const stream1 = await fetch(baseUrl, {
       method: "GET",
-      headers: { Accept: "text/event-stream" },
+      headers: { 
+        Accept: "text/event-stream",
+        "mcp-protocol-version": "2025-03-26"
+      },
     });
     expect(stream1.status).toBe(200);
 
     // Open second SSE stream - should still be rejected, stateless mode still only allows one
     const stream2 = await fetch(baseUrl, {
       method: "GET",
-      headers: { Accept: "text/event-stream" },
+      headers: { 
+        Accept: "text/event-stream",
+        "mcp-protocol-version": "2025-03-26"
+      },
     });
     expect(stream2.status).toBe(409); // Conflict - only one stream allowed
   });
diff --git a/src/server/streamableHttp.ts b/src/server/streamableHttp.ts
index dc99c3065..b387f2ff8 100644
--- a/src/server/streamableHttp.ts
+++ b/src/server/streamableHttp.ts
@@ -1,6 +1,6 @@
 import { IncomingMessage, ServerResponse } from "node:http";
 import { Transport } from "../shared/transport.js";
-import { isInitializeRequest, isJSONRPCError, isJSONRPCRequest, isJSONRPCResponse, JSONRPCMessage, JSONRPCMessageSchema, RequestId } from "../types.js";
+import { isInitializeRequest, isJSONRPCError, isJSONRPCRequest, isJSONRPCResponse, JSONRPCMessage, JSONRPCMessageSchema, RequestId, SUPPORTED_PROTOCOL_VERSIONS } from "../types.js";
 import getRawBody from "raw-body";
 import contentType from "content-type";
 import { randomUUID } from "node:crypto";
@@ -110,7 +110,8 @@ export class StreamableHTTPServerTransport implements Transport {
   private _eventStore?: EventStore;
   private _onsessioninitialized?: (sessionId: string) => void;
 
-  sessionId?: string | undefined;
+  sessionId?: string;
+  protocolVersion?: string;
   onclose?: () => void;
   onerror?: (error: Error) => void;
   onmessage?: (message: JSONRPCMessage, extra?: { authInfo?: AuthInfo }) => void;
@@ -172,6 +173,9 @@ export class StreamableHTTPServerTransport implements Transport {
     if (!this.validateSession(req, res)) {
       return;
     }
+    if (!this.validateProtocolVersion(req, res)) {
+      return;
+    }
     // Handle resumability: check for Last-Event-ID header
     if (this._eventStore) {
       const lastEventId = req.headers['last-event-id'] as string | undefined;
@@ -378,11 +382,17 @@ export class StreamableHTTPServerTransport implements Transport {
         }
 
       }
-      // If an Mcp-Session-Id is returned by the server during initialization,
-      // clients using the Streamable HTTP transport MUST include it 
-      // in the Mcp-Session-Id header on all of their subsequent HTTP requests.
-      if (!isInitializationRequest && !this.validateSession(req, res)) {
-        return;
+      if (!isInitializationRequest) {
+        // If an Mcp-Session-Id is returned by the server during initialization,
+        // clients using the Streamable HTTP transport MUST include it 
+        // in the Mcp-Session-Id header on all of their subsequent HTTP requests.
+        if (!this.validateSession(req, res)) {
+          return;
+        }
+        // Mcp-Protocol-Version header is required for all requests after initialization.
+        if (!this.validateProtocolVersion(req, res)) {
+          return;
+        }
       }
 
 
@@ -457,6 +467,9 @@ export class StreamableHTTPServerTransport implements Transport {
     if (!this.validateSession(req, res)) {
       return;
     }
+    if (!this.validateProtocolVersion(req, res)) {
+      return;
+    }
     await this.close();
     res.writeHead(200).end();
   }
@@ -524,6 +537,34 @@ export class StreamableHTTPServerTransport implements Transport {
     return true;
   }
 
+  private validateProtocolVersion(req: IncomingMessage, res: ServerResponse): boolean {
+    let protocolVersion = req.headers["mcp-protocol-version"];
+    if (Array.isArray(protocolVersion)) {
+      protocolVersion = protocolVersion[protocolVersion.length - 1];
+    }
+    
+    if (protocolVersion == null || protocolVersion === undefined) {
+      // If the protocol version is not set, we assume the client supports the implicit protocol version
+      return true;
+    }
+    
+    protocolVersion = String(protocolVersion).trim();
+    if (this.protocolVersion !== undefined && this.protocolVersion !== protocolVersion) {
+      console.warn(`Request has header with protocol version ${protocolVersion}, but version previously negotiated is ${this.protocolVersion}.`);
+    }
+    if (!SUPPORTED_PROTOCOL_VERSIONS.includes(protocolVersion)) {
+      res.writeHead(400).end(JSON.stringify({
+        jsonrpc: "2.0",
+        error: {
+          code: -32000,
+          message: 'Bad Request: Unsupported protocol version'
+        },
+        id: null
+      }));
+      return false;
+    }
+    return true;
+  }
 
   async close(): Promise<void> {
     // Close all SSE connections
diff --git a/src/shared/transport.ts b/src/shared/transport.ts
index fe0a60e6d..976be79d4 100644
--- a/src/shared/transport.ts
+++ b/src/shared/transport.ts
@@ -75,4 +75,11 @@ export interface Transport {
    * The session ID generated for this connection.
    */
   sessionId?: string;
+
+  /**
+   * The protocol version used for the connection.
+   *
+   * Only set after the initialize response was received.
+   */
+  protocolVersion?: string;
 }

From 255d30cbf2fb070898f3517c88957753ccbb5d2f Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Thu, 12 Jun 2025 15:10:12 +0100
Subject: [PATCH 029/147] Rename ResourceReference to ResourceTemplateReference

---
 src/server/mcp.ts |  4 ++--
 src/types.ts      | 15 ++++++++++++---
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/server/mcp.ts b/src/server/mcp.ts
index 38c869c78..a20659b90 100644
--- a/src/server/mcp.ts
+++ b/src/server/mcp.ts
@@ -21,7 +21,7 @@ import {
   CompleteRequest,
   CompleteResult,
   PromptReference,
-  ResourceReference,
+  ResourceTemplateReference,
   Resource,
   ListResourcesResult,
   ListResourceTemplatesRequestSchema,
@@ -297,7 +297,7 @@ export class McpServer {
 
   private async handleResourceCompletion(
     request: CompleteRequest,
-    ref: ResourceReference,
+    ref: ResourceTemplateReference,
   ): Promise<CompleteResult> {
     const template = Object.values(this._registeredResourceTemplates).find(
       (t) => t.resourceTemplate.uriTemplate.toString() === ref.uri,
diff --git a/src/types.ts b/src/types.ts
index ae25848ea..9334e4c3d 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -1092,7 +1092,7 @@ export const CreateMessageResultSchema = ResultSchema.extend({
 /**
  * A reference to a resource or resource template definition.
  */
-export const ResourceReferenceSchema = z
+export const ResourceTemplateReferenceSchema = z
   .object({
     type: z.literal("ref/resource"),
     /**
@@ -1102,6 +1102,11 @@ export const ResourceReferenceSchema = z
   })
   .passthrough();
 
+/**
+ * @deprecated Use ResourceTemplateReferenceSchema instead
+ */
+export const ResourceReferenceSchema = ResourceTemplateReferenceSchema;
+
 /**
  * Identifies a prompt.
  */
@@ -1121,7 +1126,7 @@ export const PromptReferenceSchema = z
 export const CompleteRequestSchema = RequestSchema.extend({
   method: z.literal("completion/complete"),
   params: BaseRequestParamsSchema.extend({
-    ref: z.union([PromptReferenceSchema, ResourceReferenceSchema]),
+    ref: z.union([PromptReferenceSchema, ResourceTemplateReferenceSchema]),
     /**
      * The argument's information
      */
@@ -1377,7 +1382,11 @@ export type CreateMessageRequest = Infer<typeof CreateMessageRequestSchema>;
 export type CreateMessageResult = Infer<typeof CreateMessageResultSchema>;
 
 /* Autocomplete */
-export type ResourceReference = Infer<typeof ResourceReferenceSchema>;
+export type ResourceTemplateReference = Infer<typeof ResourceTemplateReferenceSchema>;
+/**
+ * @deprecated Use ResourceTemplateReference instead
+ */
+export type ResourceReference = ResourceTemplateReference;
 export type PromptReference = Infer<typeof PromptReferenceSchema>;
 export type CompleteRequest = Infer<typeof CompleteRequestSchema>;
 export type CompleteResult = Infer<typeof CompleteResultSchema>;

From bb0592bd50935ca487e3f08568b9e4d7313a7c64 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Thu, 12 Jun 2025 18:42:51 +0100
Subject: [PATCH 030/147] add supported versions to error message

---
 src/server/streamableHttp.test.ts |  6 +++---
 src/server/streamableHttp.ts      | 15 +++++----------
 src/types.ts                      |  1 +
 3 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/src/server/streamableHttp.test.ts b/src/server/streamableHttp.test.ts
index 51cc4c47e..f00721e21 100644
--- a/src/server/streamableHttp.test.ts
+++ b/src/server/streamableHttp.test.ts
@@ -788,7 +788,7 @@ describe("StreamableHTTPServerTransport", () => {
       
       expect(response.status).toBe(400);
       const errorData = await response.json();
-      expectErrorResponse(errorData, -32000, /Bad Request: Unsupported protocol version/);
+      expectErrorResponse(errorData, -32000, /Bad Request: Unsupported protocol version \(supported versions: .+\)/);
     });
 
     it("should accept but warn when protocol version differs from negotiated version", async () => {
@@ -835,7 +835,7 @@ describe("StreamableHTTPServerTransport", () => {
       
       expect(response.status).toBe(400);
       const errorData = await response.json();
-      expectErrorResponse(errorData, -32000, /Bad Request: Unsupported protocol version/);
+      expectErrorResponse(errorData, -32000, /Bad Request: Unsupported protocol version \(supported versions: .+\)/);
     });
 
     it("should handle protocol version validation for DELETE requests", async () => {
@@ -852,7 +852,7 @@ describe("StreamableHTTPServerTransport", () => {
       
       expect(response.status).toBe(400);
       const errorData = await response.json();
-      expectErrorResponse(errorData, -32000, /Bad Request: Unsupported protocol version/);
+      expectErrorResponse(errorData, -32000, /Bad Request: Unsupported protocol version \(supported versions: .+\)/);
     });
   });
 });
diff --git a/src/server/streamableHttp.ts b/src/server/streamableHttp.ts
index b387f2ff8..c6010fd32 100644
--- a/src/server/streamableHttp.ts
+++ b/src/server/streamableHttp.ts
@@ -1,6 +1,6 @@
 import { IncomingMessage, ServerResponse } from "node:http";
 import { Transport } from "../shared/transport.js";
-import { isInitializeRequest, isJSONRPCError, isJSONRPCRequest, isJSONRPCResponse, JSONRPCMessage, JSONRPCMessageSchema, RequestId, SUPPORTED_PROTOCOL_VERSIONS } from "../types.js";
+import { isInitializeRequest, isJSONRPCError, isJSONRPCRequest, isJSONRPCResponse, JSONRPCMessage, JSONRPCMessageSchema, RequestId, SUPPORTED_PROTOCOL_VERSIONS, DEFAULT_NEGOTIATED_PROTOCOL_VERSION } from "../types.js";
 import getRawBody from "raw-body";
 import contentType from "content-type";
 import { randomUUID } from "node:crypto";
@@ -538,17 +538,12 @@ export class StreamableHTTPServerTransport implements Transport {
   }
 
   private validateProtocolVersion(req: IncomingMessage, res: ServerResponse): boolean {
-    let protocolVersion = req.headers["mcp-protocol-version"];
+    let protocolVersion = req.headers["mcp-protocol-version"] ?? DEFAULT_NEGOTIATED_PROTOCOL_VERSION;
     if (Array.isArray(protocolVersion)) {
       protocolVersion = protocolVersion[protocolVersion.length - 1];
     }
-    
-    if (protocolVersion == null || protocolVersion === undefined) {
-      // If the protocol version is not set, we assume the client supports the implicit protocol version
-      return true;
-    }
-    
-    protocolVersion = String(protocolVersion).trim();
+
+
     if (this.protocolVersion !== undefined && this.protocolVersion !== protocolVersion) {
       console.warn(`Request has header with protocol version ${protocolVersion}, but version previously negotiated is ${this.protocolVersion}.`);
     }
@@ -557,7 +552,7 @@ export class StreamableHTTPServerTransport implements Transport {
         jsonrpc: "2.0",
         error: {
           code: -32000,
-          message: 'Bad Request: Unsupported protocol version'
+          message: `Bad Request: Unsupported protocol version (supported versions: ${SUPPORTED_PROTOCOL_VERSIONS.join(", ")})`
         },
         id: null
       }));
diff --git a/src/types.ts b/src/types.ts
index ae25848ea..4bf87ef65 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -1,6 +1,7 @@
 import { z, ZodTypeAny } from "zod";
 
 export const LATEST_PROTOCOL_VERSION = "2025-03-26";
+export const DEFAULT_NEGOTIATED_PROTOCOL_VERSION = "2025-03-26";
 export const SUPPORTED_PROTOCOL_VERSIONS = [
   LATEST_PROTOCOL_VERSION,
   "2024-11-05",

From a28e25a9c0c4e4bd3ee1ead292c30b1238d9d057 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Thu, 12 Jun 2025 18:43:06 +0100
Subject: [PATCH 031/147] use const in test

---
 src/integration-tests/stateManagementStreamableHttp.test.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/integration-tests/stateManagementStreamableHttp.test.ts b/src/integration-tests/stateManagementStreamableHttp.test.ts
index 503be80a0..d12a4f993 100644
--- a/src/integration-tests/stateManagementStreamableHttp.test.ts
+++ b/src/integration-tests/stateManagementStreamableHttp.test.ts
@@ -5,7 +5,7 @@ import { Client } from '../client/index.js';
 import { StreamableHTTPClientTransport } from '../client/streamableHttp.js';
 import { McpServer } from '../server/mcp.js';
 import { StreamableHTTPServerTransport } from '../server/streamableHttp.js';
-import { CallToolResultSchema, ListToolsResultSchema, ListResourcesResultSchema, ListPromptsResultSchema } from '../types.js';
+import { CallToolResultSchema, ListToolsResultSchema, ListResourcesResultSchema, ListPromptsResultSchema, DEFAULT_NEGOTIATED_PROTOCOL_VERSION } from '../types.js';
 import { z } from 'zod';
 
 describe('Streamable HTTP Transport Session Management', () => {
@@ -227,7 +227,7 @@ describe('Streamable HTTP Transport Session Management', () => {
       await client.connect(transport);
       
       // Verify protocol version is set after connecting
-      expect(transport.protocolVersion).toBe('2025-03-26');
+      expect(transport.protocolVersion).toBe(DEFAULT_NEGOTIATED_PROTOCOL_VERSION);
       
       // Clean up
       await transport.close();

From e573a0f342f92b24250d860bc0f3d2a6aa55c53e Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Thu, 12 Jun 2025 18:43:49 +0100
Subject: [PATCH 032/147] nits: remove dead comment & align test style on local
 idioms

---
 src/client/sse.ts            | 2 --
 src/client/streamableHttp.ts | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/client/sse.ts b/src/client/sse.ts
index a80e06eb7..3111cd9db 100644
--- a/src/client/sse.ts
+++ b/src/client/sse.ts
@@ -220,8 +220,6 @@ export class SSEClientTransport implements Transport {
 
     try {
       const commonHeaders = await this._commonHeaders();
-      // Note: this._requestInit?.headers already set in _commonHeaders
-      // const headers = new Headers({ ...commonHeaders, ...this._requestInit?.headers });
       const headers = new Headers(commonHeaders);
       headers.set("content-type", "application/json");
       const init = {
diff --git a/src/client/streamableHttp.ts b/src/client/streamableHttp.ts
index 1bc2724e3..2a1895f5e 100644
--- a/src/client/streamableHttp.ts
+++ b/src/client/streamableHttp.ts
@@ -174,7 +174,7 @@ export class StreamableHTTPClientTransport implements Transport {
     if (this._sessionId) {
       headers["mcp-session-id"] = this._sessionId;
     }
-    if (this.protocolVersion != null) {
+    if (this.protocolVersion) {
       headers["mcp-protocol-version"] = this.protocolVersion;
     }
 

From bc5312991ebf47d5133b22d04e9a56cb3b9a3f15 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Thu, 12 Jun 2025 18:47:16 +0100
Subject: [PATCH 033/147] adding tests to prevent regressions

---
 src/server/mcp.test.ts | 140 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 140 insertions(+)

diff --git a/src/server/mcp.test.ts b/src/server/mcp.test.ts
index 49f852d65..b7bfdffb8 100644
--- a/src/server/mcp.test.ts
+++ b/src/server/mcp.test.ts
@@ -3499,4 +3499,144 @@ describe("prompt()", () => {
     expect(typeof receivedRequestId === 'string' || typeof receivedRequestId === 'number').toBe(true);
     expect(result.messages[0].content.text).toContain("Received request ID:");
   });
+
+  /***
+   * Test: Resource Template Metadata Priority
+   */
+  test("should prioritize individual resource metadata over template metadata", async () => {
+    const mcpServer = new McpServer({
+      name: "test server",
+      version: "1.0",
+    });
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
+
+    mcpServer.resource(
+      "test",
+      new ResourceTemplate("test://resource/{id}", {
+        list: async () => ({
+          resources: [
+            {
+              name: "Resource 1",
+              uri: "test://resource/1",
+              description: "Individual resource description",
+              mimeType: "text/plain",
+            },
+            {
+              name: "Resource 2",
+              uri: "test://resource/2",
+              // This resource has no description or mimeType
+            },
+          ],
+        }),
+      }),
+      {
+        description: "Template description",
+        mimeType: "application/json",
+      },
+      async (uri) => ({
+        contents: [
+          {
+            uri: uri.href,
+            text: "Test content",
+          },
+        ],
+      }),
+    );
+
+    const [clientTransport, serverTransport] =
+      InMemoryTransport.createLinkedPair();
+
+    await Promise.all([
+      client.connect(clientTransport),
+      mcpServer.server.connect(serverTransport),
+    ]);
+
+    const result = await client.request(
+      {
+        method: "resources/list",
+      },
+      ListResourcesResultSchema,
+    );
+
+    expect(result.resources).toHaveLength(2);
+    
+    // Resource 1 should have its own metadata
+    expect(result.resources[0].name).toBe("Resource 1");
+    expect(result.resources[0].description).toBe("Individual resource description");
+    expect(result.resources[0].mimeType).toBe("text/plain");
+    
+    // Resource 2 should inherit template metadata
+    expect(result.resources[1].name).toBe("Resource 2");
+    expect(result.resources[1].description).toBe("Template description");
+    expect(result.resources[1].mimeType).toBe("application/json");
+  });
+
+  /***
+   * Test: Resource Template Metadata Overrides All Fields
+   */
+  test("should allow resource to override all template metadata fields", async () => {
+    const mcpServer = new McpServer({
+      name: "test server",
+      version: "1.0",
+    });
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
+
+    mcpServer.resource(
+      "test",
+      new ResourceTemplate("test://resource/{id}", {
+        list: async () => ({
+          resources: [
+            {
+              name: "Overridden Name",
+              uri: "test://resource/1",
+              description: "Overridden description",
+              mimeType: "text/markdown",
+              // Add any other metadata fields if they exist
+            },
+          ],
+        }),
+      }),
+      {
+        name: "Template Name",
+        description: "Template description",
+        mimeType: "application/json",
+      },
+      async (uri) => ({
+        contents: [
+          {
+            uri: uri.href,
+            text: "Test content",
+          },
+        ],
+      }),
+    );
+
+    const [clientTransport, serverTransport] =
+      InMemoryTransport.createLinkedPair();
+
+    await Promise.all([
+      client.connect(clientTransport),
+      mcpServer.server.connect(serverTransport),
+    ]);
+
+    const result = await client.request(
+      {
+        method: "resources/list",
+      },
+      ListResourcesResultSchema,
+    );
+
+    expect(result.resources).toHaveLength(1);
+    
+    // All fields should be from the individual resource, not the template
+    expect(result.resources[0].name).toBe("Overridden Name");
+    expect(result.resources[0].description).toBe("Overridden description");
+    expect(result.resources[0].mimeType).toBe("text/markdown");
+  });
 });

From ea6d97d5abe21fb147d49ede26eafbeee4e89ca1 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Thu, 12 Jun 2025 19:21:45 +0100
Subject: [PATCH 034/147] 1.12.3

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 764ce2cbb..6b184f31d 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.12.2",
+  "version": "1.12.3",
   "description": "Model Context Protocol implementation for TypeScript",
   "license": "MIT",
   "author": "Anthropic, PBC (https://anthropic.com)",

From 4aaa26d900d452b61165cc440776b8e960b88a99 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Fri, 13 Jun 2025 13:35:38 +0100
Subject: [PATCH 035/147] remove protocol version mismatch warning

---
 src/server/streamableHttp.test.ts | 7 +------
 src/server/streamableHttp.ts      | 4 ----
 2 files changed, 1 insertion(+), 10 deletions(-)

diff --git a/src/server/streamableHttp.test.ts b/src/server/streamableHttp.test.ts
index f00721e21..d66083fe8 100644
--- a/src/server/streamableHttp.test.ts
+++ b/src/server/streamableHttp.test.ts
@@ -791,7 +791,7 @@ describe("StreamableHTTPServerTransport", () => {
       expectErrorResponse(errorData, -32000, /Bad Request: Unsupported protocol version \(supported versions: .+\)/);
     });
 
-    it("should accept but warn when protocol version differs from negotiated version", async () => {
+    it("should accept when protocol version differs from negotiated version", async () => {
       sessionId = await initializeServer();
       
       // Spy on console.warn to verify warning is logged
@@ -812,11 +812,6 @@ describe("StreamableHTTPServerTransport", () => {
       // Request should still succeed
       expect(response.status).toBe(200);
       
-      // But warning should have been logged
-      expect(warnSpy).toHaveBeenCalledWith(
-        expect.stringContaining("Request has header with protocol version 2024-11-05, but version previously negotiated is 2025-03-26")
-      );
-      
       warnSpy.mockRestore();
     });
 
diff --git a/src/server/streamableHttp.ts b/src/server/streamableHttp.ts
index c6010fd32..62503120c 100644
--- a/src/server/streamableHttp.ts
+++ b/src/server/streamableHttp.ts
@@ -543,10 +543,6 @@ export class StreamableHTTPServerTransport implements Transport {
       protocolVersion = protocolVersion[protocolVersion.length - 1];
     }
 
-
-    if (this.protocolVersion !== undefined && this.protocolVersion !== protocolVersion) {
-      console.warn(`Request has header with protocol version ${protocolVersion}, but version previously negotiated is ${this.protocolVersion}.`);
-    }
     if (!SUPPORTED_PROTOCOL_VERSIONS.includes(protocolVersion)) {
       res.writeHead(400).end(JSON.stringify({
         jsonrpc: "2.0",

From 33257f14d4d4e8b09b20f58126ab1fb8ef9e05ab Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Fri, 13 Jun 2025 13:36:04 +0100
Subject: [PATCH 036/147] switch to optional Transport.setProtocolVersion

---
 src/client/index.ts          |  4 +++-
 src/client/sse.ts            | 10 +++++++---
 src/client/streamableHttp.ts | 13 ++++++++++---
 src/server/index.ts          |  3 ---
 src/server/sse.ts            |  2 --
 src/server/streamableHttp.ts |  1 -
 src/shared/transport.ts      |  6 ++----
 7 files changed, 22 insertions(+), 17 deletions(-)

diff --git a/src/client/index.ts b/src/client/index.ts
index 0e7d6cf47..a8fbdcee8 100644
--- a/src/client/index.ts
+++ b/src/client/index.ts
@@ -166,7 +166,9 @@ export class Client<
       this._serverCapabilities = result.capabilities;
       this._serverVersion = result.serverInfo;
       // HTTP transports must set the protocol version in each header after initialization.
-      transport.protocolVersion = result.protocolVersion;
+      if (transport.setProtocolVersion) {
+        transport.setProtocolVersion(result.protocolVersion);
+      }
 
       this._instructions = result.instructions;
 
diff --git a/src/client/sse.ts b/src/client/sse.ts
index 3111cd9db..5aa99abb4 100644
--- a/src/client/sse.ts
+++ b/src/client/sse.ts
@@ -62,7 +62,7 @@ export class SSEClientTransport implements Transport {
   private _eventSourceInit?: EventSourceInit;
   private _requestInit?: RequestInit;
   private _authProvider?: OAuthClientProvider;
-  protocolVersion?: string;
+  private _protocolVersion?: string;
 
   onclose?: () => void;
   onerror?: (error: Error) => void;
@@ -109,8 +109,8 @@ export class SSEClientTransport implements Transport {
         headers["Authorization"] = `Bearer ${tokens.access_token}`;
       }
     }
-    if (this.protocolVersion) {
-      headers["mcp-protocol-version"] = this.protocolVersion;
+    if (this._protocolVersion) {
+      headers["mcp-protocol-version"] = this._protocolVersion;
     }
 
     return headers;
@@ -255,4 +255,8 @@ export class SSEClientTransport implements Transport {
       throw error;
     }
   }
+
+  setProtocolVersion(version: string): void {
+    this._protocolVersion = version;
+  }
 }
diff --git a/src/client/streamableHttp.ts b/src/client/streamableHttp.ts
index 2a1895f5e..4117bb1b4 100644
--- a/src/client/streamableHttp.ts
+++ b/src/client/streamableHttp.ts
@@ -124,7 +124,7 @@ export class StreamableHTTPClientTransport implements Transport {
   private _authProvider?: OAuthClientProvider;
   private _sessionId?: string;
   private _reconnectionOptions: StreamableHTTPReconnectionOptions;
-  protocolVersion?: string;
+  private _protocolVersion?: string;
 
   onclose?: () => void;
   onerror?: (error: Error) => void;
@@ -174,8 +174,8 @@ export class StreamableHTTPClientTransport implements Transport {
     if (this._sessionId) {
       headers["mcp-session-id"] = this._sessionId;
     }
-    if (this.protocolVersion) {
-      headers["mcp-protocol-version"] = this.protocolVersion;
+    if (this._protocolVersion) {
+      headers["mcp-protocol-version"] = this._protocolVersion;
     }
 
     return new Headers(
@@ -520,4 +520,11 @@ export class StreamableHTTPClientTransport implements Transport {
       throw error;
     }
   }
+
+  setProtocolVersion(version: string): void {
+    this._protocolVersion = version;
+  }
+  get protocolVersion(): string | undefined {
+    return this._protocolVersion;
+  }
 }
diff --git a/src/server/index.ts b/src/server/index.ts
index d05c54894..caf72f9c3 100644
--- a/src/server/index.ts
+++ b/src/server/index.ts
@@ -254,9 +254,6 @@ export class Server<
     const protocolVersion = SUPPORTED_PROTOCOL_VERSIONS.includes(requestedVersion)
         ? requestedVersion
         : LATEST_PROTOCOL_VERSION;
-    if (this.transport) {
-      this.transport.protocolVersion = protocolVersion;
-    }
 
     return {
       protocolVersion,
diff --git a/src/server/sse.ts b/src/server/sse.ts
index b2f85ce08..e9a4d53ab 100644
--- a/src/server/sse.ts
+++ b/src/server/sse.ts
@@ -17,8 +17,6 @@ const MAXIMUM_MESSAGE_SIZE = "4mb";
 export class SSEServerTransport implements Transport {
   private _sseResponse?: ServerResponse;
   private _sessionId: string;
-
-  protocolVersion?: string;
   onclose?: () => void;
   onerror?: (error: Error) => void;
   onmessage?: (message: JSONRPCMessage, extra?: { authInfo?: AuthInfo }) => void;
diff --git a/src/server/streamableHttp.ts b/src/server/streamableHttp.ts
index 62503120c..34b2ab68a 100644
--- a/src/server/streamableHttp.ts
+++ b/src/server/streamableHttp.ts
@@ -111,7 +111,6 @@ export class StreamableHTTPServerTransport implements Transport {
   private _onsessioninitialized?: (sessionId: string) => void;
 
   sessionId?: string;
-  protocolVersion?: string;
   onclose?: () => void;
   onerror?: (error: Error) => void;
   onmessage?: (message: JSONRPCMessage, extra?: { authInfo?: AuthInfo }) => void;
diff --git a/src/shared/transport.ts b/src/shared/transport.ts
index 976be79d4..b75e072e8 100644
--- a/src/shared/transport.ts
+++ b/src/shared/transport.ts
@@ -77,9 +77,7 @@ export interface Transport {
   sessionId?: string;
 
   /**
-   * The protocol version used for the connection.
-   *
-   * Only set after the initialize response was received.
+   * Sets the protocol version used for the connection (called when the initialize response is received).
    */
-  protocolVersion?: string;
+  setProtocolVersion?: (version: string) => void;
 }

From db9ba7b419bfe0e0686576c5365e8a969bd97637 Mon Sep 17 00:00:00 2001
From: Konstantin Konstantinov <konstantin@mach5technology.com>
Date: Sat, 14 Jun 2025 01:08:02 +0300
Subject: [PATCH 037/147] raw request propagation in tools - implementation,
 unit tests, types

---
 package-lock.json                 |   4 +-
 package.json                      |   2 +-
 src/client/index.test.ts          |  15 +-
 src/server/index.test.ts          |  14 +-
 src/server/mcp.test.ts            | 365 ++++++++++++++----------------
 src/server/mcp.ts                 |   4 +
 src/server/sse.test.ts            | 204 ++++++++++++++++-
 src/server/sse.ts                 |   8 +-
 src/server/streamableHttp.test.ts |  65 ++++++
 src/server/streamableHttp.ts      |   8 +-
 src/server/types/types.ts         |  31 +++
 src/shared/protocol.test.ts       | 126 +++++++++++
 src/shared/protocol.ts            |  14 +-
 src/shared/transport.ts           |   7 +-
 14 files changed, 641 insertions(+), 226 deletions(-)
 create mode 100644 src/server/types/types.ts

diff --git a/package-lock.json b/package-lock.json
index 40bad9fe2..1a9a8f454 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.11.4",
+  "version": "1.12.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@modelcontextprotocol/sdk",
-      "version": "1.11.4",
+      "version": "1.12.0",
       "license": "MIT",
       "dependencies": {
         "ajv": "^6.12.6",
diff --git a/package.json b/package.json
index 467800fc4..764ce2cbb 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.12.0",
+  "version": "1.12.2",
   "description": "Model Context Protocol implementation for TypeScript",
   "license": "MIT",
   "author": "Anthropic, PBC (https://anthropic.com)",
diff --git a/src/client/index.test.ts b/src/client/index.test.ts
index bbfa80faf..f80459f1f 100644
--- a/src/client/index.test.ts
+++ b/src/client/index.test.ts
@@ -20,7 +20,14 @@ import {
 import { Transport } from "../shared/transport.js";
 import { Server } from "../server/index.js";
 import { InMemoryTransport } from "../inMemory.js";
-
+import { RequestInfo } from "../server/types/types.js";
+
+const mockRequestInfo: RequestInfo = {
+  headers: {
+    'content-type': 'application/json',
+    'accept': 'application/json',
+  },
+};
 /***
  * Test: Initialize with Matching Protocol Version
  */
@@ -42,7 +49,7 @@ test("should initialize with matching protocol version", async () => {
             },
             instructions: "test instructions",
           },
-        });
+        }, { requestInfo: mockRequestInfo });
       }
       return Promise.resolve();
     }),
@@ -100,7 +107,7 @@ test("should initialize with supported older protocol version", async () => {
               version: "1.0",
             },
           },
-        });
+        }, { requestInfo: mockRequestInfo });
       }
       return Promise.resolve();
     }),
@@ -150,7 +157,7 @@ test("should reject unsupported protocol version", async () => {
               version: "1.0",
             },
           },
-        });
+        }, { requestInfo: mockRequestInfo });
       }
       return Promise.resolve();
     }),
diff --git a/src/server/index.test.ts b/src/server/index.test.ts
index 7c0fbc51a..e015be94c 100644
--- a/src/server/index.test.ts
+++ b/src/server/index.test.ts
@@ -19,6 +19,14 @@ import {
 import { Transport } from "../shared/transport.js";
 import { InMemoryTransport } from "../inMemory.js";
 import { Client } from "../client/index.js";
+import { RequestInfo } from "./types/types.js";
+
+const mockRequestInfo: RequestInfo = {
+  headers: {
+    'content-type': 'application/json',
+    'traceparent': '00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01',
+  },
+};
 
 test("should accept latest protocol version", async () => {
   let sendPromiseResolve: (value: unknown) => void;
@@ -77,7 +85,7 @@ test("should accept latest protocol version", async () => {
         version: "1.0",
       },
     },
-  });
+  }, { requestInfo: mockRequestInfo });
 
   await expect(sendPromise).resolves.toBeUndefined();
 });
@@ -138,7 +146,7 @@ test("should accept supported older protocol version", async () => {
         version: "1.0",
       },
     },
-  });
+  }, { requestInfo: mockRequestInfo });
 
   await expect(sendPromise).resolves.toBeUndefined();
 });
@@ -198,7 +206,7 @@ test("should handle unsupported protocol version", async () => {
         version: "1.0",
       },
     },
-  });
+  }, { requestInfo: mockRequestInfo });
 
   await expect(sendPromise).resolves.toBeUndefined();
 });
diff --git a/src/server/mcp.test.ts b/src/server/mcp.test.ts
index 49f852d65..773777cbb 100644
--- a/src/server/mcp.test.ts
+++ b/src/server/mcp.test.ts
@@ -18,6 +18,14 @@ import {
 import { ResourceTemplate } from "./mcp.js";
 import { completable } from "./completable.js";
 import { UriTemplate } from "../shared/uriTemplate.js";
+import { RequestInfo } from "./types/types.js";
+
+const mockRequestInfo: RequestInfo = {
+  headers: {
+    'content-type': 'application/json',
+    'accept': 'application/json',
+  },
+};
 
 describe("McpServer", () => {
   /***
@@ -212,7 +220,8 @@ describe("ResourceTemplate", () => {
       signal: abortController.signal,
       requestId: 'not-implemented',
       sendRequest: () => { throw new Error("Not implemented") },
-      sendNotification: () => { throw new Error("Not implemented") }
+      sendNotification: () => { throw new Error("Not implemented") }, 
+      requestInfo: mockRequestInfo
     });
     expect(result?.resources).toHaveLength(1);
     expect(list).toHaveBeenCalled();
@@ -913,18 +922,10 @@ describe("tool()", () => {
       name: "test server",
       version: "1.0",
     });
-
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     mcpServer.tool(
       "test",
@@ -1056,17 +1057,10 @@ describe("tool()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     // Register a tool with outputSchema
     mcpServer.registerTool(
@@ -1169,17 +1163,10 @@ describe("tool()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     // Register a tool with outputSchema that returns only content without structuredContent
     mcpServer.registerTool(
@@ -1233,17 +1220,10 @@ describe("tool()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     // Register a tool with outputSchema that returns invalid data
     mcpServer.registerTool(
@@ -1308,17 +1288,10 @@ describe("tool()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     let receivedSessionId: string | undefined;
     mcpServer.tool("test-tool", async (extra) => {
@@ -1364,17 +1337,10 @@ describe("tool()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     let receivedRequestId: string | number | undefined;
     mcpServer.tool("request-id-test", async (extra) => {
@@ -1423,17 +1389,10 @@ describe("tool()", () => {
       { capabilities: { logging: {} } },
     );
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     let receivedLogMessage: string | undefined;
     const loggingMessage = "hello here is log message 1";
@@ -1480,17 +1439,10 @@ describe("tool()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     mcpServer.tool(
       "test",
@@ -1546,17 +1498,10 @@ describe("tool()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     mcpServer.tool("error-test", async () => {
       throw new Error("Tool execution failed");
@@ -1598,17 +1543,10 @@ describe("tool()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          tools: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     mcpServer.tool("test-tool", async () => ({
       content: [
@@ -2393,26 +2331,61 @@ describe("resource()", () => {
   });
 
   /***
-   * Test: Resource Template Parameter Completion
+   * Test: Registering a resource template with a complete callback should update server capabilities to advertise support for completion
    */
-  test("should support completion of resource template parameters", async () => {
+  test("should advertise support for completion when a resource template with a complete callback is defined", async () => {
     const mcpServer = new McpServer({
       name: "test server",
       version: "1.0",
     });
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          resources: {},
+    mcpServer.resource(
+      "test",
+      new ResourceTemplate("test://resource/{category}", {
+        list: undefined,
+        complete: {
+          category: () => ["books", "movies", "music"],
         },
-      },
+      }),
+      async () => ({
+        contents: [
+          {
+            uri: "test://resource/test",
+            text: "Test content",
+          },
+        ],
+      }),
     );
 
+    const [clientTransport, serverTransport] =
+      InMemoryTransport.createLinkedPair();
+
+    await Promise.all([
+      client.connect(clientTransport),
+      mcpServer.server.connect(serverTransport),
+    ]);
+
+    expect(client.getServerCapabilities()).toMatchObject({ completions: {} })
+  })
+
+  /***
+   * Test: Resource Template Parameter Completion
+   */
+  test("should support completion of resource template parameters", async () => {
+    const mcpServer = new McpServer({
+      name: "test server",
+      version: "1.0",
+    });
+
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
+
     mcpServer.resource(
       "test",
       new ResourceTemplate("test://resource/{category}", {
@@ -2469,17 +2442,10 @@ describe("resource()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          resources: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     mcpServer.resource(
       "test",
@@ -2540,17 +2506,10 @@ describe("resource()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          resources: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     let receivedRequestId: string | number | undefined;
     mcpServer.resource("request-id-test", "test://resource", async (_uri, extra) => {
@@ -3052,17 +3011,10 @@ describe("prompt()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          prompts: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     mcpServer.prompt(
       "test",
@@ -3258,17 +3210,10 @@ describe("prompt()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          prompts: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     mcpServer.prompt("test-prompt", async () => ({
       messages: [
@@ -3303,27 +3248,63 @@ describe("prompt()", () => {
     ).rejects.toThrow(/Prompt nonexistent-prompt not found/);
   });
 
+
   /***
-   * Test: Prompt Argument Completion
+   * Test: Registering a prompt with a completable argument should update server capabilities to advertise support for completion
    */
-  test("should support completion of prompt arguments", async () => {
+  test("should advertise support for completion when a prompt with a completable argument is defined", async () => {
     const mcpServer = new McpServer({
       name: "test server",
       version: "1.0",
     });
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
+    mcpServer.prompt(
+      "test-prompt",
       {
-        capabilities: {
-          prompts: {},
-        },
+        name: completable(z.string(), () => ["Alice", "Bob", "Charlie"]),
       },
+      async ({ name }) => ({
+        messages: [
+          {
+            role: "assistant",
+            content: {
+              type: "text",
+              text: `Hello ${name}`,
+            },
+          },
+        ],
+      }),
     );
 
+    const [clientTransport, serverTransport] =
+      InMemoryTransport.createLinkedPair();
+
+    await Promise.all([
+      client.connect(clientTransport),
+      mcpServer.server.connect(serverTransport),
+    ]);
+
+    expect(client.getServerCapabilities()).toMatchObject({ completions: {} })
+  })
+
+  /***
+   * Test: Prompt Argument Completion
+   */
+  test("should support completion of prompt arguments", async () => {
+    const mcpServer = new McpServer({
+      name: "test server",
+      version: "1.0",
+    });
+
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
+
     mcpServer.prompt(
       "test-prompt",
       {
@@ -3380,17 +3361,10 @@ describe("prompt()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          prompts: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     mcpServer.prompt(
       "test-prompt",
@@ -3450,17 +3424,10 @@ describe("prompt()", () => {
       version: "1.0",
     });
 
-    const client = new Client(
-      {
-        name: "test client",
-        version: "1.0",
-      },
-      {
-        capabilities: {
-          prompts: {},
-        },
-      },
-    );
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
 
     let receivedRequestId: string | number | undefined;
     mcpServer.prompt("request-id-test", async (extra) => {
diff --git a/src/server/mcp.ts b/src/server/mcp.ts
index 5b864b8b4..38c869c78 100644
--- a/src/server/mcp.ts
+++ b/src/server/mcp.ts
@@ -236,6 +236,10 @@ export class McpServer {
       CompleteRequestSchema.shape.method.value,
     );
 
+    this.server.registerCapabilities({
+      completions: {},
+    });
+
     this.server.setRequestHandler(
       CompleteRequestSchema,
       async (request): Promise<CompleteResult> => {
diff --git a/src/server/sse.test.ts b/src/server/sse.test.ts
index 2fd2c0424..7edef6af0 100644
--- a/src/server/sse.test.ts
+++ b/src/server/sse.test.ts
@@ -1,20 +1,146 @@
 import http from 'http'; 
 import { jest } from '@jest/globals';
 import { SSEServerTransport } from './sse.js'; 
+import { McpServer } from './mcp.js';
+import { createServer, type Server } from "node:http";
+import { AddressInfo } from "node:net";
+import { z } from 'zod';
+import { CallToolResult, JSONRPCMessage } from 'src/types.js';
 
 const createMockResponse = () => {
   const res = {
-    writeHead: jest.fn<http.ServerResponse['writeHead']>(),
-    write: jest.fn<http.ServerResponse['write']>().mockReturnValue(true),
-    on: jest.fn<http.ServerResponse['on']>(),
+    writeHead: jest.fn<http.ServerResponse['writeHead']>().mockReturnThis(),
+    write: jest.fn<http.ServerResponse['write']>().mockReturnThis(),
+    on: jest.fn<http.ServerResponse['on']>().mockReturnThis(),
+    end: jest.fn<http.ServerResponse['end']>().mockReturnThis(),
   };
-  res.writeHead.mockReturnThis();
-  res.on.mockReturnThis();
   
-  return res as unknown as http.ServerResponse;
+  return res as unknown as jest.Mocked<http.ServerResponse>;
 };
 
+/**
+ * Helper to create and start test HTTP server with MCP setup
+ */
+async function createTestServerWithSse(args: {
+  mockRes: http.ServerResponse;
+}): Promise<{
+  server: Server;
+  transport: SSEServerTransport;
+  mcpServer: McpServer;
+  baseUrl: URL;
+  sessionId: string
+  serverPort: number;
+}> {
+  const mcpServer = new McpServer(
+    { name: "test-server", version: "1.0.0" },
+    { capabilities: { logging: {} } }
+  );
+
+  mcpServer.tool(
+    "greet",
+    "A simple greeting tool",
+    { name: z.string().describe("Name to greet") },
+    async ({ name }): Promise<CallToolResult> => {
+      return { content: [{ type: "text", text: `Hello, ${name}!` }] };
+    }
+  );
+
+  const endpoint = '/messages';
+
+  const transport = new SSEServerTransport(endpoint, args.mockRes);
+  const sessionId = transport.sessionId;
+
+  await mcpServer.connect(transport);
+
+  const server = createServer(async (req, res) => {
+    try {
+        await transport.handlePostMessage(req, res);
+    } catch (error) {
+      console.error("Error handling request:", error);
+      if (!res.headersSent) res.writeHead(500).end();
+    }
+  });
+
+  const baseUrl = await new Promise<URL>((resolve) => {
+    server.listen(0, "127.0.0.1", () => {
+      const addr = server.address() as AddressInfo;
+      resolve(new URL(`http://127.0.0.1:${addr.port}`));
+    });
+  });
+
+  const port = (server.address() as AddressInfo).port;
+
+  return { server, transport, mcpServer, baseUrl, sessionId, serverPort: port };
+}
+
+async function readAllSSEEvents(response: Response): Promise<string[]> {
+  const reader = response.body?.getReader();
+  if (!reader) throw new Error('No readable stream');
+  
+  const events: string[] = [];
+  const decoder = new TextDecoder();
+  
+  try {
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      
+      if (value) {
+        events.push(decoder.decode(value));
+      }
+    }
+  } finally {
+    reader.releaseLock();
+  }
+  
+  return events;
+}
+
+/**
+ * Helper to send JSON-RPC request
+ */
+async function sendSsePostRequest(baseUrl: URL, message: JSONRPCMessage | JSONRPCMessage[], sessionId?: string, extraHeaders?: Record<string, string>): Promise<Response> {
+  const headers: Record<string, string> = {
+    "Content-Type": "application/json",
+    Accept: "application/json, text/event-stream",
+    ...extraHeaders
+  };
+
+  if (sessionId) {
+    baseUrl.searchParams.set('sessionId', sessionId);
+  }
+
+  return fetch(baseUrl, {
+    method: "POST",
+    headers,
+    body: JSON.stringify(message),
+  });
+}
+
 describe('SSEServerTransport', () => {
+
+  async function initializeServer(baseUrl: URL): Promise<void> {
+    const response = await sendSsePostRequest(baseUrl, {
+      jsonrpc: "2.0",
+      method: "initialize",
+      params: {
+        clientInfo: { name: "test-client", version: "1.0" },
+        protocolVersion: "2025-03-26",
+        capabilities: {
+        },
+      },
+  
+      id: "init-1",
+    } as JSONRPCMessage);
+
+    expect(response.status).toBe(202);
+
+    const text = await readAllSSEEvents(response);
+
+    expect(text).toHaveLength(1);
+    expect(text[0]).toBe('Accepted');
+  }
+
   describe('start method', () => { 
     it('should correctly append sessionId to a simple relative endpoint', async () => { 
       const mockRes = createMockResponse();
@@ -105,5 +231,71 @@ describe('SSEServerTransport', () => {
         `event: endpoint\ndata: /?sessionId=${expectedSessionId}\n\n`
       );
     });
+
+     /***
+   * Test: Tool With Request Info
+   */
+  it("should pass request info to tool callback", async () => {
+    const mockRes = createMockResponse();
+    const { mcpServer, baseUrl, sessionId, serverPort } = await createTestServerWithSse({ mockRes });
+    await initializeServer(baseUrl);
+
+    mcpServer.tool(
+      "test-request-info",
+      "A simple test tool with request info",
+      { name: z.string().describe("Name to greet") },
+      async ({ name }, { requestInfo }): Promise<CallToolResult> => {
+        return { content: [{ type: "text", text: `Hello, ${name}!` }, { type: "text", text: `${JSON.stringify(requestInfo)}` }] };
+      }
+    );
+   
+    const toolCallMessage: JSONRPCMessage = {
+      jsonrpc: "2.0",
+      method: "tools/call",
+      params: {
+        name: "test-request-info",
+        arguments: {
+          name: "Test User",
+        },
+      },
+      id: "call-1",
+    };
+
+    const response = await sendSsePostRequest(baseUrl, toolCallMessage, sessionId);
+
+    expect(response.status).toBe(202);
+
+    expect(mockRes.write).toHaveBeenCalledWith(`event: endpoint\ndata: /messages?sessionId=${sessionId}\n\n`);
+
+    const expectedMessage = {
+      result: {
+        content: [
+          {
+            type: "text",
+            text: "Hello, Test User!",
+          },
+          {
+            type: "text",
+            text: JSON.stringify({
+              headers: {
+                host: `127.0.0.1:${serverPort}`,
+                connection: 'keep-alive',
+                'content-type': 'application/json',
+                accept: 'application/json, text/event-stream',
+                'accept-language': '*',
+                'sec-fetch-mode': 'cors',
+                'user-agent': 'node',
+                'accept-encoding': 'gzip, deflate',
+                'content-length': '124'
+              },
+            })
+          },
+        ],
+      },
+      jsonrpc: "2.0",
+      id: "call-1",
+    };
+    expect(mockRes.write).toHaveBeenCalledWith(`event: message\ndata: ${JSON.stringify(expectedMessage)}\n\n`);
+  });
   });
 });
diff --git a/src/server/sse.ts b/src/server/sse.ts
index 03f6fefc9..bac58c80a 100644
--- a/src/server/sse.ts
+++ b/src/server/sse.ts
@@ -5,6 +5,7 @@ import { JSONRPCMessage, JSONRPCMessageSchema } from "../types.js";
 import getRawBody from "raw-body";
 import contentType from "content-type";
 import { AuthInfo } from "./auth/types.js";
+import { MessageExtraInfo, RequestInfo } from "./types/types.js";
 import { URL } from 'url';
 
 const MAXIMUM_MESSAGE_SIZE = "4mb";
@@ -20,7 +21,7 @@ export class SSEServerTransport implements Transport {
 
   onclose?: () => void;
   onerror?: (error: Error) => void;
-  onmessage?: (message: JSONRPCMessage, extra?: { authInfo?: AuthInfo }) => void;
+  onmessage?: (message: JSONRPCMessage, extra: { authInfo?: AuthInfo, requestInfo: RequestInfo }) => void;
 
   /**
    * Creates a new SSE server transport, which will direct the client to POST messages to the relative or absolute URL identified by `_endpoint`.
@@ -87,6 +88,7 @@ export class SSEServerTransport implements Transport {
       throw new Error(message);
     }
     const authInfo: AuthInfo | undefined = req.auth;
+    const requestInfo: RequestInfo = { headers: req.headers };
 
     let body: string | unknown;
     try {
@@ -106,7 +108,7 @@ export class SSEServerTransport implements Transport {
     }
 
     try {
-      await this.handleMessage(typeof body === 'string' ? JSON.parse(body) : body, { authInfo });
+      await this.handleMessage(typeof body === 'string' ? JSON.parse(body) : body, { requestInfo, authInfo });
     } catch {
       res.writeHead(400).end(`Invalid message: ${body}`);
       return;
@@ -118,7 +120,7 @@ export class SSEServerTransport implements Transport {
   /**
    * Handle a client message, regardless of how it arrived. This can be used to inform the server of messages that arrive via a means different than HTTP POST.
    */
-  async handleMessage(message: unknown, extra?: { authInfo?: AuthInfo }): Promise<void> {
+  async handleMessage(message: unknown, extra: MessageExtraInfo): Promise<void> {
     let parsedMessage: JSONRPCMessage;
     try {
       parsedMessage = JSONRPCMessageSchema.parse(message);
diff --git a/src/server/streamableHttp.test.ts b/src/server/streamableHttp.test.ts
index b961f6c41..83af86cc8 100644
--- a/src/server/streamableHttp.test.ts
+++ b/src/server/streamableHttp.test.ts
@@ -206,6 +206,7 @@ function expectErrorResponse(data: unknown, expectedCode: number, expectedMessag
 
 describe("StreamableHTTPServerTransport", () => {
   let server: Server;
+  let mcpServer: McpServer;
   let transport: StreamableHTTPServerTransport;
   let baseUrl: URL;
   let sessionId: string;
@@ -214,6 +215,7 @@ describe("StreamableHTTPServerTransport", () => {
     const result = await createTestServer();
     server = result.server;
     transport = result.transport;
+    mcpServer = result.mcpServer;
     baseUrl = result.baseUrl;
   });
 
@@ -345,6 +347,69 @@ describe("StreamableHTTPServerTransport", () => {
     });
   });
 
+  /***
+   * Test: Tool With Request Info
+   */
+  it("should pass request info to tool callback", async () => {
+    sessionId = await initializeServer();
+
+    mcpServer.tool(
+      "test-request-info",
+      "A simple test tool with request info",
+      { name: z.string().describe("Name to greet") },
+      async ({ name }, { requestInfo }): Promise<CallToolResult> => {
+        return { content: [{ type: "text", text: `Hello, ${name}!` }, { type: "text", text: `${JSON.stringify(requestInfo)}` }] };
+      }
+    );
+   
+    const toolCallMessage: JSONRPCMessage = {
+      jsonrpc: "2.0",
+      method: "tools/call",
+      params: {
+        name: "test-request-info",
+        arguments: {
+          name: "Test User",
+        },
+      },
+      id: "call-1",
+    };
+
+    const response = await sendPostRequest(baseUrl, toolCallMessage, sessionId);
+    expect(response.status).toBe(200);
+
+    const text = await readSSEEvent(response);
+    const eventLines = text.split("\n");
+    const dataLine = eventLines.find(line => line.startsWith("data:"));
+    expect(dataLine).toBeDefined();
+
+    const eventData = JSON.parse(dataLine!.substring(5));
+
+    expect(eventData).toMatchObject({
+      jsonrpc: "2.0",
+      result: {
+        content: [
+          { type: "text", text: "Hello, Test User!" },
+          { type: "text", text: expect.any(String) }
+        ],
+      },
+      id: "call-1",
+    });
+
+    const requestInfo = JSON.parse(eventData.result.content[1].text);
+    expect(requestInfo).toMatchObject({
+      headers: {
+        'content-type': 'application/json',
+        accept: 'application/json, text/event-stream',
+        connection: 'keep-alive',
+        'mcp-session-id': sessionId,
+        'accept-language': '*',
+        'user-agent': expect.any(String),
+        'accept-encoding': expect.any(String),
+        'content-length': expect.any(String),
+      },
+    });
+  });
+
   it("should reject requests without a valid session ID", async () => {
     const response = await sendPostRequest(baseUrl, TEST_MESSAGES.toolsList);
 
diff --git a/src/server/streamableHttp.ts b/src/server/streamableHttp.ts
index dc99c3065..779410957 100644
--- a/src/server/streamableHttp.ts
+++ b/src/server/streamableHttp.ts
@@ -5,6 +5,7 @@ import getRawBody from "raw-body";
 import contentType from "content-type";
 import { randomUUID } from "node:crypto";
 import { AuthInfo } from "./auth/types.js";
+import { MessageExtraInfo, RequestInfo } from "./types/types.js";
 
 const MAXIMUM_MESSAGE_SIZE = "4mb";
 
@@ -113,7 +114,7 @@ export class StreamableHTTPServerTransport implements Transport {
   sessionId?: string | undefined;
   onclose?: () => void;
   onerror?: (error: Error) => void;
-  onmessage?: (message: JSONRPCMessage, extra?: { authInfo?: AuthInfo }) => void;
+  onmessage?: (message: JSONRPCMessage, extra: MessageExtraInfo) => void;
 
   constructor(options: StreamableHTTPServerTransportOptions) {
     this.sessionIdGenerator = options.sessionIdGenerator;
@@ -318,6 +319,7 @@ export class StreamableHTTPServerTransport implements Transport {
       }
 
       const authInfo: AuthInfo | undefined = req.auth;
+      const requestInfo: RequestInfo = { headers: req.headers };
 
       let rawMessage;
       if (parsedBody !== undefined) {
@@ -395,7 +397,7 @@ export class StreamableHTTPServerTransport implements Transport {
 
         // handle each message
         for (const message of messages) {
-          this.onmessage?.(message, { authInfo });
+          this.onmessage?.(message, { authInfo, requestInfo });
         }
       } else if (hasRequests) {
         // The default behavior is to use SSE streaming
@@ -430,7 +432,7 @@ export class StreamableHTTPServerTransport implements Transport {
 
         // handle each message
         for (const message of messages) {
-          this.onmessage?.(message, { authInfo });
+          this.onmessage?.(message, { authInfo, requestInfo });
         }
         // The server SHOULD NOT close the SSE stream before sending all JSON-RPC responses
         // This will be handled by the send() method when responses are ready
diff --git a/src/server/types/types.ts b/src/server/types/types.ts
new file mode 100644
index 000000000..1114e50b7
--- /dev/null
+++ b/src/server/types/types.ts
@@ -0,0 +1,31 @@
+import { AuthInfo } from "../auth/types.js";
+
+/**
+ * Headers that are compatible with both Node.js and the browser.
+ */
+export type IsomorphicHeaders = Record<string, string | string[] | undefined>;
+
+/**
+ * Information about the incoming request.
+ */
+export interface RequestInfo {
+  /**
+   * The headers of the request.
+   */
+  headers: IsomorphicHeaders;
+}
+
+/**
+ * Extra information about a message.
+ */
+export interface MessageExtraInfo {
+  /**
+   * The request information.
+   */
+  requestInfo: RequestInfo;
+
+  /**
+   * The authentication information.
+   */
+  authInfo?: AuthInfo;
+}
\ No newline at end of file
diff --git a/src/shared/protocol.test.ts b/src/shared/protocol.test.ts
index e0141da19..05bc8f3bc 100644
--- a/src/shared/protocol.test.ts
+++ b/src/shared/protocol.test.ts
@@ -27,9 +27,11 @@ class MockTransport implements Transport {
 describe("protocol tests", () => {
   let protocol: Protocol<Request, Notification, Result>;
   let transport: MockTransport;
+  let sendSpy: jest.SpyInstance;
 
   beforeEach(() => {
     transport = new MockTransport();
+    sendSpy = jest.spyOn(transport, 'send');
     protocol = new (class extends Protocol<Request, Notification, Result> {
       protected assertCapabilityForMethod(): void {}
       protected assertNotificationCapability(): void {}
@@ -63,6 +65,130 @@ describe("protocol tests", () => {
     expect(oncloseMock).toHaveBeenCalled();
   });
 
+  describe("_meta preservation with onprogress", () => {
+    test("should preserve existing _meta when adding progressToken", async () => {
+      await protocol.connect(transport);
+      const request = { 
+        method: "example", 
+        params: {
+          data: "test",
+          _meta: {
+            customField: "customValue",
+            anotherField: 123
+          }
+        }
+      };
+      const mockSchema: ZodType<{ result: string }> = z.object({
+        result: z.string(),
+      });
+      const onProgressMock = jest.fn();
+      
+      protocol.request(request, mockSchema, {
+        onprogress: onProgressMock,
+      });
+      
+      expect(sendSpy).toHaveBeenCalledWith(expect.objectContaining({
+        method: "example",
+        params: {
+          data: "test",
+          _meta: {
+            customField: "customValue",
+            anotherField: 123,
+            progressToken: expect.any(Number)
+          }
+        },
+        jsonrpc: "2.0",
+        id: expect.any(Number)
+      }), expect.any(Object));
+    });
+
+    test("should create _meta with progressToken when no _meta exists", async () => {
+      await protocol.connect(transport);
+      const request = { 
+        method: "example", 
+        params: {
+          data: "test"
+        }
+      };
+      const mockSchema: ZodType<{ result: string }> = z.object({
+        result: z.string(),
+      });
+      const onProgressMock = jest.fn();
+      
+      protocol.request(request, mockSchema, {
+        onprogress: onProgressMock,
+      });
+      
+      expect(sendSpy).toHaveBeenCalledWith(expect.objectContaining({
+        method: "example",
+        params: {
+          data: "test",
+          _meta: {
+            progressToken: expect.any(Number)
+          }
+        },
+        jsonrpc: "2.0",
+        id: expect.any(Number)
+      }), expect.any(Object));
+    });
+
+    test("should not modify _meta when onprogress is not provided", async () => {
+      await protocol.connect(transport);
+      const request = { 
+        method: "example", 
+        params: {
+          data: "test",
+          _meta: {
+            customField: "customValue"
+          }
+        }
+      };
+      const mockSchema: ZodType<{ result: string }> = z.object({
+        result: z.string(),
+      });
+      
+      protocol.request(request, mockSchema);
+      
+      expect(sendSpy).toHaveBeenCalledWith(expect.objectContaining({
+        method: "example",
+        params: {
+          data: "test",
+          _meta: {
+            customField: "customValue"
+          }
+        },
+        jsonrpc: "2.0",
+        id: expect.any(Number)
+      }), expect.any(Object));
+    });
+
+    test("should handle params being undefined with onprogress", async () => {
+      await protocol.connect(transport);
+      const request = { 
+        method: "example"
+      };
+      const mockSchema: ZodType<{ result: string }> = z.object({
+        result: z.string(),
+      });
+      const onProgressMock = jest.fn();
+      
+      protocol.request(request, mockSchema, {
+        onprogress: onProgressMock,
+      });
+      
+      expect(sendSpy).toHaveBeenCalledWith(expect.objectContaining({
+        method: "example",
+        params: {
+          _meta: {
+            progressToken: expect.any(Number)
+          }
+        },
+        jsonrpc: "2.0",
+        id: expect.any(Number)
+      }), expect.any(Object));
+    });
+  });
+
   describe("progress notification timeout behavior", () => {
     beforeEach(() => {
       jest.useFakeTimers();
diff --git a/src/shared/protocol.ts b/src/shared/protocol.ts
index 4694929d7..ae539c177 100644
--- a/src/shared/protocol.ts
+++ b/src/shared/protocol.ts
@@ -25,6 +25,7 @@ import {
 } from "../types.js";
 import { Transport, TransportSendOptions } from "./transport.js";
 import { AuthInfo } from "../server/auth/types.js";
+import { MessageExtraInfo, RequestInfo } from "../server/types/types.js";
 
 /**
  * Callback for progress notifications.
@@ -127,6 +128,11 @@ export type RequestHandlerExtra<SendRequestT extends Request,
      */
     requestId: RequestId;
 
+    /**
+     * The original HTTP request.
+     */
+    requestInfo: RequestInfo;
+
     /**
      * Sends a notification that relates to the current request being handled.
      * 
@@ -339,7 +345,7 @@ export abstract class Protocol<
       );
   }
 
-  private _onrequest(request: JSONRPCRequest, extra?: { authInfo?: AuthInfo }): void {
+  private _onrequest(request: JSONRPCRequest, extra: MessageExtraInfo): void {
     const handler =
       this._requestHandlers.get(request.method) ?? this.fallbackRequestHandler;
 
@@ -375,6 +381,7 @@ export abstract class Protocol<
         this.request(r, resultSchema, { ...options, relatedRequestId: request.id }),
       authInfo: extra?.authInfo,
       requestId: request.id,
+      requestInfo: extra.requestInfo
     };
 
     // Starting with Promise.resolve() puts any synchronous errors into the monad as well.
@@ -541,7 +548,10 @@ export abstract class Protocol<
         this._progressHandlers.set(messageId, options.onprogress);
         jsonrpcRequest.params = {
           ...request.params,
-          _meta: { progressToken: messageId },
+          _meta: {
+            ...(request.params?._meta || {}),
+            progressToken: messageId
+          },
         };
       }
 
diff --git a/src/shared/transport.ts b/src/shared/transport.ts
index fe0a60e6d..9279b0ea5 100644
--- a/src/shared/transport.ts
+++ b/src/shared/transport.ts
@@ -1,4 +1,4 @@
-import { AuthInfo } from "../server/auth/types.js";
+import { MessageExtraInfo } from "../server/types/types.js";
 import { JSONRPCMessage, RequestId } from "../types.js";
 
 /**
@@ -66,10 +66,11 @@ export interface Transport {
   /**
    * Callback for when a message (request or response) is received over the connection.
    * 
-   * Includes the authInfo if the transport is authenticated.
+   * Includes the requestInfo and authInfo if the transport is authenticated.
    * 
+   * The requestInfo can be used to get the original request information (headers, etc.)
    */
-  onmessage?: (message: JSONRPCMessage, extra?: { authInfo?: AuthInfo }) => void;
+  onmessage?: (message: JSONRPCMessage, extra: MessageExtraInfo) => void;
 
   /**
    * The session ID generated for this connection.

From e7284d29c8271f62208caf4a90d70d2a2cd46bee Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Sun, 15 Jun 2025 18:47:44 +0100
Subject: [PATCH 038/147] added _meta to more objects

---
 src/types.ts | 45 ++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 40 insertions(+), 5 deletions(-)

diff --git a/src/types.ts b/src/types.ts
index 740b6c439..822ba8d77 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -44,8 +44,8 @@ export const RequestSchema = z.object({
 const BaseNotificationParamsSchema = z
   .object({
     /**
-     * This parameter name is reserved by MCP to allow clients and servers to attach additional metadata to their notifications.
-     */
+     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
+    */
     _meta: z.optional(z.object({}).passthrough()),
   })
   .passthrough();
@@ -58,8 +58,8 @@ export const NotificationSchema = z.object({
 export const ResultSchema = z
   .object({
     /**
-     * This result property is reserved by the protocol to allow clients and servers to attach additional metadata to their responses.
-     */
+     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
+    */
     _meta: z.optional(z.object({}).passthrough()),
   })
   .passthrough();
@@ -463,6 +463,11 @@ export const ResourceSchema = z
      * The MIME type of this resource, if known.
      */
     mimeType: z.optional(z.string()),
+
+    /**
+     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
+    */
+    _meta: z.optional(z.object({}).passthrough()),
   })
   .passthrough();
 
@@ -494,6 +499,11 @@ export const ResourceTemplateSchema = z
      * The MIME type for all resources that match this template. This should only be included if all resources matching this template have the same type.
      */
     mimeType: z.optional(z.string()),
+
+    /**
+     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
+    */
+    _meta: z.optional(z.object({}).passthrough()),
   })
   .passthrough();
 
@@ -677,6 +687,11 @@ export const TextContentSchema = z
      * The text content of the message.
      */
     text: z.string(),
+
+    /**
+     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
+    */
+    _meta: z.optional(z.object({}).passthrough()),
   })
   .passthrough();
 
@@ -694,6 +709,11 @@ export const ImageContentSchema = z
      * The MIME type of the image. Different providers may support different image types.
      */
     mimeType: z.string(),
+
+    /**
+     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
+    */
+    _meta: z.optional(z.object({}).passthrough()),
   })
   .passthrough();
 
@@ -711,6 +731,11 @@ export const AudioContentSchema = z
      * The MIME type of the audio. Different providers may support different audio types.
      */
     mimeType: z.string(),
+
+    /**
+     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
+    */
+    _meta: z.optional(z.object({}).passthrough()),
   })
   .passthrough();
 
@@ -847,12 +872,17 @@ export const ToolSchema = z
         properties: z.optional(z.object({}).passthrough()),
         required: z.optional(z.array(z.string())),
       })
-      .passthrough()
+        .passthrough()
     ),
     /**
      * Optional additional tool information.
      */
     annotations: z.optional(ToolAnnotationsSchema),
+
+    /**
+     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
+    */
+    _meta: z.optional(z.object({}).passthrough()),
   })
   .passthrough();
 
@@ -1182,6 +1212,11 @@ export const RootSchema = z
      * An optional name for the root.
      */
     name: z.optional(z.string()),
+
+    /**
+     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
+    */
+    _meta: z.optional(z.object({}).passthrough()),
   })
   .passthrough();
 

From 4d03b243e37a6b1965c8cbe601cd37c94b9b0080 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Sun, 15 Jun 2025 20:42:25 +0100
Subject: [PATCH 039/147] add title

---
 README.md                                   | 138 +++++++++---
 src/examples/client/simpleStreamableHttp.ts |   7 +-
 src/examples/server/simpleStreamableHttp.ts |  29 ++-
 src/server/mcp.ts                           | 158 +++++++++++++-
 src/server/title.test.ts                    | 194 +++++++++++++++++
 src/shared/metadataUtils.ts                 |  21 ++
 src/types.ts                                | 223 +++++++++-----------
 7 files changed, 599 insertions(+), 171 deletions(-)
 create mode 100644 src/server/title.test.ts
 create mode 100644 src/shared/metadataUtils.ts

diff --git a/README.md b/README.md
index c9e27c275..d13378b53 100644
--- a/README.md
+++ b/README.md
@@ -54,26 +54,35 @@ import { z } from "zod";
 
 // Create an MCP server
 const server = new McpServer({
-  name: "Demo",
-  version: "1.0.0"
+  name: "demo-server",
+  version: "1.0.0",
+  title: "Demo Server"  // Optional display name
 });
 
 // Add an addition tool
-server.tool("add",
-  { a: z.number(), b: z.number() },
+server.registerTool("add",
+  {
+    title: "Addition Tool",
+    description: "Add two numbers",
+    inputSchema: { a: z.number(), b: z.number() }
+  },
   async ({ a, b }) => ({
     content: [{ type: "text", text: String(a + b) }]
   })
 );
 
 // Add a dynamic greeting resource
-server.resource(
+server.registerResource(
   "greeting",
   new ResourceTemplate("greeting://{name}", { list: undefined }),
-  async (uri, { name }) => ({
+  { 
+    title: "Greeting Resource",      // Display name for UI
+    description: "Dynamic greeting generator"
+  },
+  async (uri, params) => ({
     contents: [{
       uri: uri.href,
-      text: `Hello, ${name}!`
+      text: `Hello, ${params.name}!`
     }]
   })
 );
@@ -100,8 +109,9 @@ The McpServer is your core interface to the MCP protocol. It handles connection
 
 ```typescript
 const server = new McpServer({
-  name: "My App",
-  version: "1.0.0"
+  name: "my-app",              // Unique identifier for your server
+  version: "1.0.0",            // Server version
+  title: "My Application"      // Optional display name for UI
 });
 ```
 
@@ -111,9 +121,14 @@ Resources are how you expose data to LLMs. They're similar to GET endpoints in a
 
 ```typescript
 // Static resource
-server.resource(
+server.registerResource(
   "config",
   "config://app",
+  {
+    title: "Application Config",
+    description: "Application configuration data",
+    mimeType: "text/plain"
+  },
   async (uri) => ({
     contents: [{
       uri: uri.href,
@@ -123,13 +138,17 @@ server.resource(
 );
 
 // Dynamic resource with parameters
-server.resource(
+server.registerResource(
   "user-profile",
   new ResourceTemplate("users://{userId}/profile", { list: undefined }),
-  async (uri, { userId }) => ({
+  {
+    title: "User Profile",
+    description: "User profile information"
+  },
+  async (uri, params) => ({
     contents: [{
       uri: uri.href,
-      text: `Profile data for user ${userId}`
+      text: `Profile data for user ${params.userId}`
     }]
   })
 );
@@ -141,11 +160,15 @@ Tools let LLMs take actions through your server. Unlike resources, tools are exp
 
 ```typescript
 // Simple tool with parameters
-server.tool(
+server.registerTool(
   "calculate-bmi",
   {
-    weightKg: z.number(),
-    heightM: z.number()
+    title: "BMI Calculator",
+    description: "Calculate Body Mass Index",
+    inputSchema: {
+      weightKg: z.number(),
+      heightM: z.number()
+    }
   },
   async ({ weightKg, heightM }) => ({
     content: [{
@@ -156,9 +179,13 @@ server.tool(
 );
 
 // Async tool with external API call
-server.tool(
+server.registerTool(
   "fetch-weather",
-  { city: z.string() },
+  {
+    title: "Weather Fetcher",
+    description: "Get weather data for a city",
+    inputSchema: { city: z.string() }
+  },
   async ({ city }) => {
     const response = await fetch(`https://api.weather.com/${city}`);
     const data = await response.text();
@@ -174,9 +201,13 @@ server.tool(
 Prompts are reusable templates that help LLMs interact with your server effectively:
 
 ```typescript
-server.prompt(
+server.registerPrompt(
   "review-code",
-  { code: z.string() },
+  {
+    title: "Code Review",
+    description: "Review code for best practices and potential issues",
+    arguments: { code: z.string() }
+  },
   ({ code }) => ({
     messages: [{
       role: "user",
@@ -189,6 +220,22 @@ server.prompt(
 );
 ```
 
+### Display Names and Metadata
+
+All resources, tools, and prompts support an optional `title` field for better UI presentation. The `title` is used as a display name, while `name` remains the unique identifier.
+
+**Note:** The `register*` methods (`registerTool`, `registerPrompt`, `registerResource`) are the recommended approach for new code. The older methods (`tool`, `prompt`, `resource`) remain available for backwards compatibility.
+
+
+When building clients, use the provided utility to get the appropriate display name:
+
+```typescript
+import { getDisplayName } from "@modelcontextprotocol/sdk/shared/metadataUtils.js";
+
+// Falls back to 'name' if 'title' is not provided
+const displayName = getDisplayName(tool);  // Returns title if available, otherwise name
+```
+
 ## Running Your Server
 
 MCP servers in TypeScript need to be connected to a transport to communicate with clients. How you start the server depends on the choice of transport:
@@ -401,32 +448,45 @@ import { McpServer, ResourceTemplate } from "@modelcontextprotocol/sdk/server/mc
 import { z } from "zod";
 
 const server = new McpServer({
-  name: "Echo",
-  version: "1.0.0"
+  name: "echo-server",
+  version: "1.0.0",
+  title: "Echo Server"
 });
 
-server.resource(
+server.registerResource(
   "echo",
   new ResourceTemplate("echo://{message}", { list: undefined }),
-  async (uri, { message }) => ({
+  {
+    title: "Echo Resource",
+    description: "Echoes back messages as resources"
+  },
+  async (uri, params) => ({
     contents: [{
       uri: uri.href,
-      text: `Resource echo: ${message}`
+      text: `Resource echo: ${params.message}`
     }]
   })
 );
 
-server.tool(
+server.registerTool(
   "echo",
-  { message: z.string() },
+  {
+    title: "Echo Tool",
+    description: "Echoes back the provided message",
+    inputSchema: { message: z.string() }
+  },
   async ({ message }) => ({
     content: [{ type: "text", text: `Tool echo: ${message}` }]
   })
 );
 
-server.prompt(
+server.registerPrompt(
   "echo",
-  { message: z.string() },
+  {
+    title: "Echo Prompt",
+    description: "Creates a prompt to process a message",
+    arguments: { message: z.string() }
+  },
   ({ message }) => ({
     messages: [{
       role: "user",
@@ -450,8 +510,9 @@ import { promisify } from "util";
 import { z } from "zod";
 
 const server = new McpServer({
-  name: "SQLite Explorer",
-  version: "1.0.0"
+  name: "sqlite-explorer",
+  version: "1.0.0",
+  title: "SQLite Explorer"
 });
 
 // Helper to create DB connection
@@ -463,9 +524,14 @@ const getDb = () => {
   };
 };
 
-server.resource(
+server.registerResource(
   "schema",
   "schema://main",
+  {
+    title: "Database Schema",
+    description: "SQLite database schema",
+    mimeType: "text/plain"
+  },
   async (uri) => {
     const db = getDb();
     try {
@@ -484,9 +550,13 @@ server.resource(
   }
 );
 
-server.tool(
+server.registerTool(
   "query",
-  { sql: z.string() },
+  {
+    title: "SQL Query",
+    description: "Execute SQL queries on the database",
+    inputSchema: { sql: z.string() }
+  },
   async ({ sql }) => {
     const db = getDb();
     try {
diff --git a/src/examples/client/simpleStreamableHttp.ts b/src/examples/client/simpleStreamableHttp.ts
index 19d32bbcf..63d7d60a9 100644
--- a/src/examples/client/simpleStreamableHttp.ts
+++ b/src/examples/client/simpleStreamableHttp.ts
@@ -15,6 +15,7 @@ import {
   LoggingMessageNotificationSchema,
   ResourceListChangedNotificationSchema,
 } from '../../types.js';
+import { getDisplayName } from '../../shared/metadataUtils.js';
 
 // Create readline interface for user input
 const readline = createInterface({
@@ -317,7 +318,7 @@ async function listTools(): Promise<void> {
       console.log('  No tools available');
     } else {
       for (const tool of toolsResult.tools) {
-        console.log(`  - ${tool.name}: ${tool.description}`);
+        console.log(`  - ${getDisplayName(tool)}: ${tool.description}`);
       }
     }
   } catch (error) {
@@ -429,7 +430,7 @@ async function listPrompts(): Promise<void> {
       console.log('  No prompts available');
     } else {
       for (const prompt of promptsResult.prompts) {
-        console.log(`  - ${prompt.name}: ${prompt.description}`);
+        console.log(`  - ${getDisplayName(prompt)}: ${prompt.description}`);
       }
     }
   } catch (error) {
@@ -480,7 +481,7 @@ async function listResources(): Promise<void> {
       console.log('  No resources available');
     } else {
       for (const resource of resourcesResult.resources) {
-        console.log(`  - ${resource.name}: ${resource.uri}`);
+        console.log(`  - ${getDisplayName(resource)}: ${resource.uri}`);
       }
     }
   } catch (error) {
diff --git a/src/examples/server/simpleStreamableHttp.ts b/src/examples/server/simpleStreamableHttp.ts
index 6c3311920..b66be93d0 100644
--- a/src/examples/server/simpleStreamableHttp.ts
+++ b/src/examples/server/simpleStreamableHttp.ts
@@ -18,14 +18,18 @@ const getServer = () => {
   const server = new McpServer({
     name: 'simple-streamable-http-server',
     version: '1.0.0',
+    title: 'Simple Streamable HTTP Server',  // Display name for UI
   }, { capabilities: { logging: {} } });
 
   // Register a simple tool that returns a greeting
-  server.tool(
+  server.registerTool(
     'greet',
-    'A simple greeting tool',
     {
-      name: z.string().describe('Name to greet'),
+      title: 'Greeting Tool',  // Display name for UI
+      description: 'A simple greeting tool',
+      inputSchema: {
+        name: z.string().describe('Name to greet'),
+      },
     },
     async ({ name }): Promise<CallToolResult> => {
       return {
@@ -84,12 +88,15 @@ const getServer = () => {
     }
   );
 
-  // Register a simple prompt
-  server.prompt(
+  // Register a simple prompt with title
+  server.registerPrompt(
     'greeting-template',
-    'A simple greeting prompt template',
     {
-      name: z.string().describe('Name to include in greeting'),
+      title: 'Greeting Template',  // Display name for UI
+      description: 'A simple greeting prompt template',
+      arguments: {
+        name: z.string().describe('Name to include in greeting'),
+      },
     },
     async ({ name }): Promise<GetPromptResult> => {
       return {
@@ -148,10 +155,14 @@ const getServer = () => {
   );
 
   // Create a simple resource at a fixed URI
-  server.resource(
+  server.registerResource(
     'greeting-resource',
     'https://example.com/greetings/default',
-    { mimeType: 'text/plain' },
+    { 
+      title: 'Default Greeting',  // Display name for UI
+      description: 'A simple greeting resource',
+      mimeType: 'text/plain' 
+    },
     async (): Promise<ReadResourceResult> => {
       return {
         contents: [
diff --git a/src/server/mcp.ts b/src/server/mcp.ts
index 7fba043f0..7c77add13 100644
--- a/src/server/mcp.ts
+++ b/src/server/mcp.ts
@@ -122,6 +122,10 @@ export class McpServer {
               annotations: tool.annotations,
             };
 
+            if (tool.title !== undefined) {
+              toolDefinition.title = tool.title;
+            }
+
             if (tool.outputSchema) {
               toolDefinition.outputSchema = zodToJsonSchema(
                 tool.outputSchema, 
@@ -467,13 +471,19 @@ export class McpServer {
           ([, prompt]) => prompt.enabled,
         ).map(
           ([name, prompt]): Prompt => {
-            return {
+            const promptDefinition: Prompt = {
               name,
               description: prompt.description,
               arguments: prompt.argsSchema
                 ? promptArgumentsFromSchema(prompt.argsSchema)
                 : undefined,
             };
+
+            if (prompt.title !== undefined) {
+              promptDefinition.title = prompt.title;
+            }
+
+            return promptDefinition;
           },
         ),
       }),
@@ -634,6 +644,83 @@ export class McpServer {
     }
   }
 
+  /**
+   * Registers a resource with a config object and callback.
+   * For static resources, use a URI string. For dynamic resources, use a ResourceTemplate.
+   */
+  registerResource(
+    name: string,
+    uriOrTemplate: string | ResourceTemplate,
+    config: ResourceMetadata & {
+      title?: string;
+      description?: string;
+      mimeType?: string;
+    },
+    readCallback: ReadResourceCallback | ReadResourceTemplateCallback
+  ): RegisteredResource | RegisteredResourceTemplate {
+    if (typeof uriOrTemplate === "string") {
+      if (this._registeredResources[uriOrTemplate]) {
+        throw new Error(`Resource ${uriOrTemplate} is already registered`);
+      }
+
+      const registeredResource: RegisteredResource = {
+        name,
+        metadata: config,
+        readCallback: readCallback as ReadResourceCallback,
+        enabled: true,
+        disable: () => registeredResource.update({ enabled: false }),
+        enable: () => registeredResource.update({ enabled: true }),
+        remove: () => registeredResource.update({ uri: null }),
+        update: (updates) => {
+          if (typeof updates.uri !== "undefined" && updates.uri !== uriOrTemplate) {
+            delete this._registeredResources[uriOrTemplate]
+            if (updates.uri) this._registeredResources[updates.uri] = registeredResource
+          }
+          if (typeof updates.name !== "undefined") registeredResource.name = updates.name
+          if (typeof updates.metadata !== "undefined") registeredResource.metadata = updates.metadata
+          if (typeof updates.callback !== "undefined") registeredResource.readCallback = updates.callback
+          if (typeof updates.enabled !== "undefined") registeredResource.enabled = updates.enabled
+          this.sendResourceListChanged()
+        },
+      };
+      this._registeredResources[uriOrTemplate] = registeredResource;
+
+      this.setResourceRequestHandlers();
+      this.sendResourceListChanged();
+      return registeredResource;
+    } else {
+      if (this._registeredResourceTemplates[name]) {
+        throw new Error(`Resource template ${name} is already registered`);
+      }
+
+      const registeredResourceTemplate: RegisteredResourceTemplate = {
+        resourceTemplate: uriOrTemplate,
+        metadata: config,
+        readCallback: readCallback as ReadResourceTemplateCallback,
+        enabled: true,
+        disable: () => registeredResourceTemplate.update({ enabled: false }),
+        enable: () => registeredResourceTemplate.update({ enabled: true }),
+        remove: () => registeredResourceTemplate.update({ name: null }),
+        update: (updates) => {
+          if (typeof updates.name !== "undefined" && updates.name !== name) {
+            delete this._registeredResourceTemplates[name]
+            if (updates.name) this._registeredResourceTemplates[updates.name] = registeredResourceTemplate
+          }
+          if (typeof updates.template !== "undefined") registeredResourceTemplate.resourceTemplate = updates.template
+          if (typeof updates.metadata !== "undefined") registeredResourceTemplate.metadata = updates.metadata
+          if (typeof updates.callback !== "undefined") registeredResourceTemplate.readCallback = updates.callback
+          if (typeof updates.enabled !== "undefined") registeredResourceTemplate.enabled = updates.enabled
+          this.sendResourceListChanged()
+        },
+      };
+      this._registeredResourceTemplates[name] = registeredResourceTemplate;
+
+      this.setResourceRequestHandlers();
+      this.sendResourceListChanged();
+      return registeredResourceTemplate;
+    }
+  }
+
   private _createRegisteredTool(
     name: string,
     description: string | undefined,
@@ -659,6 +746,7 @@ export class McpServer {
           delete this._registeredTools[name]
           if (updates.name) this._registeredTools[updates.name] = registeredTool
         }
+        if (typeof updates.title !== "undefined") registeredTool.title = updates.title
         if (typeof updates.description !== "undefined") registeredTool.description = updates.description
         if (typeof updates.paramsSchema !== "undefined") registeredTool.inputSchema = z.object(updates.paramsSchema)
         if (typeof updates.callback !== "undefined") registeredTool.callback = updates.callback
@@ -789,6 +877,7 @@ export class McpServer {
   registerTool<InputArgs extends ZodRawShape, OutputArgs extends ZodRawShape>(
     name: string,
     config: {
+      title?: string;
       description?: string;
       inputSchema?: InputArgs;
       outputSchema?: OutputArgs;
@@ -800,16 +889,23 @@ export class McpServer {
       throw new Error(`Tool ${name} is already registered`);
     }
 
-    const { description, inputSchema, outputSchema, annotations } = config;
+    const { title, description, inputSchema, outputSchema, annotations } = config;
 
-    return this._createRegisteredTool(
+    const registeredTool = this._createRegisteredTool(
       name,
       description,
       inputSchema,
       outputSchema,
       annotations,
       cb as ToolCallback<ZodRawShape | undefined>
-    )
+    );
+
+    // Set title if provided
+    if (title !== undefined) {
+      registeredTool.title = title;
+    }
+
+    return registeredTool;
   }
 
   /**
@@ -870,6 +966,7 @@ export class McpServer {
           delete this._registeredPrompts[name]
           if (updates.name) this._registeredPrompts[updates.name] = registeredPrompt
         }
+        if (typeof updates.title !== "undefined") registeredPrompt.title = updates.title
         if (typeof updates.description !== "undefined") registeredPrompt.description = updates.description
         if (typeof updates.argsSchema !== "undefined") registeredPrompt.argsSchema = z.object(updates.argsSchema)
         if (typeof updates.callback !== "undefined") registeredPrompt.callback = updates.callback
@@ -885,6 +982,54 @@ export class McpServer {
     return registeredPrompt
   }
 
+  /**
+   * Registers a prompt with a config object and callback.
+   */
+  registerPrompt<Args extends PromptArgsRawShape>(
+    name: string,
+    config: {
+      title?: string;
+      description?: string;
+      arguments?: Args;
+    },
+    cb: PromptCallback<Args>
+  ): RegisteredPrompt {
+    if (this._registeredPrompts[name]) {
+      throw new Error(`Prompt ${name} is already registered`);
+    }
+
+    const { title, description, arguments: argsSchema } = config;
+
+    const registeredPrompt: RegisteredPrompt = {
+      title,
+      description,
+      argsSchema: argsSchema === undefined ? undefined : z.object(argsSchema),
+      callback: cb as PromptCallback<PromptArgsRawShape | undefined>,
+      enabled: true,
+      disable: () => registeredPrompt.update({ enabled: false }),
+      enable: () => registeredPrompt.update({ enabled: true }),
+      remove: () => registeredPrompt.update({ name: null }),
+      update: (updates) => {
+        if (typeof updates.name !== "undefined" && updates.name !== name) {
+          delete this._registeredPrompts[name]
+          if (updates.name) this._registeredPrompts[updates.name] = registeredPrompt
+        }
+        if (typeof updates.title !== "undefined") registeredPrompt.title = updates.title
+        if (typeof updates.description !== "undefined") registeredPrompt.description = updates.description
+        if (typeof updates.argsSchema !== "undefined") registeredPrompt.argsSchema = z.object(updates.argsSchema)
+        if (typeof updates.callback !== "undefined") registeredPrompt.callback = updates.callback
+        if (typeof updates.enabled !== "undefined") registeredPrompt.enabled = updates.enabled
+        this.sendPromptListChanged()
+      },
+    };
+    this._registeredPrompts[name] = registeredPrompt;
+
+    this.setPromptRequestHandlers();
+    this.sendPromptListChanged()
+
+    return registeredPrompt;
+  }
+
   /**
    * Checks if the server is connected to a transport.
    * @returns True if the server is connected
@@ -1000,6 +1145,7 @@ export type ToolCallback<Args extends undefined | ZodRawShape = undefined> =
   : (extra: RequestHandlerExtra<ServerRequest, ServerNotification>) => CallToolResult | Promise<CallToolResult>;
 
 export type RegisteredTool = {
+  title?: string;
   description?: string;
   inputSchema?: AnyZodObject;
   outputSchema?: AnyZodObject;
@@ -1011,6 +1157,7 @@ export type RegisteredTool = {
   update<InputArgs extends ZodRawShape, OutputArgs extends ZodRawShape>(
     updates: { 
       name?: string | null, 
+      title?: string,
       description?: string, 
       paramsSchema?: InputArgs, 
       outputSchema?: OutputArgs, 
@@ -1110,13 +1257,14 @@ export type PromptCallback<
   : (extra: RequestHandlerExtra<ServerRequest, ServerNotification>) => GetPromptResult | Promise<GetPromptResult>;
 
 export type RegisteredPrompt = {
+  title?: string;
   description?: string;
   argsSchema?: ZodObject<PromptArgsRawShape>;
   callback: PromptCallback<undefined | PromptArgsRawShape>;
   enabled: boolean;
   enable(): void;
   disable(): void;
-  update<Args extends PromptArgsRawShape>(updates: { name?: string | null, description?: string, argsSchema?: Args, callback?: PromptCallback<Args>, enabled?: boolean }): void
+  update<Args extends PromptArgsRawShape>(updates: { name?: string | null, title?: string, description?: string, argsSchema?: Args, callback?: PromptCallback<Args>, enabled?: boolean }): void
   remove(): void
 };
 
diff --git a/src/server/title.test.ts b/src/server/title.test.ts
new file mode 100644
index 000000000..7874fb62c
--- /dev/null
+++ b/src/server/title.test.ts
@@ -0,0 +1,194 @@
+import { Server } from "./index.js";
+import { Client } from "../client/index.js";
+import { InMemoryTransport } from "../inMemory.js";
+import { z } from "zod";
+import { McpServer } from "./mcp.js";
+
+describe("Title field backwards compatibility", () => {
+  it("should work with tools that have title", async () => {
+    const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+    
+    const server = new McpServer(
+      { name: "test-server", version: "1.0.0" },
+      { capabilities: {} }
+    );
+    
+    // Register tool with title
+    server.registerTool(
+      "test-tool",
+      {
+        title: "Test Tool Display Name",
+        description: "A test tool",
+        inputSchema: {
+          value: z.string()
+        }
+      },
+      async () => ({ content: [{ type: "text", text: "result" }] })
+    );
+    
+    const client = new Client({ name: "test-client", version: "1.0.0" });
+    
+    await server.server.connect(serverTransport);
+    await client.connect(clientTransport);
+    
+    const tools = await client.listTools();
+    expect(tools.tools).toHaveLength(1);
+    expect(tools.tools[0].name).toBe("test-tool");
+    expect(tools.tools[0].title).toBe("Test Tool Display Name");
+    expect(tools.tools[0].description).toBe("A test tool");
+  });
+
+  it("should work with tools without title", async () => {
+    const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+    
+    const server = new McpServer(
+      { name: "test-server", version: "1.0.0" },
+      { capabilities: {} }
+    );
+    
+    // Register tool without title
+    server.tool(
+      "test-tool",
+      "A test tool",
+      { value: z.string() },
+      async () => ({ content: [{ type: "text", text: "result" }] })
+    );
+    
+    const client = new Client({ name: "test-client", version: "1.0.0" });
+    
+    await server.server.connect(serverTransport);
+    await client.connect(clientTransport);
+    
+    const tools = await client.listTools();
+    expect(tools.tools).toHaveLength(1);
+    expect(tools.tools[0].name).toBe("test-tool");
+    expect(tools.tools[0].title).toBeUndefined();
+    expect(tools.tools[0].description).toBe("A test tool");
+  });
+
+  it("should work with prompts that have title using update", async () => {
+    const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+    
+    const server = new McpServer(
+      { name: "test-server", version: "1.0.0" },
+      { capabilities: {} }
+    );
+    
+    // Register prompt with title by updating after creation
+    const prompt = server.prompt(
+      "test-prompt",
+      "A test prompt",
+      async () => ({ messages: [{ role: "user", content: { type: "text", text: "test" } }] })
+    );
+    prompt.update({ title: "Test Prompt Display Name" });
+    
+    const client = new Client({ name: "test-client", version: "1.0.0" });
+    
+    await server.server.connect(serverTransport);
+    await client.connect(clientTransport);
+    
+    const prompts = await client.listPrompts();
+    expect(prompts.prompts).toHaveLength(1);
+    expect(prompts.prompts[0].name).toBe("test-prompt");
+    expect(prompts.prompts[0].title).toBe("Test Prompt Display Name");
+    expect(prompts.prompts[0].description).toBe("A test prompt");
+  });
+
+  it("should work with prompts using registerPrompt", async () => {
+    const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+    
+    const server = new McpServer(
+      { name: "test-server", version: "1.0.0" },
+      { capabilities: {} }
+    );
+    
+    // Register prompt with title using registerPrompt
+    server.registerPrompt(
+      "test-prompt",
+      {
+        title: "Test Prompt Display Name",
+        description: "A test prompt",
+        arguments: { input: z.string() }
+      },
+      async ({ input }) => ({ 
+        messages: [{ 
+          role: "user", 
+          content: { type: "text", text: `test: ${input}` } 
+        }] 
+      })
+    );
+    
+    const client = new Client({ name: "test-client", version: "1.0.0" });
+    
+    await server.server.connect(serverTransport);
+    await client.connect(clientTransport);
+    
+    const prompts = await client.listPrompts();
+    expect(prompts.prompts).toHaveLength(1);
+    expect(prompts.prompts[0].name).toBe("test-prompt");
+    expect(prompts.prompts[0].title).toBe("Test Prompt Display Name");
+    expect(prompts.prompts[0].description).toBe("A test prompt");
+    expect(prompts.prompts[0].arguments).toHaveLength(1);
+  });
+
+  it("should work with resources using registerResource", async () => {
+    const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+    
+    const server = new McpServer(
+      { name: "test-server", version: "1.0.0" },
+      { capabilities: {} }
+    );
+    
+    // Register resource with title using registerResource
+    server.registerResource(
+      "test-resource",
+      "https://example.com/test",
+      {
+        title: "Test Resource Display Name",
+        description: "A test resource",
+        mimeType: "text/plain"
+      },
+      async () => ({ 
+        contents: [{ 
+          uri: "https://example.com/test",
+          text: "test content" 
+        }] 
+      })
+    );
+    
+    const client = new Client({ name: "test-client", version: "1.0.0" });
+    
+    await server.server.connect(serverTransport);
+    await client.connect(clientTransport);
+    
+    const resources = await client.listResources();
+    expect(resources.resources).toHaveLength(1);
+    expect(resources.resources[0].name).toBe("test-resource");
+    expect(resources.resources[0].title).toBe("Test Resource Display Name");
+    expect(resources.resources[0].description).toBe("A test resource");
+    expect(resources.resources[0].mimeType).toBe("text/plain");
+  });
+
+  it("should support serverInfo with title", async () => {
+    const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+    
+    const server = new Server(
+      { 
+        name: "test-server",
+        version: "1.0.0",
+        title: "Test Server Display Name"
+      },
+      { capabilities: {} }
+    );
+    
+    const client = new Client({ name: "test-client", version: "1.0.0" });
+    
+    await server.connect(serverTransport);
+    await client.connect(clientTransport);
+    
+    const serverInfo = client.getServerVersion();
+    expect(serverInfo?.name).toBe("test-server");
+    expect(serverInfo?.version).toBe("1.0.0");
+    expect(serverInfo?.title).toBe("Test Server Display Name");
+  });
+});
\ No newline at end of file
diff --git a/src/shared/metadataUtils.ts b/src/shared/metadataUtils.ts
new file mode 100644
index 000000000..d581a6b24
--- /dev/null
+++ b/src/shared/metadataUtils.ts
@@ -0,0 +1,21 @@
+import { BaseMetadata } from "../types.js";
+
+/**
+ * Utilities for working with BaseMetadata objects.
+ */
+
+/**
+ * Gets the display name for an object with BaseMetadata.
+ * Returns the title if available, otherwise falls back to name.
+ * This implements the spec requirement: "if no title is provided, name should be used for display purposes"
+ */
+export function getDisplayName(metadata: BaseMetadata): string {
+  return metadata.title ?? metadata.name;
+}
+
+/**
+ * Checks if an object has a custom title different from its name.
+ */
+export function hasCustomTitle(metadata: BaseMetadata): boolean {
+  return metadata.title !== undefined && metadata.title !== metadata.name;
+}
\ No newline at end of file
diff --git a/src/types.ts b/src/types.ts
index 822ba8d77..9ece70d46 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -195,17 +195,27 @@ export const CancelledNotificationSchema = NotificationSchema.extend({
   }),
 });
 
-/* Initialization */
+/* Base Metadata */
 /**
- * Describes the name and version of an MCP implementation.
+ * Base metadata interface for common properties across resources, tools, prompts, and implementations.
  */
-export const ImplementationSchema = z
+export const BaseMetadataSchema = z
   .object({
+    /** Intended for programmatic or logical use, but used as a display name in past specs or fallback */
     name: z.string(),
-    version: z.string(),
+    /** Intended for UI and end-user contexts — optimized to be human-readable */
+    title: z.optional(z.string()),
   })
   .passthrough();
 
+/* Initialization */
+/**
+ * Describes the name and version of an MCP implementation.
+ */
+export const ImplementationSchema = BaseMetadataSchema.extend({
+  version: z.string(),
+});
+
 /**
  * Capabilities a client may support. Known capabilities are defined here, in this schema, but this is not a closed set: any client can define its own, additional capabilities.
  */
@@ -438,74 +448,56 @@ export const BlobResourceContentsSchema = ResourceContentsSchema.extend({
 /**
  * A known resource that the server is capable of reading.
  */
-export const ResourceSchema = z
-  .object({
-    /**
-     * The URI of this resource.
-     */
-    uri: z.string(),
-
-    /**
-     * A human-readable name for this resource.
-     *
-     * This can be used by clients to populate UI elements.
-     */
-    name: z.string(),
+export const ResourceSchema = BaseMetadataSchema.extend({
+  /**
+   * The URI of this resource.
+   */
+  uri: z.string(),
 
-    /**
-     * A description of what this resource represents.
-     *
-     * This can be used by clients to improve the LLM's understanding of available resources. It can be thought of like a "hint" to the model.
-     */
-    description: z.optional(z.string()),
+  /**
+   * A description of what this resource represents.
+   *
+   * This can be used by clients to improve the LLM's understanding of available resources. It can be thought of like a "hint" to the model.
+   */
+  description: z.optional(z.string()),
 
-    /**
-     * The MIME type of this resource, if known.
-     */
-    mimeType: z.optional(z.string()),
+  /**
+   * The MIME type of this resource, if known.
+   */
+  mimeType: z.optional(z.string()),
 
-    /**
-     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
-    */
-    _meta: z.optional(z.object({}).passthrough()),
-  })
-  .passthrough();
+  /**
+   * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
+  */
+  _meta: z.optional(z.object({}).passthrough()),
+});
 
 /**
  * A template description for resources available on the server.
  */
-export const ResourceTemplateSchema = z
-  .object({
-    /**
-     * A URI template (according to RFC 6570) that can be used to construct resource URIs.
-     */
-    uriTemplate: z.string(),
-
-    /**
-     * A human-readable name for the type of resource this template refers to.
-     *
-     * This can be used by clients to populate UI elements.
-     */
-    name: z.string(),
+export const ResourceTemplateSchema = BaseMetadataSchema.extend({
+  /**
+   * A URI template (according to RFC 6570) that can be used to construct resource URIs.
+   */
+  uriTemplate: z.string(),
 
-    /**
-     * A description of what this template is for.
-     *
-     * This can be used by clients to improve the LLM's understanding of available resources. It can be thought of like a "hint" to the model.
-     */
-    description: z.optional(z.string()),
+  /**
+   * A description of what this template is for.
+   *
+   * This can be used by clients to improve the LLM's understanding of available resources. It can be thought of like a "hint" to the model.
+   */
+  description: z.optional(z.string()),
 
-    /**
-     * The MIME type for all resources that match this template. This should only be included if all resources matching this template have the same type.
-     */
-    mimeType: z.optional(z.string()),
+  /**
+   * The MIME type for all resources that match this template. This should only be included if all resources matching this template have the same type.
+   */
+  mimeType: z.optional(z.string()),
 
-    /**
-     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
-    */
-    _meta: z.optional(z.object({}).passthrough()),
-  })
-  .passthrough();
+  /**
+   * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
+  */
+  _meta: z.optional(z.object({}).passthrough()),
+});
 
 /**
  * Sent from the client to request a list of resources the server has.
@@ -629,22 +621,16 @@ export const PromptArgumentSchema = z
 /**
  * A prompt or prompt template that the server offers.
  */
-export const PromptSchema = z
-  .object({
-    /**
-     * The name of the prompt or prompt template.
-     */
-    name: z.string(),
-    /**
-     * An optional description of what this prompt provides
-     */
-    description: z.optional(z.string()),
-    /**
-     * A list of arguments to use for templating the prompt.
-     */
-    arguments: z.optional(z.array(PromptArgumentSchema)),
-  })
-  .passthrough();
+export const PromptSchema = BaseMetadataSchema.extend({
+  /**
+   * An optional description of what this prompt provides
+   */
+  description: z.optional(z.string()),
+  /**
+   * A list of arguments to use for templating the prompt.
+   */
+  arguments: z.optional(z.array(PromptArgumentSchema)),
+});
 
 /**
  * Sent from the client to request a list of prompts and prompt templates the server has.
@@ -842,49 +828,43 @@ export const ToolAnnotationsSchema = z
 /**
  * Definition for a tool the client can call.
  */
-export const ToolSchema = z
-  .object({
-    /**
-     * The name of the tool.
-     */
-    name: z.string(),
-    /**
-     * A human-readable description of the tool.
-     */
-    description: z.optional(z.string()),
-    /**
-     * A JSON Schema object defining the expected parameters for the tool.
-     */
-    inputSchema: z
-      .object({
-        type: z.literal("object"),
-        properties: z.optional(z.object({}).passthrough()),
-        required: z.optional(z.array(z.string())),
-      })
-      .passthrough(),
-    /**
-     * An optional JSON Schema object defining the structure of the tool's output returned in 
-     * the structuredContent field of a CallToolResult.
-     */
-    outputSchema: z.optional(
-      z.object({
-        type: z.literal("object"),
-        properties: z.optional(z.object({}).passthrough()),
-        required: z.optional(z.array(z.string())),
-      })
-        .passthrough()
-    ),
-    /**
-     * Optional additional tool information.
-     */
-    annotations: z.optional(ToolAnnotationsSchema),
+export const ToolSchema = BaseMetadataSchema.extend({
+  /**
+   * A human-readable description of the tool.
+   */
+  description: z.optional(z.string()),
+  /**
+   * A JSON Schema object defining the expected parameters for the tool.
+   */
+  inputSchema: z
+    .object({
+      type: z.literal("object"),
+      properties: z.optional(z.object({}).passthrough()),
+      required: z.optional(z.array(z.string())),
+    })
+    .passthrough(),
+  /**
+   * An optional JSON Schema object defining the structure of the tool's output returned in 
+   * the structuredContent field of a CallToolResult.
+   */
+  outputSchema: z.optional(
+    z.object({
+      type: z.literal("object"),
+      properties: z.optional(z.object({}).passthrough()),
+      required: z.optional(z.array(z.string())),
+    })
+      .passthrough()
+  ),
+  /**
+   * Optional additional tool information.
+   */
+  annotations: z.optional(ToolAnnotationsSchema),
 
-    /**
-     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
-    */
-    _meta: z.optional(z.object({}).passthrough()),
-  })
-  .passthrough();
+  /**
+   * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
+  */
+  _meta: z.optional(z.object({}).passthrough()),
+});
 
 /**
  * Sent from the client to request a list of tools the server has.
@@ -1347,6 +1327,9 @@ export type EmptyResult = Infer<typeof EmptyResultSchema>;
 /* Cancellation */
 export type CancelledNotification = Infer<typeof CancelledNotificationSchema>;
 
+/* Base Metadata */
+export type BaseMetadata = Infer<typeof BaseMetadataSchema>;
+
 /* Initialization */
 export type Implementation = Infer<typeof ImplementationSchema>;
 export type ClientCapabilities = Infer<typeof ClientCapabilitiesSchema>;

From 7e59081b43ca156771470a195794cdff716f3859 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Sun, 15 Jun 2025 22:19:53 +0100
Subject: [PATCH 040/147] add resource link

---
 README.md                                   |  32 +++
 src/examples/client/simpleStreamableHttp.ts |  74 ++++++-
 src/examples/server/simpleStreamableHttp.ts |  95 ++++++++-
 src/types.test.ts                           | 211 +++++++++++++++++++-
 src/types.ts                                |  37 ++--
 5 files changed, 433 insertions(+), 16 deletions(-)

diff --git a/README.md b/README.md
index d13378b53..e7fa574cf 100644
--- a/README.md
+++ b/README.md
@@ -194,8 +194,40 @@ server.registerTool(
     };
   }
 );
+
+// Tool that returns ResourceLinks
+server.registerTool(
+  "list-files",
+  {
+    title: "List Files",
+    description: "List project files",
+    inputSchema: { pattern: z.string() }
+  },
+  async ({ pattern }) => ({
+    content: [
+      { type: "text", text: `Found files matching "${pattern}":` },
+      // ResourceLinks let tools return references without file content
+      {
+        type: "resource_link" as const,
+        uri: "file:///project/README.md",
+        name: "README.md",
+        mimeType: "text/markdown"
+      },
+      {
+        type: "resource_link" as const,
+        uri: "file:///project/src/index.ts",
+        name: "index.ts",
+        mimeType: "text/typescript"
+      }
+    ]
+  })
+);
 ```
 
+#### ResourceLinks
+
+Tools can return `ResourceLink` objects to reference resources without embedding their full content. This is essential for performance when dealing with large files or many resources - clients can then selectively read only the resources they need using the provided URIs.
+
 ### Prompts
 
 Prompts are reusable templates that help LLMs interact with your server effectively:
diff --git a/src/examples/client/simpleStreamableHttp.ts b/src/examples/client/simpleStreamableHttp.ts
index 63d7d60a9..8b539d97f 100644
--- a/src/examples/client/simpleStreamableHttp.ts
+++ b/src/examples/client/simpleStreamableHttp.ts
@@ -14,6 +14,9 @@ import {
   ListResourcesResultSchema,
   LoggingMessageNotificationSchema,
   ResourceListChangedNotificationSchema,
+  ReadResourceRequest,
+  ReadResourceResultSchema,
+  ResourceLink,
 } from '../../types.js';
 import { getDisplayName } from '../../shared/metadataUtils.js';
 
@@ -60,6 +63,7 @@ function printHelp(): void {
   console.log('  list-prompts               - List available prompts');
   console.log('  get-prompt [name] [args]   - Get a prompt with optional JSON arguments');
   console.log('  list-resources             - List available resources');
+  console.log('  read-resource <uri>        - Read a specific resource by URI');
   console.log('  help                       - Show this help');
   console.log('  quit                       - Exit the program');
 }
@@ -155,6 +159,14 @@ function commandLoop(): void {
           await listResources();
           break;
 
+        case 'read-resource':
+          if (args.length < 2) {
+            console.log('Usage: read-resource <uri>');
+          } else {
+            await readResource(args[1]);
+          }
+          break;
+
         case 'help':
           printHelp();
           break;
@@ -345,13 +357,37 @@ async function callTool(name: string, args: Record<string, unknown>): Promise<vo
     const result = await client.request(request, CallToolResultSchema);
 
     console.log('Tool result:');
+    const resourceLinks: ResourceLink[] = [];
+    
     result.content.forEach(item => {
       if (item.type === 'text') {
         console.log(`  ${item.text}`);
+      } else if (item.type === 'resource_link') {
+        const resourceLink = item as ResourceLink;
+        resourceLinks.push(resourceLink);
+        console.log(`  📁 Resource Link: ${resourceLink.name}`);
+        console.log(`     URI: ${resourceLink.uri}`);
+        if (resourceLink.mimeType) {
+          console.log(`     Type: ${resourceLink.mimeType}`);
+        }
+        if (resourceLink.description) {
+          console.log(`     Description: ${resourceLink.description}`);
+        }
+      } else if (item.type === 'resource') {
+        console.log(`  [Embedded Resource: ${item.resource.uri}]`);
+      } else if (item.type === 'image') {
+        console.log(`  [Image: ${item.mimeType}]`);
+      } else if (item.type === 'audio') {
+        console.log(`  [Audio: ${item.mimeType}]`);
       } else {
-        console.log(`  ${item.type} content:`, item);
+        console.log(`  [Unknown content type]:`, item);
       }
     });
+    
+    // Offer to read resource links
+    if (resourceLinks.length > 0) {
+      console.log(`\nFound ${resourceLinks.length} resource link(s). Use 'read-resource <uri>' to read their content.`);
+    }
   } catch (error) {
     console.log(`Error calling tool ${name}: ${error}`);
   }
@@ -489,6 +525,42 @@ async function listResources(): Promise<void> {
   }
 }
 
+async function readResource(uri: string): Promise<void> {
+  if (!client) {
+    console.log('Not connected to server.');
+    return;
+  }
+
+  try {
+    const request: ReadResourceRequest = {
+      method: 'resources/read',
+      params: { uri }
+    };
+
+    console.log(`Reading resource: ${uri}`);
+    const result = await client.request(request, ReadResourceResultSchema);
+
+    console.log('Resource contents:');
+    for (const content of result.contents) {
+      console.log(`  URI: ${content.uri}`);
+      if (content.mimeType) {
+        console.log(`  Type: ${content.mimeType}`);
+      }
+      
+      if ('text' in content && typeof content.text === 'string') {
+        console.log('  Content:');
+        console.log('  ---');
+        console.log(content.text.split('\n').map((line: string) => '  ' + line).join('\n'));
+        console.log('  ---');
+      } else if ('blob' in content && typeof content.blob === 'string') {
+        console.log(`  [Binary data: ${content.blob.length} bytes]`);
+      }
+    }
+  } catch (error) {
+    console.log(`Error reading resource ${uri}: ${error}`);
+  }
+}
+
 async function cleanup(): Promise<void> {
   if (client && transport) {
     try {
diff --git a/src/examples/server/simpleStreamableHttp.ts b/src/examples/server/simpleStreamableHttp.ts
index b66be93d0..e5d35a823 100644
--- a/src/examples/server/simpleStreamableHttp.ts
+++ b/src/examples/server/simpleStreamableHttp.ts
@@ -5,7 +5,7 @@ import { McpServer } from '../../server/mcp.js';
 import { StreamableHTTPServerTransport } from '../../server/streamableHttp.js';
 import { getOAuthProtectedResourceMetadataUrl, mcpAuthMetadataRouter } from '../../server/auth/router.js';
 import { requireBearerAuth } from '../../server/auth/middleware/bearerAuth.js';
-import { CallToolResult, GetPromptResult, isInitializeRequest, ReadResourceResult } from '../../types.js';
+import { CallToolResult, GetPromptResult, isInitializeRequest, ReadResourceResult, ResourceLink } from '../../types.js';
 import { InMemoryEventStore } from '../shared/inMemoryEventStore.js';
 import { setupAuthServer } from './demoInMemoryOAuthProvider.js';
 import { OAuthMetadata } from 'src/shared/auth.js';
@@ -174,6 +174,99 @@ const getServer = () => {
       };
     }
   );
+
+  // Create additional resources for ResourceLink demonstration
+  server.registerResource(
+    'example-file-1',
+    'file:///example/file1.txt',
+    { 
+      title: 'Example File 1',
+      description: 'First example file for ResourceLink demonstration',
+      mimeType: 'text/plain' 
+    },
+    async (): Promise<ReadResourceResult> => {
+      return {
+        contents: [
+          {
+            uri: 'file:///example/file1.txt',
+            text: 'This is the content of file 1',
+          },
+        ],
+      };
+    }
+  );
+
+  server.registerResource(
+    'example-file-2',
+    'file:///example/file2.txt',
+    { 
+      title: 'Example File 2',
+      description: 'Second example file for ResourceLink demonstration',
+      mimeType: 'text/plain' 
+    },
+    async (): Promise<ReadResourceResult> => {
+      return {
+        contents: [
+          {
+            uri: 'file:///example/file2.txt',
+            text: 'This is the content of file 2',
+          },
+        ],
+      };
+    }
+  );
+
+  // Register a tool that returns ResourceLinks
+  server.registerTool(
+    'list-files',
+    {
+      title: 'List Files with ResourceLinks',
+      description: 'Returns a list of files as ResourceLinks without embedding their content',
+      inputSchema: {
+        includeDescriptions: z.boolean().optional().describe('Whether to include descriptions in the resource links'),
+      },
+    },
+    async ({ includeDescriptions = true }): Promise<CallToolResult> => {
+      const resourceLinks: ResourceLink[] = [
+        {
+          type: 'resource_link',
+          uri: 'https://example.com/greetings/default',
+          name: 'Default Greeting',
+          mimeType: 'text/plain',
+          ...(includeDescriptions && { description: 'A simple greeting resource' })
+        },
+        {
+          type: 'resource_link',
+          uri: 'file:///example/file1.txt',
+          name: 'Example File 1',
+          mimeType: 'text/plain',
+          ...(includeDescriptions && { description: 'First example file for ResourceLink demonstration' })
+        },
+        {
+          type: 'resource_link',
+          uri: 'file:///example/file2.txt',
+          name: 'Example File 2',
+          mimeType: 'text/plain',
+          ...(includeDescriptions && { description: 'Second example file for ResourceLink demonstration' })
+        }
+      ];
+
+      return {
+        content: [
+          {
+            type: 'text',
+            text: 'Here are the available files as resource links:',
+          },
+          ...resourceLinks,
+          {
+            type: 'text',
+            text: '\nYou can read any of these resources using their URI.',
+          }
+        ],
+      };
+    }
+  );
+
   return server;
 };
 
diff --git a/src/types.test.ts b/src/types.test.ts
index 0fbc003de..ca49867a8 100644
--- a/src/types.test.ts
+++ b/src/types.test.ts
@@ -1,4 +1,11 @@
-import { LATEST_PROTOCOL_VERSION, SUPPORTED_PROTOCOL_VERSIONS } from "./types.js";
+import { 
+    LATEST_PROTOCOL_VERSION, 
+    SUPPORTED_PROTOCOL_VERSIONS,
+    ResourceLinkSchema,
+    ContentBlockSchema,
+    PromptMessageSchema,
+    CallToolResultSchema
+} from "./types.js";
 
 describe("Types", () => {
 
@@ -14,4 +21,206 @@ describe("Types", () => {
         expect(SUPPORTED_PROTOCOL_VERSIONS).toContain("2024-10-07");
     });
 
+    describe("ResourceLink", () => {
+        test("should validate a minimal ResourceLink", () => {
+            const resourceLink = {
+                type: "resource_link",
+                uri: "file:///path/to/file.txt",
+                name: "file.txt"
+            };
+            
+            const result = ResourceLinkSchema.safeParse(resourceLink);
+            expect(result.success).toBe(true);
+            if (result.success) {
+                expect(result.data.type).toBe("resource_link");
+                expect(result.data.uri).toBe("file:///path/to/file.txt");
+                expect(result.data.name).toBe("file.txt");
+            }
+        });
+
+        test("should validate a ResourceLink with all optional fields", () => {
+            const resourceLink = {
+                type: "resource_link",
+                uri: "https://example.com/resource",
+                name: "Example Resource",
+                title: "A comprehensive example resource",
+                description: "This resource demonstrates all fields",
+                mimeType: "text/plain",
+                _meta: { custom: "metadata" }
+            };
+            
+            const result = ResourceLinkSchema.safeParse(resourceLink);
+            expect(result.success).toBe(true);
+            if (result.success) {
+                expect(result.data.title).toBe("A comprehensive example resource");
+                expect(result.data.description).toBe("This resource demonstrates all fields");
+                expect(result.data.mimeType).toBe("text/plain");
+                expect(result.data._meta).toEqual({ custom: "metadata" });
+            }
+        });
+
+        test("should fail validation for invalid type", () => {
+            const invalidResourceLink = {
+                type: "invalid_type",
+                uri: "file:///path/to/file.txt",
+                name: "file.txt"
+            };
+            
+            const result = ResourceLinkSchema.safeParse(invalidResourceLink);
+            expect(result.success).toBe(false);
+        });
+
+        test("should fail validation for missing required fields", () => {
+            const invalidResourceLink = {
+                type: "resource_link",
+                uri: "file:///path/to/file.txt"
+                // missing name
+            };
+            
+            const result = ResourceLinkSchema.safeParse(invalidResourceLink);
+            expect(result.success).toBe(false);
+        });
+    });
+
+    describe("ContentBlock", () => {
+        test("should validate text content", () => {
+            const textContent = {
+                type: "text",
+                text: "Hello, world!"
+            };
+            
+            const result = ContentBlockSchema.safeParse(textContent);
+            expect(result.success).toBe(true);
+            if (result.success) {
+                expect(result.data.type).toBe("text");
+            }
+        });
+
+        test("should validate image content", () => {
+            const imageContent = {
+                type: "image",
+                data: "aGVsbG8=", // base64 encoded "hello"
+                mimeType: "image/png"
+            };
+            
+            const result = ContentBlockSchema.safeParse(imageContent);
+            expect(result.success).toBe(true);
+            if (result.success) {
+                expect(result.data.type).toBe("image");
+            }
+        });
+
+        test("should validate audio content", () => {
+            const audioContent = {
+                type: "audio",
+                data: "aGVsbG8=", // base64 encoded "hello"
+                mimeType: "audio/mp3"
+            };
+            
+            const result = ContentBlockSchema.safeParse(audioContent);
+            expect(result.success).toBe(true);
+            if (result.success) {
+                expect(result.data.type).toBe("audio");
+            }
+        });
+
+        test("should validate resource link content", () => {
+            const resourceLink = {
+                type: "resource_link",
+                uri: "file:///path/to/file.txt",
+                name: "file.txt",
+                mimeType: "text/plain"
+            };
+            
+            const result = ContentBlockSchema.safeParse(resourceLink);
+            expect(result.success).toBe(true);
+            if (result.success) {
+                expect(result.data.type).toBe("resource_link");
+            }
+        });
+
+        test("should validate embedded resource content", () => {
+            const embeddedResource = {
+                type: "resource",
+                resource: {
+                    uri: "file:///path/to/file.txt",
+                    mimeType: "text/plain",
+                    text: "File contents"
+                }
+            };
+            
+            const result = ContentBlockSchema.safeParse(embeddedResource);
+            expect(result.success).toBe(true);
+            if (result.success) {
+                expect(result.data.type).toBe("resource");
+            }
+        });
+    });
+
+    describe("PromptMessage with ContentBlock", () => {
+        test("should validate prompt message with resource link", () => {
+            const promptMessage = {
+                role: "assistant",
+                content: {
+                    type: "resource_link",
+                    uri: "file:///project/src/main.rs",
+                    name: "main.rs",
+                    description: "Primary application entry point",
+                    mimeType: "text/x-rust"
+                }
+            };
+            
+            const result = PromptMessageSchema.safeParse(promptMessage);
+            expect(result.success).toBe(true);
+            if (result.success) {
+                expect(result.data.content.type).toBe("resource_link");
+            }
+        });
+    });
+
+    describe("CallToolResult with ContentBlock", () => {
+        test("should validate tool result with resource links", () => {
+            const toolResult = {
+                content: [
+                    {
+                        type: "text",
+                        text: "Found the following files:"
+                    },
+                    {
+                        type: "resource_link",
+                        uri: "file:///project/src/main.rs",
+                        name: "main.rs",
+                        description: "Primary application entry point",
+                        mimeType: "text/x-rust"
+                    },
+                    {
+                        type: "resource_link",
+                        uri: "file:///project/src/lib.rs",
+                        name: "lib.rs",
+                        description: "Library exports",
+                        mimeType: "text/x-rust"
+                    }
+                ]
+            };
+            
+            const result = CallToolResultSchema.safeParse(toolResult);
+            expect(result.success).toBe(true);
+            if (result.success) {
+                expect(result.data.content).toHaveLength(3);
+                expect(result.data.content[0].type).toBe("text");
+                expect(result.data.content[1].type).toBe("resource_link");
+                expect(result.data.content[2].type).toBe("resource_link");
+            }
+        });
+
+        test("should validate empty content array with default", () => {
+            const toolResult = {};
+            
+            const result = CallToolResultSchema.safeParse(toolResult);
+            expect(result.success).toBe(true);
+            if (result.success) {
+                expect(result.data.content).toEqual([]);
+            }
+        });
+    });
 });
diff --git a/src/types.ts b/src/types.ts
index 9ece70d46..0d051eded 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -735,18 +735,33 @@ export const EmbeddedResourceSchema = z
   })
   .passthrough();
 
+/**
+ * A resource that the server is capable of reading, included in a prompt or tool call result.
+ *
+ * Note: resource links returned by tools are not guaranteed to appear in the results of `resources/list` requests.
+ */
+export const ResourceLinkSchema = ResourceSchema.extend({
+  type: z.literal("resource_link"),
+});
+
+/**
+ * A content block that can be used in prompts and tool results.
+ */
+export const ContentBlockSchema = z.union([
+  TextContentSchema,
+  ImageContentSchema,
+  AudioContentSchema,
+  ResourceLinkSchema,
+  EmbeddedResourceSchema,
+]);
+
 /**
  * Describes a message returned as part of a prompt.
  */
 export const PromptMessageSchema = z
   .object({
     role: z.enum(["user", "assistant"]),
-    content: z.union([
-      TextContentSchema,
-      ImageContentSchema,
-      AudioContentSchema,
-      EmbeddedResourceSchema,
-    ]),
+    content: ContentBlockSchema,
   })
   .passthrough();
 
@@ -890,13 +905,7 @@ export const CallToolResultSchema = ResultSchema.extend({
    * If the Tool does not define an outputSchema, this field MUST be present in the result.
    * For backwards compatibility, this field is always present, but it may be empty.
    */
-  content: z.array(
-    z.union([
-      TextContentSchema,
-      ImageContentSchema,
-      AudioContentSchema,
-      EmbeddedResourceSchema,
-    ])).default([]),
+  content: z.array(ContentBlockSchema).default([]),
 
   /**
    * An object containing structured tool output.
@@ -1376,6 +1385,8 @@ export type TextContent = Infer<typeof TextContentSchema>;
 export type ImageContent = Infer<typeof ImageContentSchema>;
 export type AudioContent = Infer<typeof AudioContentSchema>;
 export type EmbeddedResource = Infer<typeof EmbeddedResourceSchema>;
+export type ResourceLink = Infer<typeof ResourceLinkSchema>;
+export type ContentBlock = Infer<typeof ContentBlockSchema>;
 export type PromptMessage = Infer<typeof PromptMessageSchema>;
 export type GetPromptResult = Infer<typeof GetPromptResultSchema>;
 export type PromptListChangedNotification = Infer<typeof PromptListChangedNotificationSchema>;

From 6dd0b1ee4d9ff5e2043cfab7f6391ef4e8ff54b0 Mon Sep 17 00:00:00 2001
From: Achintha Isuru <achinthaisuru444@gmail.com>
Date: Sun, 15 Jun 2025 21:47:53 -0400
Subject: [PATCH 041/147] Update readme file to include a tip to allow
 `mcp-session-id` in CORS when

---
 README.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/README.md b/README.md
index c9e27c275..241056e52 100644
--- a/README.md
+++ b/README.md
@@ -307,6 +307,21 @@ app.delete('/mcp', handleSessionRequest);
 app.listen(3000);
 ```
 
+> [!TIP]
+> When using this in a remote environment, make sure to allow the header parameter `mcp-session-id` in CORS. Otherwise, it may result in a `Bad Request: No valid session ID provided` error. 
+> 
+> For example, in Node.js you can configure it like this:
+> 
+> ```ts
+> app.use(
+>   cors({
+>     origin: '*',
+>     exposedHeaders: ['mcp-session-id'],
+>     allowedHeaders: ['Content-Type', 'mcp-session-id'],
+>   })
+> );
+> ```
+
 #### Without Session Management (Stateless)
 
 For simpler use cases where session management isn't needed:

From d1c94a2c696c131f65419f2e3d68efe4a18a1d27 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Mon, 16 Jun 2025 10:43:31 +0100
Subject: [PATCH 042/147] refactor

---
 README.md                                   |  26 +-
 src/examples/client/simpleStreamableHttp.ts |   7 +-
 src/server/mcp.test.ts                      | 138 +++++++++
 src/server/mcp.ts                           | 303 ++++++++++----------
 src/shared/metadataUtils.ts                 |  19 +-
 src/types.ts                                |   9 +-
 6 files changed, 348 insertions(+), 154 deletions(-)

diff --git a/README.md b/README.md
index d13378b53..f9f080b92 100644
--- a/README.md
+++ b/README.md
@@ -226,14 +226,36 @@ All resources, tools, and prompts support an optional `title` field for better U
 
 **Note:** The `register*` methods (`registerTool`, `registerPrompt`, `registerResource`) are the recommended approach for new code. The older methods (`tool`, `prompt`, `resource`) remain available for backwards compatibility.
 
+#### Title Precedence for Tools
+
+For tools specifically, there are two ways to specify a title:
+- `title` field in the tool configuration
+- `annotations.title` field (when using the older `tool()` method with annotations)
+
+The precedence order is: `title` → `annotations.title` → `name`
+
+```typescript
+// Using registerTool (recommended)
+server.registerTool("my_tool", {
+  title: "My Tool",              // This title takes precedence
+  annotations: {
+    title: "Annotation Title"    // This is ignored if title is set
+  }
+}, handler);
+
+// Using tool with annotations (older API)
+server.tool("my_tool", "description", {
+  title: "Annotation Title"      // This is used as title
+}, handler);
+```
 
 When building clients, use the provided utility to get the appropriate display name:
 
 ```typescript
 import { getDisplayName } from "@modelcontextprotocol/sdk/shared/metadataUtils.js";
 
-// Falls back to 'name' if 'title' is not provided
-const displayName = getDisplayName(tool);  // Returns title if available, otherwise name
+// Automatically handles the precedence: title → annotations.title → name
+const displayName = getDisplayName(tool);
 ```
 
 ## Running Your Server
diff --git a/src/examples/client/simpleStreamableHttp.ts b/src/examples/client/simpleStreamableHttp.ts
index 63d7d60a9..efa176df5 100644
--- a/src/examples/client/simpleStreamableHttp.ts
+++ b/src/examples/client/simpleStreamableHttp.ts
@@ -318,7 +318,12 @@ async function listTools(): Promise<void> {
       console.log('  No tools available');
     } else {
       for (const tool of toolsResult.tools) {
-        console.log(`  - ${getDisplayName(tool)}: ${tool.description}`);
+        const displayName = getDisplayName(tool);
+        if (displayName !== tool.name) {
+          console.log(`  - ${tool.name} (${displayName}): ${tool.description}`);
+        } else {
+          console.log(`  - ${tool.name}: ${tool.description}`);
+        }
       }
     }
   } catch (error) {
diff --git a/src/server/mcp.test.ts b/src/server/mcp.test.ts
index 6ef33540c..36a8f7b88 100644
--- a/src/server/mcp.test.ts
+++ b/src/server/mcp.test.ts
@@ -18,6 +18,7 @@ import {
 import { ResourceTemplate } from "./mcp.js";
 import { completable } from "./completable.js";
 import { UriTemplate } from "../shared/uriTemplate.js";
+import { getDisplayName } from "../shared/metadataUtils.js";
 
 describe("McpServer", () => {
   /***
@@ -3598,3 +3599,140 @@ describe("prompt()", () => {
     expect(result.resources[0].mimeType).toBe("text/markdown");
   });
 });
+
+describe("Tool title precedence", () => {
+  test("should follow correct title precedence: title → annotations.title → name", async () => {
+    const mcpServer = new McpServer({
+      name: "test server",
+      version: "1.0",
+    });
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
+
+    // Tool 1: Only name
+    mcpServer.tool(
+      "tool_name_only",
+      async () => ({
+        content: [{ type: "text", text: "Response" }],
+      })
+    );
+
+    // Tool 2: Name and annotations.title
+    mcpServer.tool(
+      "tool_with_annotations_title",
+      "Tool with annotations title",
+      {
+        title: "Annotations Title"
+      },
+      async () => ({
+        content: [{ type: "text", text: "Response" }],
+      })
+    );
+
+    // Tool 3: Name and title (using registerTool)
+    mcpServer.registerTool(
+      "tool_with_title",
+      {
+        title: "Regular Title",
+        description: "Tool with regular title"
+      },
+      async () => ({
+        content: [{ type: "text", text: "Response" }],
+      })
+    );
+
+    // Tool 4: All three - title should win
+    mcpServer.registerTool(
+      "tool_with_all_titles",
+      {
+        title: "Regular Title Wins",
+        description: "Tool with all titles",
+        annotations: {
+          title: "Annotations Title Should Not Show"
+        }
+      },
+      async () => ({
+        content: [{ type: "text", text: "Response" }],
+      })
+    );
+
+    const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+    await Promise.all([
+      client.connect(clientTransport),
+      mcpServer.connect(serverTransport),
+    ]);
+
+    const result = await client.request(
+      { method: "tools/list" },
+      ListToolsResultSchema,
+    );
+
+
+    expect(result.tools).toHaveLength(4);
+
+    // Tool 1: Only name - should display name
+    const tool1 = result.tools.find(t => t.name === "tool_name_only");
+    expect(tool1).toBeDefined();
+    expect(getDisplayName(tool1!)).toBe("tool_name_only");
+
+    // Tool 2: Name and annotations.title - should display annotations.title
+    const tool2 = result.tools.find(t => t.name === "tool_with_annotations_title");
+    expect(tool2).toBeDefined();
+    expect(tool2!.annotations?.title).toBe("Annotations Title");
+    expect(getDisplayName(tool2!)).toBe("Annotations Title");
+
+    // Tool 3: Name and title - should display title
+    const tool3 = result.tools.find(t => t.name === "tool_with_title");
+    expect(tool3).toBeDefined();
+    expect(tool3!.title).toBe("Regular Title");
+    expect(getDisplayName(tool3!)).toBe("Regular Title");
+
+    // Tool 4: All three - title should take precedence
+    const tool4 = result.tools.find(t => t.name === "tool_with_all_titles");
+    expect(tool4).toBeDefined();
+    expect(tool4!.title).toBe("Regular Title Wins");
+    expect(tool4!.annotations?.title).toBe("Annotations Title Should Not Show");
+    expect(getDisplayName(tool4!)).toBe("Regular Title Wins");
+  });
+
+  test("getDisplayName unit tests for title precedence", () => {
+    
+    // Test 1: Only name
+    expect(getDisplayName({ name: "tool_name" })).toBe("tool_name");
+    
+    // Test 2: Name and title - title wins
+    expect(getDisplayName({ 
+      name: "tool_name", 
+      title: "Tool Title" 
+    })).toBe("Tool Title");
+    
+    // Test 3: Name and annotations.title - annotations.title wins
+    expect(getDisplayName({ 
+      name: "tool_name",
+      annotations: { title: "Annotations Title" }
+    })).toBe("Annotations Title");
+    
+    // Test 4: All three - title wins (correct precedence)
+    expect(getDisplayName({ 
+      name: "tool_name", 
+      title: "Regular Title",
+      annotations: { title: "Annotations Title" }
+    })).toBe("Regular Title");
+    
+    // Test 5: Empty title should not be used
+    expect(getDisplayName({ 
+      name: "tool_name", 
+      title: "",
+      annotations: { title: "Annotations Title" }
+    })).toBe("Annotations Title");
+    
+    // Test 6: Undefined vs null handling
+    expect(getDisplayName({ 
+      name: "tool_name", 
+      title: undefined,
+      annotations: { title: "Annotations Title" }
+    })).toBe("Annotations Title");
+  });
+});
diff --git a/src/server/mcp.ts b/src/server/mcp.ts
index 7c77add13..3c1c00d9e 100644
--- a/src/server/mcp.ts
+++ b/src/server/mcp.ts
@@ -22,6 +22,7 @@ import {
   CompleteResult,
   PromptReference,
   ResourceTemplateReference,
+  BaseMetadata,
   Resource,
   ListResourcesResult,
   ListResourceTemplatesRequestSchema,
@@ -128,7 +129,7 @@ export class McpServer {
 
             if (tool.outputSchema) {
               toolDefinition.outputSchema = zodToJsonSchema(
-                tool.outputSchema, 
+                tool.outputSchema,
                 { strictUnions: true }
               ) as Tool["outputSchema"];
             }
@@ -586,27 +587,13 @@ export class McpServer {
         throw new Error(`Resource ${uriOrTemplate} is already registered`);
       }
 
-      const registeredResource: RegisteredResource = {
+      const registeredResource = this._createRegisteredResource(
         name,
+        undefined,
+        uriOrTemplate,
         metadata,
-        readCallback: readCallback as ReadResourceCallback,
-        enabled: true,
-        disable: () => registeredResource.update({ enabled: false }),
-        enable: () => registeredResource.update({ enabled: true }),
-        remove: () => registeredResource.update({ uri: null }),
-        update: (updates) => {
-          if (typeof updates.uri !== "undefined" && updates.uri !== uriOrTemplate) {
-            delete this._registeredResources[uriOrTemplate]
-            if (updates.uri) this._registeredResources[updates.uri] = registeredResource
-          }
-          if (typeof updates.name !== "undefined") registeredResource.name = updates.name
-          if (typeof updates.metadata !== "undefined") registeredResource.metadata = updates.metadata
-          if (typeof updates.callback !== "undefined") registeredResource.readCallback = updates.callback
-          if (typeof updates.enabled !== "undefined") registeredResource.enabled = updates.enabled
-          this.sendResourceListChanged()
-        },
-      };
-      this._registeredResources[uriOrTemplate] = registeredResource;
+        readCallback as ReadResourceCallback
+      );
 
       this.setResourceRequestHandlers();
       this.sendResourceListChanged();
@@ -616,27 +603,13 @@ export class McpServer {
         throw new Error(`Resource template ${name} is already registered`);
       }
 
-      const registeredResourceTemplate: RegisteredResourceTemplate = {
-        resourceTemplate: uriOrTemplate,
+      const registeredResourceTemplate = this._createRegisteredResourceTemplate(
+        name,
+        undefined,
+        uriOrTemplate,
         metadata,
-        readCallback: readCallback as ReadResourceTemplateCallback,
-        enabled: true,
-        disable: () => registeredResourceTemplate.update({ enabled: false }),
-        enable: () => registeredResourceTemplate.update({ enabled: true }),
-        remove: () => registeredResourceTemplate.update({ name: null }),
-        update: (updates) => {
-          if (typeof updates.name !== "undefined" && updates.name !== name) {
-            delete this._registeredResourceTemplates[name]
-            if (updates.name) this._registeredResourceTemplates[updates.name] = registeredResourceTemplate
-          }
-          if (typeof updates.template !== "undefined") registeredResourceTemplate.resourceTemplate = updates.template
-          if (typeof updates.metadata !== "undefined") registeredResourceTemplate.metadata = updates.metadata
-          if (typeof updates.callback !== "undefined") registeredResourceTemplate.readCallback = updates.callback
-          if (typeof updates.enabled !== "undefined") registeredResourceTemplate.enabled = updates.enabled
-          this.sendResourceListChanged()
-        },
-      };
-      this._registeredResourceTemplates[name] = registeredResourceTemplate;
+        readCallback as ReadResourceTemplateCallback
+      );
 
       this.setResourceRequestHandlers();
       this.sendResourceListChanged();
@@ -651,11 +624,7 @@ export class McpServer {
   registerResource(
     name: string,
     uriOrTemplate: string | ResourceTemplate,
-    config: ResourceMetadata & {
-      title?: string;
-      description?: string;
-      mimeType?: string;
-    },
+    config: ResourceMetadata,
     readCallback: ReadResourceCallback | ReadResourceTemplateCallback
   ): RegisteredResource | RegisteredResourceTemplate {
     if (typeof uriOrTemplate === "string") {
@@ -663,27 +632,13 @@ export class McpServer {
         throw new Error(`Resource ${uriOrTemplate} is already registered`);
       }
 
-      const registeredResource: RegisteredResource = {
+      const registeredResource = this._createRegisteredResource(
         name,
-        metadata: config,
-        readCallback: readCallback as ReadResourceCallback,
-        enabled: true,
-        disable: () => registeredResource.update({ enabled: false }),
-        enable: () => registeredResource.update({ enabled: true }),
-        remove: () => registeredResource.update({ uri: null }),
-        update: (updates) => {
-          if (typeof updates.uri !== "undefined" && updates.uri !== uriOrTemplate) {
-            delete this._registeredResources[uriOrTemplate]
-            if (updates.uri) this._registeredResources[updates.uri] = registeredResource
-          }
-          if (typeof updates.name !== "undefined") registeredResource.name = updates.name
-          if (typeof updates.metadata !== "undefined") registeredResource.metadata = updates.metadata
-          if (typeof updates.callback !== "undefined") registeredResource.readCallback = updates.callback
-          if (typeof updates.enabled !== "undefined") registeredResource.enabled = updates.enabled
-          this.sendResourceListChanged()
-        },
-      };
-      this._registeredResources[uriOrTemplate] = registeredResource;
+        (config as BaseMetadata).title,
+        uriOrTemplate,
+        config,
+        readCallback as ReadResourceCallback
+      );
 
       this.setResourceRequestHandlers();
       this.sendResourceListChanged();
@@ -693,27 +648,13 @@ export class McpServer {
         throw new Error(`Resource template ${name} is already registered`);
       }
 
-      const registeredResourceTemplate: RegisteredResourceTemplate = {
-        resourceTemplate: uriOrTemplate,
-        metadata: config,
-        readCallback: readCallback as ReadResourceTemplateCallback,
-        enabled: true,
-        disable: () => registeredResourceTemplate.update({ enabled: false }),
-        enable: () => registeredResourceTemplate.update({ enabled: true }),
-        remove: () => registeredResourceTemplate.update({ name: null }),
-        update: (updates) => {
-          if (typeof updates.name !== "undefined" && updates.name !== name) {
-            delete this._registeredResourceTemplates[name]
-            if (updates.name) this._registeredResourceTemplates[updates.name] = registeredResourceTemplate
-          }
-          if (typeof updates.template !== "undefined") registeredResourceTemplate.resourceTemplate = updates.template
-          if (typeof updates.metadata !== "undefined") registeredResourceTemplate.metadata = updates.metadata
-          if (typeof updates.callback !== "undefined") registeredResourceTemplate.readCallback = updates.callback
-          if (typeof updates.enabled !== "undefined") registeredResourceTemplate.enabled = updates.enabled
-          this.sendResourceListChanged()
-        },
-      };
-      this._registeredResourceTemplates[name] = registeredResourceTemplate;
+      const registeredResourceTemplate = this._createRegisteredResourceTemplate(
+        name,
+        (config as BaseMetadata).title,
+        uriOrTemplate,
+        config,
+        readCallback as ReadResourceTemplateCallback
+      );
 
       this.setResourceRequestHandlers();
       this.sendResourceListChanged();
@@ -721,8 +662,108 @@ export class McpServer {
     }
   }
 
+  private _createRegisteredResource(
+    name: string,
+    title: string | undefined,
+    uri: string,
+    metadata: ResourceMetadata | undefined,
+    readCallback: ReadResourceCallback
+  ): RegisteredResource {
+    const registeredResource: RegisteredResource = {
+      name,
+      title,
+      metadata,
+      readCallback,
+      enabled: true,
+      disable: () => registeredResource.update({ enabled: false }),
+      enable: () => registeredResource.update({ enabled: true }),
+      remove: () => registeredResource.update({ uri: null }),
+      update: (updates) => {
+        if (typeof updates.uri !== "undefined" && updates.uri !== uri) {
+          delete this._registeredResources[uri]
+          if (updates.uri) this._registeredResources[updates.uri] = registeredResource
+        }
+        if (typeof updates.name !== "undefined") registeredResource.name = updates.name
+        if (typeof updates.title !== "undefined") registeredResource.title = updates.title
+        if (typeof updates.metadata !== "undefined") registeredResource.metadata = updates.metadata
+        if (typeof updates.callback !== "undefined") registeredResource.readCallback = updates.callback
+        if (typeof updates.enabled !== "undefined") registeredResource.enabled = updates.enabled
+        this.sendResourceListChanged()
+      },
+    };
+    this._registeredResources[uri] = registeredResource;
+    return registeredResource;
+  }
+
+  private _createRegisteredResourceTemplate(
+    name: string,
+    title: string | undefined,
+    template: ResourceTemplate,
+    metadata: ResourceMetadata | undefined,
+    readCallback: ReadResourceTemplateCallback
+  ): RegisteredResourceTemplate {
+    const registeredResourceTemplate: RegisteredResourceTemplate = {
+      resourceTemplate: template,
+      title,
+      metadata,
+      readCallback,
+      enabled: true,
+      disable: () => registeredResourceTemplate.update({ enabled: false }),
+      enable: () => registeredResourceTemplate.update({ enabled: true }),
+      remove: () => registeredResourceTemplate.update({ name: null }),
+      update: (updates) => {
+        if (typeof updates.name !== "undefined" && updates.name !== name) {
+          delete this._registeredResourceTemplates[name]
+          if (updates.name) this._registeredResourceTemplates[updates.name] = registeredResourceTemplate
+        }
+        if (typeof updates.title !== "undefined") registeredResourceTemplate.title = updates.title
+        if (typeof updates.template !== "undefined") registeredResourceTemplate.resourceTemplate = updates.template
+        if (typeof updates.metadata !== "undefined") registeredResourceTemplate.metadata = updates.metadata
+        if (typeof updates.callback !== "undefined") registeredResourceTemplate.readCallback = updates.callback
+        if (typeof updates.enabled !== "undefined") registeredResourceTemplate.enabled = updates.enabled
+        this.sendResourceListChanged()
+      },
+    };
+    this._registeredResourceTemplates[name] = registeredResourceTemplate;
+    return registeredResourceTemplate;
+  }
+
+  private _createRegisteredPrompt(
+    name: string,
+    title: string | undefined,
+    description: string | undefined,
+    argsSchema: PromptArgsRawShape | undefined,
+    callback: PromptCallback<PromptArgsRawShape | undefined>
+  ): RegisteredPrompt {
+    const registeredPrompt: RegisteredPrompt = {
+      title,
+      description,
+      argsSchema: argsSchema === undefined ? undefined : z.object(argsSchema),
+      callback,
+      enabled: true,
+      disable: () => registeredPrompt.update({ enabled: false }),
+      enable: () => registeredPrompt.update({ enabled: true }),
+      remove: () => registeredPrompt.update({ name: null }),
+      update: (updates) => {
+        if (typeof updates.name !== "undefined" && updates.name !== name) {
+          delete this._registeredPrompts[name]
+          if (updates.name) this._registeredPrompts[updates.name] = registeredPrompt
+        }
+        if (typeof updates.title !== "undefined") registeredPrompt.title = updates.title
+        if (typeof updates.description !== "undefined") registeredPrompt.description = updates.description
+        if (typeof updates.argsSchema !== "undefined") registeredPrompt.argsSchema = z.object(updates.argsSchema)
+        if (typeof updates.callback !== "undefined") registeredPrompt.callback = updates.callback
+        if (typeof updates.enabled !== "undefined") registeredPrompt.enabled = updates.enabled
+        this.sendPromptListChanged()
+      },
+    };
+    this._registeredPrompts[name] = registeredPrompt;
+    return registeredPrompt;
+  }
+
   private _createRegisteredTool(
     name: string,
+    title: string | undefined,
     description: string | undefined,
     inputSchema: ZodRawShape | undefined,
     outputSchema: ZodRawShape | undefined,
@@ -730,6 +771,7 @@ export class McpServer {
     callback: ToolCallback<ZodRawShape | undefined>
   ): RegisteredTool {
     const registeredTool: RegisteredTool = {
+      title,
       description,
       inputSchema:
         inputSchema === undefined ? undefined : z.object(inputSchema),
@@ -868,7 +910,7 @@ export class McpServer {
     }
     const callback = rest[0] as ToolCallback<ZodRawShape | undefined>;
 
-    return this._createRegisteredTool(name, description, inputSchema, outputSchema, annotations, callback)
+    return this._createRegisteredTool(name, undefined, description, inputSchema, outputSchema, annotations, callback)
   }
 
   /**
@@ -891,21 +933,15 @@ export class McpServer {
 
     const { title, description, inputSchema, outputSchema, annotations } = config;
 
-    const registeredTool = this._createRegisteredTool(
+    return this._createRegisteredTool(
       name,
+      title,
       description,
       inputSchema,
       outputSchema,
       annotations,
       cb as ToolCallback<ZodRawShape | undefined>
     );
-
-    // Set title if provided
-    if (title !== undefined) {
-      registeredTool.title = title;
-    }
-
-    return registeredTool;
   }
 
   /**
@@ -953,28 +989,13 @@ export class McpServer {
     }
 
     const cb = rest[0] as PromptCallback<PromptArgsRawShape | undefined>;
-    const registeredPrompt: RegisteredPrompt = {
+    const registeredPrompt = this._createRegisteredPrompt(
+      name,
+      undefined,
       description,
-      argsSchema: argsSchema === undefined ? undefined : z.object(argsSchema),
-      callback: cb,
-      enabled: true,
-      disable: () => registeredPrompt.update({ enabled: false }),
-      enable: () => registeredPrompt.update({ enabled: true }),
-      remove: () => registeredPrompt.update({ name: null }),
-      update: (updates) => {
-        if (typeof updates.name !== "undefined" && updates.name !== name) {
-          delete this._registeredPrompts[name]
-          if (updates.name) this._registeredPrompts[updates.name] = registeredPrompt
-        }
-        if (typeof updates.title !== "undefined") registeredPrompt.title = updates.title
-        if (typeof updates.description !== "undefined") registeredPrompt.description = updates.description
-        if (typeof updates.argsSchema !== "undefined") registeredPrompt.argsSchema = z.object(updates.argsSchema)
-        if (typeof updates.callback !== "undefined") registeredPrompt.callback = updates.callback
-        if (typeof updates.enabled !== "undefined") registeredPrompt.enabled = updates.enabled
-        this.sendPromptListChanged()
-      },
-    };
-    this._registeredPrompts[name] = registeredPrompt;
+      argsSchema,
+      cb
+    );
 
     this.setPromptRequestHandlers();
     this.sendPromptListChanged()
@@ -1000,29 +1021,13 @@ export class McpServer {
 
     const { title, description, arguments: argsSchema } = config;
 
-    const registeredPrompt: RegisteredPrompt = {
+    const registeredPrompt = this._createRegisteredPrompt(
+      name,
       title,
       description,
-      argsSchema: argsSchema === undefined ? undefined : z.object(argsSchema),
-      callback: cb as PromptCallback<PromptArgsRawShape | undefined>,
-      enabled: true,
-      disable: () => registeredPrompt.update({ enabled: false }),
-      enable: () => registeredPrompt.update({ enabled: true }),
-      remove: () => registeredPrompt.update({ name: null }),
-      update: (updates) => {
-        if (typeof updates.name !== "undefined" && updates.name !== name) {
-          delete this._registeredPrompts[name]
-          if (updates.name) this._registeredPrompts[updates.name] = registeredPrompt
-        }
-        if (typeof updates.title !== "undefined") registeredPrompt.title = updates.title
-        if (typeof updates.description !== "undefined") registeredPrompt.description = updates.description
-        if (typeof updates.argsSchema !== "undefined") registeredPrompt.argsSchema = z.object(updates.argsSchema)
-        if (typeof updates.callback !== "undefined") registeredPrompt.callback = updates.callback
-        if (typeof updates.enabled !== "undefined") registeredPrompt.enabled = updates.enabled
-        this.sendPromptListChanged()
-      },
-    };
-    this._registeredPrompts[name] = registeredPrompt;
+      argsSchema,
+      cb as PromptCallback<PromptArgsRawShape | undefined>
+    );
 
     this.setPromptRequestHandlers();
     this.sendPromptListChanged()
@@ -1155,16 +1160,16 @@ export type RegisteredTool = {
   enable(): void;
   disable(): void;
   update<InputArgs extends ZodRawShape, OutputArgs extends ZodRawShape>(
-    updates: { 
-      name?: string | null, 
+    updates: {
+      name?: string | null,
       title?: string,
-      description?: string, 
-      paramsSchema?: InputArgs, 
-      outputSchema?: OutputArgs, 
-      annotations?: ToolAnnotations, 
-      callback?: ToolCallback<InputArgs>, 
-      enabled?: boolean 
-  }): void
+      description?: string,
+      paramsSchema?: InputArgs,
+      outputSchema?: OutputArgs,
+      annotations?: ToolAnnotations,
+      callback?: ToolCallback<InputArgs>,
+      enabled?: boolean
+    }): void
   remove(): void
 };
 
@@ -1212,12 +1217,13 @@ export type ReadResourceCallback = (
 
 export type RegisteredResource = {
   name: string;
+  title?: string;
   metadata?: ResourceMetadata;
   readCallback: ReadResourceCallback;
   enabled: boolean;
   enable(): void;
   disable(): void;
-  update(updates: { name?: string, uri?: string | null, metadata?: ResourceMetadata, callback?: ReadResourceCallback, enabled?: boolean }): void
+  update(updates: { name?: string, title?: string, uri?: string | null, metadata?: ResourceMetadata, callback?: ReadResourceCallback, enabled?: boolean }): void
   remove(): void
 };
 
@@ -1232,12 +1238,13 @@ export type ReadResourceTemplateCallback = (
 
 export type RegisteredResourceTemplate = {
   resourceTemplate: ResourceTemplate;
+  title?: string;
   metadata?: ResourceMetadata;
   readCallback: ReadResourceTemplateCallback;
   enabled: boolean;
   enable(): void;
   disable(): void;
-  update(updates: { name?: string | null, template?: ResourceTemplate, metadata?: ResourceMetadata, callback?: ReadResourceTemplateCallback, enabled?: boolean }): void
+  update(updates: { name?: string | null, title?: string, template?: ResourceTemplate, metadata?: ResourceMetadata, callback?: ReadResourceTemplateCallback, enabled?: boolean }): void
   remove(): void
 };
 
diff --git a/src/shared/metadataUtils.ts b/src/shared/metadataUtils.ts
index d581a6b24..410827a5f 100644
--- a/src/shared/metadataUtils.ts
+++ b/src/shared/metadataUtils.ts
@@ -6,11 +6,26 @@ import { BaseMetadata } from "../types.js";
 
 /**
  * Gets the display name for an object with BaseMetadata.
- * Returns the title if available, otherwise falls back to name.
+ * For tools, the precedence is: title → annotations.title → name
+ * For other objects: title → name
  * This implements the spec requirement: "if no title is provided, name should be used for display purposes"
  */
 export function getDisplayName(metadata: BaseMetadata): string {
-  return metadata.title ?? metadata.name;
+  // First check for title (not undefined and not empty string)
+  if (metadata.title !== undefined && metadata.title !== '') {
+    return metadata.title;
+  }
+  
+  // Then check for annotations.title (only present in Tool objects)
+  if ('annotations' in metadata) {
+    const metadataWithAnnotations = metadata as BaseMetadata & { annotations?: { title?: string } };
+    if (metadataWithAnnotations.annotations?.title) {
+      return metadataWithAnnotations.annotations.title;
+    }
+  }
+  
+  // Finally fall back to name
+  return metadata.name;
 }
 
 /**
diff --git a/src/types.ts b/src/types.ts
index 9ece70d46..4d1d14d24 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -203,7 +203,14 @@ export const BaseMetadataSchema = z
   .object({
     /** Intended for programmatic or logical use, but used as a display name in past specs or fallback */
     name: z.string(),
-    /** Intended for UI and end-user contexts — optimized to be human-readable */
+    /**
+    * Intended for UI and end-user contexts — optimized to be human-readable and easily understood,
+    * even by those unfamiliar with domain-specific terminology.
+    *
+    * If not provided, the name should be used for display (except for Tool,
+    * where `annotations.title` should be given precedence over using `name`,
+    * if present).
+    */
     title: z.optional(z.string()),
   })
   .passthrough();

From bce2dbfb83c6936be6ab05598d30b3d4d5e09d82 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Mon, 16 Jun 2025 10:55:02 +0100
Subject: [PATCH 043/147] small fixes like argsSchema

---
 README.md                                   | 13 ++--
 src/examples/server/simpleStreamableHttp.ts |  9 ++-
 src/server/mcp.ts                           |  4 +-
 src/server/title.test.ts                    | 80 ++++++++++-----------
 4 files changed, 51 insertions(+), 55 deletions(-)

diff --git a/README.md b/README.md
index f9f080b92..5ae9e0436 100644
--- a/README.md
+++ b/README.md
@@ -55,8 +55,7 @@ import { z } from "zod";
 // Create an MCP server
 const server = new McpServer({
   name: "demo-server",
-  version: "1.0.0",
-  title: "Demo Server"  // Optional display name
+  version: "1.0.0"
 });
 
 // Add an addition tool
@@ -109,9 +108,8 @@ The McpServer is your core interface to the MCP protocol. It handles connection
 
 ```typescript
 const server = new McpServer({
-  name: "my-app",              // Unique identifier for your server
-  version: "1.0.0",            // Server version
-  title: "My Application"      // Optional display name for UI
+  name: "my-app",
+  version: "1.0.0"
 });
 ```
 
@@ -471,8 +469,7 @@ import { z } from "zod";
 
 const server = new McpServer({
   name: "echo-server",
-  version: "1.0.0",
-  title: "Echo Server"
+  version: "1.0.0"
 });
 
 server.registerResource(
@@ -507,7 +504,7 @@ server.registerPrompt(
   {
     title: "Echo Prompt",
     description: "Creates a prompt to process a message",
-    arguments: { message: z.string() }
+    argsSchema: { message: z.string() }
   },
   ({ message }) => ({
     messages: [{
diff --git a/src/examples/server/simpleStreamableHttp.ts b/src/examples/server/simpleStreamableHttp.ts
index b66be93d0..fca0ff5af 100644
--- a/src/examples/server/simpleStreamableHttp.ts
+++ b/src/examples/server/simpleStreamableHttp.ts
@@ -17,8 +17,7 @@ const useOAuth = process.argv.includes('--oauth');
 const getServer = () => {
   const server = new McpServer({
     name: 'simple-streamable-http-server',
-    version: '1.0.0',
-    title: 'Simple Streamable HTTP Server',  // Display name for UI
+    version: '1.0.0'
   }, { capabilities: { logging: {} } });
 
   // Register a simple tool that returns a greeting
@@ -94,7 +93,7 @@ const getServer = () => {
     {
       title: 'Greeting Template',  // Display name for UI
       description: 'A simple greeting prompt template',
-      arguments: {
+      argsSchema: {
         name: z.string().describe('Name to include in greeting'),
       },
     },
@@ -158,10 +157,10 @@ const getServer = () => {
   server.registerResource(
     'greeting-resource',
     'https://example.com/greetings/default',
-    { 
+    {
       title: 'Default Greeting',  // Display name for UI
       description: 'A simple greeting resource',
-      mimeType: 'text/plain' 
+      mimeType: 'text/plain'
     },
     async (): Promise<ReadResourceResult> => {
       return {
diff --git a/src/server/mcp.ts b/src/server/mcp.ts
index 3c1c00d9e..7394ecbf5 100644
--- a/src/server/mcp.ts
+++ b/src/server/mcp.ts
@@ -1011,7 +1011,7 @@ export class McpServer {
     config: {
       title?: string;
       description?: string;
-      arguments?: Args;
+      argsSchema?: Args;
     },
     cb: PromptCallback<Args>
   ): RegisteredPrompt {
@@ -1019,7 +1019,7 @@ export class McpServer {
       throw new Error(`Prompt ${name} is already registered`);
     }
 
-    const { title, description, arguments: argsSchema } = config;
+    const { title, description, argsSchema } = config;
 
     const registeredPrompt = this._createRegisteredPrompt(
       name,
diff --git a/src/server/title.test.ts b/src/server/title.test.ts
index 7874fb62c..02bafe127 100644
--- a/src/server/title.test.ts
+++ b/src/server/title.test.ts
@@ -7,12 +7,12 @@ import { McpServer } from "./mcp.js";
 describe("Title field backwards compatibility", () => {
   it("should work with tools that have title", async () => {
     const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
-    
+
     const server = new McpServer(
       { name: "test-server", version: "1.0.0" },
       { capabilities: {} }
     );
-    
+
     // Register tool with title
     server.registerTool(
       "test-tool",
@@ -25,12 +25,12 @@ describe("Title field backwards compatibility", () => {
       },
       async () => ({ content: [{ type: "text", text: "result" }] })
     );
-    
+
     const client = new Client({ name: "test-client", version: "1.0.0" });
-    
+
     await server.server.connect(serverTransport);
     await client.connect(clientTransport);
-    
+
     const tools = await client.listTools();
     expect(tools.tools).toHaveLength(1);
     expect(tools.tools[0].name).toBe("test-tool");
@@ -40,12 +40,12 @@ describe("Title field backwards compatibility", () => {
 
   it("should work with tools without title", async () => {
     const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
-    
+
     const server = new McpServer(
       { name: "test-server", version: "1.0.0" },
       { capabilities: {} }
     );
-    
+
     // Register tool without title
     server.tool(
       "test-tool",
@@ -53,12 +53,12 @@ describe("Title field backwards compatibility", () => {
       { value: z.string() },
       async () => ({ content: [{ type: "text", text: "result" }] })
     );
-    
+
     const client = new Client({ name: "test-client", version: "1.0.0" });
-    
+
     await server.server.connect(serverTransport);
     await client.connect(clientTransport);
-    
+
     const tools = await client.listTools();
     expect(tools.tools).toHaveLength(1);
     expect(tools.tools[0].name).toBe("test-tool");
@@ -68,12 +68,12 @@ describe("Title field backwards compatibility", () => {
 
   it("should work with prompts that have title using update", async () => {
     const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
-    
+
     const server = new McpServer(
       { name: "test-server", version: "1.0.0" },
       { capabilities: {} }
     );
-    
+
     // Register prompt with title by updating after creation
     const prompt = server.prompt(
       "test-prompt",
@@ -81,12 +81,12 @@ describe("Title field backwards compatibility", () => {
       async () => ({ messages: [{ role: "user", content: { type: "text", text: "test" } }] })
     );
     prompt.update({ title: "Test Prompt Display Name" });
-    
+
     const client = new Client({ name: "test-client", version: "1.0.0" });
-    
+
     await server.server.connect(serverTransport);
     await client.connect(clientTransport);
-    
+
     const prompts = await client.listPrompts();
     expect(prompts.prompts).toHaveLength(1);
     expect(prompts.prompts[0].name).toBe("test-prompt");
@@ -96,33 +96,33 @@ describe("Title field backwards compatibility", () => {
 
   it("should work with prompts using registerPrompt", async () => {
     const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
-    
+
     const server = new McpServer(
       { name: "test-server", version: "1.0.0" },
       { capabilities: {} }
     );
-    
+
     // Register prompt with title using registerPrompt
     server.registerPrompt(
       "test-prompt",
       {
         title: "Test Prompt Display Name",
         description: "A test prompt",
-        arguments: { input: z.string() }
+        argsSchema: { input: z.string() }
       },
-      async ({ input }) => ({ 
-        messages: [{ 
-          role: "user", 
-          content: { type: "text", text: `test: ${input}` } 
-        }] 
+      async ({ input }) => ({
+        messages: [{
+          role: "user",
+          content: { type: "text", text: `test: ${input}` }
+        }]
       })
     );
-    
+
     const client = new Client({ name: "test-client", version: "1.0.0" });
-    
+
     await server.server.connect(serverTransport);
     await client.connect(clientTransport);
-    
+
     const prompts = await client.listPrompts();
     expect(prompts.prompts).toHaveLength(1);
     expect(prompts.prompts[0].name).toBe("test-prompt");
@@ -133,12 +133,12 @@ describe("Title field backwards compatibility", () => {
 
   it("should work with resources using registerResource", async () => {
     const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
-    
+
     const server = new McpServer(
       { name: "test-server", version: "1.0.0" },
       { capabilities: {} }
     );
-    
+
     // Register resource with title using registerResource
     server.registerResource(
       "test-resource",
@@ -148,19 +148,19 @@ describe("Title field backwards compatibility", () => {
         description: "A test resource",
         mimeType: "text/plain"
       },
-      async () => ({ 
-        contents: [{ 
+      async () => ({
+        contents: [{
           uri: "https://example.com/test",
-          text: "test content" 
-        }] 
+          text: "test content"
+        }]
       })
     );
-    
+
     const client = new Client({ name: "test-client", version: "1.0.0" });
-    
+
     await server.server.connect(serverTransport);
     await client.connect(clientTransport);
-    
+
     const resources = await client.listResources();
     expect(resources.resources).toHaveLength(1);
     expect(resources.resources[0].name).toBe("test-resource");
@@ -171,21 +171,21 @@ describe("Title field backwards compatibility", () => {
 
   it("should support serverInfo with title", async () => {
     const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
-    
+
     const server = new Server(
-      { 
+      {
         name: "test-server",
         version: "1.0.0",
         title: "Test Server Display Name"
       },
       { capabilities: {} }
     );
-    
+
     const client = new Client({ name: "test-client", version: "1.0.0" });
-    
+
     await server.connect(serverTransport);
     await client.connect(clientTransport);
-    
+
     const serverInfo = client.getServerVersion();
     expect(serverInfo?.name).toBe("test-server");
     expect(serverInfo?.version).toBe("1.0.0");

From 8719f933571e5ba8e0f5b1dc47fb901cb84d9a48 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Mon, 16 Jun 2025 11:00:20 +0100
Subject: [PATCH 044/147] clean up mcp.ts

---
 src/server/mcp.ts | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/src/server/mcp.ts b/src/server/mcp.ts
index 7394ecbf5..ac6cf7727 100644
--- a/src/server/mcp.ts
+++ b/src/server/mcp.ts
@@ -114,6 +114,7 @@ export class McpServer {
           ([name, tool]): Tool => {
             const toolDefinition: Tool = {
               name,
+              title: tool.title,
               description: tool.description,
               inputSchema: tool.inputSchema
                 ? (zodToJsonSchema(tool.inputSchema, {
@@ -123,10 +124,6 @@ export class McpServer {
               annotations: tool.annotations,
             };
 
-            if (tool.title !== undefined) {
-              toolDefinition.title = tool.title;
-            }
-
             if (tool.outputSchema) {
               toolDefinition.outputSchema = zodToJsonSchema(
                 tool.outputSchema,
@@ -472,19 +469,14 @@ export class McpServer {
           ([, prompt]) => prompt.enabled,
         ).map(
           ([name, prompt]): Prompt => {
-            const promptDefinition: Prompt = {
+            return {
               name,
+              title: prompt.title,
               description: prompt.description,
               arguments: prompt.argsSchema
                 ? promptArgumentsFromSchema(prompt.argsSchema)
                 : undefined,
             };
-
-            if (prompt.title !== undefined) {
-              promptDefinition.title = prompt.title;
-            }
-
-            return promptDefinition;
           },
         ),
       }),

From 3f939be6c7336af0fd91e3fd4ded20a4d0d02a57 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Mon, 16 Jun 2025 11:21:07 +0100
Subject: [PATCH 045/147] readme fixes and template tests for title

---
 README.md                | 12 +++++------
 src/server/title.test.ts | 44 +++++++++++++++++++++++++++++++++++++++-
 2 files changed, 49 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 5ae9e0436..c753e3b18 100644
--- a/README.md
+++ b/README.md
@@ -78,10 +78,10 @@ server.registerResource(
     title: "Greeting Resource",      // Display name for UI
     description: "Dynamic greeting generator"
   },
-  async (uri, params) => ({
+  async (uri, { name }) => ({
     contents: [{
       uri: uri.href,
-      text: `Hello, ${params.name}!`
+      text: `Hello, ${name}!`
     }]
   })
 );
@@ -143,10 +143,10 @@ server.registerResource(
     title: "User Profile",
     description: "User profile information"
   },
-  async (uri, params) => ({
+  async (uri, { userId }) => ({
     contents: [{
       uri: uri.href,
-      text: `Profile data for user ${params.userId}`
+      text: `Profile data for user ${userId}`
     }]
   })
 );
@@ -479,10 +479,10 @@ server.registerResource(
     title: "Echo Resource",
     description: "Echoes back messages as resources"
   },
-  async (uri, params) => ({
+  async (uri, { message }) => ({
     contents: [{
       uri: uri.href,
-      text: `Resource echo: ${params.message}`
+      text: `Resource echo: ${message}`
     }]
   })
 );
diff --git a/src/server/title.test.ts b/src/server/title.test.ts
index 02bafe127..480257cd5 100644
--- a/src/server/title.test.ts
+++ b/src/server/title.test.ts
@@ -2,7 +2,7 @@ import { Server } from "./index.js";
 import { Client } from "../client/index.js";
 import { InMemoryTransport } from "../inMemory.js";
 import { z } from "zod";
-import { McpServer } from "./mcp.js";
+import { McpServer, ResourceTemplate } from "./mcp.js";
 
 describe("Title field backwards compatibility", () => {
   it("should work with tools that have title", async () => {
@@ -169,6 +169,48 @@ describe("Title field backwards compatibility", () => {
     expect(resources.resources[0].mimeType).toBe("text/plain");
   });
 
+  it("should work with dynamic resources using registerResource", async () => {
+    const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+
+    const server = new McpServer(
+      { name: "test-server", version: "1.0.0" },
+      { capabilities: {} }
+    );
+
+    // Register dynamic resource with title using registerResource
+    server.registerResource(
+      "user-profile",
+      new ResourceTemplate("users://{userId}/profile", { list: undefined }),
+      {
+        title: "User Profile",
+        description: "User profile information"
+      },
+      async (uri, { userId }, extra) => ({
+        contents: [{
+          uri: uri.href,
+          text: `Profile data for user ${userId}`
+        }]
+      })
+    );
+
+    const client = new Client({ name: "test-client", version: "1.0.0" });
+
+    await server.server.connect(serverTransport);
+    await client.connect(clientTransport);
+
+    const resourceTemplates = await client.listResourceTemplates();
+    expect(resourceTemplates.resourceTemplates).toHaveLength(1);
+    expect(resourceTemplates.resourceTemplates[0].name).toBe("user-profile");
+    expect(resourceTemplates.resourceTemplates[0].title).toBe("User Profile");
+    expect(resourceTemplates.resourceTemplates[0].description).toBe("User profile information");
+    expect(resourceTemplates.resourceTemplates[0].uriTemplate).toBe("users://{userId}/profile");
+
+    // Test reading the resource
+    const readResult = await client.readResource({ uri: "users://123/profile" });
+    expect(readResult.contents).toHaveLength(1);
+    expect(readResult.contents[0].text).toBe("Profile data for user 123");
+  });
+
   it("should support serverInfo with title", async () => {
     const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
 

From e78c1b787d663c17d3e122d9372d96998f268be7 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Mon, 16 Jun 2025 11:27:34 +0100
Subject: [PATCH 046/147] fix

---
 README.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/README.md b/README.md
index c753e3b18..0170b5fe1 100644
--- a/README.md
+++ b/README.md
@@ -530,8 +530,7 @@ import { z } from "zod";
 
 const server = new McpServer({
   name: "sqlite-explorer",
-  version: "1.0.0",
-  title: "SQLite Explorer"
+  version: "1.0.0"
 });
 
 // Helper to create DB connection

From 90e45950b3c0100469a340b661731f929c02298e Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Mon, 16 Jun 2025 11:36:08 +0100
Subject: [PATCH 047/147] show name and title in example

---
 src/examples/client/simpleStreamableHttp.ts | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/src/examples/client/simpleStreamableHttp.ts b/src/examples/client/simpleStreamableHttp.ts
index efa176df5..e7232fe0f 100644
--- a/src/examples/client/simpleStreamableHttp.ts
+++ b/src/examples/client/simpleStreamableHttp.ts
@@ -318,12 +318,7 @@ async function listTools(): Promise<void> {
       console.log('  No tools available');
     } else {
       for (const tool of toolsResult.tools) {
-        const displayName = getDisplayName(tool);
-        if (displayName !== tool.name) {
-          console.log(`  - ${tool.name} (${displayName}): ${tool.description}`);
-        } else {
-          console.log(`  - ${tool.name}: ${tool.description}`);
-        }
+        console.log(`  - id: ${tool.name}, name: ${getDisplayName(tool)}, description: ${tool.description}`);
       }
     }
   } catch (error) {
@@ -386,7 +381,7 @@ async function runNotificationsToolWithResumability(interval: number, count: num
   try {
     console.log(`Starting notification stream with resumability: interval=${interval}ms, count=${count || 'unlimited'}`);
     console.log(`Using resumption token: ${notificationsToolLastEventId || 'none'}`);
-    
+
     const request: CallToolRequest = {
       method: 'tools/call',
       params: {
@@ -399,7 +394,7 @@ async function runNotificationsToolWithResumability(interval: number, count: num
       notificationsToolLastEventId = event;
       console.log(`Updated resumption token: ${event}`);
     };
-    
+
     const result = await client.request(request, CallToolResultSchema, {
       resumptionToken: notificationsToolLastEventId,
       onresumptiontoken: onLastEventIdUpdate
@@ -435,7 +430,7 @@ async function listPrompts(): Promise<void> {
       console.log('  No prompts available');
     } else {
       for (const prompt of promptsResult.prompts) {
-        console.log(`  - ${getDisplayName(prompt)}: ${prompt.description}`);
+        console.log(`  - id: ${prompt.name}, name: ${getDisplayName(prompt)}, description: ${prompt.description}`);
       }
     }
   } catch (error) {
@@ -486,7 +481,7 @@ async function listResources(): Promise<void> {
       console.log('  No resources available');
     } else {
       for (const resource of resourcesResult.resources) {
-        console.log(`  - ${getDisplayName(resource)}: ${resource.uri}`);
+        console.log(`  - id: ${resource.name}, name: ${getDisplayName(resource)}, description: ${resource.uri}`);
       }
     }
   } catch (error) {

From f1a07a940a13b79da8d2ac3b13ba7f2590de65d5 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Mon, 16 Jun 2025 11:45:35 +0100
Subject: [PATCH 048/147] ci fix

---
 src/server/title.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/server/title.test.ts b/src/server/title.test.ts
index 480257cd5..3f64570b8 100644
--- a/src/server/title.test.ts
+++ b/src/server/title.test.ts
@@ -185,7 +185,7 @@ describe("Title field backwards compatibility", () => {
         title: "User Profile",
         description: "User profile information"
       },
-      async (uri, { userId }, extra) => ({
+      async (uri, { userId }, _extra) => ({
         contents: [{
           uri: uri.href,
           text: `Profile data for user ${userId}`

From 97519d3e32472410b04d8e20a4102f778c5d82aa Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Mon, 16 Jun 2025 12:08:21 +0100
Subject: [PATCH 049/147] add description to resourse link

---
 README.md | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 0cf2b85e1..ff6c482f5 100644
--- a/README.md
+++ b/README.md
@@ -206,16 +206,18 @@ server.registerTool(
       { type: "text", text: `Found files matching "${pattern}":` },
       // ResourceLinks let tools return references without file content
       {
-        type: "resource_link" as const,
+        type: "resource_link",
         uri: "file:///project/README.md",
         name: "README.md",
-        mimeType: "text/markdown"
+        mimeType: "text/markdown",
+        description: 'A README file'
       },
       {
-        type: "resource_link" as const,
+        type: "resource_link",
         uri: "file:///project/src/index.ts",
         name: "index.ts",
-        mimeType: "text/typescript"
+        mimeType: "text/typescript",
+        description: 'An index file'
       }
     ]
   })

From 1e5f0e16ba4801d7c5cfa8227b2becdff2ec6571 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Mon, 16 Jun 2025 12:08:59 +0100
Subject: [PATCH 050/147] whitespaces

---
 src/types.test.ts | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/src/types.test.ts b/src/types.test.ts
index ca49867a8..d163f03d0 100644
--- a/src/types.test.ts
+++ b/src/types.test.ts
@@ -1,5 +1,5 @@
-import { 
-    LATEST_PROTOCOL_VERSION, 
+import {
+    LATEST_PROTOCOL_VERSION,
     SUPPORTED_PROTOCOL_VERSIONS,
     ResourceLinkSchema,
     ContentBlockSchema,
@@ -28,7 +28,7 @@ describe("Types", () => {
                 uri: "file:///path/to/file.txt",
                 name: "file.txt"
             };
-            
+
             const result = ResourceLinkSchema.safeParse(resourceLink);
             expect(result.success).toBe(true);
             if (result.success) {
@@ -48,7 +48,7 @@ describe("Types", () => {
                 mimeType: "text/plain",
                 _meta: { custom: "metadata" }
             };
-            
+
             const result = ResourceLinkSchema.safeParse(resourceLink);
             expect(result.success).toBe(true);
             if (result.success) {
@@ -65,7 +65,7 @@ describe("Types", () => {
                 uri: "file:///path/to/file.txt",
                 name: "file.txt"
             };
-            
+
             const result = ResourceLinkSchema.safeParse(invalidResourceLink);
             expect(result.success).toBe(false);
         });
@@ -76,7 +76,7 @@ describe("Types", () => {
                 uri: "file:///path/to/file.txt"
                 // missing name
             };
-            
+
             const result = ResourceLinkSchema.safeParse(invalidResourceLink);
             expect(result.success).toBe(false);
         });
@@ -88,7 +88,7 @@ describe("Types", () => {
                 type: "text",
                 text: "Hello, world!"
             };
-            
+
             const result = ContentBlockSchema.safeParse(textContent);
             expect(result.success).toBe(true);
             if (result.success) {
@@ -102,7 +102,7 @@ describe("Types", () => {
                 data: "aGVsbG8=", // base64 encoded "hello"
                 mimeType: "image/png"
             };
-            
+
             const result = ContentBlockSchema.safeParse(imageContent);
             expect(result.success).toBe(true);
             if (result.success) {
@@ -116,7 +116,7 @@ describe("Types", () => {
                 data: "aGVsbG8=", // base64 encoded "hello"
                 mimeType: "audio/mp3"
             };
-            
+
             const result = ContentBlockSchema.safeParse(audioContent);
             expect(result.success).toBe(true);
             if (result.success) {
@@ -131,7 +131,7 @@ describe("Types", () => {
                 name: "file.txt",
                 mimeType: "text/plain"
             };
-            
+
             const result = ContentBlockSchema.safeParse(resourceLink);
             expect(result.success).toBe(true);
             if (result.success) {
@@ -148,7 +148,7 @@ describe("Types", () => {
                     text: "File contents"
                 }
             };
-            
+
             const result = ContentBlockSchema.safeParse(embeddedResource);
             expect(result.success).toBe(true);
             if (result.success) {
@@ -169,7 +169,7 @@ describe("Types", () => {
                     mimeType: "text/x-rust"
                 }
             };
-            
+
             const result = PromptMessageSchema.safeParse(promptMessage);
             expect(result.success).toBe(true);
             if (result.success) {
@@ -202,7 +202,7 @@ describe("Types", () => {
                     }
                 ]
             };
-            
+
             const result = CallToolResultSchema.safeParse(toolResult);
             expect(result.success).toBe(true);
             if (result.success) {
@@ -215,7 +215,7 @@ describe("Types", () => {
 
         test("should validate empty content array with default", () => {
             const toolResult = {};
-            
+
             const result = CallToolResultSchema.safeParse(toolResult);
             expect(result.success).toBe(true);
             if (result.success) {

From c90d6c9853ab64cf94c2d3d016f615ae4376fa89 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Mon, 16 Jun 2025 14:11:10 +0100
Subject: [PATCH 051/147] add context with arguments to completable

---
 src/server/completable.ts |   3 +
 src/server/mcp.test.ts    | 271 +++++++++++++++++++++++++++++++++++---
 src/server/mcp.ts         |   7 +-
 src/types.test.ts         |  90 ++++++++++++-
 src/types.ts              |   8 ++
 5 files changed, 357 insertions(+), 22 deletions(-)

diff --git a/src/server/completable.ts b/src/server/completable.ts
index 3b5bc1644..652eaf72e 100644
--- a/src/server/completable.ts
+++ b/src/server/completable.ts
@@ -15,6 +15,9 @@ export enum McpZodTypeKind {
 
 export type CompleteCallback<T extends ZodTypeAny = ZodTypeAny> = (
   value: T["_input"],
+  context?: {
+    arguments?: Record<string, string>;
+  },
 ) => T["_input"][] | Promise<T["_input"][]>;
 
 export interface CompletableDef<T extends ZodTypeAny = ZodTypeAny>
diff --git a/src/server/mcp.test.ts b/src/server/mcp.test.ts
index 36a8f7b88..23600db45 100644
--- a/src/server/mcp.test.ts
+++ b/src/server/mcp.test.ts
@@ -3521,12 +3521,12 @@ describe("prompt()", () => {
     );
 
     expect(result.resources).toHaveLength(2);
-    
+
     // Resource 1 should have its own metadata
     expect(result.resources[0].name).toBe("Resource 1");
     expect(result.resources[0].description).toBe("Individual resource description");
     expect(result.resources[0].mimeType).toBe("text/plain");
-    
+
     // Resource 2 should inherit template metadata
     expect(result.resources[1].name).toBe("Resource 2");
     expect(result.resources[1].description).toBe("Template description");
@@ -3592,7 +3592,7 @@ describe("prompt()", () => {
     );
 
     expect(result.resources).toHaveLength(1);
-    
+
     // All fields should be from the individual resource, not the template
     expect(result.resources[0].name).toBe("Overridden Name");
     expect(result.resources[0].description).toBe("Overridden description");
@@ -3698,41 +3698,274 @@ describe("Tool title precedence", () => {
   });
 
   test("getDisplayName unit tests for title precedence", () => {
-    
+
     // Test 1: Only name
     expect(getDisplayName({ name: "tool_name" })).toBe("tool_name");
-    
+
     // Test 2: Name and title - title wins
-    expect(getDisplayName({ 
-      name: "tool_name", 
-      title: "Tool Title" 
+    expect(getDisplayName({
+      name: "tool_name",
+      title: "Tool Title"
     })).toBe("Tool Title");
-    
+
     // Test 3: Name and annotations.title - annotations.title wins
-    expect(getDisplayName({ 
+    expect(getDisplayName({
       name: "tool_name",
       annotations: { title: "Annotations Title" }
     })).toBe("Annotations Title");
-    
+
     // Test 4: All three - title wins (correct precedence)
-    expect(getDisplayName({ 
-      name: "tool_name", 
+    expect(getDisplayName({
+      name: "tool_name",
       title: "Regular Title",
       annotations: { title: "Annotations Title" }
     })).toBe("Regular Title");
-    
+
     // Test 5: Empty title should not be used
-    expect(getDisplayName({ 
-      name: "tool_name", 
+    expect(getDisplayName({
+      name: "tool_name",
       title: "",
       annotations: { title: "Annotations Title" }
     })).toBe("Annotations Title");
-    
+
     // Test 6: Undefined vs null handling
-    expect(getDisplayName({ 
-      name: "tool_name", 
+    expect(getDisplayName({
+      name: "tool_name",
       title: undefined,
       annotations: { title: "Annotations Title" }
     })).toBe("Annotations Title");
   });
+
+  test("should support resource template completion with resolved context", async () => {
+    const mcpServer = new McpServer({
+      name: "test server",
+      version: "1.0",
+    });
+
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
+
+    mcpServer.resource(
+      "test",
+      new ResourceTemplate("github://repos/{owner}/{repo}", {
+        list: undefined,
+        complete: {
+          repo: (value, context) => {
+            if (context?.arguments?.["owner"] === "org1") {
+              return ["project1", "project2", "project3"].filter(r => r.startsWith(value));
+            } else if (context?.arguments?.["owner"] === "org2") {
+              return ["repo1", "repo2", "repo3"].filter(r => r.startsWith(value));
+            }
+            return [];
+          },
+        },
+      }),
+      async () => ({
+        contents: [
+          {
+            uri: "github://repos/test/test",
+            text: "Test content",
+          },
+        ],
+      }),
+    );
+
+    const [clientTransport, serverTransport] =
+      InMemoryTransport.createLinkedPair();
+
+    await Promise.all([
+      client.connect(clientTransport),
+      mcpServer.server.connect(serverTransport),
+    ]);
+
+    // Test with microsoft owner
+    const result1 = await client.request(
+      {
+        method: "completion/complete",
+        params: {
+          ref: {
+            type: "ref/resource",
+            uri: "github://repos/{owner}/{repo}",
+          },
+          argument: {
+            name: "repo",
+            value: "p",
+          },
+          context: {
+            arguments: {
+              owner: "org1",
+            },
+          },
+        },
+      },
+      CompleteResultSchema,
+    );
+
+    expect(result1.completion.values).toEqual(["project1", "project2", "project3"]);
+    expect(result1.completion.total).toBe(3);
+
+    // Test with facebook owner
+    const result2 = await client.request(
+      {
+        method: "completion/complete",
+        params: {
+          ref: {
+            type: "ref/resource",
+            uri: "github://repos/{owner}/{repo}",
+          },
+          argument: {
+            name: "repo",
+            value: "r",
+          },
+          context: {
+            arguments: {
+              owner: "org2",
+            },
+          },
+        },
+      },
+      CompleteResultSchema,
+    );
+
+    expect(result2.completion.values).toEqual(["repo1", "repo2", "repo3"]);
+    expect(result2.completion.total).toBe(3);
+
+    // Test with no resolved context
+    const result3 = await client.request(
+      {
+        method: "completion/complete",
+        params: {
+          ref: {
+            type: "ref/resource",
+            uri: "github://repos/{owner}/{repo}",
+          },
+          argument: {
+            name: "repo",
+            value: "t",
+          },
+        },
+      },
+      CompleteResultSchema,
+    );
+
+    expect(result3.completion.values).toEqual([]);
+    expect(result3.completion.total).toBe(0);
+  });
+
+  test("should support prompt argument completion with resolved context", async () => {
+    const mcpServer = new McpServer({
+      name: "test server",
+      version: "1.0",
+    });
+
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
+
+    mcpServer.prompt(
+      "test-prompt",
+      {
+        name: completable(z.string(), (value, context) => {
+          if (context?.arguments?.["category"] === "developers") {
+            return ["Alice", "Bob", "Charlie"].filter(n => n.startsWith(value));
+          } else if (context?.arguments?.["category"] === "managers") {
+            return ["David", "Eve", "Frank"].filter(n => n.startsWith(value));
+          }
+          return ["Guest"].filter(n => n.startsWith(value));
+        }),
+      },
+      async ({ name }) => ({
+        messages: [
+          {
+            role: "assistant",
+            content: {
+              type: "text",
+              text: `Hello ${name}`,
+            },
+          },
+        ],
+      }),
+    );
+
+    const [clientTransport, serverTransport] =
+      InMemoryTransport.createLinkedPair();
+
+    await Promise.all([
+      client.connect(clientTransport),
+      mcpServer.server.connect(serverTransport),
+    ]);
+
+    // Test with developers category
+    const result1 = await client.request(
+      {
+        method: "completion/complete",
+        params: {
+          ref: {
+            type: "ref/prompt",
+            name: "test-prompt",
+          },
+          argument: {
+            name: "name",
+            value: "A",
+          },
+          context: {
+            arguments: {
+              category: "developers",
+            },
+          },
+        },
+      },
+      CompleteResultSchema,
+    );
+
+    expect(result1.completion.values).toEqual(["Alice"]);
+
+    // Test with managers category
+    const result2 = await client.request(
+      {
+        method: "completion/complete",
+        params: {
+          ref: {
+            type: "ref/prompt",
+            name: "test-prompt",
+          },
+          argument: {
+            name: "name",
+            value: "D",
+          },
+          context: {
+            arguments: {
+              category: "managers",
+            },
+          },
+        },
+      },
+      CompleteResultSchema,
+    );
+
+    expect(result2.completion.values).toEqual(["David"]);
+
+    // Test with no resolved context
+    const result3 = await client.request(
+      {
+        method: "completion/complete",
+        params: {
+          ref: {
+            type: "ref/prompt",
+            name: "test-prompt",
+          },
+          argument: {
+            name: "name",
+            value: "G",
+          },
+        },
+      },
+      CompleteResultSchema,
+    );
+
+    expect(result3.completion.values).toEqual(["Guest"]);
+  });
 });
diff --git a/src/server/mcp.ts b/src/server/mcp.ts
index ac6cf7727..3d9673da7 100644
--- a/src/server/mcp.ts
+++ b/src/server/mcp.ts
@@ -293,7 +293,7 @@ export class McpServer {
     }
 
     const def: CompletableDef<ZodString> = field._def;
-    const suggestions = await def.complete(request.params.argument.value);
+    const suggestions = await def.complete(request.params.argument.value, request.params.context);
     return createCompletionResult(suggestions);
   }
 
@@ -324,7 +324,7 @@ export class McpServer {
       return EMPTY_COMPLETION_RESULT;
     }
 
-    const suggestions = await completer(request.params.argument.value);
+    const suggestions = await completer(request.params.argument.value, request.params.context);
     return createCompletionResult(suggestions);
   }
 
@@ -1068,6 +1068,9 @@ export class McpServer {
  */
 export type CompleteResourceTemplateCallback = (
   value: string,
+  context?: {
+    arguments?: Record<string, string>;
+  },
 ) => string[] | Promise<string[]>;
 
 /**
diff --git a/src/types.test.ts b/src/types.test.ts
index d163f03d0..bc1091105 100644
--- a/src/types.test.ts
+++ b/src/types.test.ts
@@ -4,7 +4,8 @@ import {
     ResourceLinkSchema,
     ContentBlockSchema,
     PromptMessageSchema,
-    CallToolResultSchema
+    CallToolResultSchema,
+    CompleteRequestSchema
 } from "./types.js";
 
 describe("Types", () => {
@@ -223,4 +224,91 @@ describe("Types", () => {
             }
         });
     });
+
+    describe("CompleteRequest", () => {
+        test("should validate a CompleteRequest without resolved field", () => {
+            const request = {
+                method: "completion/complete",
+                params: {
+                    ref: { type: "ref/prompt", name: "greeting" },
+                    argument: { name: "name", value: "A" }
+                }
+            };
+
+            const result = CompleteRequestSchema.safeParse(request);
+            expect(result.success).toBe(true);
+            if (result.success) {
+                expect(result.data.method).toBe("completion/complete");
+                expect(result.data.params.ref.type).toBe("ref/prompt");
+                expect(result.data.params.context).toBeUndefined();
+            }
+        });
+
+        test("should validate a CompleteRequest with resolved field", () => {
+            const request = {
+                method: "completion/complete",
+                params: {
+                    ref: { type: "ref/resource", uri: "github://repos/{owner}/{repo}" },
+                    argument: { name: "repo", value: "t" },
+                    context: {
+                        arguments: {
+                            "{owner}": "microsoft"
+                        }
+                    }
+                }
+            };
+
+            const result = CompleteRequestSchema.safeParse(request);
+            expect(result.success).toBe(true);
+            if (result.success) {
+                expect(result.data.params.context?.arguments).toEqual({
+                    "{owner}": "microsoft"
+                });
+            }
+        });
+
+        test("should validate a CompleteRequest with empty resolved field", () => {
+            const request = {
+                method: "completion/complete",
+                params: {
+                    ref: { type: "ref/prompt", name: "test" },
+                    argument: { name: "arg", value: "" },
+                    context: {
+                        arguments: {}
+                    }
+                }
+            };
+
+            const result = CompleteRequestSchema.safeParse(request);
+            expect(result.success).toBe(true);
+            if (result.success) {
+                expect(result.data.params.context?.arguments).toEqual({});
+            }
+        });
+
+        test("should validate a CompleteRequest with multiple resolved variables", () => {
+            const request = {
+                method: "completion/complete",
+                params: {
+                    ref: { type: "ref/resource", uri: "api://v1/{tenant}/{resource}/{id}" },
+                    argument: { name: "id", value: "123" },
+                    context: {
+                        arguments: {
+                            "{tenant}": "acme-corp",
+                            "{resource}": "users"
+                        }
+                    }
+                }
+            };
+
+            const result = CompleteRequestSchema.safeParse(request);
+            expect(result.success).toBe(true);
+            if (result.success) {
+                expect(result.data.params.context?.arguments).toEqual({
+                    "{tenant}": "acme-corp",
+                    "{resource}": "users"
+                });
+            }
+        });
+    });
 });
diff --git a/src/types.ts b/src/types.ts
index 8e8b7d33e..1bc225919 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -1169,6 +1169,14 @@ export const CompleteRequestSchema = RequestSchema.extend({
         value: z.string(),
       })
       .passthrough(),
+    context: z.optional(
+      z.object({
+        /**
+         * Previously-resolved variables in a URI template or prompt.
+         */
+        arguments: z.optional(z.record(z.string(), z.string())),
+      })
+    ),
   }),
 });
 

From 42c3967d8b04f2a95550102967f65763719fceb5 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Mon, 16 Jun 2025 14:23:17 +0100
Subject: [PATCH 052/147] add to readme

---
 README.md              | 111 ++++++++++++++++++++++++++++++++++++++++-
 src/server/mcp.test.ts |  28 +++++++----
 2 files changed, 128 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index ff6c482f5..63acfb065 100644
--- a/README.md
+++ b/README.md
@@ -150,6 +150,33 @@ server.registerResource(
     }]
   })
 );
+
+// Resource with context-aware completion
+server.registerResource(
+  "repository",
+  new ResourceTemplate("github://repos/{owner}/{repo}", {
+    list: undefined,
+    complete: {
+      // Provide intelligent completions based on previously resolved parameters
+      repo: (value, context) => {
+        if (context?.arguments?.["owner"] === "org1") {
+          return ["project1", "project2", "project3"].filter(r => r.startsWith(value));
+        }
+        return ["default-repo"].filter(r => r.startsWith(value));
+      }
+    }
+  }),
+  {
+    title: "GitHub Repository",
+    description: "Repository information"
+  },
+  async (uri, { owner, repo }) => ({
+    contents: [{
+      uri: uri.href,
+      text: `Repository: ${owner}/${repo}`
+    }]
+  })
+);
 ```
 
 ### Tools
@@ -233,12 +260,14 @@ Tools can return `ResourceLink` objects to reference resources without embedding
 Prompts are reusable templates that help LLMs interact with your server effectively:
 
 ```typescript
+import { completable } from "@modelcontextprotocol/sdk/server/completable.js";
+
 server.registerPrompt(
   "review-code",
   {
     title: "Code Review",
     description: "Review code for best practices and potential issues",
-    arguments: { code: z.string() }
+    argsSchema: { code: z.string() }
   },
   ({ code }) => ({
     messages: [{
@@ -250,6 +279,35 @@ server.registerPrompt(
     }]
   })
 );
+
+// Prompt with context-aware completion
+server.registerPrompt(
+  "team-greeting",
+  {
+    title: "Team Greeting",
+    description: "Generate a greeting for team members",
+    argsSchema: {
+      // Completable arguments can use context for intelligent suggestions
+      name: completable(z.string(), (value, context) => {
+        if (context?.arguments?.["department"] === "engineering") {
+          return ["Alice", "Bob", "Charlie"].filter(n => n.startsWith(value));
+        } else if (context?.arguments?.["department"] === "sales") {
+          return ["David", "Eve", "Frank"].filter(n => n.startsWith(value));
+        }
+        return ["Guest"].filter(n => n.startsWith(value));
+      })
+    }
+  },
+  ({ name }) => ({
+    messages: [{
+      role: "assistant",
+      content: {
+        type: "text",
+        text: `Hello ${name}, welcome to the team!`
+      }
+    }]
+  })
+);
 ```
 
 ### Display Names and Metadata
@@ -637,6 +695,57 @@ server.registerTool(
 
 ## Advanced Usage
 
+### Context-Aware Completions
+
+MCP supports intelligent completions that can use previously resolved values as context. This is useful for creating dependent parameter completions where later parameters depend on earlier ones:
+
+```typescript
+import { completable } from "@modelcontextprotocol/sdk/server/completable.js";
+
+// For resource templates
+server.registerResource(
+  "database-query",
+  new ResourceTemplate("db://{database}/{table}/{query}", {
+    list: undefined,
+    complete: {
+      // Table completions depend on the selected database
+      table: (value, context) => {
+        const database = context?.arguments?.["database"];
+        if (database === "users_db") {
+          return ["profiles", "sessions", "preferences"].filter(t => t.startsWith(value));
+        } else if (database === "products_db") {
+          return ["items", "categories", "inventory"].filter(t => t.startsWith(value));
+        }
+        return [];
+      }
+    }
+  }),
+  metadata,
+  handler
+);
+
+// For prompts with completable arguments
+server.registerPrompt(
+  "api-request",
+  {
+    argsSchema: {
+      endpoint: z.string(),
+      // Method completions can be context-aware
+      method: completable(z.string(), (value, context) => {
+        const endpoint = context?.arguments?.["endpoint"];
+        if (endpoint?.includes("/readonly/")) {
+          return ["GET"].filter(m => m.startsWith(value.toUpperCase()));
+        }
+        return ["GET", "POST", "PUT", "DELETE"].filter(m => m.startsWith(value.toUpperCase()));
+      })
+    }
+  },
+  handler
+);
+```
+
+The context object contains an `arguments` field with previously resolved parameter values, allowing you to provide more intelligent and contextual completions.
+
 ### Dynamic Servers
 
 If you want to offer an initial set of tools/prompts/resources, but later add additional ones based on user action or external state change, you can add/update/remove them _after_ the Server is connected. This will automatically emit the corresponding `listChanged` notifications:
diff --git a/src/server/mcp.test.ts b/src/server/mcp.test.ts
index 23600db45..685987bf7 100644
--- a/src/server/mcp.test.ts
+++ b/src/server/mcp.test.ts
@@ -3747,7 +3747,7 @@ describe("Tool title precedence", () => {
       version: "1.0",
     });
 
-    mcpServer.resource(
+    mcpServer.registerResource(
       "test",
       new ResourceTemplate("github://repos/{owner}/{repo}", {
         list: undefined,
@@ -3762,6 +3762,10 @@ describe("Tool title precedence", () => {
           },
         },
       }),
+      {
+        title: "GitHub Repository",
+        description: "Repository information"
+      },
       async () => ({
         contents: [
           {
@@ -3865,17 +3869,21 @@ describe("Tool title precedence", () => {
       version: "1.0",
     });
 
-    mcpServer.prompt(
+    mcpServer.registerPrompt(
       "test-prompt",
       {
-        name: completable(z.string(), (value, context) => {
-          if (context?.arguments?.["category"] === "developers") {
-            return ["Alice", "Bob", "Charlie"].filter(n => n.startsWith(value));
-          } else if (context?.arguments?.["category"] === "managers") {
-            return ["David", "Eve", "Frank"].filter(n => n.startsWith(value));
-          }
-          return ["Guest"].filter(n => n.startsWith(value));
-        }),
+        title: "Team Greeting",
+        description: "Generate a greeting for team members",
+        argsSchema: {
+          name: completable(z.string(), (value, context) => {
+            if (context?.arguments?.["category"] === "developers") {
+              return ["Alice", "Bob", "Charlie"].filter(n => n.startsWith(value));
+            } else if (context?.arguments?.["category"] === "managers") {
+              return ["David", "Eve", "Frank"].filter(n => n.startsWith(value));
+            }
+            return ["Guest"].filter(n => n.startsWith(value));
+          }),
+        }
       },
       async ({ name }) => ({
         messages: [

From 0e86a6d139e0a3da564101cb751f53d3c3fb00fe Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Mon, 16 Jun 2025 14:36:35 +0100
Subject: [PATCH 053/147] improve readme

---
 README.md              | 68 ++++++++----------------------------------
 src/server/mcp.test.ts | 51 ++++++++++++++++++++++++-------
 2 files changed, 53 insertions(+), 66 deletions(-)

diff --git a/README.md b/README.md
index 63acfb065..08b711c2e 100644
--- a/README.md
+++ b/README.md
@@ -287,23 +287,30 @@ server.registerPrompt(
     title: "Team Greeting",
     description: "Generate a greeting for team members",
     argsSchema: {
-      // Completable arguments can use context for intelligent suggestions
+      department: completable(z.string(), (value) => {
+        // Department suggestions
+        return ["engineering", "sales", "marketing", "support"].filter(d => d.startsWith(value));
+      }),
       name: completable(z.string(), (value, context) => {
-        if (context?.arguments?.["department"] === "engineering") {
+        // Name suggestions based on selected department
+        const department = context?.arguments?.["department"];
+        if (department === "engineering") {
           return ["Alice", "Bob", "Charlie"].filter(n => n.startsWith(value));
-        } else if (context?.arguments?.["department"] === "sales") {
+        } else if (department === "sales") {
           return ["David", "Eve", "Frank"].filter(n => n.startsWith(value));
+        } else if (department === "marketing") {
+          return ["Grace", "Henry", "Iris"].filter(n => n.startsWith(value));
         }
         return ["Guest"].filter(n => n.startsWith(value));
       })
     }
   },
-  ({ name }) => ({
+  ({ department, name }) => ({
     messages: [{
       role: "assistant",
       content: {
         type: "text",
-        text: `Hello ${name}, welcome to the team!`
+        text: `Hello ${name}, welcome to the ${department} team!`
       }
     }]
   })
@@ -695,57 +702,6 @@ server.registerTool(
 
 ## Advanced Usage
 
-### Context-Aware Completions
-
-MCP supports intelligent completions that can use previously resolved values as context. This is useful for creating dependent parameter completions where later parameters depend on earlier ones:
-
-```typescript
-import { completable } from "@modelcontextprotocol/sdk/server/completable.js";
-
-// For resource templates
-server.registerResource(
-  "database-query",
-  new ResourceTemplate("db://{database}/{table}/{query}", {
-    list: undefined,
-    complete: {
-      // Table completions depend on the selected database
-      table: (value, context) => {
-        const database = context?.arguments?.["database"];
-        if (database === "users_db") {
-          return ["profiles", "sessions", "preferences"].filter(t => t.startsWith(value));
-        } else if (database === "products_db") {
-          return ["items", "categories", "inventory"].filter(t => t.startsWith(value));
-        }
-        return [];
-      }
-    }
-  }),
-  metadata,
-  handler
-);
-
-// For prompts with completable arguments
-server.registerPrompt(
-  "api-request",
-  {
-    argsSchema: {
-      endpoint: z.string(),
-      // Method completions can be context-aware
-      method: completable(z.string(), (value, context) => {
-        const endpoint = context?.arguments?.["endpoint"];
-        if (endpoint?.includes("/readonly/")) {
-          return ["GET"].filter(m => m.startsWith(value.toUpperCase()));
-        }
-        return ["GET", "POST", "PUT", "DELETE"].filter(m => m.startsWith(value.toUpperCase()));
-      })
-    }
-  },
-  handler
-);
-```
-
-The context object contains an `arguments` field with previously resolved parameter values, allowing you to provide more intelligent and contextual completions.
-
 ### Dynamic Servers
 
 If you want to offer an initial set of tools/prompts/resources, but later add additional ones based on user action or external state change, you can add/update/remove them _after_ the Server is connected. This will automatically emit the corresponding `listChanged` notifications:
diff --git a/src/server/mcp.test.ts b/src/server/mcp.test.ts
index 685987bf7..15be3d987 100644
--- a/src/server/mcp.test.ts
+++ b/src/server/mcp.test.ts
@@ -3875,23 +3875,29 @@ describe("Tool title precedence", () => {
         title: "Team Greeting",
         description: "Generate a greeting for team members",
         argsSchema: {
+          department: completable(z.string(), (value) => {
+            return ["engineering", "sales", "marketing", "support"].filter(d => d.startsWith(value));
+          }),
           name: completable(z.string(), (value, context) => {
-            if (context?.arguments?.["category"] === "developers") {
+            const department = context?.arguments?.["department"];
+            if (department === "engineering") {
               return ["Alice", "Bob", "Charlie"].filter(n => n.startsWith(value));
-            } else if (context?.arguments?.["category"] === "managers") {
+            } else if (department === "sales") {
               return ["David", "Eve", "Frank"].filter(n => n.startsWith(value));
+            } else if (department === "marketing") {
+              return ["Grace", "Henry", "Iris"].filter(n => n.startsWith(value));
             }
             return ["Guest"].filter(n => n.startsWith(value));
           }),
         }
       },
-      async ({ name }) => ({
+      async ({ department, name }) => ({
         messages: [
           {
             role: "assistant",
             content: {
               type: "text",
-              text: `Hello ${name}`,
+              text: `Hello ${name}, welcome to the ${department} team!`,
             },
           },
         ],
@@ -3906,7 +3912,7 @@ describe("Tool title precedence", () => {
       mcpServer.server.connect(serverTransport),
     ]);
 
-    // Test with developers category
+    // Test with engineering department
     const result1 = await client.request(
       {
         method: "completion/complete",
@@ -3921,7 +3927,7 @@ describe("Tool title precedence", () => {
           },
           context: {
             arguments: {
-              category: "developers",
+              department: "engineering",
             },
           },
         },
@@ -3931,7 +3937,7 @@ describe("Tool title precedence", () => {
 
     expect(result1.completion.values).toEqual(["Alice"]);
 
-    // Test with managers category
+    // Test with sales department
     const result2 = await client.request(
       {
         method: "completion/complete",
@@ -3946,7 +3952,7 @@ describe("Tool title precedence", () => {
           },
           context: {
             arguments: {
-              category: "managers",
+              department: "sales",
             },
           },
         },
@@ -3956,8 +3962,33 @@ describe("Tool title precedence", () => {
 
     expect(result2.completion.values).toEqual(["David"]);
 
-    // Test with no resolved context
+    // Test with marketing department
     const result3 = await client.request(
+      {
+        method: "completion/complete",
+        params: {
+          ref: {
+            type: "ref/prompt",
+            name: "test-prompt",
+          },
+          argument: {
+            name: "name",
+            value: "G",
+          },
+          context: {
+            arguments: {
+              department: "marketing",
+            },
+          },
+        },
+      },
+      CompleteResultSchema,
+    );
+
+    expect(result3.completion.values).toEqual(["Grace"]);
+
+    // Test with no resolved context
+    const result4 = await client.request(
       {
         method: "completion/complete",
         params: {
@@ -3974,6 +4005,6 @@ describe("Tool title precedence", () => {
       CompleteResultSchema,
     );
 
-    expect(result3.completion.values).toEqual(["Guest"]);
+    expect(result4.completion.values).toEqual(["Guest"]);
   });
 });

From c0c78ad412c36403ec70fae28f767dd0a756eaa5 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Mon, 16 Jun 2025 15:04:23 +0100
Subject: [PATCH 054/147] add how to use Completions to the readme

---
 README.md | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/README.md b/README.md
index 08b711c2e..8d319f67a 100644
--- a/README.md
+++ b/README.md
@@ -317,6 +317,32 @@ server.registerPrompt(
 );
 ```
 
+### Completions
+
+MCP supports argument completions to help users fill in prompt arguments and resource template parameters. See the examples above for [resource completions](#resources) and [prompt completions](#prompts).
+
+#### Client Usage
+
+```typescript
+// Request completions for any argument
+const result = await client.complete({
+  ref: {
+    type: "ref/prompt",  // or "ref/resource"
+    name: "example"      // or uri: "template://..."
+  },
+  argument: {
+    name: "argumentName",
+    value: "partial"     // What the user has typed so far
+  },
+  context: {             // Optional: Include previously resolved arguments
+    arguments: {
+      previousArg: "value"
+    }
+  }
+});
+console.log(result.completion.values); // ["suggestion1", "suggestion2", ...]
+```
+
 ### Display Names and Metadata
 
 All resources, tools, and prompts support an optional `title` field for better UI presentation. The `title` is used as a display name, while `name` remains the unique identifier.
@@ -870,6 +896,18 @@ const result = await client.callTool({
     arg1: "value"
   }
 });
+
+// Request completions
+const completions = await client.complete({
+  ref: {
+    type: "ref/prompt",
+    name: "example-prompt"
+  },
+  argument: {
+    name: "arg1",
+    value: "partial"
+  }
+});
 ```
 
 ### Proxy Authorization Requests Upstream

From 4549250a4301ac2f44b60923e38ef2db1f8b7051 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Mon, 16 Jun 2025 15:04:33 +0100
Subject: [PATCH 055/147] readme

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8d319f67a..a73d8a381 100644
--- a/README.md
+++ b/README.md
@@ -340,7 +340,7 @@ const result = await client.complete({
     }
   }
 });
-console.log(result.completion.values); // ["suggestion1", "suggestion2", ...]
+
 ```
 
 ### Display Names and Metadata

From 5b875aa542337f253d9a31b166f068ed519a724b Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Mon, 16 Jun 2025 15:19:21 +0100
Subject: [PATCH 056/147] clean up

---
 README.md | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/README.md b/README.md
index a73d8a381..272eeb129 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,7 @@
   - [Resources](#resources)
   - [Tools](#tools)
   - [Prompts](#prompts)
+  - [Completions](#completions)
 - [Running Your Server](#running-your-server)
   - [stdio](#stdio)
   - [Streamable HTTP](#streamable-http)
@@ -897,17 +898,6 @@ const result = await client.callTool({
   }
 });
 
-// Request completions
-const completions = await client.complete({
-  ref: {
-    type: "ref/prompt",
-    name: "example-prompt"
-  },
-  argument: {
-    name: "arg1",
-    value: "partial"
-  }
-});
 ```
 
 ### Proxy Authorization Requests Upstream

From 3df732545f0f0d38c13181b6db1381e0eafff41d Mon Sep 17 00:00:00 2001
From: Felix Weinberger <fweinberger@anthropic.com>
Date: Mon, 16 Jun 2025 16:06:13 +0100
Subject: [PATCH 057/147] Add missing _meta fields to match spec requirements
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added optional _meta field to ResourceContentsSchema, PromptSchema, and EmbeddedResourceSchema to align with spec change PR #710. These were the only schemas missing the _meta field that were required by the specification update.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 src/types.ts | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/types.ts b/src/types.ts
index 1bc225919..1c248d77b 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -435,6 +435,10 @@ export const ResourceContentsSchema = z
      * The MIME type of this resource, if known.
      */
     mimeType: z.optional(z.string()),
+    /**
+     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
+     */
+    _meta: z.optional(z.object({}).passthrough()),
   })
   .passthrough();
 
@@ -637,6 +641,10 @@ export const PromptSchema = BaseMetadataSchema.extend({
    * A list of arguments to use for templating the prompt.
    */
   arguments: z.optional(z.array(PromptArgumentSchema)),
+  /**
+   * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
+   */
+  _meta: z.optional(z.object({}).passthrough()),
 });
 
 /**
@@ -739,6 +747,10 @@ export const EmbeddedResourceSchema = z
   .object({
     type: z.literal("resource"),
     resource: z.union([TextResourceContentsSchema, BlobResourceContentsSchema]),
+    /**
+     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
+     */
+    _meta: z.optional(z.object({}).passthrough()),
   })
   .passthrough();
 

From 4af2d4fe9fbcd983262e248cc18e2102887d8cce Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Mon, 16 Jun 2025 19:14:52 +0100
Subject: [PATCH 058/147] separate code block in README

---
 README.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 3ab5a8988..9fa07de34 100644
--- a/README.md
+++ b/README.md
@@ -923,10 +923,11 @@ server.tool(
     };
   }
 );
+```
 
-// Client-side: Handle elicitation requests
-
+Client-side: Handle elicitation requests
 
+```typescript
 // This is a placeholder - implement based on your UI framework
 async function getInputFromUser(message: string, schema: any): Promise<{
   action: "accept" | "decline" | "cancel";

From 7b5bfcee529bc98a1f1cf668b90167855bc28ca0 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Mon, 16 Jun 2025 19:29:04 +0100
Subject: [PATCH 059/147] implementation of RFC 8707 Resource Indicators (Fixes
 #592, Fixes #635)

---
 src/client/auth.test.ts                       | 512 ++++++++++++++++++
 src/client/auth.ts                            |  34 +-
 src/client/sse.ts                             |  20 +-
 src/client/streamableHttp.ts                  |  20 +-
 .../server/demoInMemoryOAuthProvider.test.ts  | 218 ++++++++
 .../server/demoInMemoryOAuthProvider.ts       |  99 +++-
 .../server/resourceValidationExample.ts       | 152 ++++++
 .../server/serverUrlValidationExample.ts      | 103 ++++
 src/examples/server/strictModeExample.ts      |  85 +++
 src/server/auth/errors.ts                     |  10 +
 .../auth/handlers/authorize.config.test.ts    | 361 ++++++++++++
 src/server/auth/handlers/authorize.test.ts    | 122 +++++
 src/server/auth/handlers/authorize.ts         |  38 +-
 src/server/auth/handlers/token.test.ts        | 179 ++++++
 src/server/auth/handlers/token.ts             |  66 ++-
 src/server/auth/provider.ts                   |   6 +-
 .../auth/providers/proxyProvider.test.ts      | 127 +++++
 src/server/auth/providers/proxyProvider.ts    |  15 +-
 src/server/auth/types.ts                      |  33 ++
 src/shared/auth-utils.test.ts                 | 100 ++++
 src/shared/auth-utils.ts                      |  44 ++
 21 files changed, 2311 insertions(+), 33 deletions(-)
 create mode 100644 src/examples/server/demoInMemoryOAuthProvider.test.ts
 create mode 100644 src/examples/server/resourceValidationExample.ts
 create mode 100644 src/examples/server/serverUrlValidationExample.ts
 create mode 100644 src/examples/server/strictModeExample.ts
 create mode 100644 src/server/auth/handlers/authorize.config.test.ts
 create mode 100644 src/shared/auth-utils.test.ts
 create mode 100644 src/shared/auth-utils.ts

diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
index 1b9fb0712..9a0674057 100644
--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -341,6 +341,31 @@ describe("OAuth Authorization", () => {
       expect(codeVerifier).toBe("test_verifier");
     });
 
+    it("includes resource parameter when provided", async () => {
+      const { authorizationUrl } = await startAuthorization(
+        "https://auth.example.com",
+        {
+          clientInformation: validClientInfo,
+          redirectUrl: "http://localhost:3000/callback",
+          resource: "https://api.example.com/mcp-server",
+        }
+      );
+
+      expect(authorizationUrl.searchParams.get("resource")).toBe("https://api.example.com/mcp-server");
+    });
+
+    it("excludes resource parameter when not provided", async () => {
+      const { authorizationUrl } = await startAuthorization(
+        "https://auth.example.com",
+        {
+          clientInformation: validClientInfo,
+          redirectUrl: "http://localhost:3000/callback",
+        }
+      );
+
+      expect(authorizationUrl.searchParams.has("resource")).toBe(false);
+    });
+
     it("includes scope parameter when provided", async () => {
       const { authorizationUrl } = await startAuthorization(
         "https://auth.example.com",
@@ -489,6 +514,45 @@ describe("OAuth Authorization", () => {
       expect(body.get("redirect_uri")).toBe("http://localhost:3000/callback");
     });
 
+    it("includes resource parameter in token exchange when provided", async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        json: async () => validTokens,
+      });
+
+      const tokens = await exchangeAuthorization("https://auth.example.com", {
+        clientInformation: validClientInfo,
+        authorizationCode: "code123",
+        codeVerifier: "verifier123",
+        redirectUri: "http://localhost:3000/callback",
+        resource: "https://api.example.com/mcp-server",
+      });
+
+      expect(tokens).toEqual(validTokens);
+      
+      const body = mockFetch.mock.calls[0][1].body as URLSearchParams;
+      expect(body.get("resource")).toBe("https://api.example.com/mcp-server");
+    });
+
+    it("excludes resource parameter from token exchange when not provided", async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        json: async () => validTokens,
+      });
+
+      await exchangeAuthorization("https://auth.example.com", {
+        clientInformation: validClientInfo,
+        authorizationCode: "code123",
+        codeVerifier: "verifier123",
+        redirectUri: "http://localhost:3000/callback",
+      });
+
+      const body = mockFetch.mock.calls[0][1].body as URLSearchParams;
+      expect(body.has("resource")).toBe(false);
+    });
+
     it("validates token response schema", async () => {
       mockFetch.mockResolvedValueOnce({
         ok: true,
@@ -576,6 +640,41 @@ describe("OAuth Authorization", () => {
       expect(body.get("client_secret")).toBe("secret123");
     });
 
+    it("includes resource parameter in refresh token request when provided", async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        json: async () => validTokensWithNewRefreshToken,
+      });
+
+      const tokens = await refreshAuthorization("https://auth.example.com", {
+        clientInformation: validClientInfo,
+        refreshToken: "refresh123",
+        resource: "https://api.example.com/mcp-server",
+      });
+
+      expect(tokens).toEqual(validTokensWithNewRefreshToken);
+      
+      const body = mockFetch.mock.calls[0][1].body as URLSearchParams;
+      expect(body.get("resource")).toBe("https://api.example.com/mcp-server");
+    });
+
+    it("excludes resource parameter from refresh token request when not provided", async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        json: async () => validTokensWithNewRefreshToken,
+      });
+
+      await refreshAuthorization("https://auth.example.com", {
+        clientInformation: validClientInfo,
+        refreshToken: "refresh123",
+      });
+
+      const body = mockFetch.mock.calls[0][1].body as URLSearchParams;
+      expect(body.has("resource")).toBe(false);
+    });
+
     it("exchanges refresh token for new tokens and keep existing refresh token if none is returned", async () => {
       mockFetch.mockResolvedValueOnce({
         ok: true,
@@ -807,5 +906,418 @@ describe("OAuth Authorization", () => {
         "https://resource.example.com/.well-known/oauth-authorization-server"
       );
     });
+
+    it("canonicalizes resource URI by removing fragment", async () => {
+      // Mock successful metadata discovery
+      mockFetch.mockImplementation((url) => {
+        const urlString = url.toString();
+        if (urlString.includes("/.well-known/oauth-authorization-server")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              issuer: "https://auth.example.com",
+              authorization_endpoint: "https://auth.example.com/authorize",
+              token_endpoint: "https://auth.example.com/token",
+              response_types_supported: ["code"],
+              code_challenge_methods_supported: ["S256"],
+            }),
+          });
+        }
+        return Promise.resolve({ ok: false, status: 404 });
+      });
+
+      // Mock provider methods
+      (mockProvider.clientInformation as jest.Mock).mockResolvedValue({
+        client_id: "test-client",
+        client_secret: "test-secret",
+      });
+      (mockProvider.tokens as jest.Mock).mockResolvedValue(undefined);
+      (mockProvider.saveCodeVerifier as jest.Mock).mockResolvedValue(undefined);
+      (mockProvider.redirectToAuthorization as jest.Mock).mockResolvedValue(undefined);
+
+      // Call the auth function with a resource that has a fragment
+      const result = await auth(mockProvider, {
+        serverUrl: "https://resource.example.com",
+        resource: "https://api.example.com/mcp-server#fragment",
+      });
+
+      expect(result).toBe("REDIRECT");
+
+      // Verify redirectToAuthorization was called with the canonicalized resource
+      expect(mockProvider.redirectToAuthorization).toHaveBeenCalledWith(
+        expect.objectContaining({
+          searchParams: expect.any(URLSearchParams),
+        })
+      );
+
+      const redirectCall = (mockProvider.redirectToAuthorization as jest.Mock).mock.calls[0];
+      const authUrl: URL = redirectCall[0];
+      expect(authUrl.searchParams.get("resource")).toBe("https://api.example.com/mcp-server");
+    });
+
+    it("passes resource parameter through authorization flow", async () => {
+      // Mock successful metadata discovery
+      mockFetch.mockImplementation((url) => {
+        const urlString = url.toString();
+        if (urlString.includes("/.well-known/oauth-authorization-server")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              issuer: "https://auth.example.com",
+              authorization_endpoint: "https://auth.example.com/authorize",
+              token_endpoint: "https://auth.example.com/token",
+              response_types_supported: ["code"],
+              code_challenge_methods_supported: ["S256"],
+            }),
+          });
+        }
+        return Promise.resolve({ ok: false, status: 404 });
+      });
+
+      // Mock provider methods for authorization flow
+      (mockProvider.clientInformation as jest.Mock).mockResolvedValue({
+        client_id: "test-client",
+        client_secret: "test-secret",
+      });
+      (mockProvider.tokens as jest.Mock).mockResolvedValue(undefined);
+      (mockProvider.saveCodeVerifier as jest.Mock).mockResolvedValue(undefined);
+      (mockProvider.redirectToAuthorization as jest.Mock).mockResolvedValue(undefined);
+
+      // Call auth without authorization code (should trigger redirect)
+      const result = await auth(mockProvider, {
+        serverUrl: "https://resource.example.com",
+        resource: "https://api.example.com/mcp-server",
+      });
+
+      expect(result).toBe("REDIRECT");
+      
+      // Verify the authorization URL includes the resource parameter
+      expect(mockProvider.redirectToAuthorization).toHaveBeenCalledWith(
+        expect.objectContaining({
+          searchParams: expect.any(URLSearchParams),
+        })
+      );
+
+      const redirectCall = (mockProvider.redirectToAuthorization as jest.Mock).mock.calls[0];
+      const authUrl: URL = redirectCall[0];
+      expect(authUrl.searchParams.get("resource")).toBe("https://api.example.com/mcp-server");
+    });
+
+    it("includes resource in token exchange when authorization code is provided", async () => {
+      // Mock successful metadata discovery and token exchange
+      mockFetch.mockImplementation((url) => {
+        const urlString = url.toString();
+        
+        if (urlString.includes("/.well-known/oauth-authorization-server")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              issuer: "https://auth.example.com",
+              authorization_endpoint: "https://auth.example.com/authorize",
+              token_endpoint: "https://auth.example.com/token",
+              response_types_supported: ["code"],
+              code_challenge_methods_supported: ["S256"],
+            }),
+          });
+        } else if (urlString.includes("/token")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              access_token: "access123",
+              token_type: "Bearer",
+              expires_in: 3600,
+              refresh_token: "refresh123",
+            }),
+          });
+        }
+        
+        return Promise.resolve({ ok: false, status: 404 });
+      });
+
+      // Mock provider methods for token exchange
+      (mockProvider.clientInformation as jest.Mock).mockResolvedValue({
+        client_id: "test-client",
+        client_secret: "test-secret",
+      });
+      (mockProvider.codeVerifier as jest.Mock).mockResolvedValue("test-verifier");
+      (mockProvider.saveTokens as jest.Mock).mockResolvedValue(undefined);
+
+      // Call auth with authorization code
+      const result = await auth(mockProvider, {
+        serverUrl: "https://resource.example.com",
+        authorizationCode: "auth-code-123",
+        resource: "https://api.example.com/mcp-server",
+      });
+
+      expect(result).toBe("AUTHORIZED");
+
+      // Find the token exchange call
+      const tokenCall = mockFetch.mock.calls.find(call => 
+        call[0].toString().includes("/token")
+      );
+      expect(tokenCall).toBeDefined();
+      
+      const body = tokenCall![1].body as URLSearchParams;
+      expect(body.get("resource")).toBe("https://api.example.com/mcp-server");
+      expect(body.get("code")).toBe("auth-code-123");
+    });
+
+    it("includes resource in token refresh", async () => {
+      // Mock successful metadata discovery and token refresh
+      mockFetch.mockImplementation((url) => {
+        const urlString = url.toString();
+        
+        if (urlString.includes("/.well-known/oauth-authorization-server")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              issuer: "https://auth.example.com",
+              authorization_endpoint: "https://auth.example.com/authorize",
+              token_endpoint: "https://auth.example.com/token",
+              response_types_supported: ["code"],
+              code_challenge_methods_supported: ["S256"],
+            }),
+          });
+        } else if (urlString.includes("/token")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              access_token: "new-access123",
+              token_type: "Bearer",
+              expires_in: 3600,
+            }),
+          });
+        }
+        
+        return Promise.resolve({ ok: false, status: 404 });
+      });
+
+      // Mock provider methods for token refresh
+      (mockProvider.clientInformation as jest.Mock).mockResolvedValue({
+        client_id: "test-client",
+        client_secret: "test-secret",
+      });
+      (mockProvider.tokens as jest.Mock).mockResolvedValue({
+        access_token: "old-access",
+        refresh_token: "refresh123",
+      });
+      (mockProvider.saveTokens as jest.Mock).mockResolvedValue(undefined);
+
+      // Call auth with existing tokens (should trigger refresh)
+      const result = await auth(mockProvider, {
+        serverUrl: "https://resource.example.com",
+        resource: "https://api.example.com/mcp-server",
+      });
+
+      expect(result).toBe("AUTHORIZED");
+
+      // Find the token refresh call
+      const tokenCall = mockFetch.mock.calls.find(call => 
+        call[0].toString().includes("/token")
+      );
+      expect(tokenCall).toBeDefined();
+      
+      const body = tokenCall![1].body as URLSearchParams;
+      expect(body.get("resource")).toBe("https://api.example.com/mcp-server");
+      expect(body.get("grant_type")).toBe("refresh_token");
+      expect(body.get("refresh_token")).toBe("refresh123");
+    });
+
+    it("handles empty resource parameter", async () => {
+      // Mock successful metadata discovery
+      mockFetch.mockImplementation((url) => {
+        const urlString = url.toString();
+        if (urlString.includes("/.well-known/oauth-authorization-server")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              issuer: "https://auth.example.com",
+              authorization_endpoint: "https://auth.example.com/authorize",
+              token_endpoint: "https://auth.example.com/token",
+              response_types_supported: ["code"],
+              code_challenge_methods_supported: ["S256"],
+            }),
+          });
+        }
+        return Promise.resolve({ ok: false, status: 404 });
+      });
+
+      // Mock provider methods
+      (mockProvider.clientInformation as jest.Mock).mockResolvedValue({
+        client_id: "test-client",
+        client_secret: "test-secret",
+      });
+      (mockProvider.tokens as jest.Mock).mockResolvedValue(undefined);
+      (mockProvider.saveCodeVerifier as jest.Mock).mockResolvedValue(undefined);
+      (mockProvider.redirectToAuthorization as jest.Mock).mockResolvedValue(undefined);
+
+      // Call auth with empty resource parameter
+      const result = await auth(mockProvider, {
+        serverUrl: "https://resource.example.com",
+        resource: "",
+      });
+
+      expect(result).toBe("REDIRECT");
+
+      // Verify that empty resource is not included in the URL
+      const redirectCall = (mockProvider.redirectToAuthorization as jest.Mock).mock.calls[0];
+      const authUrl: URL = redirectCall[0];
+      expect(authUrl.searchParams.has("resource")).toBe(false);
+    });
+
+    it("handles resource with multiple fragments", async () => {
+      // Mock successful metadata discovery
+      mockFetch.mockImplementation((url) => {
+        const urlString = url.toString();
+        if (urlString.includes("/.well-known/oauth-authorization-server")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              issuer: "https://auth.example.com",
+              authorization_endpoint: "https://auth.example.com/authorize",
+              token_endpoint: "https://auth.example.com/token",
+              response_types_supported: ["code"],
+              code_challenge_methods_supported: ["S256"],
+            }),
+          });
+        }
+        return Promise.resolve({ ok: false, status: 404 });
+      });
+
+      // Mock provider methods
+      (mockProvider.clientInformation as jest.Mock).mockResolvedValue({
+        client_id: "test-client",
+        client_secret: "test-secret",
+      });
+      (mockProvider.tokens as jest.Mock).mockResolvedValue(undefined);
+      (mockProvider.saveCodeVerifier as jest.Mock).mockResolvedValue(undefined);
+      (mockProvider.redirectToAuthorization as jest.Mock).mockResolvedValue(undefined);
+
+      // Call auth with resource containing multiple # symbols
+      const result = await auth(mockProvider, {
+        serverUrl: "https://resource.example.com",
+        resource: "https://api.example.com/mcp-server#fragment#another",
+      });
+
+      expect(result).toBe("REDIRECT");
+
+      // Verify the resource is properly canonicalized (everything after first # removed)
+      const redirectCall = (mockProvider.redirectToAuthorization as jest.Mock).mock.calls[0];
+      const authUrl: URL = redirectCall[0];
+      expect(authUrl.searchParams.get("resource")).toBe("https://api.example.com/mcp-server");
+    });
+
+    it("verifies resource parameter distinguishes between different paths on same domain", async () => {
+      // Mock successful metadata discovery
+      mockFetch.mockImplementation((url) => {
+        const urlString = url.toString();
+        if (urlString.includes("/.well-known/oauth-authorization-server")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              issuer: "https://auth.example.com",
+              authorization_endpoint: "https://auth.example.com/authorize",
+              token_endpoint: "https://auth.example.com/token",
+              response_types_supported: ["code"],
+              code_challenge_methods_supported: ["S256"],
+            }),
+          });
+        }
+        return Promise.resolve({ ok: false, status: 404 });
+      });
+
+      // Mock provider methods
+      (mockProvider.clientInformation as jest.Mock).mockResolvedValue({
+        client_id: "test-client",
+        client_secret: "test-secret",
+      });
+      (mockProvider.tokens as jest.Mock).mockResolvedValue(undefined);
+      (mockProvider.saveCodeVerifier as jest.Mock).mockResolvedValue(undefined);
+      (mockProvider.redirectToAuthorization as jest.Mock).mockResolvedValue(undefined);
+
+      // Test with different resource paths on same domain
+      // This tests the security fix that prevents token confusion between
+      // multiple MCP servers on the same domain
+      const result1 = await auth(mockProvider, {
+        serverUrl: "https://api.example.com",
+        resource: "https://api.example.com/mcp-server-1/v1",
+      });
+
+      expect(result1).toBe("REDIRECT");
+
+      const redirectCall1 = (mockProvider.redirectToAuthorization as jest.Mock).mock.calls[0];
+      const authUrl1: URL = redirectCall1[0];
+      expect(authUrl1.searchParams.get("resource")).toBe("https://api.example.com/mcp-server-1/v1");
+
+      // Clear mock calls
+      (mockProvider.redirectToAuthorization as jest.Mock).mockClear();
+
+      // Test with different path on same domain
+      const result2 = await auth(mockProvider, {
+        serverUrl: "https://api.example.com",
+        resource: "https://api.example.com/mcp-server-2/v1",
+      });
+
+      expect(result2).toBe("REDIRECT");
+
+      const redirectCall2 = (mockProvider.redirectToAuthorization as jest.Mock).mock.calls[0];
+      const authUrl2: URL = redirectCall2[0];
+      expect(authUrl2.searchParams.get("resource")).toBe("https://api.example.com/mcp-server-2/v1");
+      
+      // Verify that the two resources are different (critical for security)
+      expect(authUrl1.searchParams.get("resource")).not.toBe(authUrl2.searchParams.get("resource"));
+    });
+
+    it("preserves query parameters in resource URI", async () => {
+      // Mock successful metadata discovery
+      mockFetch.mockImplementation((url) => {
+        const urlString = url.toString();
+        if (urlString.includes("/.well-known/oauth-authorization-server")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              issuer: "https://auth.example.com",
+              authorization_endpoint: "https://auth.example.com/authorize",
+              token_endpoint: "https://auth.example.com/token",
+              response_types_supported: ["code"],
+              code_challenge_methods_supported: ["S256"],
+            }),
+          });
+        }
+        return Promise.resolve({ ok: false, status: 404 });
+      });
+
+      // Mock provider methods
+      (mockProvider.clientInformation as jest.Mock).mockResolvedValue({
+        client_id: "test-client",
+        client_secret: "test-secret",
+      });
+      (mockProvider.tokens as jest.Mock).mockResolvedValue(undefined);
+      (mockProvider.saveCodeVerifier as jest.Mock).mockResolvedValue(undefined);
+      (mockProvider.redirectToAuthorization as jest.Mock).mockResolvedValue(undefined);
+
+      // Call auth with resource containing query parameters
+      const result = await auth(mockProvider, {
+        serverUrl: "https://resource.example.com",
+        resource: "https://api.example.com/mcp-server?param=value&another=test",
+      });
+
+      expect(result).toBe("REDIRECT");
+
+      // Verify query parameters are preserved (only fragment is removed)
+      const redirectCall = (mockProvider.redirectToAuthorization as jest.Mock).mock.calls[0];
+      const authUrl: URL = redirectCall[0];
+      expect(authUrl.searchParams.get("resource")).toBe("https://api.example.com/mcp-server?param=value&another=test");
+    });
   });
 });
diff --git a/src/client/auth.ts b/src/client/auth.ts
index 7a91eb256..9a9965f60 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -2,6 +2,7 @@ import pkceChallenge from "pkce-challenge";
 import { LATEST_PROTOCOL_VERSION } from "../types.js";
 import type { OAuthClientMetadata, OAuthClientInformation, OAuthTokens, OAuthMetadata, OAuthClientInformationFull, OAuthProtectedResourceMetadata } from "../shared/auth.js";
 import { OAuthClientInformationFullSchema, OAuthMetadataSchema, OAuthProtectedResourceMetadataSchema, OAuthTokensSchema } from "../shared/auth.js";
+import { canonicalizeResourceUri } from "../shared/auth-utils.js";
 
 /**
  * Implements an end-to-end OAuth client to be used with one MCP server.
@@ -92,12 +93,20 @@ export async function auth(
   { serverUrl,
     authorizationCode,
     scope,
-    resourceMetadataUrl
+    resourceMetadataUrl,
+    resource
   }: {
     serverUrl: string | URL;
     authorizationCode?: string;
     scope?: string;
-    resourceMetadataUrl?: URL }): Promise<AuthResult> {
+    resourceMetadataUrl?: URL;
+    resource?: string }): Promise<AuthResult> {
+
+  // Remove fragment from resource parameter if provided
+  let canonicalResource: string | undefined;
+  if (resource) {
+    canonicalResource = canonicalizeResourceUri(resource);
+  }
 
   let authorizationServerUrl = serverUrl;
   try {
@@ -142,6 +151,7 @@ export async function auth(
       authorizationCode,
       codeVerifier,
       redirectUri: provider.redirectUrl,
+      resource: canonicalResource,
     });
 
     await provider.saveTokens(tokens);
@@ -158,6 +168,7 @@ export async function auth(
         metadata,
         clientInformation,
         refreshToken: tokens.refresh_token,
+        resource: canonicalResource,
       });
 
       await provider.saveTokens(newTokens);
@@ -176,6 +187,7 @@ export async function auth(
     state,
     redirectUrl: provider.redirectUrl,
     scope: scope || provider.clientMetadata.scope,
+    resource: canonicalResource,
   });
 
   await provider.saveCodeVerifier(codeVerifier);
@@ -310,12 +322,14 @@ export async function startAuthorization(
     redirectUrl,
     scope,
     state,
+    resource,
   }: {
     metadata?: OAuthMetadata;
     clientInformation: OAuthClientInformation;
     redirectUrl: string | URL;
     scope?: string;
     state?: string;
+    resource?: string;
   },
 ): Promise<{ authorizationUrl: URL; codeVerifier: string }> {
   const responseType = "code";
@@ -365,6 +379,10 @@ export async function startAuthorization(
     authorizationUrl.searchParams.set("scope", scope);
   }
 
+  if (resource) {
+    authorizationUrl.searchParams.set("resource", resource);
+  }
+
   return { authorizationUrl, codeVerifier };
 }
 
@@ -379,12 +397,14 @@ export async function exchangeAuthorization(
     authorizationCode,
     codeVerifier,
     redirectUri,
+    resource,
   }: {
     metadata?: OAuthMetadata;
     clientInformation: OAuthClientInformation;
     authorizationCode: string;
     codeVerifier: string;
     redirectUri: string | URL;
+    resource?: string;
   },
 ): Promise<OAuthTokens> {
   const grantType = "authorization_code";
@@ -418,6 +438,10 @@ export async function exchangeAuthorization(
     params.set("client_secret", clientInformation.client_secret);
   }
 
+  if (resource) {
+    params.set("resource", resource);
+  }
+
   const response = await fetch(tokenUrl, {
     method: "POST",
     headers: {
@@ -442,10 +466,12 @@ export async function refreshAuthorization(
     metadata,
     clientInformation,
     refreshToken,
+    resource,
   }: {
     metadata?: OAuthMetadata;
     clientInformation: OAuthClientInformation;
     refreshToken: string;
+    resource?: string;
   },
 ): Promise<OAuthTokens> {
   const grantType = "refresh_token";
@@ -477,6 +503,10 @@ export async function refreshAuthorization(
     params.set("client_secret", clientInformation.client_secret);
   }
 
+  if (resource) {
+    params.set("resource", resource);
+  }
+
   const response = await fetch(tokenUrl, {
     method: "POST",
     headers: {
diff --git a/src/client/sse.ts b/src/client/sse.ts
index 5aa99abb4..6c07cf252 100644
--- a/src/client/sse.ts
+++ b/src/client/sse.ts
@@ -2,6 +2,7 @@ import { EventSource, type ErrorEvent, type EventSourceInit } from "eventsource"
 import { Transport } from "../shared/transport.js";
 import { JSONRPCMessage, JSONRPCMessageSchema } from "../types.js";
 import { auth, AuthResult, extractResourceMetadataUrl, OAuthClientProvider, UnauthorizedError } from "./auth.js";
+import { extractCanonicalResourceUri } from "../shared/auth-utils.js";
 
 export class SseError extends Error {
   constructor(
@@ -86,7 +87,11 @@ export class SSEClientTransport implements Transport {
 
     let result: AuthResult;
     try {
-      result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl });
+      result = await auth(this._authProvider, { 
+        serverUrl: this._url, 
+        resourceMetadataUrl: this._resourceMetadataUrl,
+        resource: extractCanonicalResourceUri(this._url)
+      });
     } catch (error) {
       this.onerror?.(error as Error);
       throw error;
@@ -201,7 +206,12 @@ export class SSEClientTransport implements Transport {
       throw new UnauthorizedError("No auth provider");
     }
 
-    const result = await auth(this._authProvider, { serverUrl: this._url, authorizationCode, resourceMetadataUrl: this._resourceMetadataUrl });
+    const result = await auth(this._authProvider, { 
+      serverUrl: this._url, 
+      authorizationCode, 
+      resourceMetadataUrl: this._resourceMetadataUrl,
+      resource: extractCanonicalResourceUri(this._url)
+    });
     if (result !== "AUTHORIZED") {
       throw new UnauthorizedError("Failed to authorize");
     }
@@ -236,7 +246,11 @@ export class SSEClientTransport implements Transport {
 
           this._resourceMetadataUrl = extractResourceMetadataUrl(response);
 
-          const result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl });
+          const result = await auth(this._authProvider, { 
+            serverUrl: this._url, 
+            resourceMetadataUrl: this._resourceMetadataUrl,
+            resource: extractCanonicalResourceUri(this._url)
+          });
           if (result !== "AUTHORIZED") {
             throw new UnauthorizedError();
           }
diff --git a/src/client/streamableHttp.ts b/src/client/streamableHttp.ts
index 4117bb1b4..e452972bb 100644
--- a/src/client/streamableHttp.ts
+++ b/src/client/streamableHttp.ts
@@ -2,6 +2,7 @@ import { Transport } from "../shared/transport.js";
 import { isInitializedNotification, isJSONRPCRequest, isJSONRPCResponse, JSONRPCMessage, JSONRPCMessageSchema } from "../types.js";
 import { auth, AuthResult, extractResourceMetadataUrl, OAuthClientProvider, UnauthorizedError } from "./auth.js";
 import { EventSourceParserStream } from "eventsource-parser/stream";
+import { extractCanonicalResourceUri } from "../shared/auth-utils.js";
 
 // Default reconnection options for StreamableHTTP connections
 const DEFAULT_STREAMABLE_HTTP_RECONNECTION_OPTIONS: StreamableHTTPReconnectionOptions = {
@@ -149,7 +150,11 @@ export class StreamableHTTPClientTransport implements Transport {
 
     let result: AuthResult;
     try {
-      result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl });
+      result = await auth(this._authProvider, { 
+        serverUrl: this._url, 
+        resourceMetadataUrl: this._resourceMetadataUrl,
+        resource: extractCanonicalResourceUri(this._url)
+      });
     } catch (error) {
       this.onerror?.(error as Error);
       throw error;
@@ -362,7 +367,12 @@ export class StreamableHTTPClientTransport implements Transport {
       throw new UnauthorizedError("No auth provider");
     }
 
-    const result = await auth(this._authProvider, { serverUrl: this._url, authorizationCode, resourceMetadataUrl: this._resourceMetadataUrl });
+    const result = await auth(this._authProvider, { 
+      serverUrl: this._url, 
+      authorizationCode, 
+      resourceMetadataUrl: this._resourceMetadataUrl,
+      resource: extractCanonicalResourceUri(this._url)
+    });
     if (result !== "AUTHORIZED") {
       throw new UnauthorizedError("Failed to authorize");
     }
@@ -410,7 +420,11 @@ export class StreamableHTTPClientTransport implements Transport {
 
           this._resourceMetadataUrl = extractResourceMetadataUrl(response);
 
-          const result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl });
+          const result = await auth(this._authProvider, { 
+            serverUrl: this._url, 
+            resourceMetadataUrl: this._resourceMetadataUrl,
+            resource: extractCanonicalResourceUri(this._url)
+          });
           if (result !== "AUTHORIZED") {
             throw new UnauthorizedError();
           }
diff --git a/src/examples/server/demoInMemoryOAuthProvider.test.ts b/src/examples/server/demoInMemoryOAuthProvider.test.ts
new file mode 100644
index 000000000..49c6f69b1
--- /dev/null
+++ b/src/examples/server/demoInMemoryOAuthProvider.test.ts
@@ -0,0 +1,218 @@
+import { describe, it, expect, beforeEach } from '@jest/globals';
+import { DemoInMemoryAuthProvider, DemoInMemoryClientsStore } from './demoInMemoryOAuthProvider.js';
+import { InvalidTargetError } from '../../server/auth/errors.js';
+import { OAuthClientInformationFull } from '../../shared/auth.js';
+import { Response } from 'express';
+
+describe('DemoInMemoryOAuthProvider - RFC 8707 Resource Validation', () => {
+  let provider: DemoInMemoryAuthProvider;
+  let clientsStore: DemoInMemoryClientsStore;
+  let mockClient: OAuthClientInformationFull & { allowed_resources?: string[] };
+  let mockResponse: Partial<Response>;
+
+  beforeEach(() => {
+    provider = new DemoInMemoryAuthProvider();
+    clientsStore = provider.clientsStore as DemoInMemoryClientsStore;
+    
+    mockClient = {
+      client_id: 'test-client',
+      client_name: 'Test Client',
+      client_uri: 'https://example.com',
+      redirect_uris: ['https://example.com/callback'],
+      grant_types: ['authorization_code'],
+      response_types: ['code'],
+      scope: 'mcp:tools',
+      token_endpoint_auth_method: 'none',
+    };
+
+    mockResponse = {
+      redirect: jest.fn(),
+    };
+  });
+
+  describe('Authorization with resource parameter', () => {
+    it('should allow authorization when no resources are configured', async () => {
+      await clientsStore.registerClient(mockClient);
+      
+      await expect(provider.authorize(mockClient, {
+        codeChallenge: 'test-challenge',
+        redirectUri: mockClient.redirect_uris[0],
+        resource: 'https://api.example.com/v1',
+        scopes: ['mcp:tools']
+      }, mockResponse as Response)).resolves.not.toThrow();
+
+      expect(mockResponse.redirect).toHaveBeenCalled();
+    });
+
+    it('should allow authorization when resource is in allowed list', async () => {
+      mockClient.allowed_resources = ['https://api.example.com/v1', 'https://api.example.com/v2'];
+      await clientsStore.registerClient(mockClient);
+      
+      await expect(provider.authorize(mockClient, {
+        codeChallenge: 'test-challenge',
+        redirectUri: mockClient.redirect_uris[0],
+        resource: 'https://api.example.com/v1',
+        scopes: ['mcp:tools']
+      }, mockResponse as Response)).resolves.not.toThrow();
+
+      expect(mockResponse.redirect).toHaveBeenCalled();
+    });
+
+    it('should reject authorization when resource is not in allowed list', async () => {
+      mockClient.allowed_resources = ['https://api.example.com/v1'];
+      await clientsStore.registerClient(mockClient);
+      
+      await expect(provider.authorize(mockClient, {
+        codeChallenge: 'test-challenge',
+        redirectUri: mockClient.redirect_uris[0],
+        resource: 'https://api.forbidden.com',
+        scopes: ['mcp:tools']
+      }, mockResponse as Response)).rejects.toThrow(InvalidTargetError);
+    });
+  });
+
+  describe('Token exchange with resource validation', () => {
+    let authorizationCode: string;
+
+    beforeEach(async () => {
+      await clientsStore.registerClient(mockClient);
+      
+      // Authorize without resource first
+      await provider.authorize(mockClient, {
+        codeChallenge: 'test-challenge',
+        redirectUri: mockClient.redirect_uris[0],
+        scopes: ['mcp:tools']
+      }, mockResponse as Response);
+
+      // Extract authorization code from redirect call
+      const redirectCall = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
+      const url = new URL(redirectCall);
+      authorizationCode = url.searchParams.get('code')!;
+    });
+
+    it('should exchange code successfully when resource matches', async () => {
+      // First authorize with a specific resource
+      mockResponse.redirect = jest.fn();
+      await provider.authorize(mockClient, {
+        codeChallenge: 'test-challenge',
+        redirectUri: mockClient.redirect_uris[0],
+        resource: 'https://api.example.com/v1',
+        scopes: ['mcp:tools']
+      }, mockResponse as Response);
+
+      const redirectCall = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
+      const url = new URL(redirectCall);
+      const codeWithResource = url.searchParams.get('code')!;
+
+      const tokens = await provider.exchangeAuthorizationCode(
+        mockClient,
+        codeWithResource,
+        undefined,
+        undefined,
+        'https://api.example.com/v1'
+      );
+
+      expect(tokens).toHaveProperty('access_token');
+      expect(tokens.token_type).toBe('bearer');
+    });
+
+    it('should reject token exchange when resource does not match', async () => {
+      // First authorize with a specific resource
+      mockResponse.redirect = jest.fn();
+      await provider.authorize(mockClient, {
+        codeChallenge: 'test-challenge',
+        redirectUri: mockClient.redirect_uris[0],
+        resource: 'https://api.example.com/v1',
+        scopes: ['mcp:tools']
+      }, mockResponse as Response);
+
+      const redirectCall = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
+      const url = new URL(redirectCall);
+      const codeWithResource = url.searchParams.get('code')!;
+
+      await expect(provider.exchangeAuthorizationCode(
+        mockClient,
+        codeWithResource,
+        undefined,
+        undefined,
+        'https://api.different.com'
+      )).rejects.toThrow(InvalidTargetError);
+    });
+
+    it('should reject token exchange when resource was not authorized but is requested', async () => {
+      await expect(provider.exchangeAuthorizationCode(
+        mockClient,
+        authorizationCode,
+        undefined,
+        undefined,
+        'https://api.example.com/v1'
+      )).rejects.toThrow(InvalidTargetError);
+    });
+
+    it('should store resource in token data', async () => {
+      // Authorize with resource
+      mockResponse.redirect = jest.fn();
+      await provider.authorize(mockClient, {
+        codeChallenge: 'test-challenge',
+        redirectUri: mockClient.redirect_uris[0],
+        resource: 'https://api.example.com/v1',
+        scopes: ['mcp:tools']
+      }, mockResponse as Response);
+
+      const redirectCall = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
+      const url = new URL(redirectCall);
+      const codeWithResource = url.searchParams.get('code')!;
+
+      const tokens = await provider.exchangeAuthorizationCode(
+        mockClient,
+        codeWithResource,
+        undefined,
+        undefined,
+        'https://api.example.com/v1'
+      );
+
+      // Verify token has resource information
+      const tokenDetails = provider.getTokenDetails(tokens.access_token);
+      expect(tokenDetails?.resource).toBe('https://api.example.com/v1');
+    });
+  });
+
+  describe('Refresh token with resource validation', () => {
+    it('should validate resource when exchanging refresh token', async () => {
+      mockClient.allowed_resources = ['https://api.example.com/v1'];
+      await clientsStore.registerClient(mockClient);
+
+      await expect(provider.exchangeRefreshToken(
+        mockClient,
+        'refresh-token',
+        undefined,
+        'https://api.forbidden.com'
+      )).rejects.toThrow(InvalidTargetError);
+    });
+  });
+
+  describe('Allowed resources management', () => {
+    it('should update allowed resources for a client', async () => {
+      await clientsStore.registerClient(mockClient);
+      
+      // Initially no resources configured
+      await expect(provider.authorize(mockClient, {
+        codeChallenge: 'test-challenge',
+        redirectUri: mockClient.redirect_uris[0],
+        resource: 'https://any.api.com',
+        scopes: ['mcp:tools']
+      }, mockResponse as Response)).resolves.not.toThrow();
+
+      // Set allowed resources
+      clientsStore.setAllowedResources(mockClient.client_id, ['https://api.example.com/v1']);
+
+      // Now should reject unauthorized resources
+      await expect(provider.authorize(mockClient, {
+        codeChallenge: 'test-challenge',
+        redirectUri: mockClient.redirect_uris[0],
+        resource: 'https://any.api.com',
+        scopes: ['mcp:tools']
+      }, mockResponse as Response)).rejects.toThrow(InvalidTargetError);
+    });
+  });
+});
\ No newline at end of file
diff --git a/src/examples/server/demoInMemoryOAuthProvider.ts b/src/examples/server/demoInMemoryOAuthProvider.ts
index 024208d61..66583e490 100644
--- a/src/examples/server/demoInMemoryOAuthProvider.ts
+++ b/src/examples/server/demoInMemoryOAuthProvider.ts
@@ -1,23 +1,38 @@
 import { randomUUID } from 'node:crypto';
 import { AuthorizationParams, OAuthServerProvider } from '../../server/auth/provider.js';
 import { OAuthRegisteredClientsStore } from '../../server/auth/clients.js';
-import { OAuthClientInformationFull, OAuthMetadata, OAuthTokens } from 'src/shared/auth.js';
+import { OAuthClientInformationFull, OAuthMetadata, OAuthTokens } from '../../shared/auth.js';
 import express, { Request, Response } from "express";
-import { AuthInfo } from 'src/server/auth/types.js';
-import { createOAuthMetadata, mcpAuthRouter } from 'src/server/auth/router.js';
+import { AuthInfo } from '../../server/auth/types.js';
+import { createOAuthMetadata, mcpAuthRouter } from '../../server/auth/router.js';
+import { InvalidTargetError } from '../../server/auth/errors.js';
 
 
+interface ExtendedClientInformation extends OAuthClientInformationFull {
+  allowed_resources?: string[];
+}
+
 export class DemoInMemoryClientsStore implements OAuthRegisteredClientsStore {
-  private clients = new Map<string, OAuthClientInformationFull>();
+  private clients = new Map<string, ExtendedClientInformation>();
 
   async getClient(clientId: string) {
     return this.clients.get(clientId);
   }
 
-  async registerClient(clientMetadata: OAuthClientInformationFull) {
+  async registerClient(clientMetadata: OAuthClientInformationFull & { allowed_resources?: string[] }) {
     this.clients.set(clientMetadata.client_id, clientMetadata);
     return clientMetadata;
   }
+
+  /**
+   * Demo method to set allowed resources for a client
+   */
+  setAllowedResources(clientId: string, resources: string[]) {
+    const client = this.clients.get(clientId);
+    if (client) {
+      client.allowed_resources = resources;
+    }
+  }
 }
 
 /**
@@ -28,18 +43,28 @@ export class DemoInMemoryClientsStore implements OAuthRegisteredClientsStore {
  * - Persistent token storage
  * - Rate limiting
  */
+interface ExtendedAuthInfo extends AuthInfo {
+  resource?: string;
+  type?: string;
+}
+
 export class DemoInMemoryAuthProvider implements OAuthServerProvider {
   clientsStore = new DemoInMemoryClientsStore();
   private codes = new Map<string, {
     params: AuthorizationParams,
     client: OAuthClientInformationFull}>();
-  private tokens = new Map<string, AuthInfo>();
+  private tokens = new Map<string, ExtendedAuthInfo>();
 
   async authorize(
     client: OAuthClientInformationFull,
     params: AuthorizationParams,
     res: Response
   ): Promise<void> {
+    // Validate resource parameter if provided
+    if (params.resource) {
+      await this.validateResource(client, params.resource);
+    }
+
     const code = randomUUID();
 
     const searchParams = new URLSearchParams({
@@ -78,7 +103,9 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
     authorizationCode: string,
     // Note: code verifier is checked in token.ts by default
     // it's unused here for that reason.
-    _codeVerifier?: string
+    _codeVerifier?: string,
+    _redirectUri?: string,
+    resource?: string
   ): Promise<OAuthTokens> {
     const codeData = this.codes.get(authorizationCode);
     if (!codeData) {
@@ -89,15 +116,26 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
       throw new Error(`Authorization code was not issued to this client, ${codeData.client.client_id} != ${client.client_id}`);
     }
 
+    // Validate that the resource matches what was authorized
+    if (resource !== codeData.params.resource) {
+      throw new InvalidTargetError('Resource parameter does not match the authorized resource');
+    }
+
+    // If resource was specified during authorization, validate it's still allowed
+    if (codeData.params.resource) {
+      await this.validateResource(client, codeData.params.resource);
+    }
+
     this.codes.delete(authorizationCode);
     const token = randomUUID();
 
-    const tokenData = {
+    const tokenData: ExtendedAuthInfo = {
       token,
       clientId: client.client_id,
       scopes: codeData.params.scopes || [],
       expiresAt: Date.now() + 3600000, // 1 hour
-      type: 'access'
+      type: 'access',
+      resource: codeData.params.resource
     };
 
     this.tokens.set(token, tokenData);
@@ -111,11 +149,16 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
   }
 
   async exchangeRefreshToken(
-    _client: OAuthClientInformationFull,
+    client: OAuthClientInformationFull,
     _refreshToken: string,
-    _scopes?: string[]
+    _scopes?: string[],
+    resource?: string
   ): Promise<OAuthTokens> {
-    throw new Error('Not implemented for example demo');
+    // Validate resource parameter if provided
+    if (resource) {
+      await this.validateResource(client, resource);
+    }
+    throw new Error('Refresh tokens not implemented for example demo');
   }
 
   async verifyAccessToken(token: string): Promise<AuthInfo> {
@@ -131,6 +174,33 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
       expiresAt: Math.floor(tokenData.expiresAt / 1000),
     };
   }
+
+  /**
+   * Validates that the client is allowed to access the requested resource.
+   * In a real implementation, this would check against a database or configuration.
+   */
+  private async validateResource(client: OAuthClientInformationFull, resource: string): Promise<void> {
+    const extendedClient = client as ExtendedClientInformation;
+    
+    // If no resources are configured, allow any resource (for demo purposes)
+    if (!extendedClient.allowed_resources) {
+      return;
+    }
+
+    // Check if the requested resource is in the allowed list
+    if (!extendedClient.allowed_resources.includes(resource)) {
+      throw new InvalidTargetError(
+        `Client is not authorized to access resource: ${resource}`
+      );
+    }
+  }
+
+  /**
+   * Get token details including resource information (for demo introspection endpoint)
+   */
+  getTokenDetails(token: string): ExtendedAuthInfo | undefined {
+    return this.tokens.get(token);
+  }
 }
 
 
@@ -164,11 +234,14 @@ export const setupAuthServer = (authServerUrl: URL): OAuthMetadata => {
       }
 
       const tokenInfo = await provider.verifyAccessToken(token);
+      // For demo purposes, we'll add a method to get token details
+      const tokenDetails = provider.getTokenDetails(token);
       res.json({
         active: true,
         client_id: tokenInfo.clientId,
         scope: tokenInfo.scopes.join(' '),
-        exp: tokenInfo.expiresAt
+        exp: tokenInfo.expiresAt,
+        ...(tokenDetails?.resource && { aud: tokenDetails.resource })
       });
       return
     } catch (error) {
diff --git a/src/examples/server/resourceValidationExample.ts b/src/examples/server/resourceValidationExample.ts
new file mode 100644
index 000000000..880b9539b
--- /dev/null
+++ b/src/examples/server/resourceValidationExample.ts
@@ -0,0 +1,152 @@
+/**
+ * Example demonstrating RFC 8707 Resource Indicators for OAuth 2.0
+ * 
+ * This example shows how to configure and use resource validation in the MCP OAuth flow.
+ * RFC 8707 allows OAuth clients to specify which protected resource they intend to access,
+ * and enables authorization servers to restrict tokens to specific resources.
+ */
+
+import { DemoInMemoryAuthProvider } from './demoInMemoryOAuthProvider.js';
+import { OAuthClientInformationFull } from '../../shared/auth.js';
+
+async function demonstrateResourceValidation() {
+  // Create the OAuth provider
+  const provider = new DemoInMemoryAuthProvider();
+  const clientsStore = provider.clientsStore;
+
+  // Register a client with specific allowed resources
+  const clientWithResources: OAuthClientInformationFull & { allowed_resources?: string[] } = {
+    client_id: 'resource-aware-client',
+    client_name: 'Resource-Aware MCP Client',
+    client_uri: 'https://example.com',
+    redirect_uris: ['https://example.com/callback'],
+    grant_types: ['authorization_code'],
+    response_types: ['code'],
+    scope: 'mcp:tools mcp:resources',
+    token_endpoint_auth_method: 'none',
+    // RFC 8707: Specify which resources this client can access
+    allowed_resources: [
+      'https://api.example.com/mcp/v1',
+      'https://api.example.com/mcp/v2',
+      'https://tools.example.com/mcp'
+    ]
+  };
+
+  await clientsStore.registerClient(clientWithResources);
+
+  console.log('Registered client with allowed resources:', clientWithResources.allowed_resources);
+
+  // Example 1: Authorization request with valid resource
+  try {
+    const mockResponse = {
+      redirect: (url: string) => {
+        console.log('✅ Authorization successful, redirecting to:', url);
+      }
+    };
+
+    await provider.authorize(clientWithResources, {
+      codeChallenge: 'S256-challenge-here',
+      redirectUri: clientWithResources.redirect_uris[0],
+      resource: 'https://api.example.com/mcp/v1', // Valid resource
+      scopes: ['mcp:tools']
+    }, mockResponse as any);
+  } catch (error) {
+    console.error('Authorization failed:', error);
+  }
+
+  // Example 2: Authorization request with invalid resource
+  try {
+    const mockResponse = {
+      redirect: (url: string) => {
+        console.log('Redirecting to:', url);
+      }
+    };
+
+    await provider.authorize(clientWithResources, {
+      codeChallenge: 'S256-challenge-here',
+      redirectUri: clientWithResources.redirect_uris[0],
+      resource: 'https://unauthorized.api.com/mcp', // Invalid resource
+      scopes: ['mcp:tools']
+    }, mockResponse as any);
+  } catch (error) {
+    console.error('❌ Authorization failed as expected:', error instanceof Error ? error.message : String(error));
+  }
+
+  // Example 3: Client without resource restrictions
+  const openClient: OAuthClientInformationFull = {
+    client_id: 'open-client',
+    client_name: 'Open MCP Client',
+    client_uri: 'https://open.example.com',
+    redirect_uris: ['https://open.example.com/callback'],
+    grant_types: ['authorization_code'],
+    response_types: ['code'],
+    scope: 'mcp:tools',
+    token_endpoint_auth_method: 'none',
+    // No allowed_resources specified - can access any resource
+  };
+
+  await clientsStore.registerClient(openClient);
+
+  try {
+    const mockResponse = {
+      redirect: (url: string) => {
+        console.log('✅ Open client can access any resource, redirecting to:', url);
+      }
+    };
+
+    await provider.authorize(openClient, {
+      codeChallenge: 'S256-challenge-here',
+      redirectUri: openClient.redirect_uris[0],
+      resource: 'https://any.api.com/mcp', // Any resource is allowed
+      scopes: ['mcp:tools']
+    }, mockResponse as any);
+  } catch (error) {
+    console.error('Authorization failed:', error);
+  }
+
+  // Example 4: Token introspection with resource information
+  // First, simulate getting a token with resource restriction
+  const mockAuthCode = 'demo-auth-code';
+  const mockTokenResponse = await simulateTokenExchange(provider, clientWithResources, mockAuthCode);
+  
+  if (mockTokenResponse) {
+    const tokenDetails = provider.getTokenDetails(mockTokenResponse.access_token);
+    console.log('\n📋 Token introspection result:');
+    console.log('- Client ID:', tokenDetails?.clientId);
+    console.log('- Scopes:', tokenDetails?.scopes);
+    console.log('- Resource (aud):', tokenDetails?.resource);
+    console.log('- Token is restricted to:', tokenDetails?.resource || 'No resource restriction');
+  }
+}
+
+async function simulateTokenExchange(
+  provider: DemoInMemoryAuthProvider,
+  client: OAuthClientInformationFull,
+  authCode: string
+) {
+  // This is a simplified simulation - in real usage, the auth code would come from the authorization flow
+  console.log('\n🔄 Simulating token exchange with resource validation...');
+  
+  // Note: In a real implementation, you would:
+  // 1. Get the authorization code from the redirect after authorize()
+  // 2. Exchange it for tokens using the token endpoint
+  // 3. The resource parameter in the token request must match the one from authorization
+  
+  return {
+    access_token: 'demo-token-with-resource',
+    token_type: 'bearer',
+    expires_in: 3600,
+    scope: 'mcp:tools'
+  };
+}
+
+// Usage instructions
+console.log('🚀 RFC 8707 Resource Indicators Demo\n');
+console.log('This example demonstrates how to:');
+console.log('1. Register clients with allowed resources');
+console.log('2. Validate resource parameters during authorization');
+console.log('3. Include resource information in tokens');
+console.log('4. Handle invalid_target errors\n');
+
+// Run the demonstration
+demonstrateResourceValidation().catch(console.error);
\ No newline at end of file
diff --git a/src/examples/server/serverUrlValidationExample.ts b/src/examples/server/serverUrlValidationExample.ts
new file mode 100644
index 000000000..e88359bce
--- /dev/null
+++ b/src/examples/server/serverUrlValidationExample.ts
@@ -0,0 +1,103 @@
+/**
+ * Example demonstrating server URL validation for RFC 8707 compliance
+ * 
+ * This example shows how to configure an OAuth server to validate that
+ * the resource parameter in requests matches the server's own URL,
+ * ensuring tokens are only issued for this specific server.
+ */
+
+import express from 'express';
+import { authorizationHandler } from '../../server/auth/handlers/authorize.js';
+import { tokenHandler } from '../../server/auth/handlers/token.js';
+import { DemoInMemoryAuthProvider } from './demoInMemoryOAuthProvider.js';
+import { OAuthServerConfig } from '../../server/auth/types.js';
+
+// The canonical URL where this MCP server is accessible
+const SERVER_URL = 'https://api.example.com/mcp';
+
+// Configuration that validates resource matches this server
+const serverValidationConfig: OAuthServerConfig = {
+  // The server's canonical URL (without fragment)
+  serverUrl: SERVER_URL,
+  
+  // Enable validation that resource parameter matches serverUrl
+  // This also makes the resource parameter required
+  validateResourceMatchesServer: true
+};
+
+// Create the OAuth provider
+const provider = new DemoInMemoryAuthProvider();
+
+// Create Express app
+const app = express();
+
+// Configure authorization endpoint with server URL validation
+app.use('/oauth/authorize', authorizationHandler({
+  provider,
+  config: serverValidationConfig
+}));
+
+// Configure token endpoint with server URL validation
+app.use('/oauth/token', tokenHandler({
+  provider,
+  config: serverValidationConfig
+}));
+
+// Example scenarios
+console.log('🔐 Server URL Validation Example\n');
+console.log(`This server only accepts resource parameters matching: ${SERVER_URL}\n`);
+
+console.log('✅ Valid request examples:');
+console.log(`1. Resource matches server URL:
+   GET /oauth/authorize?client_id=my-client&resource=${SERVER_URL}&...
+   Result: Authorization proceeds normally\n`);
+
+console.log(`2. Resource with query parameters (exact match required):
+   GET /oauth/authorize?client_id=my-client&resource=${SERVER_URL}?version=2&...
+   Result: Rejected - resource must match exactly\n`);
+
+console.log('❌ Invalid request examples:');
+console.log(`1. Different domain:
+   GET /oauth/authorize?client_id=my-client&resource=https://evil.com/mcp&...
+   Response: 400 invalid_target - "Resource parameter 'https://evil.com/mcp' does not match this server's URL"\n`);
+
+console.log(`2. Different path:
+   GET /oauth/authorize?client_id=my-client&resource=https://api.example.com/different&...
+   Response: 400 invalid_target - "Resource parameter does not match this server's URL"\n`);
+
+console.log(`3. Missing resource (with validateResourceMatchesServer: true):
+   GET /oauth/authorize?client_id=my-client&...
+   Response: 400 invalid_request - "Resource parameter is required when server URL validation is enabled"\n`);
+
+console.log('🛡️  Security Benefits:');
+console.log('1. Prevents token confusion attacks - tokens cannot be obtained for other servers');
+console.log('2. Ensures all tokens are scoped to this specific MCP server');
+console.log('3. Provides clear audit trail of resource access attempts');
+console.log('4. Protects against malicious clients trying to obtain tokens for other services\n');
+
+console.log('📝 Configuration Notes:');
+console.log('- serverUrl should be the exact URL clients use to connect');
+console.log('- Fragments are automatically removed from both serverUrl and resource');
+console.log('- When validateResourceMatchesServer is true, resource parameter is required');
+console.log('- Validation ensures exact match between resource and serverUrl\n');
+
+console.log('🔧 Implementation Tips:');
+console.log('1. Set serverUrl from environment variable for different deployments:');
+console.log('   serverUrl: process.env.MCP_SERVER_URL || "https://api.example.com/mcp"\n');
+
+console.log('2. For development environments, you might disable validation:');
+console.log('   validateResourceMatchesServer: process.env.NODE_ENV === "production"\n');
+
+console.log('3. Consider logging failed validation attempts for security monitoring:');
+console.log('   Monitor logs for patterns of invalid_target errors\n');
+
+// Example of dynamic configuration based on environment
+const productionConfig: OAuthServerConfig = {
+  serverUrl: process.env.MCP_SERVER_URL || SERVER_URL,
+  validateResourceMatchesServer: process.env.NODE_ENV === 'production'
+};
+
+console.log('🚀 Production configuration example:');
+console.log(JSON.stringify(productionConfig, null, 2));
+
+export { app, provider, serverValidationConfig };
\ No newline at end of file
diff --git a/src/examples/server/strictModeExample.ts b/src/examples/server/strictModeExample.ts
new file mode 100644
index 000000000..5ff140d6b
--- /dev/null
+++ b/src/examples/server/strictModeExample.ts
@@ -0,0 +1,85 @@
+/**
+ * Example demonstrating strict RFC 8707 enforcement mode
+ * 
+ * This example shows how to configure an OAuth server that requires
+ * all requests to include a resource parameter, ensuring maximum
+ * security against token confusion attacks.
+ */
+
+import express from 'express';
+import { authorizationHandler } from '../../server/auth/handlers/authorize.js';
+import { tokenHandler } from '../../server/auth/handlers/token.js';
+import { DemoInMemoryAuthProvider } from './demoInMemoryOAuthProvider.js';
+import { OAuthServerConfig } from '../../server/auth/types.js';
+
+// Strict mode configuration - validates resource matches server URL
+const SERVER_URL = 'https://api.example.com/mcp';
+const strictConfig: OAuthServerConfig = {
+  serverUrl: SERVER_URL,
+  validateResourceMatchesServer: true
+};
+
+// Create the OAuth provider
+const provider = new DemoInMemoryAuthProvider();
+
+// Create Express app
+const app = express();
+
+// Configure authorization endpoint with strict mode
+app.use('/oauth/authorize', authorizationHandler({
+  provider,
+  config: strictConfig,
+  rateLimit: {
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 10 // limit each IP to 10 requests per window
+  }
+}));
+
+// Configure token endpoint with strict mode
+app.use('/oauth/token', tokenHandler({
+  provider,
+  config: strictConfig,
+  rateLimit: {
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 20 // limit each IP to 20 requests per window
+  }
+}));
+
+// Example of what happens with different requests:
+console.log('🔒 Strict RFC 8707 Mode Example\n');
+console.log(`This server validates that resource parameter matches: ${SERVER_URL}\n`);
+
+console.log('✅ Valid request example:');
+console.log(`GET /oauth/authorize?client_id=my-client&response_type=code&code_challenge=abc123&code_challenge_method=S256&resource=${SERVER_URL}\n`);
+
+console.log('❌ Invalid request examples:');
+console.log('1. Missing resource:');
+console.log('GET /oauth/authorize?client_id=my-client&response_type=code&code_challenge=abc123&code_challenge_method=S256');
+console.log('Response: 400 Bad Request - "Resource parameter is required when server URL validation is enabled"\n');
+
+console.log('2. Wrong resource:');
+console.log('GET /oauth/authorize?client_id=my-client&response_type=code&code_challenge=abc123&code_challenge_method=S256&resource=https://evil.com/mcp');
+console.log(`Response: 400 Bad Request - "Resource parameter 'https://evil.com/mcp' does not match this server's URL '${SERVER_URL}'"\n`);
+
+console.log('📋 Benefits of server URL validation:');
+console.log('1. Prevents token confusion attacks - tokens can only be issued for this server');
+console.log('2. Ensures all tokens are properly scoped to this specific MCP server');
+console.log('3. No accidental token leakage to other services');
+console.log('4. Clear security boundary enforcement\n');
+
+console.log('⚠️  Migration considerations:');
+console.log('1. Server must know its canonical URL (configure via environment variable)');
+console.log('2. All clients must send the exact matching resource parameter');
+console.log('3. Consider using warnings-only mode first (validateResourceMatchesServer: false)');
+console.log('4. Monitor logs to track adoption before enabling validation\n');
+
+// Example middleware to track resource parameter usage
+app.use((req, res, next) => {
+  if (req.path.includes('/oauth/')) {
+    const hasResource = req.query.resource || req.body?.resource;
+    console.log(`[${new Date().toISOString()}] OAuth request to ${req.path} - Resource parameter: ${hasResource ? 'present' : 'MISSING'}`);
+  }
+  next();
+});
+
+export { app, provider, strictConfig };
\ No newline at end of file
diff --git a/src/server/auth/errors.ts b/src/server/auth/errors.ts
index 428199ce8..5c001bcda 100644
--- a/src/server/auth/errors.ts
+++ b/src/server/auth/errors.ts
@@ -189,3 +189,13 @@ export class InsufficientScopeError extends OAuthError {
     super("insufficient_scope", message, errorUri);
   }
 }
+
+/**
+ * Invalid target error - The requested resource is invalid, unknown, or malformed.
+ * (RFC 8707 - Resource Indicators for OAuth 2.0)
+ */
+export class InvalidTargetError extends OAuthError {
+  constructor(message: string, errorUri?: string) {
+    super("invalid_target", message, errorUri);
+  }
+}
diff --git a/src/server/auth/handlers/authorize.config.test.ts b/src/server/auth/handlers/authorize.config.test.ts
new file mode 100644
index 000000000..aa180c4b4
--- /dev/null
+++ b/src/server/auth/handlers/authorize.config.test.ts
@@ -0,0 +1,361 @@
+import express from "express";
+import request from "supertest";
+import { authorizationHandler } from "./authorize.js";
+import { OAuthServerProvider } from "../provider.js";
+import { OAuthServerConfig } from "../types.js";
+import { InvalidRequestError, InvalidTargetError } from "../errors.js";
+
+describe("Authorization handler with config", () => {
+  let app: express.Application;
+  let mockProvider: jest.Mocked<OAuthServerProvider>;
+  
+  beforeEach(() => {
+    app = express();
+    
+    const mockClientsStore = {
+      getClient: jest.fn(),
+      registerClient: jest.fn(),
+    };
+    
+    mockProvider = {
+      clientsStore: mockClientsStore,
+      authorize: jest.fn(),
+      exchangeAuthorizationCode: jest.fn(),
+      exchangeRefreshToken: jest.fn(),
+      challengeForAuthorizationCode: jest.fn(),
+      verifyAccessToken: jest.fn(),
+    } as jest.Mocked<OAuthServerProvider>;
+  });
+
+  describe("validateResourceMatchesServer configuration", () => {
+    it("should throw error when validateResourceMatchesServer is true but serverUrl is not set", () => {
+      const invalidConfig: OAuthServerConfig = {
+        validateResourceMatchesServer: true
+        // serverUrl is missing
+      };
+
+      expect(() => {
+        authorizationHandler({ 
+          provider: mockProvider,
+          config: invalidConfig 
+        });
+      }).toThrow("serverUrl must be configured when validateResourceMatchesServer is true");
+    });
+  });
+
+  describe("server URL validation (validateResourceMatchesServer: true)", () => {
+    const serverValidationConfig: OAuthServerConfig = {
+      serverUrl: "https://api.example.com/mcp",
+      validateResourceMatchesServer: true
+    };
+
+    beforeEach(() => {
+      app.use("/oauth/authorize", authorizationHandler({ 
+        provider: mockProvider,
+        config: serverValidationConfig 
+      }));
+    });
+
+    it("should reject requests without resource parameter", async () => {
+      const mockClient = {
+        client_id: "test-client",
+        client_name: "Test Client",
+        redirect_uris: ["https://example.com/callback"],
+        grant_types: ["authorization_code"],
+        response_types: ["code"],
+        scope: "read write",
+        token_endpoint_auth_method: "none",
+      };
+
+      (mockProvider.clientsStore.getClient as jest.Mock).mockResolvedValue(mockClient);
+
+      const response = await request(app)
+        .get("/oauth/authorize")
+        .query({
+          client_id: "test-client",
+          redirect_uri: "https://example.com/callback",
+          response_type: "code",
+          code_challenge: "test-challenge",
+          code_challenge_method: "S256",
+          state: "test-state"
+        });
+
+      expect(response.status).toBe(302);
+      expect(response.headers.location).toContain("error=invalid_request");
+      expect(response.headers.location).toContain("Resource+parameter+is+required+when+server+URL+validation+is+enabled");
+    });
+
+    it("should accept requests with resource parameter", async () => {
+      const mockClient = {
+        client_id: "test-client",
+        client_name: "Test Client",
+        redirect_uris: ["https://example.com/callback"],
+        grant_types: ["authorization_code"],
+        response_types: ["code"],
+        scope: "read write",
+        token_endpoint_auth_method: "none",
+      };
+
+      (mockProvider.clientsStore.getClient as jest.Mock).mockResolvedValue(mockClient);
+      mockProvider.authorize.mockImplementation(async (client, params, res) => {
+        res.redirect(`https://example.com/callback?code=auth-code&state=${params.state}`);
+      });
+
+      const response = await request(app)
+        .get("/oauth/authorize")
+        .query({
+          client_id: "test-client",
+          redirect_uri: "https://example.com/callback",
+          response_type: "code",
+          code_challenge: "test-challenge",
+          code_challenge_method: "S256",
+          state: "test-state",
+          resource: "https://api.example.com/mcp"
+        });
+
+      expect(response.status).toBe(302);
+      expect(response.headers.location).toContain("code=auth-code");
+      expect(mockProvider.authorize).toHaveBeenCalledWith(
+        mockClient,
+        expect.objectContaining({
+          resource: "https://api.example.com/mcp"
+        }),
+        expect.any(Object)
+      );
+    });
+  });
+
+  describe("warning mode (default behavior)", () => {
+    const warnConfig: OAuthServerConfig = {
+      // No configuration needed - warnings are always enabled by default
+    };
+
+    let consoleWarnSpy: jest.SpyInstance;
+
+    beforeEach(() => {
+      consoleWarnSpy = jest.spyOn(console, "warn").mockImplementation();
+      app.use("/oauth/authorize", authorizationHandler({ 
+        provider: mockProvider,
+        config: warnConfig 
+      }));
+    });
+
+    afterEach(() => {
+      consoleWarnSpy.mockRestore();
+    });
+
+    it("should log warning when resource is missing", async () => {
+      const mockClient = {
+        client_id: "test-client",
+        client_name: "Test Client",
+        redirect_uris: ["https://example.com/callback"],
+        grant_types: ["authorization_code"],
+        response_types: ["code"],
+        scope: "read write",
+        token_endpoint_auth_method: "none",
+      };
+
+      (mockProvider.clientsStore.getClient as jest.Mock).mockResolvedValue(mockClient);
+      mockProvider.authorize.mockImplementation(async (client, params, res) => {
+        res.redirect(`https://example.com/callback?code=auth-code&state=${params.state}`);
+      });
+
+      await request(app)
+        .get("/oauth/authorize")
+        .query({
+          client_id: "test-client",
+          redirect_uri: "https://example.com/callback",
+          response_type: "code",
+          code_challenge: "test-challenge",
+          code_challenge_method: "S256",
+          state: "test-state"
+        });
+
+      expect(consoleWarnSpy).toHaveBeenCalledWith(
+        expect.stringContaining("test-client is missing the resource parameter")
+      );
+    });
+
+    it("should not log warning when resource is present", async () => {
+      const mockClient = {
+        client_id: "test-client",
+        client_name: "Test Client",
+        redirect_uris: ["https://example.com/callback"],
+        grant_types: ["authorization_code"],
+        response_types: ["code"],
+        scope: "read write",
+        token_endpoint_auth_method: "none",
+      };
+
+      (mockProvider.clientsStore.getClient as jest.Mock).mockResolvedValue(mockClient);
+      mockProvider.authorize.mockImplementation(async (client, params, res) => {
+        res.redirect(`https://example.com/callback?code=auth-code&state=${params.state}`);
+      });
+
+      await request(app)
+        .get("/oauth/authorize")
+        .query({
+          client_id: "test-client",
+          redirect_uri: "https://example.com/callback",
+          response_type: "code",
+          code_challenge: "test-challenge",
+          code_challenge_method: "S256",
+          state: "test-state",
+          resource: "https://api.example.com/mcp"
+        });
+
+      expect(consoleWarnSpy).not.toHaveBeenCalled();
+    });
+  });
+
+  // Note: No silent mode test anymore - warnings are always enabled
+
+  describe("server URL validation (validateResourceMatchesServer: true)", () => {
+    const serverValidationConfig: OAuthServerConfig = {
+      serverUrl: "https://api.example.com/mcp",
+      validateResourceMatchesServer: true
+    };
+
+    beforeEach(() => {
+      app.use("/oauth/authorize", authorizationHandler({ 
+        provider: mockProvider,
+        config: serverValidationConfig 
+      }));
+    });
+
+    it("should accept requests when resource matches server URL", async () => {
+      const mockClient = {
+        client_id: "test-client",
+        client_name: "Test Client",
+        redirect_uris: ["https://example.com/callback"],
+        grant_types: ["authorization_code"],
+        response_types: ["code"],
+        scope: "read write",
+        token_endpoint_auth_method: "none",
+      };
+
+      (mockProvider.clientsStore.getClient as jest.Mock).mockResolvedValue(mockClient);
+      mockProvider.authorize.mockImplementation(async (client, params, res) => {
+        res.redirect(`https://example.com/callback?code=auth-code&state=${params.state}`);
+      });
+
+      const response = await request(app)
+        .get("/oauth/authorize")
+        .query({
+          client_id: "test-client",
+          redirect_uri: "https://example.com/callback",
+          response_type: "code",
+          code_challenge: "test-challenge",
+          code_challenge_method: "S256",
+          state: "test-state",
+          resource: "https://api.example.com/mcp"
+        });
+
+      expect(response.status).toBe(302);
+      expect(response.headers.location).toContain("code=auth-code");
+    });
+
+    it("should reject requests when resource does not match server URL", async () => {
+      const mockClient = {
+        client_id: "test-client",
+        client_name: "Test Client",
+        redirect_uris: ["https://example.com/callback"],
+        grant_types: ["authorization_code"],
+        response_types: ["code"],
+        scope: "read write",
+        token_endpoint_auth_method: "none",
+      };
+
+      (mockProvider.clientsStore.getClient as jest.Mock).mockResolvedValue(mockClient);
+
+      const response = await request(app)
+        .get("/oauth/authorize")
+        .query({
+          client_id: "test-client",
+          redirect_uri: "https://example.com/callback",
+          response_type: "code",
+          code_challenge: "test-challenge",
+          code_challenge_method: "S256",
+          state: "test-state",
+          resource: "https://different.api.com/mcp"
+        });
+
+      expect(response.status).toBe(302);
+      expect(response.headers.location).toContain("error=invalid_target");
+      expect(response.headers.location).toContain("does+not+match+this+server");
+    });
+
+    it("should reject requests without resource parameter when validation is enabled", async () => {
+      const mockClient = {
+        client_id: "test-client",
+        client_name: "Test Client",
+        redirect_uris: ["https://example.com/callback"],
+        grant_types: ["authorization_code"],
+        response_types: ["code"],
+        scope: "read write",
+        token_endpoint_auth_method: "none",
+      };
+
+      (mockProvider.clientsStore.getClient as jest.Mock).mockResolvedValue(mockClient);
+
+      const response = await request(app)
+        .get("/oauth/authorize")
+        .query({
+          client_id: "test-client",
+          redirect_uri: "https://example.com/callback",
+          response_type: "code",
+          code_challenge: "test-challenge",
+          code_challenge_method: "S256",
+          state: "test-state"
+        });
+
+      expect(response.status).toBe(302);
+      expect(response.headers.location).toContain("error=invalid_request");
+      expect(response.headers.location).toContain("Resource+parameter+is+required+when+server+URL+validation+is+enabled");
+    });
+
+    it("should handle server URL with fragment correctly", async () => {
+      // Reconfigure with a server URL that has a fragment (though it shouldn't)
+      const configWithFragment: OAuthServerConfig = {
+        serverUrl: "https://api.example.com/mcp#fragment",
+        validateResourceMatchesServer: true
+      };
+
+      app = express();
+      app.use("/oauth/authorize", authorizationHandler({ 
+        provider: mockProvider,
+        config: configWithFragment 
+      }));
+
+      const mockClient = {
+        client_id: "test-client",
+        client_name: "Test Client",
+        redirect_uris: ["https://example.com/callback"],
+        grant_types: ["authorization_code"],
+        response_types: ["code"],
+        scope: "read write",
+        token_endpoint_auth_method: "none",
+      };
+
+      (mockProvider.clientsStore.getClient as jest.Mock).mockResolvedValue(mockClient);
+      mockProvider.authorize.mockImplementation(async (client, params, res) => {
+        res.redirect(`https://example.com/callback?code=auth-code&state=${params.state}`);
+      });
+
+      const response = await request(app)
+        .get("/oauth/authorize")
+        .query({
+          client_id: "test-client",
+          redirect_uri: "https://example.com/callback",
+          response_type: "code",
+          code_challenge: "test-challenge",
+          code_challenge_method: "S256",
+          state: "test-state",
+          resource: "https://api.example.com/mcp" // No fragment
+        });
+
+      expect(response.status).toBe(302);
+      expect(response.headers.location).toContain("code=auth-code");
+    });
+  });
+});
\ No newline at end of file
diff --git a/src/server/auth/handlers/authorize.test.ts b/src/server/auth/handlers/authorize.test.ts
index e921d5ea6..20a2af897 100644
--- a/src/server/auth/handlers/authorize.test.ts
+++ b/src/server/auth/handlers/authorize.test.ts
@@ -276,6 +276,128 @@ describe('Authorization Handler', () => {
     });
   });
 
+  describe('Resource parameter validation', () => {
+    it('accepts valid resource parameter', async () => {
+      const mockProviderWithResource = jest.spyOn(mockProvider, 'authorize');
+      
+      const response = await supertest(app)
+        .get('/authorize')
+        .query({
+          client_id: 'valid-client',
+          redirect_uri: 'https://example.com/callback',
+          response_type: 'code',
+          code_challenge: 'challenge123',
+          code_challenge_method: 'S256',
+          resource: 'https://api.example.com/resource'
+        });
+
+      expect(response.status).toBe(302);
+      expect(mockProviderWithResource).toHaveBeenCalledWith(
+        validClient,
+        expect.objectContaining({
+          resource: 'https://api.example.com/resource',
+          redirectUri: 'https://example.com/callback',
+          codeChallenge: 'challenge123'
+        }),
+        expect.any(Object)
+      );
+    });
+
+    it('rejects invalid resource parameter (non-URL)', async () => {
+      const response = await supertest(app)
+        .get('/authorize')
+        .query({
+          client_id: 'valid-client',
+          redirect_uri: 'https://example.com/callback',
+          response_type: 'code',
+          code_challenge: 'challenge123',
+          code_challenge_method: 'S256',
+          resource: 'not-a-url'
+        });
+
+      expect(response.status).toBe(302);
+      const location = new URL(response.header.location);
+      expect(location.searchParams.get('error')).toBe('invalid_request');
+      expect(location.searchParams.get('error_description')).toContain('resource');
+    });
+
+    it('handles authorization without resource parameter', async () => {
+      const mockProviderWithoutResource = jest.spyOn(mockProvider, 'authorize');
+      
+      const response = await supertest(app)
+        .get('/authorize')
+        .query({
+          client_id: 'valid-client',
+          redirect_uri: 'https://example.com/callback',
+          response_type: 'code',
+          code_challenge: 'challenge123',
+          code_challenge_method: 'S256'
+        });
+
+      expect(response.status).toBe(302);
+      expect(mockProviderWithoutResource).toHaveBeenCalledWith(
+        validClient,
+        expect.objectContaining({
+          resource: undefined,
+          redirectUri: 'https://example.com/callback',
+          codeChallenge: 'challenge123'
+        }),
+        expect.any(Object)
+      );
+    });
+
+    it('passes multiple resources if provided', async () => {
+      const mockProviderWithResources = jest.spyOn(mockProvider, 'authorize');
+      
+      const response = await supertest(app)
+        .get('/authorize')
+        .query({
+          client_id: 'valid-client',
+          redirect_uri: 'https://example.com/callback',
+          response_type: 'code',
+          code_challenge: 'challenge123',
+          code_challenge_method: 'S256',
+          resource: 'https://api1.example.com/resource',
+          state: 'test-state'
+        });
+
+      expect(response.status).toBe(302);
+      expect(mockProviderWithResources).toHaveBeenCalledWith(
+        validClient,
+        expect.objectContaining({
+          resource: 'https://api1.example.com/resource',
+          state: 'test-state'
+        }),
+        expect.any(Object)
+      );
+    });
+
+    it('validates resource parameter in POST requests', async () => {
+      const mockProviderPost = jest.spyOn(mockProvider, 'authorize');
+      
+      const response = await supertest(app)
+        .post('/authorize')
+        .type('form')
+        .send({
+          client_id: 'valid-client',
+          redirect_uri: 'https://example.com/callback',
+          response_type: 'code',
+          code_challenge: 'challenge123',
+          code_challenge_method: 'S256',
+          resource: 'https://api.example.com/resource'
+        });
+
+      expect(response.status).toBe(302);
+      expect(mockProviderPost).toHaveBeenCalledWith(
+        validClient,
+        expect.objectContaining({
+          resource: 'https://api.example.com/resource'
+        }),
+        expect.any(Object)
+      );
+    });
+  });
+
   describe('Successful authorization', () => {
     it('handles successful authorization with all parameters', async () => {
       const response = await supertest(app)
diff --git a/src/server/auth/handlers/authorize.ts b/src/server/auth/handlers/authorize.ts
index 3e9a336b1..dbed1b522 100644
--- a/src/server/auth/handlers/authorize.ts
+++ b/src/server/auth/handlers/authorize.ts
@@ -8,10 +8,12 @@ import {
   InvalidRequestError,
   InvalidClientError,
   InvalidScopeError,
+  InvalidTargetError,
   ServerError,
   TooManyRequestsError,
   OAuthError
 } from "../errors.js";
+import { OAuthServerConfig } from "../types.js";
 
 export type AuthorizationHandlerOptions = {
   provider: OAuthServerProvider;
@@ -20,6 +22,10 @@ export type AuthorizationHandlerOptions = {
    * Set to false to disable rate limiting for this endpoint.
    */
   rateLimit?: Partial<RateLimitOptions> | false;
+  /**
+   * OAuth server configuration options
+   */
+  config?: OAuthServerConfig;
 };
 
 // Parameters that must be validated in order to issue redirects.
@@ -35,9 +41,15 @@ const RequestAuthorizationParamsSchema = z.object({
   code_challenge_method: z.literal("S256"),
   scope: z.string().optional(),
   state: z.string().optional(),
+  resource: z.string().url().optional(),
 });
 
-export function authorizationHandler({ provider, rateLimit: rateLimitConfig }: AuthorizationHandlerOptions): RequestHandler {
+export function authorizationHandler({ provider, rateLimit: rateLimitConfig, config }: AuthorizationHandlerOptions): RequestHandler {
+  // Validate configuration
+  if (config?.validateResourceMatchesServer && !config?.serverUrl) {
+    throw new Error("serverUrl must be configured when validateResourceMatchesServer is true");
+  }
+
   // Create a router to apply middleware
   const router = express.Router();
   router.use(allowedMethods(["GET", "POST"]));
@@ -115,9 +127,30 @@ export function authorizationHandler({ provider, rateLimit: rateLimitConfig }: A
         throw new InvalidRequestError(parseResult.error.message);
       }
 
-      const { scope, code_challenge } = parseResult.data;
+      const { scope, code_challenge, resource } = parseResult.data;
       state = parseResult.data.state;
 
+      // If validateResourceMatchesServer is enabled, resource is required and must match
+      if (config?.validateResourceMatchesServer) {
+        if (!resource) {
+          throw new InvalidRequestError("Resource parameter is required when server URL validation is enabled");
+        }
+        
+        // Remove fragment from server URL if present (though it shouldn't have one)
+        const canonicalServerUrl = config.serverUrl!.split('#')[0];
+        
+        if (resource !== canonicalServerUrl) {
+          throw new InvalidTargetError(
+            `Resource parameter '${resource}' does not match this server's URL '${canonicalServerUrl}'`
+          );
+        }
+      } else {
+        // Always log warning if resource is missing (unless validation is enabled)
+        if (!resource) {
+          console.warn(`Authorization request from client ${client_id} is missing the resource parameter. Consider migrating to RFC 8707.`);
+        }
+      }
+
       // Validate scopes
       let requestedScopes: string[] = [];
       if (scope !== undefined) {
@@ -138,6 +171,7 @@ export function authorizationHandler({ provider, rateLimit: rateLimitConfig }: A
         scopes: requestedScopes,
         redirectUri: redirect_uri,
         codeChallenge: code_challenge,
+        resource,
       }, res);
     } catch (error) {
       // Post-redirect errors - redirect with error parameters
diff --git a/src/server/auth/handlers/token.test.ts b/src/server/auth/handlers/token.test.ts
index c165fe7ff..68794c36b 100644
--- a/src/server/auth/handlers/token.test.ts
+++ b/src/server/auth/handlers/token.test.ts
@@ -282,6 +282,99 @@ describe('Token Handler', () => {
       expect(response.body.refresh_token).toBe('mock_refresh_token');
     });
 
+    it('accepts and passes resource parameter to provider', async () => {
+      const mockExchangeCode = jest.spyOn(mockProvider, 'exchangeAuthorizationCode');
+      
+      const response = await supertest(app)
+        .post('/token')
+        .type('form')
+        .send({
+          client_id: 'valid-client',
+          client_secret: 'valid-secret',
+          grant_type: 'authorization_code',
+          code: 'valid_code',
+          code_verifier: 'valid_verifier',
+          resource: 'https://api.example.com/resource'
+        });
+
+      expect(response.status).toBe(200);
+      expect(mockExchangeCode).toHaveBeenCalledWith(
+        validClient,
+        'valid_code',
+        undefined, // code_verifier is undefined after PKCE validation
+        undefined, // redirect_uri
+        'https://api.example.com/resource' // resource parameter
+      );
+    });
+
+    it('rejects invalid resource parameter (non-URL)', async () => {
+      const response = await supertest(app)
+        .post('/token')
+        .type('form')
+        .send({
+          client_id: 'valid-client',
+          client_secret: 'valid-secret',
+          grant_type: 'authorization_code',
+          code: 'valid_code',
+          code_verifier: 'valid_verifier',
+          resource: 'not-a-url'
+        });
+
+      expect(response.status).toBe(400);
+      expect(response.body.error).toBe('invalid_request');
+      expect(response.body.error_description).toContain('resource');
+    });
+
+    it('handles authorization code exchange without resource parameter', async () => {
+      const mockExchangeCode = jest.spyOn(mockProvider, 'exchangeAuthorizationCode');
+      
+      const response = await supertest(app)
+        .post('/token')
+        .type('form')
+        .send({
+          client_id: 'valid-client',
+          client_secret: 'valid-secret',
+          grant_type: 'authorization_code',
+          code: 'valid_code',
+          code_verifier: 'valid_verifier'
+        });
+
+      expect(response.status).toBe(200);
+      expect(mockExchangeCode).toHaveBeenCalledWith(
+        validClient,
+        'valid_code',
+        undefined, // code_verifier is undefined after PKCE validation
+        undefined, // redirect_uri
+        undefined  // resource parameter
+      );
+    });
+
+    it('passes resource with redirect_uri', async () => {
+      const mockExchangeCode = jest.spyOn(mockProvider, 'exchangeAuthorizationCode');
+      
+      const response = await supertest(app)
+        .post('/token')
+        .type('form')
+        .send({
+          client_id: 'valid-client',
+          client_secret: 'valid-secret',
+          grant_type: 'authorization_code',
+          code: 'valid_code',
+          code_verifier: 'valid_verifier',
+          redirect_uri: 'https://example.com/callback',
+          resource: 'https://api.example.com/resource'
+        });
+
+      expect(response.status).toBe(200);
+      expect(mockExchangeCode).toHaveBeenCalledWith(
+        validClient,
+        'valid_code',
+        undefined, // code_verifier is undefined after PKCE validation
+        'https://example.com/callback', // redirect_uri
+        'https://api.example.com/resource' // resource parameter
+      );
+    });
+
     it('passes through code verifier when using proxy provider', async () => {
       const originalFetch = global.fetch;
 
@@ -472,6 +565,92 @@ describe('Token Handler', () => {
       expect(response.status).toBe(200);
       expect(response.body.scope).toBe('profile email');
     });
+
+    it('accepts and passes resource parameter to provider on refresh', async () => {
+      const mockExchangeRefresh = jest.spyOn(mockProvider, 'exchangeRefreshToken');
+      
+      const response = await supertest(app)
+        .post('/token')
+        .type('form')
+        .send({
+          client_id: 'valid-client',
+          client_secret: 'valid-secret',
+          grant_type: 'refresh_token',
+          refresh_token: 'valid_refresh_token',
+          resource: 'https://api.example.com/resource'
+        });
+
+      expect(response.status).toBe(200);
+      expect(mockExchangeRefresh).toHaveBeenCalledWith(
+        validClient,
+        'valid_refresh_token',
+        undefined, // scopes
+        'https://api.example.com/resource' // resource parameter
+      );
+    });
+
+    it('rejects invalid resource parameter (non-URL) on refresh', async () => {
+      const response = await supertest(app)
+        .post('/token')
+        .type('form')
+        .send({
+          client_id: 'valid-client',
+          client_secret: 'valid-secret',
+          grant_type: 'refresh_token',
+          refresh_token: 'valid_refresh_token',
+          resource: 'not-a-url'
+        });
+
+      expect(response.status).toBe(400);
+      expect(response.body.error).toBe('invalid_request');
+      expect(response.body.error_description).toContain('resource');
+    });
+
+    it('handles refresh token exchange without resource parameter', async () => {
+      const mockExchangeRefresh = jest.spyOn(mockProvider, 'exchangeRefreshToken');
+      
+      const response = await supertest(app)
+        .post('/token')
+        .type('form')
+        .send({
+          client_id: 'valid-client',
+          client_secret: 'valid-secret',
+          grant_type: 'refresh_token',
+          refresh_token: 'valid_refresh_token'
+        });
+
+      expect(response.status).toBe(200);
+      expect(mockExchangeRefresh).toHaveBeenCalledWith(
+        validClient,
+        'valid_refresh_token',
+        undefined, // scopes
+        undefined  // resource parameter
+      );
+    });
+
+    it('passes resource with scopes on refresh', async () => {
+      const mockExchangeRefresh = jest.spyOn(mockProvider, 'exchangeRefreshToken');
+      
+      const response = await supertest(app)
+        .post('/token')
+        .type('form')
+        .send({
+          client_id: 'valid-client',
+          client_secret: 'valid-secret',
+          grant_type: 'refresh_token',
+          refresh_token: 'valid_refresh_token',
+          scope: 'profile email',
+          resource: 'https://api.example.com/resource'
+        });
+
+      expect(response.status).toBe(200);
+      expect(mockExchangeRefresh).toHaveBeenCalledWith(
+        validClient,
+        'valid_refresh_token',
+        ['profile', 'email'], // scopes
+        'https://api.example.com/resource' // resource parameter
+      );
+    });
   });
 
   describe('CORS support', () => {
diff --git a/src/server/auth/handlers/token.ts b/src/server/auth/handlers/token.ts
index eadbd7515..37950502e 100644
--- a/src/server/auth/handlers/token.ts
+++ b/src/server/auth/handlers/token.ts
@@ -12,8 +12,10 @@ import {
   UnsupportedGrantTypeError,
   ServerError,
   TooManyRequestsError,
-  OAuthError
+  OAuthError,
+  InvalidTargetError
 } from "../errors.js";
+import { OAuthServerConfig } from "../types.js";
 
 export type TokenHandlerOptions = {
   provider: OAuthServerProvider;
@@ -22,6 +24,10 @@ export type TokenHandlerOptions = {
    * Set to false to disable rate limiting for this endpoint.
    */
   rateLimit?: Partial<RateLimitOptions> | false;
+  /**
+   * OAuth server configuration options
+   */
+  config?: OAuthServerConfig;
 };
 
 const TokenRequestSchema = z.object({
@@ -32,14 +38,21 @@ const AuthorizationCodeGrantSchema = z.object({
   code: z.string(),
   code_verifier: z.string(),
   redirect_uri: z.string().optional(),
+  resource: z.string().url().optional(),
 });
 
 const RefreshTokenGrantSchema = z.object({
   refresh_token: z.string(),
   scope: z.string().optional(),
+  resource: z.string().url().optional(),
 });
 
-export function tokenHandler({ provider, rateLimit: rateLimitConfig }: TokenHandlerOptions): RequestHandler {
+export function tokenHandler({ provider, rateLimit: rateLimitConfig, config }: TokenHandlerOptions): RequestHandler {
+  // Validate configuration
+  if (config?.validateResourceMatchesServer && !config?.serverUrl) {
+    throw new Error("serverUrl must be configured when validateResourceMatchesServer is true");
+  }
+
   // Nested router so we can configure middleware and restrict HTTP method
   const router = express.Router();
 
@@ -89,7 +102,27 @@ export function tokenHandler({ provider, rateLimit: rateLimitConfig }: TokenHand
             throw new InvalidRequestError(parseResult.error.message);
           }
 
-          const { code, code_verifier, redirect_uri } = parseResult.data;
+          const { code, code_verifier, redirect_uri, resource } = parseResult.data;
+
+          // If validateResourceMatchesServer is enabled, resource is required and must match
+          if (config?.validateResourceMatchesServer) {
+            if (!resource) {
+              throw new InvalidRequestError("Resource parameter is required when server URL validation is enabled");
+            }
+            
+            const canonicalServerUrl = config.serverUrl!.split('#')[0];
+            
+            if (resource !== canonicalServerUrl) {
+              throw new InvalidTargetError(
+                `Resource parameter '${resource}' does not match this server's URL '${canonicalServerUrl}'`
+              );
+            }
+          } else {
+            // Always log warning if resource is missing (unless validation is enabled)
+            if (!resource) {
+              console.warn(`Token exchange request from client ${client.client_id} is missing the resource parameter. Consider migrating to RFC 8707.`);
+            }
+          }
 
           const skipLocalPkceValidation = provider.skipLocalPkceValidation;
 
@@ -107,7 +140,8 @@ export function tokenHandler({ provider, rateLimit: rateLimitConfig }: TokenHand
             client, 
             code, 
             skipLocalPkceValidation ? code_verifier : undefined,
-            redirect_uri
+            redirect_uri,
+            resource
           );
           res.status(200).json(tokens);
           break;
@@ -119,10 +153,30 @@ export function tokenHandler({ provider, rateLimit: rateLimitConfig }: TokenHand
             throw new InvalidRequestError(parseResult.error.message);
           }
 
-          const { refresh_token, scope } = parseResult.data;
+          const { refresh_token, scope, resource } = parseResult.data;
+
+          // If validateResourceMatchesServer is enabled, resource is required and must match
+          if (config?.validateResourceMatchesServer) {
+            if (!resource) {
+              throw new InvalidRequestError("Resource parameter is required when server URL validation is enabled");
+            }
+            
+            const canonicalServerUrl = config.serverUrl!.split('#')[0];
+            
+            if (resource !== canonicalServerUrl) {
+              throw new InvalidTargetError(
+                `Resource parameter '${resource}' does not match this server's URL '${canonicalServerUrl}'`
+              );
+            }
+          } else {
+            // Always log warning if resource is missing (unless validation is enabled)
+            if (!resource) {
+              console.warn(`Token refresh request from client ${client.client_id} is missing the resource parameter. Consider migrating to RFC 8707.`);
+            }
+          }
 
           const scopes = scope?.split(" ");
-          const tokens = await provider.exchangeRefreshToken(client, refresh_token, scopes);
+          const tokens = await provider.exchangeRefreshToken(client, refresh_token, scopes, resource);
           res.status(200).json(tokens);
           break;
         }
diff --git a/src/server/auth/provider.ts b/src/server/auth/provider.ts
index 7815b713e..256984166 100644
--- a/src/server/auth/provider.ts
+++ b/src/server/auth/provider.ts
@@ -8,6 +8,7 @@ export type AuthorizationParams = {
   scopes?: string[];
   codeChallenge: string;
   redirectUri: string;
+  resource?: string;
 };
 
 /**
@@ -40,13 +41,14 @@ export interface OAuthServerProvider {
     client: OAuthClientInformationFull, 
     authorizationCode: string, 
     codeVerifier?: string,
-    redirectUri?: string
+    redirectUri?: string,
+    resource?: string
   ): Promise<OAuthTokens>;
 
   /**
    * Exchanges a refresh token for an access token.
    */
-  exchangeRefreshToken(client: OAuthClientInformationFull, refreshToken: string, scopes?: string[]): Promise<OAuthTokens>;
+  exchangeRefreshToken(client: OAuthClientInformationFull, refreshToken: string, scopes?: string[], resource?: string): Promise<OAuthTokens>;
 
   /**
    * Verifies an access token and returns information about it.
diff --git a/src/server/auth/providers/proxyProvider.test.ts b/src/server/auth/providers/proxyProvider.test.ts
index 69039c3e0..b652390b0 100644
--- a/src/server/auth/providers/proxyProvider.test.ts
+++ b/src/server/auth/providers/proxyProvider.test.ts
@@ -103,6 +103,49 @@ describe("Proxy OAuth Server Provider", () => {
 
       expect(mockResponse.redirect).toHaveBeenCalledWith(expectedUrl.toString());
     });
+
+    it('includes resource parameter in authorization redirect', async () => {
+      await provider.authorize(
+        validClient,
+        {
+          redirectUri: 'https://example.com/callback',
+          codeChallenge: 'test-challenge',
+          state: 'test-state',
+          scopes: ['read', 'write'],
+          resource: 'https://api.example.com/resource'
+        },
+        mockResponse
+      );
+
+      const expectedUrl = new URL('https://auth.example.com/authorize');
+      expectedUrl.searchParams.set('client_id', 'test-client');
+      expectedUrl.searchParams.set('response_type', 'code');
+      expectedUrl.searchParams.set('redirect_uri', 'https://example.com/callback');
+      expectedUrl.searchParams.set('code_challenge', 'test-challenge');
+      expectedUrl.searchParams.set('code_challenge_method', 'S256');
+      expectedUrl.searchParams.set('state', 'test-state');
+      expectedUrl.searchParams.set('scope', 'read write');
+      expectedUrl.searchParams.set('resource', 'https://api.example.com/resource');
+
+      expect(mockResponse.redirect).toHaveBeenCalledWith(expectedUrl.toString());
+    });
+
+    it('handles authorization without resource parameter', async () => {
+      await provider.authorize(
+        validClient,
+        {
+          redirectUri: 'https://example.com/callback',
+          codeChallenge: 'test-challenge',
+          state: 'test-state',
+          scopes: ['read']
+        },
+        mockResponse
+      );
+
+      const redirectUrl = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
+      const url = new URL(redirectUrl);
+      expect(url.searchParams.has('resource')).toBe(false);
+    });
   });
 
   describe("token exchange", () => {
@@ -164,6 +207,41 @@ describe("Proxy OAuth Server Provider", () => {
       expect(tokens).toEqual(mockTokenResponse);
     });
 
+    it('includes resource parameter in authorization code exchange', async () => {
+      const tokens = await provider.exchangeAuthorizationCode(
+        validClient,
+        'test-code',
+        'test-verifier',
+        'https://example.com/callback',
+        'https://api.example.com/resource'
+      );
+
+      expect(global.fetch).toHaveBeenCalledWith(
+        'https://auth.example.com/token',
+        expect.objectContaining({
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+          },
+          body: expect.stringContaining('resource=' + encodeURIComponent('https://api.example.com/resource'))
+        })
+      );
+      expect(tokens).toEqual(mockTokenResponse);
+    });
+
+    it('handles authorization code exchange without resource parameter', async () => {
+      const tokens = await provider.exchangeAuthorizationCode(
+        validClient,
+        'test-code',
+        'test-verifier'
+      );
+
+      const fetchCall = (global.fetch as jest.Mock).mock.calls[0];
+      const body = fetchCall[1].body as string;
+      expect(body).not.toContain('resource=');
+      expect(tokens).toEqual(mockTokenResponse);
+    });
+
     it("exchanges refresh token for new tokens", async () => {
       const tokens = await provider.exchangeRefreshToken(
         validClient,
@@ -184,6 +262,55 @@ describe("Proxy OAuth Server Provider", () => {
       expect(tokens).toEqual(mockTokenResponse);
     });
 
+    it('includes resource parameter in refresh token exchange', async () => {
+      const tokens = await provider.exchangeRefreshToken(
+        validClient,
+        'test-refresh-token',
+        ['read', 'write'],
+        'https://api.example.com/resource'
+      );
+
+      expect(global.fetch).toHaveBeenCalledWith(
+        'https://auth.example.com/token',
+        expect.objectContaining({
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+          },
+          body: expect.stringContaining('resource=' + encodeURIComponent('https://api.example.com/resource'))
+        })
+      );
+      expect(tokens).toEqual(mockTokenResponse);
+    });
+
+    it('handles refresh token exchange without resource parameter', async () => {
+      const tokens = await provider.exchangeRefreshToken(
+        validClient,
+        'test-refresh-token',
+        ['read']
+      );
+
+      const fetchCall = (global.fetch as jest.Mock).mock.calls[0];
+      const body = fetchCall[1].body as string;
+      expect(body).not.toContain('resource=');
+      expect(tokens).toEqual(mockTokenResponse);
+    });
+
+    it('includes both scope and resource parameters in refresh', async () => {
+      const tokens = await provider.exchangeRefreshToken(
+        validClient,
+        'test-refresh-token',
+        ['profile', 'email'],
+        'https://api.example.com/resource'
+      );
+
+      const fetchCall = (global.fetch as jest.Mock).mock.calls[0];
+      const body = fetchCall[1].body as string;
+      expect(body).toContain('scope=profile+email');
+      expect(body).toContain('resource=' + encodeURIComponent('https://api.example.com/resource'));
+      expect(tokens).toEqual(mockTokenResponse);
+    });
+
   });
 
   describe("client registration", () => {
diff --git a/src/server/auth/providers/proxyProvider.ts b/src/server/auth/providers/proxyProvider.ts
index db7460e55..7f8b8d3df 100644
--- a/src/server/auth/providers/proxyProvider.ts
+++ b/src/server/auth/providers/proxyProvider.ts
@@ -134,6 +134,7 @@ export class ProxyOAuthServerProvider implements OAuthServerProvider {
     // Add optional standard OAuth parameters
     if (params.state) searchParams.set("state", params.state);
     if (params.scopes?.length) searchParams.set("scope", params.scopes.join(" "));
+    if (params.resource) searchParams.set("resource", params.resource);
 
     targetUrl.search = searchParams.toString();
     res.redirect(targetUrl.toString());
@@ -152,7 +153,8 @@ export class ProxyOAuthServerProvider implements OAuthServerProvider {
     client: OAuthClientInformationFull,
     authorizationCode: string,
     codeVerifier?: string,
-    redirectUri?: string
+    redirectUri?: string,
+    resource?: string
   ): Promise<OAuthTokens> {
     const params = new URLSearchParams({
       grant_type: "authorization_code",
@@ -172,6 +174,10 @@ export class ProxyOAuthServerProvider implements OAuthServerProvider {
       params.append("redirect_uri", redirectUri);
     }
 
+    if (resource) {
+      params.append("resource", resource);
+    }
+
     const response = await fetch(this._endpoints.tokenUrl, {
       method: "POST",
       headers: {
@@ -192,7 +198,8 @@ export class ProxyOAuthServerProvider implements OAuthServerProvider {
   async exchangeRefreshToken(
     client: OAuthClientInformationFull,
     refreshToken: string,
-    scopes?: string[]
+    scopes?: string[],
+    resource?: string
   ): Promise<OAuthTokens> {
 
     const params = new URLSearchParams({
@@ -209,6 +216,10 @@ export class ProxyOAuthServerProvider implements OAuthServerProvider {
       params.set("scope", scopes.join(" "));
     }
 
+    if (resource) {
+      params.set("resource", resource);
+    }
+
     const response = await fetch(this._endpoints.tokenUrl, {
       method: "POST",
       headers: {
diff --git a/src/server/auth/types.ts b/src/server/auth/types.ts
index c25c2b602..33ba3f865 100644
--- a/src/server/auth/types.ts
+++ b/src/server/auth/types.ts
@@ -27,4 +27,37 @@ export interface AuthInfo {
    * This field should be used for any additional data that needs to be attached to the auth info.
   */
   extra?: Record<string, unknown>;
+}
+
+/**
+ * Configuration options for OAuth server behavior
+ */
+export interface OAuthServerConfig {
+  /**
+   * The canonical URL of this MCP server. When provided, the server will validate
+   * that the resource parameter in OAuth requests matches this URL.
+   * 
+   * This should be the full URL that clients use to connect to this server,
+   * without any fragment component (e.g., "https://api.example.com/mcp").
+   * 
+   * Required when validateResourceMatchesServer is true.
+   */
+  serverUrl?: string;
+
+  /**
+   * If true, validates that the resource parameter matches the configured serverUrl.
+   * 
+   * When enabled:
+   * - serverUrl must be configured (throws error if not)
+   * - resource parameter is required on all requests
+   * - resource must exactly match serverUrl (after fragment removal)
+   * - requests without resource parameter will be rejected with invalid_request error
+   * - requests with non-matching resource will be rejected with invalid_target error
+   * 
+   * When disabled:
+   * - warnings are logged when resource parameter is missing (for migration tracking)
+   * 
+   * @default false
+   */
+  validateResourceMatchesServer?: boolean;
 }
\ No newline at end of file
diff --git a/src/shared/auth-utils.test.ts b/src/shared/auth-utils.test.ts
new file mode 100644
index 000000000..1c45511a5
--- /dev/null
+++ b/src/shared/auth-utils.test.ts
@@ -0,0 +1,100 @@
+import { canonicalizeResourceUri, validateResourceUri, extractCanonicalResourceUri, resourceUrlFromServerUrl } from './auth-utils.js';
+
+describe('auth-utils', () => {
+  describe('resourceUrlFromServerUrl', () => {
+    it('should remove fragments', () => {
+      expect(resourceUrlFromServerUrl('https://example.com/path#fragment')).toBe('https://example.com/path');
+      expect(resourceUrlFromServerUrl('https://example.com#fragment')).toBe('https://example.com');
+      expect(resourceUrlFromServerUrl('https://example.com/path?query=1#fragment')).toBe('https://example.com/path?query=1');
+    });
+
+    it('should return URL unchanged if no fragment', () => {
+      expect(resourceUrlFromServerUrl('https://example.com')).toBe('https://example.com');
+      expect(resourceUrlFromServerUrl('https://example.com/path')).toBe('https://example.com/path');
+      expect(resourceUrlFromServerUrl('https://example.com/path?query=1')).toBe('https://example.com/path?query=1');
+    });
+
+    it('should keep everything else unchanged', () => {
+      // Case sensitivity preserved
+      expect(resourceUrlFromServerUrl('HTTPS://EXAMPLE.COM/PATH')).toBe('HTTPS://EXAMPLE.COM/PATH');
+      // Ports preserved
+      expect(resourceUrlFromServerUrl('https://example.com:443/path')).toBe('https://example.com:443/path');
+      expect(resourceUrlFromServerUrl('https://example.com:8080/path')).toBe('https://example.com:8080/path');
+      // Query parameters preserved
+      expect(resourceUrlFromServerUrl('https://example.com?foo=bar&baz=qux')).toBe('https://example.com?foo=bar&baz=qux');
+      // Trailing slashes preserved
+      expect(resourceUrlFromServerUrl('https://example.com/')).toBe('https://example.com/');
+      expect(resourceUrlFromServerUrl('https://example.com/path/')).toBe('https://example.com/path/');
+    });
+  });
+
+  describe('canonicalizeResourceUri', () => {
+    it('should remove fragments', () => {
+      expect(canonicalizeResourceUri('https://example.com/path#fragment')).toBe('https://example.com/path');
+    });
+
+    it('should keep everything else unchanged', () => {
+      expect(canonicalizeResourceUri('HTTPS://EXAMPLE.COM/path')).toBe('HTTPS://EXAMPLE.COM/path');
+      expect(canonicalizeResourceUri('https://example.com:443/path')).toBe('https://example.com:443/path');
+      expect(canonicalizeResourceUri('https://example.com/path?query=1')).toBe('https://example.com/path?query=1');
+    });
+  });
+
+  describe('validateResourceUri', () => {
+    it('should accept valid resource URIs without fragments', () => {
+      expect(() => validateResourceUri('https://example.com')).not.toThrow();
+      expect(() => validateResourceUri('https://example.com/path')).not.toThrow();
+      expect(() => validateResourceUri('http://example.com:8080')).not.toThrow();
+      expect(() => validateResourceUri('https://example.com?query=1')).not.toThrow();
+      expect(() => validateResourceUri('ftp://example.com')).not.toThrow(); // Only fragment check now
+    });
+
+    it('should reject URIs with fragments', () => {
+      expect(() => validateResourceUri('https://example.com#fragment')).toThrow('must not contain a fragment');
+      expect(() => validateResourceUri('https://example.com/path#section')).toThrow('must not contain a fragment');
+      expect(() => validateResourceUri('https://example.com?query=1#anchor')).toThrow('must not contain a fragment');
+    });
+
+    it('should accept any URI without fragment', () => {
+      // These are all valid now since we only check for fragments
+      expect(() => validateResourceUri('//example.com')).not.toThrow();
+      expect(() => validateResourceUri('https://user:pass@example.com')).not.toThrow();
+      expect(() => validateResourceUri('/path')).not.toThrow();
+      expect(() => validateResourceUri('path')).not.toThrow();
+    });
+  });
+
+  describe('extractCanonicalResourceUri', () => {
+    it('should remove fragments from URLs', () => {
+      expect(extractCanonicalResourceUri('https://example.com/path#fragment')).toBe('https://example.com/path');
+      expect(extractCanonicalResourceUri('https://example.com/path?query=1#fragment')).toBe('https://example.com/path?query=1');
+    });
+
+    it('should handle URL object', () => {
+      const url = new URL('https://example.com:8443/path?query=1#fragment');
+      expect(extractCanonicalResourceUri(url)).toBe('https://example.com:8443/path?query=1');
+    });
+
+    it('should keep everything else unchanged', () => {
+      // Preserves case
+      expect(extractCanonicalResourceUri('HTTPS://EXAMPLE.COM/path')).toBe('HTTPS://EXAMPLE.COM/path');
+      // Preserves all ports
+      expect(extractCanonicalResourceUri('https://example.com:443/path')).toBe('https://example.com:443/path');
+      expect(extractCanonicalResourceUri('http://example.com:80/path')).toBe('http://example.com:80/path');
+      // Preserves query parameters
+      expect(extractCanonicalResourceUri('https://example.com/path?query=1')).toBe('https://example.com/path?query=1');
+      // Preserves trailing slashes
+      expect(extractCanonicalResourceUri('https://example.com/')).toBe('https://example.com/');
+      expect(extractCanonicalResourceUri('https://example.com/app1/')).toBe('https://example.com/app1/');
+    });
+
+    it('should distinguish between different paths on same domain', () => {
+      // This is the key test for the security concern mentioned
+      const app1 = extractCanonicalResourceUri('https://api.example.com/mcp-server-1');
+      const app2 = extractCanonicalResourceUri('https://api.example.com/mcp-server-2');
+      expect(app1).not.toBe(app2);
+      expect(app1).toBe('https://api.example.com/mcp-server-1');
+      expect(app2).toBe('https://api.example.com/mcp-server-2');
+    });
+  });
+});
\ No newline at end of file
diff --git a/src/shared/auth-utils.ts b/src/shared/auth-utils.ts
new file mode 100644
index 000000000..aed5f247f
--- /dev/null
+++ b/src/shared/auth-utils.ts
@@ -0,0 +1,44 @@
+/**
+ * Utilities for handling OAuth resource URIs according to RFC 8707.
+ */
+
+/**
+ * Converts a server URL to a resource URL by removing the fragment.
+ * RFC 8707 section 2 states that resource URIs "MUST NOT include a fragment component".
+ * Keeps everything else unchanged (scheme, domain, port, path, query).
+ */
+export function resourceUrlFromServerUrl(url: string): string {
+  const hashIndex = url.indexOf('#');
+  return hashIndex === -1 ? url : url.substring(0, hashIndex);
+}
+
+/**
+ * Validates a resource URI according to RFC 8707 requirements.
+ * @param resourceUri The resource URI to validate
+ * @throws Error if the URI contains a fragment
+ */
+export function validateResourceUri(resourceUri: string): void {
+  if (resourceUri.includes('#')) {
+    throw new Error(`Invalid resource URI: ${resourceUri} - must not contain a fragment`);
+  }
+}
+
+/**
+ * Removes fragment from URI to make it RFC 8707 compliant.
+ * @deprecated Use resourceUrlFromServerUrl instead
+ */
+export function canonicalizeResourceUri(resourceUri: string): string {
+  return resourceUrlFromServerUrl(resourceUri);
+}
+
+/**
+ * Extracts resource URI from server URL by removing fragment.
+ * @param serverUrl The server URL to extract from
+ * @returns The resource URI without fragment
+ */
+export function extractResourceUri(serverUrl: string | URL): string {
+  return resourceUrlFromServerUrl(typeof serverUrl === 'string' ? serverUrl : serverUrl.href);
+}
+
+// Backward compatibility alias
+export const extractCanonicalResourceUri = extractResourceUri;
\ No newline at end of file

From 784d94437764dc0f8e46ccebab62337202b31a48 Mon Sep 17 00:00:00 2001
From: Basil Hosmer <basil@anthropic.com>
Date: Mon, 16 Jun 2025 14:52:33 -0400
Subject: [PATCH 060/147] update _meta comments

---
 src/types.ts | 54 ++++++++++++++++++++++++++++++++--------------------
 1 file changed, 33 insertions(+), 21 deletions(-)

diff --git a/src/types.ts b/src/types.ts
index 1c248d77b..762708f56 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -44,8 +44,9 @@ export const RequestSchema = z.object({
 const BaseNotificationParamsSchema = z
   .object({
     /**
-     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
-    */
+     * See [MCP specification](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/47339c03c143bb4ec01a26e721a1b8fe66634ebe/docs/specification/draft/basic/index.mdx#general-fields)
+     * for notes on _meta usage.
+     */
     _meta: z.optional(z.object({}).passthrough()),
   })
   .passthrough();
@@ -58,8 +59,9 @@ export const NotificationSchema = z.object({
 export const ResultSchema = z
   .object({
     /**
-     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
-    */
+     * See [MCP specification](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/47339c03c143bb4ec01a26e721a1b8fe66634ebe/docs/specification/draft/basic/index.mdx#general-fields)
+     * for notes on _meta usage.
+     */
     _meta: z.optional(z.object({}).passthrough()),
   })
   .passthrough();
@@ -436,7 +438,8 @@ export const ResourceContentsSchema = z
      */
     mimeType: z.optional(z.string()),
     /**
-     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
+     * See [MCP specification](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/47339c03c143bb4ec01a26e721a1b8fe66634ebe/docs/specification/draft/basic/index.mdx#general-fields)
+     * for notes on _meta usage.
      */
     _meta: z.optional(z.object({}).passthrough()),
   })
@@ -478,8 +481,9 @@ export const ResourceSchema = BaseMetadataSchema.extend({
   mimeType: z.optional(z.string()),
 
   /**
-   * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
-  */
+   * See [MCP specification](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/47339c03c143bb4ec01a26e721a1b8fe66634ebe/docs/specification/draft/basic/index.mdx#general-fields)
+   * for notes on _meta usage.
+   */
   _meta: z.optional(z.object({}).passthrough()),
 });
 
@@ -505,8 +509,9 @@ export const ResourceTemplateSchema = BaseMetadataSchema.extend({
   mimeType: z.optional(z.string()),
 
   /**
-   * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
-  */
+   * See [MCP specification](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/47339c03c143bb4ec01a26e721a1b8fe66634ebe/docs/specification/draft/basic/index.mdx#general-fields)
+   * for notes on _meta usage.
+   */
   _meta: z.optional(z.object({}).passthrough()),
 });
 
@@ -642,7 +647,8 @@ export const PromptSchema = BaseMetadataSchema.extend({
    */
   arguments: z.optional(z.array(PromptArgumentSchema)),
   /**
-   * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
+   * See [MCP specification](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/47339c03c143bb4ec01a26e721a1b8fe66634ebe/docs/specification/draft/basic/index.mdx#general-fields)
+   * for notes on _meta usage.
    */
   _meta: z.optional(z.object({}).passthrough()),
 });
@@ -690,8 +696,9 @@ export const TextContentSchema = z
     text: z.string(),
 
     /**
-     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
-    */
+     * See [MCP specification](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/47339c03c143bb4ec01a26e721a1b8fe66634ebe/docs/specification/draft/basic/index.mdx#general-fields)
+     * for notes on _meta usage.
+     */
     _meta: z.optional(z.object({}).passthrough()),
   })
   .passthrough();
@@ -712,8 +719,9 @@ export const ImageContentSchema = z
     mimeType: z.string(),
 
     /**
-     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
-    */
+     * See [MCP specification](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/47339c03c143bb4ec01a26e721a1b8fe66634ebe/docs/specification/draft/basic/index.mdx#general-fields)
+     * for notes on _meta usage.
+     */
     _meta: z.optional(z.object({}).passthrough()),
   })
   .passthrough();
@@ -734,8 +742,9 @@ export const AudioContentSchema = z
     mimeType: z.string(),
 
     /**
-     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
-    */
+     * See [MCP specification](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/47339c03c143bb4ec01a26e721a1b8fe66634ebe/docs/specification/draft/basic/index.mdx#general-fields)
+     * for notes on _meta usage.
+     */
     _meta: z.optional(z.object({}).passthrough()),
   })
   .passthrough();
@@ -748,7 +757,8 @@ export const EmbeddedResourceSchema = z
     type: z.literal("resource"),
     resource: z.union([TextResourceContentsSchema, BlobResourceContentsSchema]),
     /**
-     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
+     * See [MCP specification](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/47339c03c143bb4ec01a26e721a1b8fe66634ebe/docs/specification/draft/basic/index.mdx#general-fields)
+     * for notes on _meta usage.
      */
     _meta: z.optional(z.object({}).passthrough()),
   })
@@ -895,8 +905,9 @@ export const ToolSchema = BaseMetadataSchema.extend({
   annotations: z.optional(ToolAnnotationsSchema),
 
   /**
-   * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
-  */
+   * See [MCP specification](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/47339c03c143bb4ec01a26e721a1b8fe66634ebe/docs/specification/draft/basic/index.mdx#general-fields)
+   * for notes on _meta usage.
+   */
   _meta: z.optional(z.object({}).passthrough()),
 });
 
@@ -1230,8 +1241,9 @@ export const RootSchema = z
     name: z.optional(z.string()),
 
     /**
-     * Reserved by MCP for protocol-level metadata; implementations must not make assumptions about its contents.
-    */
+     * See [MCP specification](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/47339c03c143bb4ec01a26e721a1b8fe66634ebe/docs/specification/draft/basic/index.mdx#general-fields)
+     * for notes on _meta usage.
+     */
     _meta: z.optional(z.object({}).passthrough()),
   })
   .passthrough();

From 1f4e42c09ea8c42db79afa63d2abea74a57473a1 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Mon, 16 Jun 2025 20:05:02 +0100
Subject: [PATCH 061/147] cleanup auth-utils and remove example files

Co-Authored-By: Claude <noreply@anthropic.com>
---
 src/client/auth.ts                            |   4 +-
 src/client/sse.ts                             |   8 +-
 src/client/streamableHttp.ts                  |   8 +-
 .../server/resourceValidationExample.ts       | 152 ------------------
 .../server/serverUrlValidationExample.ts      | 103 ------------
 src/examples/server/strictModeExample.ts      |  85 ----------
 src/server/auth/handlers/authorize.ts         |   3 +-
 src/server/auth/handlers/token.ts             |   5 +-
 src/shared/auth-utils.test.ts                 |  37 ++---
 src/shared/auth-utils.ts                      |  13 +-
 10 files changed, 29 insertions(+), 389 deletions(-)
 delete mode 100644 src/examples/server/resourceValidationExample.ts
 delete mode 100644 src/examples/server/serverUrlValidationExample.ts
 delete mode 100644 src/examples/server/strictModeExample.ts

diff --git a/src/client/auth.ts b/src/client/auth.ts
index 9a9965f60..28188b7c0 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -2,7 +2,7 @@ import pkceChallenge from "pkce-challenge";
 import { LATEST_PROTOCOL_VERSION } from "../types.js";
 import type { OAuthClientMetadata, OAuthClientInformation, OAuthTokens, OAuthMetadata, OAuthClientInformationFull, OAuthProtectedResourceMetadata } from "../shared/auth.js";
 import { OAuthClientInformationFullSchema, OAuthMetadataSchema, OAuthProtectedResourceMetadataSchema, OAuthTokensSchema } from "../shared/auth.js";
-import { canonicalizeResourceUri } from "../shared/auth-utils.js";
+import { resourceUrlFromServerUrl } from "../shared/auth-utils.js";
 
 /**
  * Implements an end-to-end OAuth client to be used with one MCP server.
@@ -105,7 +105,7 @@ export async function auth(
   // Remove fragment from resource parameter if provided
   let canonicalResource: string | undefined;
   if (resource) {
-    canonicalResource = canonicalizeResourceUri(resource);
+    canonicalResource = resourceUrlFromServerUrl(resource);
   }
 
   let authorizationServerUrl = serverUrl;
diff --git a/src/client/sse.ts b/src/client/sse.ts
index 6c07cf252..c484bde96 100644
--- a/src/client/sse.ts
+++ b/src/client/sse.ts
@@ -2,7 +2,7 @@ import { EventSource, type ErrorEvent, type EventSourceInit } from "eventsource"
 import { Transport } from "../shared/transport.js";
 import { JSONRPCMessage, JSONRPCMessageSchema } from "../types.js";
 import { auth, AuthResult, extractResourceMetadataUrl, OAuthClientProvider, UnauthorizedError } from "./auth.js";
-import { extractCanonicalResourceUri } from "../shared/auth-utils.js";
+import { extractResourceUri } from "../shared/auth-utils.js";
 
 export class SseError extends Error {
   constructor(
@@ -90,7 +90,7 @@ export class SSEClientTransport implements Transport {
       result = await auth(this._authProvider, { 
         serverUrl: this._url, 
         resourceMetadataUrl: this._resourceMetadataUrl,
-        resource: extractCanonicalResourceUri(this._url)
+        resource: extractResourceUri(this._url)
       });
     } catch (error) {
       this.onerror?.(error as Error);
@@ -210,7 +210,7 @@ export class SSEClientTransport implements Transport {
       serverUrl: this._url, 
       authorizationCode, 
       resourceMetadataUrl: this._resourceMetadataUrl,
-      resource: extractCanonicalResourceUri(this._url)
+      resource: extractResourceUri(this._url)
     });
     if (result !== "AUTHORIZED") {
       throw new UnauthorizedError("Failed to authorize");
@@ -249,7 +249,7 @@ export class SSEClientTransport implements Transport {
           const result = await auth(this._authProvider, { 
             serverUrl: this._url, 
             resourceMetadataUrl: this._resourceMetadataUrl,
-            resource: extractCanonicalResourceUri(this._url)
+            resource: extractResourceUri(this._url)
           });
           if (result !== "AUTHORIZED") {
             throw new UnauthorizedError();
diff --git a/src/client/streamableHttp.ts b/src/client/streamableHttp.ts
index e452972bb..25c41bf3f 100644
--- a/src/client/streamableHttp.ts
+++ b/src/client/streamableHttp.ts
@@ -2,7 +2,7 @@ import { Transport } from "../shared/transport.js";
 import { isInitializedNotification, isJSONRPCRequest, isJSONRPCResponse, JSONRPCMessage, JSONRPCMessageSchema } from "../types.js";
 import { auth, AuthResult, extractResourceMetadataUrl, OAuthClientProvider, UnauthorizedError } from "./auth.js";
 import { EventSourceParserStream } from "eventsource-parser/stream";
-import { extractCanonicalResourceUri } from "../shared/auth-utils.js";
+import { extractResourceUri } from "../shared/auth-utils.js";
 
 // Default reconnection options for StreamableHTTP connections
 const DEFAULT_STREAMABLE_HTTP_RECONNECTION_OPTIONS: StreamableHTTPReconnectionOptions = {
@@ -153,7 +153,7 @@ export class StreamableHTTPClientTransport implements Transport {
       result = await auth(this._authProvider, { 
         serverUrl: this._url, 
         resourceMetadataUrl: this._resourceMetadataUrl,
-        resource: extractCanonicalResourceUri(this._url)
+        resource: extractResourceUri(this._url)
       });
     } catch (error) {
       this.onerror?.(error as Error);
@@ -371,7 +371,7 @@ export class StreamableHTTPClientTransport implements Transport {
       serverUrl: this._url, 
       authorizationCode, 
       resourceMetadataUrl: this._resourceMetadataUrl,
-      resource: extractCanonicalResourceUri(this._url)
+      resource: extractResourceUri(this._url)
     });
     if (result !== "AUTHORIZED") {
       throw new UnauthorizedError("Failed to authorize");
@@ -423,7 +423,7 @@ export class StreamableHTTPClientTransport implements Transport {
           const result = await auth(this._authProvider, { 
             serverUrl: this._url, 
             resourceMetadataUrl: this._resourceMetadataUrl,
-            resource: extractCanonicalResourceUri(this._url)
+            resource: extractResourceUri(this._url)
           });
           if (result !== "AUTHORIZED") {
             throw new UnauthorizedError();
diff --git a/src/examples/server/resourceValidationExample.ts b/src/examples/server/resourceValidationExample.ts
deleted file mode 100644
index 880b9539b..000000000
--- a/src/examples/server/resourceValidationExample.ts
+++ /dev/null
@@ -1,152 +0,0 @@
-/**
- * Example demonstrating RFC 8707 Resource Indicators for OAuth 2.0
- * 
- * This example shows how to configure and use resource validation in the MCP OAuth flow.
- * RFC 8707 allows OAuth clients to specify which protected resource they intend to access,
- * and enables authorization servers to restrict tokens to specific resources.
- */
-
-import { DemoInMemoryAuthProvider } from './demoInMemoryOAuthProvider.js';
-import { OAuthClientInformationFull } from '../../shared/auth.js';
-
-async function demonstrateResourceValidation() {
-  // Create the OAuth provider
-  const provider = new DemoInMemoryAuthProvider();
-  const clientsStore = provider.clientsStore;
-
-  // Register a client with specific allowed resources
-  const clientWithResources: OAuthClientInformationFull & { allowed_resources?: string[] } = {
-    client_id: 'resource-aware-client',
-    client_name: 'Resource-Aware MCP Client',
-    client_uri: 'https://example.com',
-    redirect_uris: ['https://example.com/callback'],
-    grant_types: ['authorization_code'],
-    response_types: ['code'],
-    scope: 'mcp:tools mcp:resources',
-    token_endpoint_auth_method: 'none',
-    // RFC 8707: Specify which resources this client can access
-    allowed_resources: [
-      'https://api.example.com/mcp/v1',
-      'https://api.example.com/mcp/v2',
-      'https://tools.example.com/mcp'
-    ]
-  };
-
-  await clientsStore.registerClient(clientWithResources);
-
-  console.log('Registered client with allowed resources:', clientWithResources.allowed_resources);
-
-  // Example 1: Authorization request with valid resource
-  try {
-    const mockResponse = {
-      redirect: (url: string) => {
-        console.log('✅ Authorization successful, redirecting to:', url);
-      }
-    };
-
-    await provider.authorize(clientWithResources, {
-      codeChallenge: 'S256-challenge-here',
-      redirectUri: clientWithResources.redirect_uris[0],
-      resource: 'https://api.example.com/mcp/v1', // Valid resource
-      scopes: ['mcp:tools']
-    }, mockResponse as any);
-  } catch (error) {
-    console.error('Authorization failed:', error);
-  }
-
-  // Example 2: Authorization request with invalid resource
-  try {
-    const mockResponse = {
-      redirect: (url: string) => {
-        console.log('Redirecting to:', url);
-      }
-    };
-
-    await provider.authorize(clientWithResources, {
-      codeChallenge: 'S256-challenge-here',
-      redirectUri: clientWithResources.redirect_uris[0],
-      resource: 'https://unauthorized.api.com/mcp', // Invalid resource
-      scopes: ['mcp:tools']
-    }, mockResponse as any);
-  } catch (error) {
-    console.error('❌ Authorization failed as expected:', error instanceof Error ? error.message : String(error));
-  }
-
-  // Example 3: Client without resource restrictions
-  const openClient: OAuthClientInformationFull = {
-    client_id: 'open-client',
-    client_name: 'Open MCP Client',
-    client_uri: 'https://open.example.com',
-    redirect_uris: ['https://open.example.com/callback'],
-    grant_types: ['authorization_code'],
-    response_types: ['code'],
-    scope: 'mcp:tools',
-    token_endpoint_auth_method: 'none',
-    // No allowed_resources specified - can access any resource
-  };
-
-  await clientsStore.registerClient(openClient);
-
-  try {
-    const mockResponse = {
-      redirect: (url: string) => {
-        console.log('✅ Open client can access any resource, redirecting to:', url);
-      }
-    };
-
-    await provider.authorize(openClient, {
-      codeChallenge: 'S256-challenge-here',
-      redirectUri: openClient.redirect_uris[0],
-      resource: 'https://any.api.com/mcp', // Any resource is allowed
-      scopes: ['mcp:tools']
-    }, mockResponse as any);
-  } catch (error) {
-    console.error('Authorization failed:', error);
-  }
-
-  // Example 4: Token introspection with resource information
-  // First, simulate getting a token with resource restriction
-  const mockAuthCode = 'demo-auth-code';
-  const mockTokenResponse = await simulateTokenExchange(provider, clientWithResources, mockAuthCode);
-  
-  if (mockTokenResponse) {
-    const tokenDetails = provider.getTokenDetails(mockTokenResponse.access_token);
-    console.log('\n📋 Token introspection result:');
-    console.log('- Client ID:', tokenDetails?.clientId);
-    console.log('- Scopes:', tokenDetails?.scopes);
-    console.log('- Resource (aud):', tokenDetails?.resource);
-    console.log('- Token is restricted to:', tokenDetails?.resource || 'No resource restriction');
-  }
-}
-
-async function simulateTokenExchange(
-  provider: DemoInMemoryAuthProvider,
-  client: OAuthClientInformationFull,
-  authCode: string
-) {
-  // This is a simplified simulation - in real usage, the auth code would come from the authorization flow
-  console.log('\n🔄 Simulating token exchange with resource validation...');
-  
-  // Note: In a real implementation, you would:
-  // 1. Get the authorization code from the redirect after authorize()
-  // 2. Exchange it for tokens using the token endpoint
-  // 3. The resource parameter in the token request must match the one from authorization
-  
-  return {
-    access_token: 'demo-token-with-resource',
-    token_type: 'bearer',
-    expires_in: 3600,
-    scope: 'mcp:tools'
-  };
-}
-
-// Usage instructions
-console.log('🚀 RFC 8707 Resource Indicators Demo\n');
-console.log('This example demonstrates how to:');
-console.log('1. Register clients with allowed resources');
-console.log('2. Validate resource parameters during authorization');
-console.log('3. Include resource information in tokens');
-console.log('4. Handle invalid_target errors\n');
-
-// Run the demonstration
-demonstrateResourceValidation().catch(console.error);
\ No newline at end of file
diff --git a/src/examples/server/serverUrlValidationExample.ts b/src/examples/server/serverUrlValidationExample.ts
deleted file mode 100644
index e88359bce..000000000
--- a/src/examples/server/serverUrlValidationExample.ts
+++ /dev/null
@@ -1,103 +0,0 @@
-/**
- * Example demonstrating server URL validation for RFC 8707 compliance
- * 
- * This example shows how to configure an OAuth server to validate that
- * the resource parameter in requests matches the server's own URL,
- * ensuring tokens are only issued for this specific server.
- */
-
-import express from 'express';
-import { authorizationHandler } from '../../server/auth/handlers/authorize.js';
-import { tokenHandler } from '../../server/auth/handlers/token.js';
-import { DemoInMemoryAuthProvider } from './demoInMemoryOAuthProvider.js';
-import { OAuthServerConfig } from '../../server/auth/types.js';
-
-// The canonical URL where this MCP server is accessible
-const SERVER_URL = 'https://api.example.com/mcp';
-
-// Configuration that validates resource matches this server
-const serverValidationConfig: OAuthServerConfig = {
-  // The server's canonical URL (without fragment)
-  serverUrl: SERVER_URL,
-  
-  // Enable validation that resource parameter matches serverUrl
-  // This also makes the resource parameter required
-  validateResourceMatchesServer: true
-};
-
-// Create the OAuth provider
-const provider = new DemoInMemoryAuthProvider();
-
-// Create Express app
-const app = express();
-
-// Configure authorization endpoint with server URL validation
-app.use('/oauth/authorize', authorizationHandler({
-  provider,
-  config: serverValidationConfig
-}));
-
-// Configure token endpoint with server URL validation
-app.use('/oauth/token', tokenHandler({
-  provider,
-  config: serverValidationConfig
-}));
-
-// Example scenarios
-console.log('🔐 Server URL Validation Example\n');
-console.log(`This server only accepts resource parameters matching: ${SERVER_URL}\n`);
-
-console.log('✅ Valid request examples:');
-console.log(`1. Resource matches server URL:
-   GET /oauth/authorize?client_id=my-client&resource=${SERVER_URL}&...
-   Result: Authorization proceeds normally\n`);
-
-console.log(`2. Resource with query parameters (exact match required):
-   GET /oauth/authorize?client_id=my-client&resource=${SERVER_URL}?version=2&...
-   Result: Rejected - resource must match exactly\n`);
-
-console.log('❌ Invalid request examples:');
-console.log(`1. Different domain:
-   GET /oauth/authorize?client_id=my-client&resource=https://evil.com/mcp&...
-   Response: 400 invalid_target - "Resource parameter 'https://evil.com/mcp' does not match this server's URL"\n`);
-
-console.log(`2. Different path:
-   GET /oauth/authorize?client_id=my-client&resource=https://api.example.com/different&...
-   Response: 400 invalid_target - "Resource parameter does not match this server's URL"\n`);
-
-console.log(`3. Missing resource (with validateResourceMatchesServer: true):
-   GET /oauth/authorize?client_id=my-client&...
-   Response: 400 invalid_request - "Resource parameter is required when server URL validation is enabled"\n`);
-
-console.log('🛡️  Security Benefits:');
-console.log('1. Prevents token confusion attacks - tokens cannot be obtained for other servers');
-console.log('2. Ensures all tokens are scoped to this specific MCP server');
-console.log('3. Provides clear audit trail of resource access attempts');
-console.log('4. Protects against malicious clients trying to obtain tokens for other services\n');
-
-console.log('📝 Configuration Notes:');
-console.log('- serverUrl should be the exact URL clients use to connect');
-console.log('- Fragments are automatically removed from both serverUrl and resource');
-console.log('- When validateResourceMatchesServer is true, resource parameter is required');
-console.log('- Validation ensures exact match between resource and serverUrl\n');
-
-console.log('🔧 Implementation Tips:');
-console.log('1. Set serverUrl from environment variable for different deployments:');
-console.log('   serverUrl: process.env.MCP_SERVER_URL || "https://api.example.com/mcp"\n');
-
-console.log('2. For development environments, you might disable validation:');
-console.log('   validateResourceMatchesServer: process.env.NODE_ENV === "production"\n');
-
-console.log('3. Consider logging failed validation attempts for security monitoring:');
-console.log('   Monitor logs for patterns of invalid_target errors\n');
-
-// Example of dynamic configuration based on environment
-const productionConfig: OAuthServerConfig = {
-  serverUrl: process.env.MCP_SERVER_URL || SERVER_URL,
-  validateResourceMatchesServer: process.env.NODE_ENV === 'production'
-};
-
-console.log('🚀 Production configuration example:');
-console.log(JSON.stringify(productionConfig, null, 2));
-
-export { app, provider, serverValidationConfig };
\ No newline at end of file
diff --git a/src/examples/server/strictModeExample.ts b/src/examples/server/strictModeExample.ts
deleted file mode 100644
index 5ff140d6b..000000000
--- a/src/examples/server/strictModeExample.ts
+++ /dev/null
@@ -1,85 +0,0 @@
-/**
- * Example demonstrating strict RFC 8707 enforcement mode
- * 
- * This example shows how to configure an OAuth server that requires
- * all requests to include a resource parameter, ensuring maximum
- * security against token confusion attacks.
- */
-
-import express from 'express';
-import { authorizationHandler } from '../../server/auth/handlers/authorize.js';
-import { tokenHandler } from '../../server/auth/handlers/token.js';
-import { DemoInMemoryAuthProvider } from './demoInMemoryOAuthProvider.js';
-import { OAuthServerConfig } from '../../server/auth/types.js';
-
-// Strict mode configuration - validates resource matches server URL
-const SERVER_URL = 'https://api.example.com/mcp';
-const strictConfig: OAuthServerConfig = {
-  serverUrl: SERVER_URL,
-  validateResourceMatchesServer: true
-};
-
-// Create the OAuth provider
-const provider = new DemoInMemoryAuthProvider();
-
-// Create Express app
-const app = express();
-
-// Configure authorization endpoint with strict mode
-app.use('/oauth/authorize', authorizationHandler({
-  provider,
-  config: strictConfig,
-  rateLimit: {
-    windowMs: 15 * 60 * 1000, // 15 minutes
-    max: 10 // limit each IP to 10 requests per window
-  }
-}));
-
-// Configure token endpoint with strict mode
-app.use('/oauth/token', tokenHandler({
-  provider,
-  config: strictConfig,
-  rateLimit: {
-    windowMs: 15 * 60 * 1000, // 15 minutes
-    max: 20 // limit each IP to 20 requests per window
-  }
-}));
-
-// Example of what happens with different requests:
-console.log('🔒 Strict RFC 8707 Mode Example\n');
-console.log(`This server validates that resource parameter matches: ${SERVER_URL}\n`);
-
-console.log('✅ Valid request example:');
-console.log(`GET /oauth/authorize?client_id=my-client&response_type=code&code_challenge=abc123&code_challenge_method=S256&resource=${SERVER_URL}\n`);
-
-console.log('❌ Invalid request examples:');
-console.log('1. Missing resource:');
-console.log('GET /oauth/authorize?client_id=my-client&response_type=code&code_challenge=abc123&code_challenge_method=S256');
-console.log('Response: 400 Bad Request - "Resource parameter is required when server URL validation is enabled"\n');
-
-console.log('2. Wrong resource:');
-console.log('GET /oauth/authorize?client_id=my-client&response_type=code&code_challenge=abc123&code_challenge_method=S256&resource=https://evil.com/mcp');
-console.log(`Response: 400 Bad Request - "Resource parameter 'https://evil.com/mcp' does not match this server's URL '${SERVER_URL}'"\n`);
-
-console.log('📋 Benefits of server URL validation:');
-console.log('1. Prevents token confusion attacks - tokens can only be issued for this server');
-console.log('2. Ensures all tokens are properly scoped to this specific MCP server');
-console.log('3. No accidental token leakage to other services');
-console.log('4. Clear security boundary enforcement\n');
-
-console.log('⚠️  Migration considerations:');
-console.log('1. Server must know its canonical URL (configure via environment variable)');
-console.log('2. All clients must send the exact matching resource parameter');
-console.log('3. Consider using warnings-only mode first (validateResourceMatchesServer: false)');
-console.log('4. Monitor logs to track adoption before enabling validation\n');
-
-// Example middleware to track resource parameter usage
-app.use((req, res, next) => {
-  if (req.path.includes('/oauth/')) {
-    const hasResource = req.query.resource || req.body?.resource;
-    console.log(`[${new Date().toISOString()}] OAuth request to ${req.path} - Resource parameter: ${hasResource ? 'present' : 'MISSING'}`);
-  }
-  next();
-});
-
-export { app, provider, strictConfig };
\ No newline at end of file
diff --git a/src/server/auth/handlers/authorize.ts b/src/server/auth/handlers/authorize.ts
index dbed1b522..946c46c9d 100644
--- a/src/server/auth/handlers/authorize.ts
+++ b/src/server/auth/handlers/authorize.ts
@@ -14,6 +14,7 @@ import {
   OAuthError
 } from "../errors.js";
 import { OAuthServerConfig } from "../types.js";
+import { resourceUrlFromServerUrl } from "../../../shared/auth-utils.js";
 
 export type AuthorizationHandlerOptions = {
   provider: OAuthServerProvider;
@@ -137,7 +138,7 @@ export function authorizationHandler({ provider, rateLimit: rateLimitConfig, con
         }
         
         // Remove fragment from server URL if present (though it shouldn't have one)
-        const canonicalServerUrl = config.serverUrl!.split('#')[0];
+        const canonicalServerUrl = resourceUrlFromServerUrl(config.serverUrl!);
         
         if (resource !== canonicalServerUrl) {
           throw new InvalidTargetError(
diff --git a/src/server/auth/handlers/token.ts b/src/server/auth/handlers/token.ts
index 37950502e..7af42d7ad 100644
--- a/src/server/auth/handlers/token.ts
+++ b/src/server/auth/handlers/token.ts
@@ -16,6 +16,7 @@ import {
   InvalidTargetError
 } from "../errors.js";
 import { OAuthServerConfig } from "../types.js";
+import { resourceUrlFromServerUrl } from "../../../shared/auth-utils.js";
 
 export type TokenHandlerOptions = {
   provider: OAuthServerProvider;
@@ -110,7 +111,7 @@ export function tokenHandler({ provider, rateLimit: rateLimitConfig, config }: T
               throw new InvalidRequestError("Resource parameter is required when server URL validation is enabled");
             }
             
-            const canonicalServerUrl = config.serverUrl!.split('#')[0];
+            const canonicalServerUrl = resourceUrlFromServerUrl(config.serverUrl!);
             
             if (resource !== canonicalServerUrl) {
               throw new InvalidTargetError(
@@ -161,7 +162,7 @@ export function tokenHandler({ provider, rateLimit: rateLimitConfig, config }: T
               throw new InvalidRequestError("Resource parameter is required when server URL validation is enabled");
             }
             
-            const canonicalServerUrl = config.serverUrl!.split('#')[0];
+            const canonicalServerUrl = resourceUrlFromServerUrl(config.serverUrl!);
             
             if (resource !== canonicalServerUrl) {
               throw new InvalidTargetError(
diff --git a/src/shared/auth-utils.test.ts b/src/shared/auth-utils.test.ts
index 1c45511a5..b95714081 100644
--- a/src/shared/auth-utils.test.ts
+++ b/src/shared/auth-utils.test.ts
@@ -1,4 +1,4 @@
-import { canonicalizeResourceUri, validateResourceUri, extractCanonicalResourceUri, resourceUrlFromServerUrl } from './auth-utils.js';
+import { validateResourceUri, extractResourceUri, resourceUrlFromServerUrl } from './auth-utils.js';
 
 describe('auth-utils', () => {
   describe('resourceUrlFromServerUrl', () => {
@@ -28,17 +28,6 @@ describe('auth-utils', () => {
     });
   });
 
-  describe('canonicalizeResourceUri', () => {
-    it('should remove fragments', () => {
-      expect(canonicalizeResourceUri('https://example.com/path#fragment')).toBe('https://example.com/path');
-    });
-
-    it('should keep everything else unchanged', () => {
-      expect(canonicalizeResourceUri('HTTPS://EXAMPLE.COM/path')).toBe('HTTPS://EXAMPLE.COM/path');
-      expect(canonicalizeResourceUri('https://example.com:443/path')).toBe('https://example.com:443/path');
-      expect(canonicalizeResourceUri('https://example.com/path?query=1')).toBe('https://example.com/path?query=1');
-    });
-  });
 
   describe('validateResourceUri', () => {
     it('should accept valid resource URIs without fragments', () => {
@@ -64,34 +53,34 @@ describe('auth-utils', () => {
     });
   });
 
-  describe('extractCanonicalResourceUri', () => {
+  describe('extractResourceUri', () => {
     it('should remove fragments from URLs', () => {
-      expect(extractCanonicalResourceUri('https://example.com/path#fragment')).toBe('https://example.com/path');
-      expect(extractCanonicalResourceUri('https://example.com/path?query=1#fragment')).toBe('https://example.com/path?query=1');
+      expect(extractResourceUri('https://example.com/path#fragment')).toBe('https://example.com/path');
+      expect(extractResourceUri('https://example.com/path?query=1#fragment')).toBe('https://example.com/path?query=1');
     });
 
     it('should handle URL object', () => {
       const url = new URL('https://example.com:8443/path?query=1#fragment');
-      expect(extractCanonicalResourceUri(url)).toBe('https://example.com:8443/path?query=1');
+      expect(extractResourceUri(url)).toBe('https://example.com:8443/path?query=1');
     });
 
     it('should keep everything else unchanged', () => {
       // Preserves case
-      expect(extractCanonicalResourceUri('HTTPS://EXAMPLE.COM/path')).toBe('HTTPS://EXAMPLE.COM/path');
+      expect(extractResourceUri('HTTPS://EXAMPLE.COM/path')).toBe('HTTPS://EXAMPLE.COM/path');
       // Preserves all ports
-      expect(extractCanonicalResourceUri('https://example.com:443/path')).toBe('https://example.com:443/path');
-      expect(extractCanonicalResourceUri('http://example.com:80/path')).toBe('http://example.com:80/path');
+      expect(extractResourceUri('https://example.com:443/path')).toBe('https://example.com:443/path');
+      expect(extractResourceUri('http://example.com:80/path')).toBe('http://example.com:80/path');
       // Preserves query parameters
-      expect(extractCanonicalResourceUri('https://example.com/path?query=1')).toBe('https://example.com/path?query=1');
+      expect(extractResourceUri('https://example.com/path?query=1')).toBe('https://example.com/path?query=1');
       // Preserves trailing slashes
-      expect(extractCanonicalResourceUri('https://example.com/')).toBe('https://example.com/');
-      expect(extractCanonicalResourceUri('https://example.com/app1/')).toBe('https://example.com/app1/');
+      expect(extractResourceUri('https://example.com/')).toBe('https://example.com/');
+      expect(extractResourceUri('https://example.com/app1/')).toBe('https://example.com/app1/');
     });
 
     it('should distinguish between different paths on same domain', () => {
       // This is the key test for the security concern mentioned
-      const app1 = extractCanonicalResourceUri('https://api.example.com/mcp-server-1');
-      const app2 = extractCanonicalResourceUri('https://api.example.com/mcp-server-2');
+      const app1 = extractResourceUri('https://api.example.com/mcp-server-1');
+      const app2 = extractResourceUri('https://api.example.com/mcp-server-2');
       expect(app1).not.toBe(app2);
       expect(app1).toBe('https://api.example.com/mcp-server-1');
       expect(app2).toBe('https://api.example.com/mcp-server-2');
diff --git a/src/shared/auth-utils.ts b/src/shared/auth-utils.ts
index aed5f247f..e69d821da 100644
--- a/src/shared/auth-utils.ts
+++ b/src/shared/auth-utils.ts
@@ -23,14 +23,6 @@ export function validateResourceUri(resourceUri: string): void {
   }
 }
 
-/**
- * Removes fragment from URI to make it RFC 8707 compliant.
- * @deprecated Use resourceUrlFromServerUrl instead
- */
-export function canonicalizeResourceUri(resourceUri: string): string {
-  return resourceUrlFromServerUrl(resourceUri);
-}
-
 /**
  * Extracts resource URI from server URL by removing fragment.
  * @param serverUrl The server URL to extract from
@@ -38,7 +30,4 @@ export function canonicalizeResourceUri(resourceUri: string): string {
  */
 export function extractResourceUri(serverUrl: string | URL): string {
   return resourceUrlFromServerUrl(typeof serverUrl === 'string' ? serverUrl : serverUrl.href);
-}
-
-// Backward compatibility alias
-export const extractCanonicalResourceUri = extractResourceUri;
\ No newline at end of file
+}
\ No newline at end of file

From cba6a6ea589e8e5276fe1aef5c4efa17e99adafa Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Mon, 16 Jun 2025 20:41:56 +0100
Subject: [PATCH 062/147] Update authorize.config.test.ts

Co-Authored-By: Claude <noreply@anthropic.com>
---
 src/server/auth/handlers/authorize.config.test.ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/server/auth/handlers/authorize.config.test.ts b/src/server/auth/handlers/authorize.config.test.ts
index aa180c4b4..f0736da21 100644
--- a/src/server/auth/handlers/authorize.config.test.ts
+++ b/src/server/auth/handlers/authorize.config.test.ts
@@ -3,7 +3,6 @@ import request from "supertest";
 import { authorizationHandler } from "./authorize.js";
 import { OAuthServerProvider } from "../provider.js";
 import { OAuthServerConfig } from "../types.js";
-import { InvalidRequestError, InvalidTargetError } from "../errors.js";
 
 describe("Authorization handler with config", () => {
   let app: express.Application;

From ccccb4b7ccb98b06b3537bf9eebc29bfc3c00368 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Mon, 16 Jun 2025 21:34:06 +0100
Subject: [PATCH 063/147] simplify PR / only keep verification in demo inmemory
 oauth provider

Co-Authored-By: Claude <noreply@anthropic.com>
---
 .../server/demoInMemoryOAuthProvider.test.ts  | 175 ++++++++-
 .../server/demoInMemoryOAuthProvider.ts       | 107 +++++-
 src/examples/server/simpleStreamableHttp.ts   |   7 +-
 .../auth/handlers/authorize.config.test.ts    | 360 ------------------
 src/server/auth/handlers/authorize.ts         |  36 +-
 src/server/auth/handlers/token.ts             |  58 +--
 src/server/auth/types.ts                      |  33 --
 7 files changed, 290 insertions(+), 486 deletions(-)
 delete mode 100644 src/server/auth/handlers/authorize.config.test.ts

diff --git a/src/examples/server/demoInMemoryOAuthProvider.test.ts b/src/examples/server/demoInMemoryOAuthProvider.test.ts
index 49c6f69b1..852f0c98f 100644
--- a/src/examples/server/demoInMemoryOAuthProvider.test.ts
+++ b/src/examples/server/demoInMemoryOAuthProvider.test.ts
@@ -1,6 +1,6 @@
 import { describe, it, expect, beforeEach } from '@jest/globals';
-import { DemoInMemoryAuthProvider, DemoInMemoryClientsStore } from './demoInMemoryOAuthProvider.js';
-import { InvalidTargetError } from '../../server/auth/errors.js';
+import { DemoInMemoryAuthProvider, DemoInMemoryClientsStore, DemoOAuthProviderConfig } from './demoInMemoryOAuthProvider.js';
+import { InvalidTargetError, InvalidRequestError } from '../../server/auth/errors.js';
 import { OAuthClientInformationFull } from '../../shared/auth.js';
 import { Response } from 'express';
 
@@ -215,4 +215,175 @@ describe('DemoInMemoryOAuthProvider - RFC 8707 Resource Validation', () => {
       }, mockResponse as Response)).rejects.toThrow(InvalidTargetError);
     });
   });
+
+  describe('Server URL validation configuration', () => {
+    it('should throw error when validateResourceMatchesServer is true but serverUrl is not set', () => {
+      const invalidConfig: DemoOAuthProviderConfig = {
+        validateResourceMatchesServer: true
+        // serverUrl is missing
+      };
+
+      expect(() => {
+        new DemoInMemoryAuthProvider(invalidConfig);
+      }).toThrow("serverUrl must be configured when validateResourceMatchesServer is true");
+    });
+
+    describe('with server URL validation enabled', () => {
+      let strictProvider: DemoInMemoryAuthProvider;
+
+      beforeEach(() => {
+        const config: DemoOAuthProviderConfig = {
+          serverUrl: 'https://api.example.com/mcp',
+          validateResourceMatchesServer: true
+        };
+        strictProvider = new DemoInMemoryAuthProvider(config);
+        
+        strictProvider.clientsStore.registerClient(mockClient);
+      });
+
+      it('should reject authorization without resource parameter', async () => {
+        await expect(strictProvider.authorize(mockClient, {
+          codeChallenge: 'test-challenge',
+          redirectUri: mockClient.redirect_uris[0],
+          scopes: ['mcp:tools']
+          // resource is missing
+        }, mockResponse as Response)).rejects.toThrow(InvalidRequestError);
+      });
+
+      it('should reject authorization with non-matching resource', async () => {
+        await expect(strictProvider.authorize(mockClient, {
+          codeChallenge: 'test-challenge',
+          redirectUri: mockClient.redirect_uris[0],
+          resource: 'https://different.api.com/mcp',
+          scopes: ['mcp:tools']
+        }, mockResponse as Response)).rejects.toThrow(InvalidTargetError);
+      });
+
+      it('should accept authorization with matching resource', async () => {
+        await expect(strictProvider.authorize(mockClient, {
+          codeChallenge: 'test-challenge',
+          redirectUri: mockClient.redirect_uris[0],
+          resource: 'https://api.example.com/mcp',
+          scopes: ['mcp:tools']
+        }, mockResponse as Response)).resolves.not.toThrow();
+
+        expect(mockResponse.redirect).toHaveBeenCalled();
+      });
+
+      it('should handle server URL with fragment correctly', async () => {
+        const configWithFragment: DemoOAuthProviderConfig = {
+          serverUrl: 'https://api.example.com/mcp#fragment',
+          validateResourceMatchesServer: true
+        };
+        const providerWithFragment = new DemoInMemoryAuthProvider(configWithFragment);
+        
+        await providerWithFragment.clientsStore.registerClient(mockClient);
+
+        // Should accept resource without fragment
+        await expect(providerWithFragment.authorize(mockClient, {
+          codeChallenge: 'test-challenge',
+          redirectUri: mockClient.redirect_uris[0],
+          resource: 'https://api.example.com/mcp',
+          scopes: ['mcp:tools']
+        }, mockResponse as Response)).resolves.not.toThrow();
+      });
+
+      it('should reject token exchange without resource parameter', async () => {
+        // First authorize with resource
+        mockResponse.redirect = jest.fn();
+        await strictProvider.authorize(mockClient, {
+          codeChallenge: 'test-challenge',
+          redirectUri: mockClient.redirect_uris[0],
+          resource: 'https://api.example.com/mcp',
+          scopes: ['mcp:tools']
+        }, mockResponse as Response);
+
+        const redirectCall = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
+        const url = new URL(redirectCall);
+        const authCode = url.searchParams.get('code')!;
+
+        await expect(strictProvider.exchangeAuthorizationCode(
+          mockClient,
+          authCode,
+          undefined,
+          undefined
+          // resource is missing
+        )).rejects.toThrow(InvalidRequestError);
+      });
+
+      it('should reject refresh token without resource parameter', async () => {
+        await expect(strictProvider.exchangeRefreshToken(
+          mockClient,
+          'refresh-token',
+          undefined
+          // resource is missing
+        )).rejects.toThrow(InvalidRequestError);
+      });
+    });
+
+    describe('with server URL validation disabled (warning mode)', () => {
+      let warnProvider: DemoInMemoryAuthProvider;
+      let consoleWarnSpy: jest.SpyInstance;
+
+      beforeEach(() => {
+        consoleWarnSpy = jest.spyOn(console, 'warn').mockImplementation();
+        warnProvider = new DemoInMemoryAuthProvider(); // No config = warnings enabled
+        
+        warnProvider.clientsStore.registerClient(mockClient);
+      });
+
+      afterEach(() => {
+        consoleWarnSpy.mockRestore();
+      });
+
+      it('should log warning when resource is missing from authorization', async () => {
+        await warnProvider.authorize(mockClient, {
+          codeChallenge: 'test-challenge',
+          redirectUri: mockClient.redirect_uris[0],
+          scopes: ['mcp:tools']
+          // resource is missing
+        }, mockResponse as Response);
+
+        expect(consoleWarnSpy).toHaveBeenCalledWith(
+          expect.stringContaining('test-client is missing the resource parameter')
+        );
+      });
+
+      it('should not log warning when resource is present', async () => {
+        await warnProvider.authorize(mockClient, {
+          codeChallenge: 'test-challenge',
+          redirectUri: mockClient.redirect_uris[0],
+          resource: 'https://api.example.com/mcp',
+          scopes: ['mcp:tools']
+        }, mockResponse as Response);
+
+        expect(consoleWarnSpy).not.toHaveBeenCalled();
+      });
+
+      it('should log warning when resource is missing from token exchange', async () => {
+        // First authorize without resource
+        await warnProvider.authorize(mockClient, {
+          codeChallenge: 'test-challenge',
+          redirectUri: mockClient.redirect_uris[0],
+          scopes: ['mcp:tools']
+        }, mockResponse as Response);
+
+        const redirectCall = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
+        const url = new URL(redirectCall);
+        const authCode = url.searchParams.get('code')!;
+
+        await warnProvider.exchangeAuthorizationCode(
+          mockClient,
+          authCode,
+          undefined,
+          undefined
+          // resource is missing
+        );
+
+        expect(consoleWarnSpy).toHaveBeenCalledWith(
+          expect.stringContaining('test-client is missing the resource parameter')
+        );
+      });
+    });
+  });
 });
\ No newline at end of file
diff --git a/src/examples/server/demoInMemoryOAuthProvider.ts b/src/examples/server/demoInMemoryOAuthProvider.ts
index 66583e490..2f0e35392 100644
--- a/src/examples/server/demoInMemoryOAuthProvider.ts
+++ b/src/examples/server/demoInMemoryOAuthProvider.ts
@@ -5,7 +5,8 @@ import { OAuthClientInformationFull, OAuthMetadata, OAuthTokens } from '../../sh
 import express, { Request, Response } from "express";
 import { AuthInfo } from '../../server/auth/types.js';
 import { createOAuthMetadata, mcpAuthRouter } from '../../server/auth/router.js';
-import { InvalidTargetError } from '../../server/auth/errors.js';
+import { InvalidTargetError, InvalidRequestError } from '../../server/auth/errors.js';
+import { resourceUrlFromServerUrl } from '../../shared/auth-utils.js';
 
 
 interface ExtendedClientInformation extends OAuthClientInformationFull {
@@ -48,19 +49,79 @@ interface ExtendedAuthInfo extends AuthInfo {
   type?: string;
 }
 
+/**
+ * Configuration options for the demo OAuth provider
+ */
+export interface DemoOAuthProviderConfig {
+  /**
+   * The canonical URL of this MCP server. When provided, the provider will validate
+   * that the resource parameter in OAuth requests matches this URL.
+   * 
+   * This should be the full URL that clients use to connect to this server,
+   * without any fragment component (e.g., "https://api.example.com/mcp").
+   * 
+   * Required when validateResourceMatchesServer is true.
+   */
+  serverUrl?: string;
+
+  /**
+   * If true, validates that the resource parameter matches the configured serverUrl.
+   * 
+   * When enabled:
+   * - serverUrl must be configured (throws error if not)
+   * - resource parameter is required on all requests
+   * - resource must exactly match serverUrl (after fragment removal)
+   * - requests without resource parameter will be rejected with invalid_request error
+   * - requests with non-matching resource will be rejected with invalid_target error
+   * 
+   * When disabled:
+   * - warnings are logged when resource parameter is missing (for migration tracking)
+   * 
+   * @default false
+   */
+  validateResourceMatchesServer?: boolean;
+}
+
 export class DemoInMemoryAuthProvider implements OAuthServerProvider {
   clientsStore = new DemoInMemoryClientsStore();
   private codes = new Map<string, {
     params: AuthorizationParams,
     client: OAuthClientInformationFull}>();
   private tokens = new Map<string, ExtendedAuthInfo>();
+  private config?: DemoOAuthProviderConfig;
+
+  constructor(config?: DemoOAuthProviderConfig) {
+    if (config?.validateResourceMatchesServer && !config?.serverUrl) {
+      throw new Error("serverUrl must be configured when validateResourceMatchesServer is true");
+    }
+    this.config = config;
+  }
 
   async authorize(
     client: OAuthClientInformationFull,
     params: AuthorizationParams,
     res: Response
   ): Promise<void> {
-    // Validate resource parameter if provided
+    // Validate resource parameter based on configuration
+    if (this.config?.validateResourceMatchesServer) {
+      if (!params.resource) {
+        throw new InvalidRequestError("Resource parameter is required when server URL validation is enabled");
+      }
+      
+      // Remove fragment from server URL if present (though it shouldn't have one)
+      const canonicalServerUrl = resourceUrlFromServerUrl(this.config.serverUrl!);
+      
+      if (params.resource !== canonicalServerUrl) {
+        throw new InvalidTargetError(
+          `Resource parameter '${params.resource}' does not match this server's URL '${canonicalServerUrl}'`
+        );
+      }
+    } else if (!params.resource) {
+      // Always log warning if resource is missing (unless validation is enabled)
+      console.warn(`Authorization request from client ${client.client_id} is missing the resource parameter. Consider migrating to RFC 8707.`);
+    }
+    
+    // Additional validation: check if client is allowed to access the resource
     if (params.resource) {
       await this.validateResource(client, params.resource);
     }
@@ -116,6 +177,24 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
       throw new Error(`Authorization code was not issued to this client, ${codeData.client.client_id} != ${client.client_id}`);
     }
 
+    // Validate resource parameter based on configuration
+    if (this.config?.validateResourceMatchesServer) {
+      if (!resource) {
+        throw new InvalidRequestError("Resource parameter is required when server URL validation is enabled");
+      }
+      
+      const canonicalServerUrl = resourceUrlFromServerUrl(this.config.serverUrl!);
+      
+      if (resource !== canonicalServerUrl) {
+        throw new InvalidTargetError(
+          `Resource parameter '${resource}' does not match this server's URL '${canonicalServerUrl}'`
+        );
+      }
+    } else if (!resource) {
+      // Always log warning if resource is missing (unless validation is enabled)
+      console.warn(`Token exchange request from client ${client.client_id} is missing the resource parameter. Consider migrating to RFC 8707.`);
+    }
+
     // Validate that the resource matches what was authorized
     if (resource !== codeData.params.resource) {
       throw new InvalidTargetError('Resource parameter does not match the authorized resource');
@@ -154,7 +233,25 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
     _scopes?: string[],
     resource?: string
   ): Promise<OAuthTokens> {
-    // Validate resource parameter if provided
+    // Validate resource parameter based on configuration
+    if (this.config?.validateResourceMatchesServer) {
+      if (!resource) {
+        throw new InvalidRequestError("Resource parameter is required when server URL validation is enabled");
+      }
+      
+      const canonicalServerUrl = resourceUrlFromServerUrl(this.config.serverUrl!);
+      
+      if (resource !== canonicalServerUrl) {
+        throw new InvalidTargetError(
+          `Resource parameter '${resource}' does not match this server's URL '${canonicalServerUrl}'`
+        );
+      }
+    } else if (!resource) {
+      // Always log warning if resource is missing (unless validation is enabled)
+      console.warn(`Token refresh request from client ${client.client_id} is missing the resource parameter. Consider migrating to RFC 8707.`);
+    }
+    
+    // Additional validation: check if client is allowed to access the resource
     if (resource) {
       await this.validateResource(client, resource);
     }
@@ -204,13 +301,13 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
 }
 
 
-export const setupAuthServer = (authServerUrl: URL): OAuthMetadata => {
+export const setupAuthServer = (authServerUrl: URL, config?: DemoOAuthProviderConfig): OAuthMetadata => {
   // Create separate auth server app
   // NOTE: This is a separate app on a separate port to illustrate
   // how to separate an OAuth Authorization Server from a Resource
   // server in the SDK. The SDK is not intended to be provide a standalone
   // authorization server.
-  const provider = new DemoInMemoryAuthProvider();
+  const provider = new DemoInMemoryAuthProvider(config);
   const authApp = express();
   authApp.use(express.json());
   // For introspection requests
diff --git a/src/examples/server/simpleStreamableHttp.ts b/src/examples/server/simpleStreamableHttp.ts
index ebe31920f..65b6263ec 100644
--- a/src/examples/server/simpleStreamableHttp.ts
+++ b/src/examples/server/simpleStreamableHttp.ts
@@ -282,7 +282,12 @@ if (useOAuth) {
   const mcpServerUrl = new URL(`http://localhost:${MCP_PORT}`);
   const authServerUrl = new URL(`http://localhost:${AUTH_PORT}`);
 
-  const oauthMetadata: OAuthMetadata = setupAuthServer(authServerUrl);
+  // Configure the demo auth provider to validate resources match this server
+  const demoProviderConfig = {
+    serverUrl: mcpServerUrl.href,
+    validateResourceMatchesServer: false // Set to true to enable strict validation
+  };
+  const oauthMetadata: OAuthMetadata = setupAuthServer(authServerUrl, demoProviderConfig);
 
   const tokenVerifier = {
     verifyAccessToken: async (token: string) => {
diff --git a/src/server/auth/handlers/authorize.config.test.ts b/src/server/auth/handlers/authorize.config.test.ts
deleted file mode 100644
index f0736da21..000000000
--- a/src/server/auth/handlers/authorize.config.test.ts
+++ /dev/null
@@ -1,360 +0,0 @@
-import express from "express";
-import request from "supertest";
-import { authorizationHandler } from "./authorize.js";
-import { OAuthServerProvider } from "../provider.js";
-import { OAuthServerConfig } from "../types.js";
-
-describe("Authorization handler with config", () => {
-  let app: express.Application;
-  let mockProvider: jest.Mocked<OAuthServerProvider>;
-  
-  beforeEach(() => {
-    app = express();
-    
-    const mockClientsStore = {
-      getClient: jest.fn(),
-      registerClient: jest.fn(),
-    };
-    
-    mockProvider = {
-      clientsStore: mockClientsStore,
-      authorize: jest.fn(),
-      exchangeAuthorizationCode: jest.fn(),
-      exchangeRefreshToken: jest.fn(),
-      challengeForAuthorizationCode: jest.fn(),
-      verifyAccessToken: jest.fn(),
-    } as jest.Mocked<OAuthServerProvider>;
-  });
-
-  describe("validateResourceMatchesServer configuration", () => {
-    it("should throw error when validateResourceMatchesServer is true but serverUrl is not set", () => {
-      const invalidConfig: OAuthServerConfig = {
-        validateResourceMatchesServer: true
-        // serverUrl is missing
-      };
-
-      expect(() => {
-        authorizationHandler({ 
-          provider: mockProvider,
-          config: invalidConfig 
-        });
-      }).toThrow("serverUrl must be configured when validateResourceMatchesServer is true");
-    });
-  });
-
-  describe("server URL validation (validateResourceMatchesServer: true)", () => {
-    const serverValidationConfig: OAuthServerConfig = {
-      serverUrl: "https://api.example.com/mcp",
-      validateResourceMatchesServer: true
-    };
-
-    beforeEach(() => {
-      app.use("/oauth/authorize", authorizationHandler({ 
-        provider: mockProvider,
-        config: serverValidationConfig 
-      }));
-    });
-
-    it("should reject requests without resource parameter", async () => {
-      const mockClient = {
-        client_id: "test-client",
-        client_name: "Test Client",
-        redirect_uris: ["https://example.com/callback"],
-        grant_types: ["authorization_code"],
-        response_types: ["code"],
-        scope: "read write",
-        token_endpoint_auth_method: "none",
-      };
-
-      (mockProvider.clientsStore.getClient as jest.Mock).mockResolvedValue(mockClient);
-
-      const response = await request(app)
-        .get("/oauth/authorize")
-        .query({
-          client_id: "test-client",
-          redirect_uri: "https://example.com/callback",
-          response_type: "code",
-          code_challenge: "test-challenge",
-          code_challenge_method: "S256",
-          state: "test-state"
-        });
-
-      expect(response.status).toBe(302);
-      expect(response.headers.location).toContain("error=invalid_request");
-      expect(response.headers.location).toContain("Resource+parameter+is+required+when+server+URL+validation+is+enabled");
-    });
-
-    it("should accept requests with resource parameter", async () => {
-      const mockClient = {
-        client_id: "test-client",
-        client_name: "Test Client",
-        redirect_uris: ["https://example.com/callback"],
-        grant_types: ["authorization_code"],
-        response_types: ["code"],
-        scope: "read write",
-        token_endpoint_auth_method: "none",
-      };
-
-      (mockProvider.clientsStore.getClient as jest.Mock).mockResolvedValue(mockClient);
-      mockProvider.authorize.mockImplementation(async (client, params, res) => {
-        res.redirect(`https://example.com/callback?code=auth-code&state=${params.state}`);
-      });
-
-      const response = await request(app)
-        .get("/oauth/authorize")
-        .query({
-          client_id: "test-client",
-          redirect_uri: "https://example.com/callback",
-          response_type: "code",
-          code_challenge: "test-challenge",
-          code_challenge_method: "S256",
-          state: "test-state",
-          resource: "https://api.example.com/mcp"
-        });
-
-      expect(response.status).toBe(302);
-      expect(response.headers.location).toContain("code=auth-code");
-      expect(mockProvider.authorize).toHaveBeenCalledWith(
-        mockClient,
-        expect.objectContaining({
-          resource: "https://api.example.com/mcp"
-        }),
-        expect.any(Object)
-      );
-    });
-  });
-
-  describe("warning mode (default behavior)", () => {
-    const warnConfig: OAuthServerConfig = {
-      // No configuration needed - warnings are always enabled by default
-    };
-
-    let consoleWarnSpy: jest.SpyInstance;
-
-    beforeEach(() => {
-      consoleWarnSpy = jest.spyOn(console, "warn").mockImplementation();
-      app.use("/oauth/authorize", authorizationHandler({ 
-        provider: mockProvider,
-        config: warnConfig 
-      }));
-    });
-
-    afterEach(() => {
-      consoleWarnSpy.mockRestore();
-    });
-
-    it("should log warning when resource is missing", async () => {
-      const mockClient = {
-        client_id: "test-client",
-        client_name: "Test Client",
-        redirect_uris: ["https://example.com/callback"],
-        grant_types: ["authorization_code"],
-        response_types: ["code"],
-        scope: "read write",
-        token_endpoint_auth_method: "none",
-      };
-
-      (mockProvider.clientsStore.getClient as jest.Mock).mockResolvedValue(mockClient);
-      mockProvider.authorize.mockImplementation(async (client, params, res) => {
-        res.redirect(`https://example.com/callback?code=auth-code&state=${params.state}`);
-      });
-
-      await request(app)
-        .get("/oauth/authorize")
-        .query({
-          client_id: "test-client",
-          redirect_uri: "https://example.com/callback",
-          response_type: "code",
-          code_challenge: "test-challenge",
-          code_challenge_method: "S256",
-          state: "test-state"
-        });
-
-      expect(consoleWarnSpy).toHaveBeenCalledWith(
-        expect.stringContaining("test-client is missing the resource parameter")
-      );
-    });
-
-    it("should not log warning when resource is present", async () => {
-      const mockClient = {
-        client_id: "test-client",
-        client_name: "Test Client",
-        redirect_uris: ["https://example.com/callback"],
-        grant_types: ["authorization_code"],
-        response_types: ["code"],
-        scope: "read write",
-        token_endpoint_auth_method: "none",
-      };
-
-      (mockProvider.clientsStore.getClient as jest.Mock).mockResolvedValue(mockClient);
-      mockProvider.authorize.mockImplementation(async (client, params, res) => {
-        res.redirect(`https://example.com/callback?code=auth-code&state=${params.state}`);
-      });
-
-      await request(app)
-        .get("/oauth/authorize")
-        .query({
-          client_id: "test-client",
-          redirect_uri: "https://example.com/callback",
-          response_type: "code",
-          code_challenge: "test-challenge",
-          code_challenge_method: "S256",
-          state: "test-state",
-          resource: "https://api.example.com/mcp"
-        });
-
-      expect(consoleWarnSpy).not.toHaveBeenCalled();
-    });
-  });
-
-  // Note: No silent mode test anymore - warnings are always enabled
-
-  describe("server URL validation (validateResourceMatchesServer: true)", () => {
-    const serverValidationConfig: OAuthServerConfig = {
-      serverUrl: "https://api.example.com/mcp",
-      validateResourceMatchesServer: true
-    };
-
-    beforeEach(() => {
-      app.use("/oauth/authorize", authorizationHandler({ 
-        provider: mockProvider,
-        config: serverValidationConfig 
-      }));
-    });
-
-    it("should accept requests when resource matches server URL", async () => {
-      const mockClient = {
-        client_id: "test-client",
-        client_name: "Test Client",
-        redirect_uris: ["https://example.com/callback"],
-        grant_types: ["authorization_code"],
-        response_types: ["code"],
-        scope: "read write",
-        token_endpoint_auth_method: "none",
-      };
-
-      (mockProvider.clientsStore.getClient as jest.Mock).mockResolvedValue(mockClient);
-      mockProvider.authorize.mockImplementation(async (client, params, res) => {
-        res.redirect(`https://example.com/callback?code=auth-code&state=${params.state}`);
-      });
-
-      const response = await request(app)
-        .get("/oauth/authorize")
-        .query({
-          client_id: "test-client",
-          redirect_uri: "https://example.com/callback",
-          response_type: "code",
-          code_challenge: "test-challenge",
-          code_challenge_method: "S256",
-          state: "test-state",
-          resource: "https://api.example.com/mcp"
-        });
-
-      expect(response.status).toBe(302);
-      expect(response.headers.location).toContain("code=auth-code");
-    });
-
-    it("should reject requests when resource does not match server URL", async () => {
-      const mockClient = {
-        client_id: "test-client",
-        client_name: "Test Client",
-        redirect_uris: ["https://example.com/callback"],
-        grant_types: ["authorization_code"],
-        response_types: ["code"],
-        scope: "read write",
-        token_endpoint_auth_method: "none",
-      };
-
-      (mockProvider.clientsStore.getClient as jest.Mock).mockResolvedValue(mockClient);
-
-      const response = await request(app)
-        .get("/oauth/authorize")
-        .query({
-          client_id: "test-client",
-          redirect_uri: "https://example.com/callback",
-          response_type: "code",
-          code_challenge: "test-challenge",
-          code_challenge_method: "S256",
-          state: "test-state",
-          resource: "https://different.api.com/mcp"
-        });
-
-      expect(response.status).toBe(302);
-      expect(response.headers.location).toContain("error=invalid_target");
-      expect(response.headers.location).toContain("does+not+match+this+server");
-    });
-
-    it("should reject requests without resource parameter when validation is enabled", async () => {
-      const mockClient = {
-        client_id: "test-client",
-        client_name: "Test Client",
-        redirect_uris: ["https://example.com/callback"],
-        grant_types: ["authorization_code"],
-        response_types: ["code"],
-        scope: "read write",
-        token_endpoint_auth_method: "none",
-      };
-
-      (mockProvider.clientsStore.getClient as jest.Mock).mockResolvedValue(mockClient);
-
-      const response = await request(app)
-        .get("/oauth/authorize")
-        .query({
-          client_id: "test-client",
-          redirect_uri: "https://example.com/callback",
-          response_type: "code",
-          code_challenge: "test-challenge",
-          code_challenge_method: "S256",
-          state: "test-state"
-        });
-
-      expect(response.status).toBe(302);
-      expect(response.headers.location).toContain("error=invalid_request");
-      expect(response.headers.location).toContain("Resource+parameter+is+required+when+server+URL+validation+is+enabled");
-    });
-
-    it("should handle server URL with fragment correctly", async () => {
-      // Reconfigure with a server URL that has a fragment (though it shouldn't)
-      const configWithFragment: OAuthServerConfig = {
-        serverUrl: "https://api.example.com/mcp#fragment",
-        validateResourceMatchesServer: true
-      };
-
-      app = express();
-      app.use("/oauth/authorize", authorizationHandler({ 
-        provider: mockProvider,
-        config: configWithFragment 
-      }));
-
-      const mockClient = {
-        client_id: "test-client",
-        client_name: "Test Client",
-        redirect_uris: ["https://example.com/callback"],
-        grant_types: ["authorization_code"],
-        response_types: ["code"],
-        scope: "read write",
-        token_endpoint_auth_method: "none",
-      };
-
-      (mockProvider.clientsStore.getClient as jest.Mock).mockResolvedValue(mockClient);
-      mockProvider.authorize.mockImplementation(async (client, params, res) => {
-        res.redirect(`https://example.com/callback?code=auth-code&state=${params.state}`);
-      });
-
-      const response = await request(app)
-        .get("/oauth/authorize")
-        .query({
-          client_id: "test-client",
-          redirect_uri: "https://example.com/callback",
-          response_type: "code",
-          code_challenge: "test-challenge",
-          code_challenge_method: "S256",
-          state: "test-state",
-          resource: "https://api.example.com/mcp" // No fragment
-        });
-
-      expect(response.status).toBe(302);
-      expect(response.headers.location).toContain("code=auth-code");
-    });
-  });
-});
\ No newline at end of file
diff --git a/src/server/auth/handlers/authorize.ts b/src/server/auth/handlers/authorize.ts
index 946c46c9d..f6c862aca 100644
--- a/src/server/auth/handlers/authorize.ts
+++ b/src/server/auth/handlers/authorize.ts
@@ -8,13 +8,10 @@ import {
   InvalidRequestError,
   InvalidClientError,
   InvalidScopeError,
-  InvalidTargetError,
   ServerError,
   TooManyRequestsError,
   OAuthError
 } from "../errors.js";
-import { OAuthServerConfig } from "../types.js";
-import { resourceUrlFromServerUrl } from "../../../shared/auth-utils.js";
 
 export type AuthorizationHandlerOptions = {
   provider: OAuthServerProvider;
@@ -23,10 +20,6 @@ export type AuthorizationHandlerOptions = {
    * Set to false to disable rate limiting for this endpoint.
    */
   rateLimit?: Partial<RateLimitOptions> | false;
-  /**
-   * OAuth server configuration options
-   */
-  config?: OAuthServerConfig;
 };
 
 // Parameters that must be validated in order to issue redirects.
@@ -45,12 +38,7 @@ const RequestAuthorizationParamsSchema = z.object({
   resource: z.string().url().optional(),
 });
 
-export function authorizationHandler({ provider, rateLimit: rateLimitConfig, config }: AuthorizationHandlerOptions): RequestHandler {
-  // Validate configuration
-  if (config?.validateResourceMatchesServer && !config?.serverUrl) {
-    throw new Error("serverUrl must be configured when validateResourceMatchesServer is true");
-  }
-
+export function authorizationHandler({ provider, rateLimit: rateLimitConfig }: AuthorizationHandlerOptions): RequestHandler {
   // Create a router to apply middleware
   const router = express.Router();
   router.use(allowedMethods(["GET", "POST"]));
@@ -131,26 +119,8 @@ export function authorizationHandler({ provider, rateLimit: rateLimitConfig, con
       const { scope, code_challenge, resource } = parseResult.data;
       state = parseResult.data.state;
 
-      // If validateResourceMatchesServer is enabled, resource is required and must match
-      if (config?.validateResourceMatchesServer) {
-        if (!resource) {
-          throw new InvalidRequestError("Resource parameter is required when server URL validation is enabled");
-        }
-        
-        // Remove fragment from server URL if present (though it shouldn't have one)
-        const canonicalServerUrl = resourceUrlFromServerUrl(config.serverUrl!);
-        
-        if (resource !== canonicalServerUrl) {
-          throw new InvalidTargetError(
-            `Resource parameter '${resource}' does not match this server's URL '${canonicalServerUrl}'`
-          );
-        }
-      } else {
-        // Always log warning if resource is missing (unless validation is enabled)
-        if (!resource) {
-          console.warn(`Authorization request from client ${client_id} is missing the resource parameter. Consider migrating to RFC 8707.`);
-        }
-      }
+      // Pass through the resource parameter to the provider
+      // The provider can decide how to validate it
 
       // Validate scopes
       let requestedScopes: string[] = [];
diff --git a/src/server/auth/handlers/token.ts b/src/server/auth/handlers/token.ts
index 7af42d7ad..92fe99218 100644
--- a/src/server/auth/handlers/token.ts
+++ b/src/server/auth/handlers/token.ts
@@ -12,11 +12,8 @@ import {
   UnsupportedGrantTypeError,
   ServerError,
   TooManyRequestsError,
-  OAuthError,
-  InvalidTargetError
+  OAuthError
 } from "../errors.js";
-import { OAuthServerConfig } from "../types.js";
-import { resourceUrlFromServerUrl } from "../../../shared/auth-utils.js";
 
 export type TokenHandlerOptions = {
   provider: OAuthServerProvider;
@@ -25,10 +22,6 @@ export type TokenHandlerOptions = {
    * Set to false to disable rate limiting for this endpoint.
    */
   rateLimit?: Partial<RateLimitOptions> | false;
-  /**
-   * OAuth server configuration options
-   */
-  config?: OAuthServerConfig;
 };
 
 const TokenRequestSchema = z.object({
@@ -48,12 +41,7 @@ const RefreshTokenGrantSchema = z.object({
   resource: z.string().url().optional(),
 });
 
-export function tokenHandler({ provider, rateLimit: rateLimitConfig, config }: TokenHandlerOptions): RequestHandler {
-  // Validate configuration
-  if (config?.validateResourceMatchesServer && !config?.serverUrl) {
-    throw new Error("serverUrl must be configured when validateResourceMatchesServer is true");
-  }
-
+export function tokenHandler({ provider, rateLimit: rateLimitConfig }: TokenHandlerOptions): RequestHandler {
   // Nested router so we can configure middleware and restrict HTTP method
   const router = express.Router();
 
@@ -105,25 +93,8 @@ export function tokenHandler({ provider, rateLimit: rateLimitConfig, config }: T
 
           const { code, code_verifier, redirect_uri, resource } = parseResult.data;
 
-          // If validateResourceMatchesServer is enabled, resource is required and must match
-          if (config?.validateResourceMatchesServer) {
-            if (!resource) {
-              throw new InvalidRequestError("Resource parameter is required when server URL validation is enabled");
-            }
-            
-            const canonicalServerUrl = resourceUrlFromServerUrl(config.serverUrl!);
-            
-            if (resource !== canonicalServerUrl) {
-              throw new InvalidTargetError(
-                `Resource parameter '${resource}' does not match this server's URL '${canonicalServerUrl}'`
-              );
-            }
-          } else {
-            // Always log warning if resource is missing (unless validation is enabled)
-            if (!resource) {
-              console.warn(`Token exchange request from client ${client.client_id} is missing the resource parameter. Consider migrating to RFC 8707.`);
-            }
-          }
+          // Pass through the resource parameter to the provider
+          // The provider can decide how to validate it
 
           const skipLocalPkceValidation = provider.skipLocalPkceValidation;
 
@@ -156,25 +127,8 @@ export function tokenHandler({ provider, rateLimit: rateLimitConfig, config }: T
 
           const { refresh_token, scope, resource } = parseResult.data;
 
-          // If validateResourceMatchesServer is enabled, resource is required and must match
-          if (config?.validateResourceMatchesServer) {
-            if (!resource) {
-              throw new InvalidRequestError("Resource parameter is required when server URL validation is enabled");
-            }
-            
-            const canonicalServerUrl = resourceUrlFromServerUrl(config.serverUrl!);
-            
-            if (resource !== canonicalServerUrl) {
-              throw new InvalidTargetError(
-                `Resource parameter '${resource}' does not match this server's URL '${canonicalServerUrl}'`
-              );
-            }
-          } else {
-            // Always log warning if resource is missing (unless validation is enabled)
-            if (!resource) {
-              console.warn(`Token refresh request from client ${client.client_id} is missing the resource parameter. Consider migrating to RFC 8707.`);
-            }
-          }
+          // Pass through the resource parameter to the provider
+          // The provider can decide how to validate it
 
           const scopes = scope?.split(" ");
           const tokens = await provider.exchangeRefreshToken(client, refresh_token, scopes, resource);
diff --git a/src/server/auth/types.ts b/src/server/auth/types.ts
index 33ba3f865..c25c2b602 100644
--- a/src/server/auth/types.ts
+++ b/src/server/auth/types.ts
@@ -27,37 +27,4 @@ export interface AuthInfo {
    * This field should be used for any additional data that needs to be attached to the auth info.
   */
   extra?: Record<string, unknown>;
-}
-
-/**
- * Configuration options for OAuth server behavior
- */
-export interface OAuthServerConfig {
-  /**
-   * The canonical URL of this MCP server. When provided, the server will validate
-   * that the resource parameter in OAuth requests matches this URL.
-   * 
-   * This should be the full URL that clients use to connect to this server,
-   * without any fragment component (e.g., "https://api.example.com/mcp").
-   * 
-   * Required when validateResourceMatchesServer is true.
-   */
-  serverUrl?: string;
-
-  /**
-   * If true, validates that the resource parameter matches the configured serverUrl.
-   * 
-   * When enabled:
-   * - serverUrl must be configured (throws error if not)
-   * - resource parameter is required on all requests
-   * - resource must exactly match serverUrl (after fragment removal)
-   * - requests without resource parameter will be rejected with invalid_request error
-   * - requests with non-matching resource will be rejected with invalid_target error
-   * 
-   * When disabled:
-   * - warnings are logged when resource parameter is missing (for migration tracking)
-   * 
-   * @default false
-   */
-  validateResourceMatchesServer?: boolean;
 }
\ No newline at end of file

From 5a8af45c09a9b75da06e372817ed9c9b89b3ee10 Mon Sep 17 00:00:00 2001
From: cliffhall <cliff@futurescale.com>
Date: Mon, 16 Jun 2025 16:34:46 -0400
Subject: [PATCH 064/147] In src/examples/server/simpleStreamableHttp.ts   - In
  mcpPostHandler,     - Get `mcp-session-id` header early so that it can be
 reported in every incoming request.     - Helpful for troubleshooting
 Inspector's ability to retain the session id for the Proxy <-> Server leg

---
 src/examples/server/simpleStreamableHttp.ts | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/src/examples/server/simpleStreamableHttp.ts b/src/examples/server/simpleStreamableHttp.ts
index ebe31920f..dfc1f1979 100644
--- a/src/examples/server/simpleStreamableHttp.ts
+++ b/src/examples/server/simpleStreamableHttp.ts
@@ -178,10 +178,10 @@ const getServer = () => {
   server.registerResource(
     'example-file-1',
     'file:///example/file1.txt',
-    { 
+    {
       title: 'Example File 1',
       description: 'First example file for ResourceLink demonstration',
-      mimeType: 'text/plain' 
+      mimeType: 'text/plain'
     },
     async (): Promise<ReadResourceResult> => {
       return {
@@ -198,10 +198,10 @@ const getServer = () => {
   server.registerResource(
     'example-file-2',
     'file:///example/file2.txt',
-    { 
+    {
       title: 'Example File 2',
       description: 'Second example file for ResourceLink demonstration',
-      mimeType: 'text/plain' 
+      mimeType: 'text/plain'
     },
     async (): Promise<ReadResourceResult> => {
       return {
@@ -338,15 +338,13 @@ const transports: { [sessionId: string]: StreamableHTTPServerTransport } = {};
 
 // MCP POST endpoint with optional auth
 const mcpPostHandler = async (req: Request, res: Response) => {
-  console.log('Received MCP request:', req.body);
+  const sessionId = req.headers['mcp-session-id'] as string | undefined;
+  console.log(sessionId? `Received MCP request for session: ${sessionId}`: 'Received MCP request:', req.body);
   if (useOAuth && req.auth) {
     console.log('Authenticated user:', req.auth);
   }
   try {
-    // Check for existing session ID
-    const sessionId = req.headers['mcp-session-id'] as string | undefined;
     let transport: StreamableHTTPServerTransport;
-
     if (sessionId && transports[sessionId]) {
       // Reuse existing transport
       transport = transports[sessionId];

From e542ec1989636987867ea082adb0e0b8eab88c91 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Mon, 16 Jun 2025 21:38:00 +0100
Subject: [PATCH 065/147] docs: update PR description to clarify server-side
 validation is in demo provider
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Clarify that core server handlers only pass through resource parameter
- Emphasize that server URL validation is demonstrated in the demo provider
- Update issue references to show #592 is fixed, #635 is related
- Update examples to show DemoOAuthProviderConfig usage

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 CLAUDE.local.md   | 125 ++++++++++++++++++++++++++++++++++++++++++++++
 PR-DESCRIPTION.md | 111 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 236 insertions(+)
 create mode 100644 CLAUDE.local.md
 create mode 100644 PR-DESCRIPTION.md

diff --git a/CLAUDE.local.md b/CLAUDE.local.md
new file mode 100644
index 000000000..9a43ac7ca
--- /dev/null
+++ b/CLAUDE.local.md
@@ -0,0 +1,125 @@
+# RFC 8707 Resource Indicators Implementation for MCP TypeScript SDK
+
+This PR implements RFC 8707 (Resource Indicators for OAuth 2.0) in the MCP TypeScript SDK, addressing critical security vulnerabilities and adding resource-scoped authorization support.
+
+## Issues Addressed
+
+- **Fixes #592**: Implements client-side resource parameter passing to prevent token confusion attacks
+- **Related to #635**: Demonstrates server-side RFC 8707 validation in the demo OAuth provider
+
+## Overview
+
+This implementation adds resource parameter support to MCP's OAuth flow, explicitly binding access tokens to specific MCP servers. This prevents malicious servers from stealing OAuth tokens intended for other services.
+
+## Implementation Summary
+
+### 1. Core Auth Infrastructure
+
+#### Client-Side Changes (`src/client/`)
+- **auth.ts**: Added resource parameter support to authorization and token exchange flows
+- **Transport layers** (sse.ts, streamableHttp.ts): Automatically extract canonical server URIs for resource parameter
+
+#### Server-Side Changes (`src/server/auth/`)
+- **handlers/**: Updated authorize and token handlers to accept and pass through resource parameters
+- **provider.ts**: Extended provider interface to support resource parameters
+- **errors.ts**: Added `InvalidTargetError` for RFC 8707 compliance
+
+#### Shared Utilities (`src/shared/`)
+- **auth-utils.ts**: Created utilities for resource URI validation and canonicalization
+- **auth.ts**: Updated OAuth schemas to include resource parameter
+
+### 2. Demo OAuth Provider Enhancement (`src/examples/server/`)
+
+The demo provider demonstrates how to implement RFC 8707 validation:
+- Optional resource validation during authorization (via `DemoOAuthProviderConfig`)
+- Resource consistency checks during token exchange
+- Resource information included in token introspection
+- Support for validating resources against a configured server URL
+- Client-specific resource allowlists
+
+### 3. Resource URI Requirements
+
+Resource URIs follow RFC 8707 requirements:
+- **MUST NOT** include fragments (automatically removed by the SDK)
+- The SDK preserves all other URL components (scheme, host, port, path, query) exactly as provided
+- No additional canonicalization is performed to maintain compatibility with various server configurations
+
+## Client vs Server Implementation Differences
+
+### Client-Side Implementation
+- **Automatic resource extraction**: Transports automatically determine the server URI for resource parameter
+- **Transparent integration**: Resource parameter is added without changing existing auth APIs
+- **Fragment removal**: Fragments are automatically removed from URIs per RFC 8707
+- **Focus**: Ensuring resource parameter is correctly included in all OAuth requests
+
+### Server-Side Implementation
+- **Core handlers**: Pass through resource parameter without validation
+- **Demo provider**: Shows how to implement resource validation
+- **Provider flexibility**: Auth providers decide how to enforce resource restrictions
+- **Backward compatibility**: Servers work with clients that don't send resource parameter
+- **Focus**: Demonstrating best practices for resource validation
+
+## Testing Approach Differences
+
+### Client-Side Tests
+- **Unit tests**: Verify resource parameter is included in auth URLs and token requests
+- **Validation tests**: Ensure resource URI validation and canonicalization work correctly
+- **Integration focus**: Test interaction between transport layer and auth module
+
+### Server-Side Tests
+- **Handler tests**: Verify resource parameter is accepted and passed to providers
+- **Demo provider tests**: Comprehensive tests for server URL validation and client-specific allowlists
+- **Security tests**: Verify invalid resources are rejected with proper errors
+- **Configuration tests**: Test various demo provider configurations
+- **End-to-end tests**: Full OAuth flow with resource validation
+
+## Security Considerations
+
+1. **Token Binding**: Tokens are explicitly bound to the resource they're intended for
+2. **Validation**: Both client and server validate resource URIs to prevent attacks
+3. **Consistency**: Resource must match between authorization and token exchange
+4. **Introspection**: Resource information is included in token introspection responses
+
+## Migration Guide
+
+### For Client Developers
+No changes required - the SDK automatically includes the resource parameter based on the server URL.
+
+### For Server Developers
+1. Core server handlers automatically pass through the resource parameter
+2. Custom auth providers can implement resource validation as shown in the demo provider
+3. Demo provider configuration options:
+   - `serverUrl`: The canonical URL of the MCP server
+   - `validateResourceMatchesServer`: Enable strict resource validation
+4. Return `invalid_target` error for unauthorized resources
+5. Include resource in token introspection responses
+
+## Example Usage
+
+```typescript
+// Client automatically includes resource parameter
+const transport = new StreamableHttpClientTransport(
+  'https://api.example.com/mcp',
+  authProvider
+);
+
+// Demo provider configuration with resource validation
+const demoProviderConfig = {
+  serverUrl: 'https://api.example.com/mcp',
+  validateResourceMatchesServer: true  // Makes resource required and validates it
+};
+const provider = new DemoInMemoryAuthProvider(demoProviderConfig);
+```
+
+## Future Enhancements
+
+1. Add support for multiple resource parameters (RFC 8707 allows arrays)
+2. Implement resource-specific scope restrictions
+3. Add telemetry for resource parameter usage
+4. Create migration tooling for existing deployments
+
+## References
+
+- [RFC 8707 - Resource Indicators for OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc8707)
+- [OAuth 2.0 Security Best Current Practice](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics)
+- [MCP Issue #544 - Security Vulnerability](https://github.com/modelcontextprotocol/modelcontextprotocol/issues/544)
\ No newline at end of file
diff --git a/PR-DESCRIPTION.md b/PR-DESCRIPTION.md
new file mode 100644
index 000000000..b4e48cbd2
--- /dev/null
+++ b/PR-DESCRIPTION.md
@@ -0,0 +1,111 @@
+# RFC 8707 Resource Indicators Implementation
+
+<!-- Provide a brief summary of your changes -->
+Implements RFC 8707 (Resource Indicators for OAuth 2.0) support in the MCP TypeScript SDK. This adds the `resource` parameter to OAuth authorization and token exchange flows, allowing access tokens to be explicitly bound to specific MCP servers. The implementation includes automatic resource extraction in client transports, server-side parameter passing, and demonstrates resource validation in the demo OAuth provider.
+
+(Fixes #592, Related to #635)
+
+## Motivation and Context
+<!-- Why is this change needed? What problem does it solve? -->
+This change addresses critical security vulnerabilities identified in https://github.com/modelcontextprotocol/modelcontextprotocol/issues/544. Without resource indicators, OAuth tokens intended for one MCP server could be stolen and misused by malicious servers. RFC 8707 prevents these token confusion attacks by explicitly binding tokens to their intended resources.
+
+Key problems solved:
+- Prevents token theft/confusion attacks where a malicious MCP server steals tokens meant for other services
+- Enables fine-grained access control by restricting OAuth clients to specific resources
+- Improves security posture by following OAuth 2.0 Security Best Current Practice recommendations
+
+## How Has This Been Tested?
+<!-- Have you tested this in a real application? Which scenarios were tested? -->
+Comprehensive test coverage has been added:
+
+**Client-side testing:**
+- Unit tests verify resource parameter inclusion in authorization URLs and token requests (512 new lines in auth.test.ts)
+- Transport layer tests ensure automatic resource extraction works correctly
+- Fragment removal and URI validation tests
+
+**Server-side testing:**
+- Authorization handler tests for resource parameter acceptance
+- Token handler tests for resource parameter passing
+- Demo provider tests for resource restrictions and validation (including server URL validation)
+- Proxy provider tests for resource parameter forwarding
+
+**Integration testing:**
+- End-to-end OAuth flow with resource validation
+- Resource validation example demonstrating real-world usage patterns
+- Tests for both clients with and without resource restrictions
+
+## Breaking Changes
+
+While the change is breaking at a protocol level, it should not require code changes from SDK users (just SDK version bumping).
+
+- **Client developers**: No code changes required. The SDK automatically extracts and includes the resource parameter from the server URL
+- **Server developers**: The core server handlers now pass through the resource parameter. Resource validation is demonstrated in the demo provider but remains optional for custom providers
+- **Auth providers**: Should be updated to accept and handle the resource parameter. The demo provider shows how to implement server URL validation and client-specific resource restrictions
+
+## Types of changes
+<!-- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
+- [x] Bug fix (non-breaking change which fixes an issue)
+- [x] New feature (non-breaking change which adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to change)
+- [ ] Documentation update
+
+## Checklist
+<!-- Go over all the following points, and put an `x` in all the boxes that apply. -->
+- [x] I have read the [MCP Documentation](https://modelcontextprotocol.io)
+- [x] My code follows the repository's style guidelines
+- [x] New and existing tests pass locally
+- [x] I have added appropriate error handling
+- [x] I have added or updated documentation as needed
+
+## Additional context
+<!-- Add any other context, implementation notes, or design decisions -->
+
+### Server-Side Implementation Approach
+
+The core server implementation focuses on passing through the resource parameter without enforcing validation, maintaining backward compatibility and flexibility. The demo provider demonstrates how to implement RFC 8707 validation:
+
+1. **Core Server**: Handlers accept and forward the resource parameter to auth providers without validation
+2. **Demo Provider**: Shows how to implement comprehensive resource validation including:
+   - Server URL matching validation (configurable via `DemoOAuthProviderConfig`)
+   - Client-specific resource allowlists
+   - Warning logs for missing resource parameters
+   - Consistent resource validation between authorization and token exchange
+
+This separation allows:
+- Existing providers to continue working without modification
+- New providers to implement validation according to their security requirements
+- Gradual migration to RFC 8707 compliance
+- Different validation strategies for different deployment scenarios
+
+### Implementation Approach
+
+Resource URIs are used as-is with only fragment removal (per RFC requirement). This allows having different MCP servers under different subpaths (even w/ different query URLs) w/o sharing spilling their resource authorization to each other (to allow a variety of MCP server federation use cases).
+
+### Key Components Added
+1. **Shared utilities** (`auth-utils.ts`): Resource URI handling and validation
+2. **Client auth** modifications: Resource parameter support in authorization/token flows
+3. **Transport layers**: Automatic resource extraction from server URLs
+4. **Server handlers**: Resource parameter acceptance and forwarding
+5. **Demo provider**: Full RFC 8707 implementation with resource validation
+6. **Error handling**: New `InvalidTargetError` for RFC 8707 compliance
+
+### Example Usage
+```typescript
+// Client-side (automatic)
+const transport = new StreamableHttpClientTransport(
+  'https://api.example.com/mcp',
+  authProvider
+);
+
+// Demo provider configuration with validation
+const demoProviderConfig = {
+  serverUrl: 'https://api.example.com/mcp',
+  validateResourceMatchesServer: true  // Makes resource required and validates it matches serverUrl
+};
+const provider = new DemoInMemoryAuthProvider(demoProviderConfig);
+```
+
+### References
+- [RFC 8707 - Resource Indicators for OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc8707)
+- Fixes #592: OAuth token confusion vulnerability - client-side resource parameter support
+- Related to #635: Demonstrates server-side RFC 8707 validation in demo provider
\ No newline at end of file

From 6656d23d84cd9058dc8f8cfdd23a1a343a0d1a92 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Mon, 16 Jun 2025 22:56:55 +0100
Subject: [PATCH 066/147] Simplify demo in-memory oauth provider

Co-Authored-By: Claude <noreply@anthropic.com>
---
 .../server/demoInMemoryOAuthProvider.ts       | 148 ++++--------------
 src/server/auth/types.ts                      |   6 +
 2 files changed, 33 insertions(+), 121 deletions(-)

diff --git a/src/examples/server/demoInMemoryOAuthProvider.ts b/src/examples/server/demoInMemoryOAuthProvider.ts
index 2f0e35392..3672c3e0a 100644
--- a/src/examples/server/demoInMemoryOAuthProvider.ts
+++ b/src/examples/server/demoInMemoryOAuthProvider.ts
@@ -9,44 +9,17 @@ import { InvalidTargetError, InvalidRequestError } from '../../server/auth/error
 import { resourceUrlFromServerUrl } from '../../shared/auth-utils.js';
 
 
-interface ExtendedClientInformation extends OAuthClientInformationFull {
-  allowed_resources?: string[];
-}
-
 export class DemoInMemoryClientsStore implements OAuthRegisteredClientsStore {
-  private clients = new Map<string, ExtendedClientInformation>();
+  private clients = new Map<string, OAuthClientInformationFull>();
 
   async getClient(clientId: string) {
     return this.clients.get(clientId);
   }
 
-  async registerClient(clientMetadata: OAuthClientInformationFull & { allowed_resources?: string[] }) {
+  async registerClient(clientMetadata: OAuthClientInformationFull) {
     this.clients.set(clientMetadata.client_id, clientMetadata);
     return clientMetadata;
   }
-
-  /**
-   * Demo method to set allowed resources for a client
-   */
-  setAllowedResources(clientId: string, resources: string[]) {
-    const client = this.clients.get(clientId);
-    if (client) {
-      client.allowed_resources = resources;
-    }
-  }
-}
-
-/**
- * 🚨 DEMO ONLY - NOT FOR PRODUCTION
- *
- * This example demonstrates MCP OAuth flow but lacks some of the features required for production use,
- * for example:
- * - Persistent token storage
- * - Rate limiting
- */
-interface ExtendedAuthInfo extends AuthInfo {
-  resource?: string;
-  type?: string;
 }
 
 /**
@@ -87,7 +60,7 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
   private codes = new Map<string, {
     params: AuthorizationParams,
     client: OAuthClientInformationFull}>();
-  private tokens = new Map<string, ExtendedAuthInfo>();
+  private tokens = new Map<string, AuthInfo>();
   private config?: DemoOAuthProviderConfig;
 
   constructor(config?: DemoOAuthProviderConfig) {
@@ -102,29 +75,7 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
     params: AuthorizationParams,
     res: Response
   ): Promise<void> {
-    // Validate resource parameter based on configuration
-    if (this.config?.validateResourceMatchesServer) {
-      if (!params.resource) {
-        throw new InvalidRequestError("Resource parameter is required when server URL validation is enabled");
-      }
-      
-      // Remove fragment from server URL if present (though it shouldn't have one)
-      const canonicalServerUrl = resourceUrlFromServerUrl(this.config.serverUrl!);
-      
-      if (params.resource !== canonicalServerUrl) {
-        throw new InvalidTargetError(
-          `Resource parameter '${params.resource}' does not match this server's URL '${canonicalServerUrl}'`
-        );
-      }
-    } else if (!params.resource) {
-      // Always log warning if resource is missing (unless validation is enabled)
-      console.warn(`Authorization request from client ${client.client_id} is missing the resource parameter. Consider migrating to RFC 8707.`);
-    }
-    
-    // Additional validation: check if client is allowed to access the resource
-    if (params.resource) {
-      await this.validateResource(client, params.resource);
-    }
+    await this.validateResource(params.resource);
 
     const code = randomUUID();
 
@@ -164,9 +115,7 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
     authorizationCode: string,
     // Note: code verifier is checked in token.ts by default
     // it's unused here for that reason.
-    _codeVerifier?: string,
-    _redirectUri?: string,
-    resource?: string
+    _codeVerifier?: string
   ): Promise<OAuthTokens> {
     const codeData = this.codes.get(authorizationCode);
     if (!codeData) {
@@ -177,44 +126,18 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
       throw new Error(`Authorization code was not issued to this client, ${codeData.client.client_id} != ${client.client_id}`);
     }
 
-    // Validate resource parameter based on configuration
-    if (this.config?.validateResourceMatchesServer) {
-      if (!resource) {
-        throw new InvalidRequestError("Resource parameter is required when server URL validation is enabled");
-      }
-      
-      const canonicalServerUrl = resourceUrlFromServerUrl(this.config.serverUrl!);
-      
-      if (resource !== canonicalServerUrl) {
-        throw new InvalidTargetError(
-          `Resource parameter '${resource}' does not match this server's URL '${canonicalServerUrl}'`
-        );
-      }
-    } else if (!resource) {
-      // Always log warning if resource is missing (unless validation is enabled)
-      console.warn(`Token exchange request from client ${client.client_id} is missing the resource parameter. Consider migrating to RFC 8707.`);
-    }
-
-    // Validate that the resource matches what was authorized
-    if (resource !== codeData.params.resource) {
-      throw new InvalidTargetError('Resource parameter does not match the authorized resource');
-    }
-
-    // If resource was specified during authorization, validate it's still allowed
-    if (codeData.params.resource) {
-      await this.validateResource(client, codeData.params.resource);
-    }
+    await this.validateResource(codeData.params.resource);
 
     this.codes.delete(authorizationCode);
     const token = randomUUID();
 
-    const tokenData: ExtendedAuthInfo = {
+    const tokenData = {
       token,
       clientId: client.client_id,
       scopes: codeData.params.scopes || [],
       expiresAt: Date.now() + 3600000, // 1 hour
+      resource: codeData.params.resource,
       type: 'access',
-      resource: codeData.params.resource
     };
 
     this.tokens.set(token, tokenData);
@@ -233,28 +156,6 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
     _scopes?: string[],
     resource?: string
   ): Promise<OAuthTokens> {
-    // Validate resource parameter based on configuration
-    if (this.config?.validateResourceMatchesServer) {
-      if (!resource) {
-        throw new InvalidRequestError("Resource parameter is required when server URL validation is enabled");
-      }
-      
-      const canonicalServerUrl = resourceUrlFromServerUrl(this.config.serverUrl!);
-      
-      if (resource !== canonicalServerUrl) {
-        throw new InvalidTargetError(
-          `Resource parameter '${resource}' does not match this server's URL '${canonicalServerUrl}'`
-        );
-      }
-    } else if (!resource) {
-      // Always log warning if resource is missing (unless validation is enabled)
-      console.warn(`Token refresh request from client ${client.client_id} is missing the resource parameter. Consider migrating to RFC 8707.`);
-    }
-    
-    // Additional validation: check if client is allowed to access the resource
-    if (resource) {
-      await this.validateResource(client, resource);
-    }
     throw new Error('Refresh tokens not implemented for example demo');
   }
 
@@ -263,12 +164,14 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
     if (!tokenData || !tokenData.expiresAt || tokenData.expiresAt < Date.now()) {
       throw new Error('Invalid or expired token');
     }
+    await this.validateResource(tokenData.resource);
 
     return {
       token,
       clientId: tokenData.clientId,
       scopes: tokenData.scopes,
       expiresAt: Math.floor(tokenData.expiresAt / 1000),
+      resource: tokenData.resource,
     };
   }
 
@@ -276,26 +179,29 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
    * Validates that the client is allowed to access the requested resource.
    * In a real implementation, this would check against a database or configuration.
    */
-  private async validateResource(client: OAuthClientInformationFull, resource: string): Promise<void> {
-    const extendedClient = client as ExtendedClientInformation;
-    
-    // If no resources are configured, allow any resource (for demo purposes)
-    if (!extendedClient.allowed_resources) {
-      return;
-    }
-
-    // Check if the requested resource is in the allowed list
-    if (!extendedClient.allowed_resources.includes(resource)) {
-      throw new InvalidTargetError(
-        `Client is not authorized to access resource: ${resource}`
-      );
+  private async validateResource(resource?: string): Promise<void> {
+    if (this.config?.validateResourceMatchesServer) {
+      if (!resource) {
+        throw new InvalidRequestError("Resource parameter is required when server URL validation is enabled");
+      }
+      
+      const canonicalServerUrl = resourceUrlFromServerUrl(this.config.serverUrl!);
+      
+      if (resource !== canonicalServerUrl) {
+        throw new InvalidTargetError(
+          `Resource parameter '${resource}' does not match this server's URL '${canonicalServerUrl}'`
+        );
+      }
+    } else if (!resource) {
+      // Always log warning if resource is missing (unless validation is enabled)
+      console.warn(`Token refresh request is missing the resource parameter. Consider migrating to RFC 8707.`);
     }
   }
 
   /**
    * Get token details including resource information (for demo introspection endpoint)
    */
-  getTokenDetails(token: string): ExtendedAuthInfo | undefined {
+  getTokenDetails(token: string): AuthInfo | undefined {
     return this.tokens.get(token);
   }
 }
diff --git a/src/server/auth/types.ts b/src/server/auth/types.ts
index c25c2b602..bf1a257b2 100644
--- a/src/server/auth/types.ts
+++ b/src/server/auth/types.ts
@@ -22,6 +22,12 @@ export interface AuthInfo {
    */
   expiresAt?: number;
 
+  /**
+   * The RFC 8707 resource server identifier for which this token is valid.
+   * If set, this MUST match the MCP server's resource identifier (minus hash fragment).
+   */
+  resource?: string;
+
   /**
    * Additional data associated with the token.
    * This field should be used for any additional data that needs to be attached to the auth info.

From 02ce81b90c4ebe55e13b064051950f5fe2951daa Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Mon, 16 Jun 2025 23:10:27 +0100
Subject: [PATCH 067/147] simplify diff

---
 .../server/demoInMemoryOAuthProvider.ts       | 82 +++----------------
 src/server/auth/errors.ts                     | 10 ---
 src/server/auth/provider.ts                   |  2 +-
 src/server/auth/types.ts                      |  2 +-
 src/shared/auth-utils.ts                      | 29 ++-----
 5 files changed, 20 insertions(+), 105 deletions(-)

diff --git a/src/examples/server/demoInMemoryOAuthProvider.ts b/src/examples/server/demoInMemoryOAuthProvider.ts
index 3672c3e0a..5de0fb904 100644
--- a/src/examples/server/demoInMemoryOAuthProvider.ts
+++ b/src/examples/server/demoInMemoryOAuthProvider.ts
@@ -5,7 +5,6 @@ import { OAuthClientInformationFull, OAuthMetadata, OAuthTokens } from '../../sh
 import express, { Request, Response } from "express";
 import { AuthInfo } from '../../server/auth/types.js';
 import { createOAuthMetadata, mcpAuthRouter } from '../../server/auth/router.js';
-import { InvalidTargetError, InvalidRequestError } from '../../server/auth/errors.js';
 import { resourceUrlFromServerUrl } from '../../shared/auth-utils.js';
 
 
@@ -22,52 +21,21 @@ export class DemoInMemoryClientsStore implements OAuthRegisteredClientsStore {
   }
 }
 
-/**
- * Configuration options for the demo OAuth provider
- */
-export interface DemoOAuthProviderConfig {
-  /**
-   * The canonical URL of this MCP server. When provided, the provider will validate
-   * that the resource parameter in OAuth requests matches this URL.
-   * 
-   * This should be the full URL that clients use to connect to this server,
-   * without any fragment component (e.g., "https://api.example.com/mcp").
-   * 
-   * Required when validateResourceMatchesServer is true.
-   */
-  serverUrl?: string;
-
-  /**
-   * If true, validates that the resource parameter matches the configured serverUrl.
-   * 
-   * When enabled:
-   * - serverUrl must be configured (throws error if not)
-   * - resource parameter is required on all requests
-   * - resource must exactly match serverUrl (after fragment removal)
-   * - requests without resource parameter will be rejected with invalid_request error
-   * - requests with non-matching resource will be rejected with invalid_target error
-   * 
-   * When disabled:
-   * - warnings are logged when resource parameter is missing (for migration tracking)
-   * 
-   * @default false
-   */
-  validateResourceMatchesServer?: boolean;
-}
-
 export class DemoInMemoryAuthProvider implements OAuthServerProvider {
   clientsStore = new DemoInMemoryClientsStore();
   private codes = new Map<string, {
     params: AuthorizationParams,
     client: OAuthClientInformationFull}>();
   private tokens = new Map<string, AuthInfo>();
-  private config?: DemoOAuthProviderConfig;
-
-  constructor(config?: DemoOAuthProviderConfig) {
-    if (config?.validateResourceMatchesServer && !config?.serverUrl) {
-      throw new Error("serverUrl must be configured when validateResourceMatchesServer is true");
+  private validateResource?: (resource?: URL) => boolean;
+
+  constructor(mcpServerUrl?: URL) {
+    if (mcpServerUrl) {
+      const expectedResource = resourceUrlFromServerUrl(mcpServerUrl);
+      this.validateResource = (resource?: URL) => {
+        return !resource || resource.toString() !== expectedResource.toString();
+      };
     }
-    this.config = config;
   }
 
   async authorize(
@@ -75,8 +43,6 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
     params: AuthorizationParams,
     res: Response
   ): Promise<void> {
-    await this.validateResource(params.resource);
-
     const code = randomUUID();
 
     const searchParams = new URLSearchParams({
@@ -126,7 +92,9 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
       throw new Error(`Authorization code was not issued to this client, ${codeData.client.client_id} != ${client.client_id}`);
     }
 
-    await this.validateResource(codeData.params.resource);
+    if (this.validateResource && !this.validateResource(codeData.params.resource)) {
+      throw new Error('Invalid resource');
+    }
 
     this.codes.delete(authorizationCode);
     const token = randomUUID();
@@ -164,7 +132,6 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
     if (!tokenData || !tokenData.expiresAt || tokenData.expiresAt < Date.now()) {
       throw new Error('Invalid or expired token');
     }
-    await this.validateResource(tokenData.resource);
 
     return {
       token,
@@ -175,29 +142,6 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
     };
   }
 
-  /**
-   * Validates that the client is allowed to access the requested resource.
-   * In a real implementation, this would check against a database or configuration.
-   */
-  private async validateResource(resource?: string): Promise<void> {
-    if (this.config?.validateResourceMatchesServer) {
-      if (!resource) {
-        throw new InvalidRequestError("Resource parameter is required when server URL validation is enabled");
-      }
-      
-      const canonicalServerUrl = resourceUrlFromServerUrl(this.config.serverUrl!);
-      
-      if (resource !== canonicalServerUrl) {
-        throw new InvalidTargetError(
-          `Resource parameter '${resource}' does not match this server's URL '${canonicalServerUrl}'`
-        );
-      }
-    } else if (!resource) {
-      // Always log warning if resource is missing (unless validation is enabled)
-      console.warn(`Token refresh request is missing the resource parameter. Consider migrating to RFC 8707.`);
-    }
-  }
-
   /**
    * Get token details including resource information (for demo introspection endpoint)
    */
@@ -207,13 +151,13 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
 }
 
 
-export const setupAuthServer = (authServerUrl: URL, config?: DemoOAuthProviderConfig): OAuthMetadata => {
+export const setupAuthServer = (authServerUrl: URL, mcpServerUrl: URL): OAuthMetadata => {
   // Create separate auth server app
   // NOTE: This is a separate app on a separate port to illustrate
   // how to separate an OAuth Authorization Server from a Resource
   // server in the SDK. The SDK is not intended to be provide a standalone
   // authorization server.
-  const provider = new DemoInMemoryAuthProvider(config);
+  const provider = new DemoInMemoryAuthProvider(mcpServerUrl);
   const authApp = express();
   authApp.use(express.json());
   // For introspection requests
diff --git a/src/server/auth/errors.ts b/src/server/auth/errors.ts
index 5c001bcda..428199ce8 100644
--- a/src/server/auth/errors.ts
+++ b/src/server/auth/errors.ts
@@ -189,13 +189,3 @@ export class InsufficientScopeError extends OAuthError {
     super("insufficient_scope", message, errorUri);
   }
 }
-
-/**
- * Invalid target error - The requested resource is invalid, unknown, or malformed.
- * (RFC 8707 - Resource Indicators for OAuth 2.0)
- */
-export class InvalidTargetError extends OAuthError {
-  constructor(message: string, errorUri?: string) {
-    super("invalid_target", message, errorUri);
-  }
-}
diff --git a/src/server/auth/provider.ts b/src/server/auth/provider.ts
index 256984166..93a56a099 100644
--- a/src/server/auth/provider.ts
+++ b/src/server/auth/provider.ts
@@ -8,7 +8,7 @@ export type AuthorizationParams = {
   scopes?: string[];
   codeChallenge: string;
   redirectUri: string;
-  resource?: string;
+  resource?: URL;
 };
 
 /**
diff --git a/src/server/auth/types.ts b/src/server/auth/types.ts
index bf1a257b2..0189e9ed8 100644
--- a/src/server/auth/types.ts
+++ b/src/server/auth/types.ts
@@ -26,7 +26,7 @@ export interface AuthInfo {
    * The RFC 8707 resource server identifier for which this token is valid.
    * If set, this MUST match the MCP server's resource identifier (minus hash fragment).
    */
-  resource?: string;
+  resource?: URL;
 
   /**
    * Additional data associated with the token.
diff --git a/src/shared/auth-utils.ts b/src/shared/auth-utils.ts
index e69d821da..086d812f6 100644
--- a/src/shared/auth-utils.ts
+++ b/src/shared/auth-utils.ts
@@ -1,5 +1,5 @@
 /**
- * Utilities for handling OAuth resource URIs according to RFC 8707.
+ * Utilities for handling OAuth resource URIs.
  */
 
 /**
@@ -7,27 +7,8 @@
  * RFC 8707 section 2 states that resource URIs "MUST NOT include a fragment component".
  * Keeps everything else unchanged (scheme, domain, port, path, query).
  */
-export function resourceUrlFromServerUrl(url: string): string {
-  const hashIndex = url.indexOf('#');
-  return hashIndex === -1 ? url : url.substring(0, hashIndex);
+export function resourceUrlFromServerUrl(url: URL): URL {
+  const resourceURL = new URL(url.href);
+  resourceURL.hash = ''; // Remove fragment
+  return resourceURL;
 }
-
-/**
- * Validates a resource URI according to RFC 8707 requirements.
- * @param resourceUri The resource URI to validate
- * @throws Error if the URI contains a fragment
- */
-export function validateResourceUri(resourceUri: string): void {
-  if (resourceUri.includes('#')) {
-    throw new Error(`Invalid resource URI: ${resourceUri} - must not contain a fragment`);
-  }
-}
-
-/**
- * Extracts resource URI from server URL by removing fragment.
- * @param serverUrl The server URL to extract from
- * @returns The resource URI without fragment
- */
-export function extractResourceUri(serverUrl: string | URL): string {
-  return resourceUrlFromServerUrl(typeof serverUrl === 'string' ? serverUrl : serverUrl.href);
-}
\ No newline at end of file

From 36f338ae23503ce837f12c0f166e09de50885d16 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Mon, 16 Jun 2025 23:39:51 +0100
Subject: [PATCH 068/147] Update demoInMemoryOAuthProvider.ts

---
 src/examples/server/demoInMemoryOAuthProvider.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/examples/server/demoInMemoryOAuthProvider.ts b/src/examples/server/demoInMemoryOAuthProvider.ts
index 5de0fb904..9fcb25176 100644
--- a/src/examples/server/demoInMemoryOAuthProvider.ts
+++ b/src/examples/server/demoInMemoryOAuthProvider.ts
@@ -29,7 +29,7 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
   private tokens = new Map<string, AuthInfo>();
   private validateResource?: (resource?: URL) => boolean;
 
-  constructor(mcpServerUrl?: URL) {
+  constructor({mcpServerUrl}: {mcpServerUrl?: URL} = {}) {
     if (mcpServerUrl) {
       const expectedResource = resourceUrlFromServerUrl(mcpServerUrl);
       this.validateResource = (resource?: URL) => {
@@ -157,7 +157,7 @@ export const setupAuthServer = (authServerUrl: URL, mcpServerUrl: URL): OAuthMet
   // how to separate an OAuth Authorization Server from a Resource
   // server in the SDK. The SDK is not intended to be provide a standalone
   // authorization server.
-  const provider = new DemoInMemoryAuthProvider(mcpServerUrl);
+  const provider = new DemoInMemoryAuthProvider({mcpServerUrl});
   const authApp = express();
   authApp.use(express.json());
   // For introspection requests

From 224a2e242d956f30b20fdeb370c8b9958e321f0c Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Tue, 17 Jun 2025 00:18:33 +0100
Subject: [PATCH 069/147] update resource to be a url

---
 src/client/auth.ts                            | 18 ++--
 .../server/demoInMemoryOAuthProvider.ts       |  2 +-
 src/server/auth/handlers/authorize.test.ts    |  6 +-
 src/server/auth/handlers/authorize.ts         |  2 +-
 src/server/auth/provider.ts                   |  4 +-
 .../auth/providers/proxyProvider.test.ts      |  2 +-
 src/server/auth/providers/proxyProvider.ts    |  6 +-
 src/shared/auth-utils.test.ts                 | 85 +++----------------
 8 files changed, 33 insertions(+), 92 deletions(-)

diff --git a/src/client/auth.ts b/src/client/auth.ts
index 28188b7c0..e465ea3be 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -100,12 +100,12 @@ export async function auth(
     authorizationCode?: string;
     scope?: string;
     resourceMetadataUrl?: URL;
-    resource?: string }): Promise<AuthResult> {
+    resource?: URL }): Promise<AuthResult> {
 
   // Remove fragment from resource parameter if provided
-  let canonicalResource: string | undefined;
+  let canonicalResource: URL | undefined;
   if (resource) {
-    canonicalResource = resourceUrlFromServerUrl(resource);
+    canonicalResource = resourceUrlFromServerUrl(new URL(resource));
   }
 
   let authorizationServerUrl = serverUrl;
@@ -329,7 +329,7 @@ export async function startAuthorization(
     redirectUrl: string | URL;
     scope?: string;
     state?: string;
-    resource?: string;
+    resource?: URL;
   },
 ): Promise<{ authorizationUrl: URL; codeVerifier: string }> {
   const responseType = "code";
@@ -380,7 +380,7 @@ export async function startAuthorization(
   }
 
   if (resource) {
-    authorizationUrl.searchParams.set("resource", resource);
+    authorizationUrl.searchParams.set("resource", resource.href);
   }
 
   return { authorizationUrl, codeVerifier };
@@ -404,7 +404,7 @@ export async function exchangeAuthorization(
     authorizationCode: string;
     codeVerifier: string;
     redirectUri: string | URL;
-    resource?: string;
+    resource?: URL;
   },
 ): Promise<OAuthTokens> {
   const grantType = "authorization_code";
@@ -439,7 +439,7 @@ export async function exchangeAuthorization(
   }
 
   if (resource) {
-    params.set("resource", resource);
+    params.set("resource", resource.href);
   }
 
   const response = await fetch(tokenUrl, {
@@ -471,7 +471,7 @@ export async function refreshAuthorization(
     metadata?: OAuthMetadata;
     clientInformation: OAuthClientInformation;
     refreshToken: string;
-    resource?: string;
+    resource?: URL;
   },
 ): Promise<OAuthTokens> {
   const grantType = "refresh_token";
@@ -504,7 +504,7 @@ export async function refreshAuthorization(
   }
 
   if (resource) {
-    params.set("resource", resource);
+    params.set("resource", resource.href);
   }
 
   const response = await fetch(tokenUrl, {
diff --git a/src/examples/server/demoInMemoryOAuthProvider.ts b/src/examples/server/demoInMemoryOAuthProvider.ts
index 9fcb25176..316d1f8a4 100644
--- a/src/examples/server/demoInMemoryOAuthProvider.ts
+++ b/src/examples/server/demoInMemoryOAuthProvider.ts
@@ -122,7 +122,7 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
     client: OAuthClientInformationFull,
     _refreshToken: string,
     _scopes?: string[],
-    resource?: string
+    resource?: URL
   ): Promise<OAuthTokens> {
     throw new Error('Refresh tokens not implemented for example demo');
   }
diff --git a/src/server/auth/handlers/authorize.test.ts b/src/server/auth/handlers/authorize.test.ts
index 20a2af897..2742d1e55 100644
--- a/src/server/auth/handlers/authorize.test.ts
+++ b/src/server/auth/handlers/authorize.test.ts
@@ -295,7 +295,7 @@ describe('Authorization Handler', () => {
       expect(mockProviderWithResource).toHaveBeenCalledWith(
         validClient,
         expect.objectContaining({
-          resource: 'https://api.example.com/resource',
+          resource: new URL('https://api.example.com/resource'),
           redirectUri: 'https://example.com/callback',
           codeChallenge: 'challenge123'
         }),
@@ -365,7 +365,7 @@ describe('Authorization Handler', () => {
       expect(mockProviderWithResources).toHaveBeenCalledWith(
         validClient,
         expect.objectContaining({
-          resource: 'https://api1.example.com/resource',
+          resource: new URL('https://api1.example.com/resource'),
           state: 'test-state'
         }),
         expect.any(Object)
@@ -391,7 +391,7 @@ describe('Authorization Handler', () => {
       expect(mockProviderPost).toHaveBeenCalledWith(
         validClient,
         expect.objectContaining({
-          resource: 'https://api.example.com/resource'
+          resource: new URL('https://api.example.com/resource')
         }),
         expect.any(Object)
       );
diff --git a/src/server/auth/handlers/authorize.ts b/src/server/auth/handlers/authorize.ts
index f6c862aca..17c88b45a 100644
--- a/src/server/auth/handlers/authorize.ts
+++ b/src/server/auth/handlers/authorize.ts
@@ -142,7 +142,7 @@ export function authorizationHandler({ provider, rateLimit: rateLimitConfig }: A
         scopes: requestedScopes,
         redirectUri: redirect_uri,
         codeChallenge: code_challenge,
-        resource,
+        resource: resource ? new URL(resource) : undefined,
       }, res);
     } catch (error) {
       // Post-redirect errors - redirect with error parameters
diff --git a/src/server/auth/provider.ts b/src/server/auth/provider.ts
index 93a56a099..18beb2166 100644
--- a/src/server/auth/provider.ts
+++ b/src/server/auth/provider.ts
@@ -42,13 +42,13 @@ export interface OAuthServerProvider {
     authorizationCode: string, 
     codeVerifier?: string,
     redirectUri?: string,
-    resource?: string
+    resource?: URL
   ): Promise<OAuthTokens>;
 
   /**
    * Exchanges a refresh token for an access token.
    */
-  exchangeRefreshToken(client: OAuthClientInformationFull, refreshToken: string, scopes?: string[], resource?: string): Promise<OAuthTokens>;
+  exchangeRefreshToken(client: OAuthClientInformationFull, refreshToken: string, scopes?: string[], resource?: URL): Promise<OAuthTokens>;
 
   /**
    * Verifies an access token and returns information about it.
diff --git a/src/server/auth/providers/proxyProvider.test.ts b/src/server/auth/providers/proxyProvider.test.ts
index b652390b0..75dc1a15a 100644
--- a/src/server/auth/providers/proxyProvider.test.ts
+++ b/src/server/auth/providers/proxyProvider.test.ts
@@ -112,7 +112,7 @@ describe("Proxy OAuth Server Provider", () => {
           codeChallenge: 'test-challenge',
           state: 'test-state',
           scopes: ['read', 'write'],
-          resource: 'https://api.example.com/resource'
+          resource: new URL('https://api.example.com/resource')
         },
         mockResponse
       );
diff --git a/src/server/auth/providers/proxyProvider.ts b/src/server/auth/providers/proxyProvider.ts
index 7f8b8d3df..4c8074448 100644
--- a/src/server/auth/providers/proxyProvider.ts
+++ b/src/server/auth/providers/proxyProvider.ts
@@ -134,7 +134,7 @@ export class ProxyOAuthServerProvider implements OAuthServerProvider {
     // Add optional standard OAuth parameters
     if (params.state) searchParams.set("state", params.state);
     if (params.scopes?.length) searchParams.set("scope", params.scopes.join(" "));
-    if (params.resource) searchParams.set("resource", params.resource);
+    if (params.resource) searchParams.set("resource", params.resource.href);
 
     targetUrl.search = searchParams.toString();
     res.redirect(targetUrl.toString());
@@ -154,7 +154,7 @@ export class ProxyOAuthServerProvider implements OAuthServerProvider {
     authorizationCode: string,
     codeVerifier?: string,
     redirectUri?: string,
-    resource?: string
+    resource?: URL
   ): Promise<OAuthTokens> {
     const params = new URLSearchParams({
       grant_type: "authorization_code",
@@ -199,7 +199,7 @@ export class ProxyOAuthServerProvider implements OAuthServerProvider {
     client: OAuthClientInformationFull,
     refreshToken: string,
     scopes?: string[],
-    resource?: string
+    resource?: URL
   ): Promise<OAuthTokens> {
 
     const params = new URLSearchParams({
diff --git a/src/shared/auth-utils.test.ts b/src/shared/auth-utils.test.ts
index b95714081..c35bb1228 100644
--- a/src/shared/auth-utils.test.ts
+++ b/src/shared/auth-utils.test.ts
@@ -1,89 +1,30 @@
-import { validateResourceUri, extractResourceUri, resourceUrlFromServerUrl } from './auth-utils.js';
+import { resourceUrlFromServerUrl } from './auth-utils.js';
 
 describe('auth-utils', () => {
   describe('resourceUrlFromServerUrl', () => {
     it('should remove fragments', () => {
-      expect(resourceUrlFromServerUrl('https://example.com/path#fragment')).toBe('https://example.com/path');
-      expect(resourceUrlFromServerUrl('https://example.com#fragment')).toBe('https://example.com');
-      expect(resourceUrlFromServerUrl('https://example.com/path?query=1#fragment')).toBe('https://example.com/path?query=1');
+      expect(resourceUrlFromServerUrl(new URL('https://example.com/path#fragment')).href).toBe('https://example.com/path');
+      expect(resourceUrlFromServerUrl(new URL('https://example.com#fragment')).href).toBe('https://example.com/');
+      expect(resourceUrlFromServerUrl(new URL('https://example.com/path?query=1#fragment')).href).toBe('https://example.com/path?query=1');
     });
 
     it('should return URL unchanged if no fragment', () => {
-      expect(resourceUrlFromServerUrl('https://example.com')).toBe('https://example.com');
-      expect(resourceUrlFromServerUrl('https://example.com/path')).toBe('https://example.com/path');
-      expect(resourceUrlFromServerUrl('https://example.com/path?query=1')).toBe('https://example.com/path?query=1');
+      expect(resourceUrlFromServerUrl(new URL('https://example.com')).href).toBe('https://example.com/');
+      expect(resourceUrlFromServerUrl(new URL('https://example.com/path')).href).toBe('https://example.com/path');
+      expect(resourceUrlFromServerUrl(new URL('https://example.com/path?query=1')).href).toBe('https://example.com/path?query=1');
     });
 
     it('should keep everything else unchanged', () => {
       // Case sensitivity preserved
-      expect(resourceUrlFromServerUrl('HTTPS://EXAMPLE.COM/PATH')).toBe('HTTPS://EXAMPLE.COM/PATH');
+      expect(resourceUrlFromServerUrl(new URL('https://EXAMPLE.COM/PATH')).href).toBe('https://example.com/PATH');
       // Ports preserved
-      expect(resourceUrlFromServerUrl('https://example.com:443/path')).toBe('https://example.com:443/path');
-      expect(resourceUrlFromServerUrl('https://example.com:8080/path')).toBe('https://example.com:8080/path');
+      expect(resourceUrlFromServerUrl(new URL('https://example.com:443/path')).href).toBe('https://example.com/path');
+      expect(resourceUrlFromServerUrl(new URL('https://example.com:8080/path')).href).toBe('https://example.com:8080/path');
       // Query parameters preserved
-      expect(resourceUrlFromServerUrl('https://example.com?foo=bar&baz=qux')).toBe('https://example.com?foo=bar&baz=qux');
+      expect(resourceUrlFromServerUrl(new URL('https://example.com?foo=bar&baz=qux')).href).toBe('https://example.com/?foo=bar&baz=qux');
       // Trailing slashes preserved
-      expect(resourceUrlFromServerUrl('https://example.com/')).toBe('https://example.com/');
-      expect(resourceUrlFromServerUrl('https://example.com/path/')).toBe('https://example.com/path/');
-    });
-  });
-
-
-  describe('validateResourceUri', () => {
-    it('should accept valid resource URIs without fragments', () => {
-      expect(() => validateResourceUri('https://example.com')).not.toThrow();
-      expect(() => validateResourceUri('https://example.com/path')).not.toThrow();
-      expect(() => validateResourceUri('http://example.com:8080')).not.toThrow();
-      expect(() => validateResourceUri('https://example.com?query=1')).not.toThrow();
-      expect(() => validateResourceUri('ftp://example.com')).not.toThrow(); // Only fragment check now
-    });
-
-    it('should reject URIs with fragments', () => {
-      expect(() => validateResourceUri('https://example.com#fragment')).toThrow('must not contain a fragment');
-      expect(() => validateResourceUri('https://example.com/path#section')).toThrow('must not contain a fragment');
-      expect(() => validateResourceUri('https://example.com?query=1#anchor')).toThrow('must not contain a fragment');
-    });
-
-    it('should accept any URI without fragment', () => {
-      // These are all valid now since we only check for fragments
-      expect(() => validateResourceUri('//example.com')).not.toThrow();
-      expect(() => validateResourceUri('https://user:pass@example.com')).not.toThrow();
-      expect(() => validateResourceUri('/path')).not.toThrow();
-      expect(() => validateResourceUri('path')).not.toThrow();
-    });
-  });
-
-  describe('extractResourceUri', () => {
-    it('should remove fragments from URLs', () => {
-      expect(extractResourceUri('https://example.com/path#fragment')).toBe('https://example.com/path');
-      expect(extractResourceUri('https://example.com/path?query=1#fragment')).toBe('https://example.com/path?query=1');
-    });
-
-    it('should handle URL object', () => {
-      const url = new URL('https://example.com:8443/path?query=1#fragment');
-      expect(extractResourceUri(url)).toBe('https://example.com:8443/path?query=1');
-    });
-
-    it('should keep everything else unchanged', () => {
-      // Preserves case
-      expect(extractResourceUri('HTTPS://EXAMPLE.COM/path')).toBe('HTTPS://EXAMPLE.COM/path');
-      // Preserves all ports
-      expect(extractResourceUri('https://example.com:443/path')).toBe('https://example.com:443/path');
-      expect(extractResourceUri('http://example.com:80/path')).toBe('http://example.com:80/path');
-      // Preserves query parameters
-      expect(extractResourceUri('https://example.com/path?query=1')).toBe('https://example.com/path?query=1');
-      // Preserves trailing slashes
-      expect(extractResourceUri('https://example.com/')).toBe('https://example.com/');
-      expect(extractResourceUri('https://example.com/app1/')).toBe('https://example.com/app1/');
-    });
-
-    it('should distinguish between different paths on same domain', () => {
-      // This is the key test for the security concern mentioned
-      const app1 = extractResourceUri('https://api.example.com/mcp-server-1');
-      const app2 = extractResourceUri('https://api.example.com/mcp-server-2');
-      expect(app1).not.toBe(app2);
-      expect(app1).toBe('https://api.example.com/mcp-server-1');
-      expect(app2).toBe('https://api.example.com/mcp-server-2');
+      expect(resourceUrlFromServerUrl(new URL('https://example.com/')).href).toBe('https://example.com/');
+      expect(resourceUrlFromServerUrl(new URL('https://example.com/path/')).href).toBe('https://example.com/path/');
     });
   });
 });
\ No newline at end of file

From 551a43942e412f43aee13de67ee7a796f5763831 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Tue, 17 Jun 2025 00:33:27 +0100
Subject: [PATCH 070/147] use URL for resource throughout

---
 src/client/auth.test.ts                       | 24 +++++++++----------
 src/client/sse.ts                             |  8 +++----
 src/client/streamableHttp.ts                  |  8 +++----
 src/server/auth/handlers/token.test.ts        |  8 +++----
 src/server/auth/handlers/token.ts             |  4 ++--
 .../auth/providers/proxyProvider.test.ts      |  6 ++---
 src/server/auth/providers/proxyProvider.ts    |  4 ++--
 7 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
index 9a0674057..44516130a 100644
--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -347,7 +347,7 @@ describe("OAuth Authorization", () => {
         {
           clientInformation: validClientInfo,
           redirectUrl: "http://localhost:3000/callback",
-          resource: "https://api.example.com/mcp-server",
+          resource: new URL("https://api.example.com/mcp-server"),
         }
       );
 
@@ -526,7 +526,7 @@ describe("OAuth Authorization", () => {
         authorizationCode: "code123",
         codeVerifier: "verifier123",
         redirectUri: "http://localhost:3000/callback",
-        resource: "https://api.example.com/mcp-server",
+        resource: new URL("https://api.example.com/mcp-server"),
       });
 
       expect(tokens).toEqual(validTokens);
@@ -650,7 +650,7 @@ describe("OAuth Authorization", () => {
       const tokens = await refreshAuthorization("https://auth.example.com", {
         clientInformation: validClientInfo,
         refreshToken: "refresh123",
-        resource: "https://api.example.com/mcp-server",
+        resource: new URL("https://api.example.com/mcp-server"),
       });
 
       expect(tokens).toEqual(validTokensWithNewRefreshToken);
@@ -939,7 +939,7 @@ describe("OAuth Authorization", () => {
       // Call the auth function with a resource that has a fragment
       const result = await auth(mockProvider, {
         serverUrl: "https://resource.example.com",
-        resource: "https://api.example.com/mcp-server#fragment",
+        resource: new URL("https://api.example.com/mcp-server#fragment"),
       });
 
       expect(result).toBe("REDIRECT");
@@ -988,7 +988,7 @@ describe("OAuth Authorization", () => {
       // Call auth without authorization code (should trigger redirect)
       const result = await auth(mockProvider, {
         serverUrl: "https://resource.example.com",
-        resource: "https://api.example.com/mcp-server",
+        resource: new URL("https://api.example.com/mcp-server"),
       });
 
       expect(result).toBe("REDIRECT");
@@ -1050,7 +1050,7 @@ describe("OAuth Authorization", () => {
       const result = await auth(mockProvider, {
         serverUrl: "https://resource.example.com",
         authorizationCode: "auth-code-123",
-        resource: "https://api.example.com/mcp-server",
+        resource: new URL("https://api.example.com/mcp-server"),
       });
 
       expect(result).toBe("AUTHORIZED");
@@ -1112,7 +1112,7 @@ describe("OAuth Authorization", () => {
       // Call auth with existing tokens (should trigger refresh)
       const result = await auth(mockProvider, {
         serverUrl: "https://resource.example.com",
-        resource: "https://api.example.com/mcp-server",
+        resource: new URL("https://api.example.com/mcp-server"),
       });
 
       expect(result).toBe("AUTHORIZED");
@@ -1161,7 +1161,7 @@ describe("OAuth Authorization", () => {
       // Call auth with empty resource parameter
       const result = await auth(mockProvider, {
         serverUrl: "https://resource.example.com",
-        resource: "",
+        resource: undefined,
       });
 
       expect(result).toBe("REDIRECT");
@@ -1204,7 +1204,7 @@ describe("OAuth Authorization", () => {
       // Call auth with resource containing multiple # symbols
       const result = await auth(mockProvider, {
         serverUrl: "https://resource.example.com",
-        resource: "https://api.example.com/mcp-server#fragment#another",
+        resource: new URL("https://api.example.com/mcp-server#fragment#another"),
       });
 
       expect(result).toBe("REDIRECT");
@@ -1249,7 +1249,7 @@ describe("OAuth Authorization", () => {
       // multiple MCP servers on the same domain
       const result1 = await auth(mockProvider, {
         serverUrl: "https://api.example.com",
-        resource: "https://api.example.com/mcp-server-1/v1",
+        resource: new URL("https://api.example.com/mcp-server-1/v1"),
       });
 
       expect(result1).toBe("REDIRECT");
@@ -1264,7 +1264,7 @@ describe("OAuth Authorization", () => {
       // Test with different path on same domain
       const result2 = await auth(mockProvider, {
         serverUrl: "https://api.example.com",
-        resource: "https://api.example.com/mcp-server-2/v1",
+        resource: new URL("https://api.example.com/mcp-server-2/v1"),
       });
 
       expect(result2).toBe("REDIRECT");
@@ -1309,7 +1309,7 @@ describe("OAuth Authorization", () => {
       // Call auth with resource containing query parameters
       const result = await auth(mockProvider, {
         serverUrl: "https://resource.example.com",
-        resource: "https://api.example.com/mcp-server?param=value&another=test",
+        resource: new URL("https://api.example.com/mcp-server?param=value&another=test"),
       });
 
       expect(result).toBe("REDIRECT");
diff --git a/src/client/sse.ts b/src/client/sse.ts
index c484bde96..41f21de65 100644
--- a/src/client/sse.ts
+++ b/src/client/sse.ts
@@ -2,7 +2,7 @@ import { EventSource, type ErrorEvent, type EventSourceInit } from "eventsource"
 import { Transport } from "../shared/transport.js";
 import { JSONRPCMessage, JSONRPCMessageSchema } from "../types.js";
 import { auth, AuthResult, extractResourceMetadataUrl, OAuthClientProvider, UnauthorizedError } from "./auth.js";
-import { extractResourceUri } from "../shared/auth-utils.js";
+import { resourceUrlFromServerUrl } from "../shared/auth-utils.js";
 
 export class SseError extends Error {
   constructor(
@@ -90,7 +90,7 @@ export class SSEClientTransport implements Transport {
       result = await auth(this._authProvider, { 
         serverUrl: this._url, 
         resourceMetadataUrl: this._resourceMetadataUrl,
-        resource: extractResourceUri(this._url)
+        resource: resourceUrlFromServerUrl(new URL(this._url))
       });
     } catch (error) {
       this.onerror?.(error as Error);
@@ -210,7 +210,7 @@ export class SSEClientTransport implements Transport {
       serverUrl: this._url, 
       authorizationCode, 
       resourceMetadataUrl: this._resourceMetadataUrl,
-      resource: extractResourceUri(this._url)
+      resource: resourceUrlFromServerUrl(new URL(this._url))
     });
     if (result !== "AUTHORIZED") {
       throw new UnauthorizedError("Failed to authorize");
@@ -249,7 +249,7 @@ export class SSEClientTransport implements Transport {
           const result = await auth(this._authProvider, { 
             serverUrl: this._url, 
             resourceMetadataUrl: this._resourceMetadataUrl,
-            resource: extractResourceUri(this._url)
+            resource: resourceUrlFromServerUrl(new URL(this._url))
           });
           if (result !== "AUTHORIZED") {
             throw new UnauthorizedError();
diff --git a/src/client/streamableHttp.ts b/src/client/streamableHttp.ts
index 25c41bf3f..3534fb459 100644
--- a/src/client/streamableHttp.ts
+++ b/src/client/streamableHttp.ts
@@ -2,7 +2,7 @@ import { Transport } from "../shared/transport.js";
 import { isInitializedNotification, isJSONRPCRequest, isJSONRPCResponse, JSONRPCMessage, JSONRPCMessageSchema } from "../types.js";
 import { auth, AuthResult, extractResourceMetadataUrl, OAuthClientProvider, UnauthorizedError } from "./auth.js";
 import { EventSourceParserStream } from "eventsource-parser/stream";
-import { extractResourceUri } from "../shared/auth-utils.js";
+import { resourceUrlFromServerUrl } from "../shared/auth-utils.js";
 
 // Default reconnection options for StreamableHTTP connections
 const DEFAULT_STREAMABLE_HTTP_RECONNECTION_OPTIONS: StreamableHTTPReconnectionOptions = {
@@ -153,7 +153,7 @@ export class StreamableHTTPClientTransport implements Transport {
       result = await auth(this._authProvider, { 
         serverUrl: this._url, 
         resourceMetadataUrl: this._resourceMetadataUrl,
-        resource: extractResourceUri(this._url)
+        resource: resourceUrlFromServerUrl(new URL(this._url))
       });
     } catch (error) {
       this.onerror?.(error as Error);
@@ -371,7 +371,7 @@ export class StreamableHTTPClientTransport implements Transport {
       serverUrl: this._url, 
       authorizationCode, 
       resourceMetadataUrl: this._resourceMetadataUrl,
-      resource: extractResourceUri(this._url)
+      resource: resourceUrlFromServerUrl(new URL(this._url))
     });
     if (result !== "AUTHORIZED") {
       throw new UnauthorizedError("Failed to authorize");
@@ -423,7 +423,7 @@ export class StreamableHTTPClientTransport implements Transport {
           const result = await auth(this._authProvider, { 
             serverUrl: this._url, 
             resourceMetadataUrl: this._resourceMetadataUrl,
-            resource: extractResourceUri(this._url)
+            resource: resourceUrlFromServerUrl(new URL(this._url))
           });
           if (result !== "AUTHORIZED") {
             throw new UnauthorizedError();
diff --git a/src/server/auth/handlers/token.test.ts b/src/server/auth/handlers/token.test.ts
index 68794c36b..63b47f53e 100644
--- a/src/server/auth/handlers/token.test.ts
+++ b/src/server/auth/handlers/token.test.ts
@@ -303,7 +303,7 @@ describe('Token Handler', () => {
         'valid_code',
         undefined, // code_verifier is undefined after PKCE validation
         undefined, // redirect_uri
-        'https://api.example.com/resource' // resource parameter
+        new URL('https://api.example.com/resource') // resource parameter
       );
     });
 
@@ -371,7 +371,7 @@ describe('Token Handler', () => {
         'valid_code',
         undefined, // code_verifier is undefined after PKCE validation
         'https://example.com/callback', // redirect_uri
-        'https://api.example.com/resource' // resource parameter
+        new URL('https://api.example.com/resource') // resource parameter
       );
     });
 
@@ -585,7 +585,7 @@ describe('Token Handler', () => {
         validClient,
         'valid_refresh_token',
         undefined, // scopes
-        'https://api.example.com/resource' // resource parameter
+        new URL('https://api.example.com/resource') // resource parameter
       );
     });
 
@@ -648,7 +648,7 @@ describe('Token Handler', () => {
         validClient,
         'valid_refresh_token',
         ['profile', 'email'], // scopes
-        'https://api.example.com/resource' // resource parameter
+        new URL('https://api.example.com/resource') // resource parameter
       );
     });
   });
diff --git a/src/server/auth/handlers/token.ts b/src/server/auth/handlers/token.ts
index 92fe99218..3ffd4cf28 100644
--- a/src/server/auth/handlers/token.ts
+++ b/src/server/auth/handlers/token.ts
@@ -113,7 +113,7 @@ export function tokenHandler({ provider, rateLimit: rateLimitConfig }: TokenHand
             code, 
             skipLocalPkceValidation ? code_verifier : undefined,
             redirect_uri,
-            resource
+            resource ? new URL(resource) : undefined
           );
           res.status(200).json(tokens);
           break;
@@ -131,7 +131,7 @@ export function tokenHandler({ provider, rateLimit: rateLimitConfig }: TokenHand
           // The provider can decide how to validate it
 
           const scopes = scope?.split(" ");
-          const tokens = await provider.exchangeRefreshToken(client, refresh_token, scopes, resource);
+          const tokens = await provider.exchangeRefreshToken(client, refresh_token, scopes, resource ? new URL(resource) : undefined);
           res.status(200).json(tokens);
           break;
         }
diff --git a/src/server/auth/providers/proxyProvider.test.ts b/src/server/auth/providers/proxyProvider.test.ts
index 75dc1a15a..b834c6592 100644
--- a/src/server/auth/providers/proxyProvider.test.ts
+++ b/src/server/auth/providers/proxyProvider.test.ts
@@ -213,7 +213,7 @@ describe("Proxy OAuth Server Provider", () => {
         'test-code',
         'test-verifier',
         'https://example.com/callback',
-        'https://api.example.com/resource'
+        new URL('https://api.example.com/resource')
       );
 
       expect(global.fetch).toHaveBeenCalledWith(
@@ -267,7 +267,7 @@ describe("Proxy OAuth Server Provider", () => {
         validClient,
         'test-refresh-token',
         ['read', 'write'],
-        'https://api.example.com/resource'
+        new URL('https://api.example.com/resource')
       );
 
       expect(global.fetch).toHaveBeenCalledWith(
@@ -301,7 +301,7 @@ describe("Proxy OAuth Server Provider", () => {
         validClient,
         'test-refresh-token',
         ['profile', 'email'],
-        'https://api.example.com/resource'
+        new URL('https://api.example.com/resource')
       );
 
       const fetchCall = (global.fetch as jest.Mock).mock.calls[0];
diff --git a/src/server/auth/providers/proxyProvider.ts b/src/server/auth/providers/proxyProvider.ts
index 4c8074448..de74862b5 100644
--- a/src/server/auth/providers/proxyProvider.ts
+++ b/src/server/auth/providers/proxyProvider.ts
@@ -175,7 +175,7 @@ export class ProxyOAuthServerProvider implements OAuthServerProvider {
     }
 
     if (resource) {
-      params.append("resource", resource);
+      params.append("resource", resource.href);
     }
 
     const response = await fetch(this._endpoints.tokenUrl, {
@@ -217,7 +217,7 @@ export class ProxyOAuthServerProvider implements OAuthServerProvider {
     }
 
     if (resource) {
-      params.set("resource", resource);
+      params.set("resource", resource.href);
     }
 
     const response = await fetch(this._endpoints.tokenUrl, {

From 6e4fc52c7e7433e7c4bff5b571620e51669f293a Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Tue, 17 Jun 2025 00:42:44 +0100
Subject: [PATCH 071/147] Update demoInMemoryOAuthProvider.test.ts

---
 .../server/demoInMemoryOAuthProvider.test.ts  | 345 ++++--------------
 1 file changed, 78 insertions(+), 267 deletions(-)

diff --git a/src/examples/server/demoInMemoryOAuthProvider.test.ts b/src/examples/server/demoInMemoryOAuthProvider.test.ts
index 852f0c98f..9bdcfdfa6 100644
--- a/src/examples/server/demoInMemoryOAuthProvider.test.ts
+++ b/src/examples/server/demoInMemoryOAuthProvider.test.ts
@@ -1,13 +1,12 @@
 import { describe, it, expect, beforeEach } from '@jest/globals';
-import { DemoInMemoryAuthProvider, DemoInMemoryClientsStore, DemoOAuthProviderConfig } from './demoInMemoryOAuthProvider.js';
-import { InvalidTargetError, InvalidRequestError } from '../../server/auth/errors.js';
+import { DemoInMemoryAuthProvider, DemoInMemoryClientsStore } from './demoInMemoryOAuthProvider.js';
 import { OAuthClientInformationFull } from '../../shared/auth.js';
 import { Response } from 'express';
 
-describe('DemoInMemoryOAuthProvider - RFC 8707 Resource Validation', () => {
+describe('DemoInMemoryOAuthProvider', () => {
   let provider: DemoInMemoryAuthProvider;
   let clientsStore: DemoInMemoryClientsStore;
-  let mockClient: OAuthClientInformationFull & { allowed_resources?: string[] };
+  let mockClient: OAuthClientInformationFull;
   let mockResponse: Partial<Response>;
 
   beforeEach(() => {
@@ -30,132 +29,104 @@ describe('DemoInMemoryOAuthProvider - RFC 8707 Resource Validation', () => {
     };
   });
 
-  describe('Authorization with resource parameter', () => {
-    it('should allow authorization when no resources are configured', async () => {
+  describe('Basic authorization flow', () => {
+    it('should handle authorization successfully', async () => {
       await clientsStore.registerClient(mockClient);
       
-      await expect(provider.authorize(mockClient, {
+      await provider.authorize(mockClient, {
         codeChallenge: 'test-challenge',
         redirectUri: mockClient.redirect_uris[0],
-        resource: 'https://api.example.com/v1',
+        resource: new URL('https://api.example.com/v1'),
         scopes: ['mcp:tools']
-      }, mockResponse as Response)).resolves.not.toThrow();
+      }, mockResponse as Response);
 
       expect(mockResponse.redirect).toHaveBeenCalled();
+      const redirectCall = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
+      expect(redirectCall).toContain('code=');
     });
 
-    it('should allow authorization when resource is in allowed list', async () => {
-      mockClient.allowed_resources = ['https://api.example.com/v1', 'https://api.example.com/v2'];
+    it('should handle authorization without resource', async () => {
       await clientsStore.registerClient(mockClient);
       
-      await expect(provider.authorize(mockClient, {
+      await provider.authorize(mockClient, {
         codeChallenge: 'test-challenge',
         redirectUri: mockClient.redirect_uris[0],
-        resource: 'https://api.example.com/v1',
         scopes: ['mcp:tools']
-      }, mockResponse as Response)).resolves.not.toThrow();
+      }, mockResponse as Response);
 
       expect(mockResponse.redirect).toHaveBeenCalled();
     });
 
-    it('should reject authorization when resource is not in allowed list', async () => {
-      mockClient.allowed_resources = ['https://api.example.com/v1'];
+    it('should preserve state parameter', async () => {
       await clientsStore.registerClient(mockClient);
       
-      await expect(provider.authorize(mockClient, {
+      await provider.authorize(mockClient, {
         codeChallenge: 'test-challenge',
         redirectUri: mockClient.redirect_uris[0],
-        resource: 'https://api.forbidden.com',
+        state: 'test-state',
         scopes: ['mcp:tools']
-      }, mockResponse as Response)).rejects.toThrow(InvalidTargetError);
+      }, mockResponse as Response);
+
+      const redirectCall = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
+      expect(redirectCall).toContain('state=test-state');
     });
   });
 
-  describe('Token exchange with resource validation', () => {
+  describe('Token exchange', () => {
     let authorizationCode: string;
 
     beforeEach(async () => {
       await clientsStore.registerClient(mockClient);
       
-      // Authorize without resource first
       await provider.authorize(mockClient, {
         codeChallenge: 'test-challenge',
         redirectUri: mockClient.redirect_uris[0],
         scopes: ['mcp:tools']
       }, mockResponse as Response);
 
-      // Extract authorization code from redirect call
       const redirectCall = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
       const url = new URL(redirectCall);
       authorizationCode = url.searchParams.get('code')!;
     });
 
-    it('should exchange code successfully when resource matches', async () => {
-      // First authorize with a specific resource
-      mockResponse.redirect = jest.fn();
-      await provider.authorize(mockClient, {
-        codeChallenge: 'test-challenge',
-        redirectUri: mockClient.redirect_uris[0],
-        resource: 'https://api.example.com/v1',
-        scopes: ['mcp:tools']
-      }, mockResponse as Response);
-
-      const redirectCall = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
-      const url = new URL(redirectCall);
-      const codeWithResource = url.searchParams.get('code')!;
-
+    it('should exchange authorization code for tokens', async () => {
       const tokens = await provider.exchangeAuthorizationCode(
         mockClient,
-        codeWithResource,
-        undefined,
-        undefined,
-        'https://api.example.com/v1'
+        authorizationCode
       );
 
       expect(tokens).toHaveProperty('access_token');
       expect(tokens.token_type).toBe('bearer');
+      expect(tokens.expires_in).toBe(3600);
     });
 
-    it('should reject token exchange when resource does not match', async () => {
-      // First authorize with a specific resource
-      mockResponse.redirect = jest.fn();
-      await provider.authorize(mockClient, {
-        codeChallenge: 'test-challenge',
-        redirectUri: mockClient.redirect_uris[0],
-        resource: 'https://api.example.com/v1',
-        scopes: ['mcp:tools']
-      }, mockResponse as Response);
-
-      const redirectCall = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
-      const url = new URL(redirectCall);
-      const codeWithResource = url.searchParams.get('code')!;
-
+    it('should reject invalid authorization code', async () => {
       await expect(provider.exchangeAuthorizationCode(
         mockClient,
-        codeWithResource,
-        undefined,
-        undefined,
-        'https://api.different.com'
-      )).rejects.toThrow(InvalidTargetError);
+        'invalid-code'
+      )).rejects.toThrow('Invalid authorization code');
     });
 
-    it('should reject token exchange when resource was not authorized but is requested', async () => {
+    it('should reject code from different client', async () => {
+      const otherClient: OAuthClientInformationFull = {
+        ...mockClient,
+        client_id: 'other-client'
+      };
+      
+      await clientsStore.registerClient(otherClient);
+
       await expect(provider.exchangeAuthorizationCode(
-        mockClient,
-        authorizationCode,
-        undefined,
-        undefined,
-        'https://api.example.com/v1'
-      )).rejects.toThrow(InvalidTargetError);
+        otherClient,
+        authorizationCode
+      )).rejects.toThrow('Authorization code was not issued to this client');
     });
 
-    it('should store resource in token data', async () => {
-      // Authorize with resource
+    it('should store resource in token when provided during authorization', async () => {
       mockResponse.redirect = jest.fn();
       await provider.authorize(mockClient, {
         codeChallenge: 'test-challenge',
         redirectUri: mockClient.redirect_uris[0],
-        resource: 'https://api.example.com/v1',
+        resource: new URL('https://api.example.com/v1'),
         scopes: ['mcp:tools']
       }, mockResponse as Response);
 
@@ -165,225 +136,65 @@ describe('DemoInMemoryOAuthProvider - RFC 8707 Resource Validation', () => {
 
       const tokens = await provider.exchangeAuthorizationCode(
         mockClient,
-        codeWithResource,
-        undefined,
-        undefined,
-        'https://api.example.com/v1'
+        codeWithResource
       );
 
-      // Verify token has resource information
       const tokenDetails = provider.getTokenDetails(tokens.access_token);
-      expect(tokenDetails?.resource).toBe('https://api.example.com/v1');
-    });
-  });
-
-  describe('Refresh token with resource validation', () => {
-    it('should validate resource when exchanging refresh token', async () => {
-      mockClient.allowed_resources = ['https://api.example.com/v1'];
-      await clientsStore.registerClient(mockClient);
-
-      await expect(provider.exchangeRefreshToken(
-        mockClient,
-        'refresh-token',
-        undefined,
-        'https://api.forbidden.com'
-      )).rejects.toThrow(InvalidTargetError);
+      expect(tokenDetails?.resource).toEqual(new URL('https://api.example.com/v1'));
     });
   });
 
-  describe('Allowed resources management', () => {
-    it('should update allowed resources for a client', async () => {
+  describe('Token verification', () => {
+    it('should verify valid access token', async () => {
       await clientsStore.registerClient(mockClient);
       
-      // Initially no resources configured
-      await expect(provider.authorize(mockClient, {
+      await provider.authorize(mockClient, {
         codeChallenge: 'test-challenge',
         redirectUri: mockClient.redirect_uris[0],
-        resource: 'https://any.api.com',
         scopes: ['mcp:tools']
-      }, mockResponse as Response)).resolves.not.toThrow();
-
-      // Set allowed resources
-      clientsStore.setAllowedResources(mockClient.client_id, ['https://api.example.com/v1']);
+      }, mockResponse as Response);
 
-      // Now should reject unauthorized resources
-      await expect(provider.authorize(mockClient, {
-        codeChallenge: 'test-challenge',
-        redirectUri: mockClient.redirect_uris[0],
-        resource: 'https://any.api.com',
-        scopes: ['mcp:tools']
-      }, mockResponse as Response)).rejects.toThrow(InvalidTargetError);
-    });
-  });
+      const redirectCall = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
+      const url = new URL(redirectCall);
+      const code = url.searchParams.get('code')!;
 
-  describe('Server URL validation configuration', () => {
-    it('should throw error when validateResourceMatchesServer is true but serverUrl is not set', () => {
-      const invalidConfig: DemoOAuthProviderConfig = {
-        validateResourceMatchesServer: true
-        // serverUrl is missing
-      };
+      const tokens = await provider.exchangeAuthorizationCode(mockClient, code);
+      const tokenInfo = await provider.verifyAccessToken(tokens.access_token);
 
-      expect(() => {
-        new DemoInMemoryAuthProvider(invalidConfig);
-      }).toThrow("serverUrl must be configured when validateResourceMatchesServer is true");
+      expect(tokenInfo.clientId).toBe(mockClient.client_id);
+      expect(tokenInfo.scopes).toEqual(['mcp:tools']);
     });
 
-    describe('with server URL validation enabled', () => {
-      let strictProvider: DemoInMemoryAuthProvider;
-
-      beforeEach(() => {
-        const config: DemoOAuthProviderConfig = {
-          serverUrl: 'https://api.example.com/mcp',
-          validateResourceMatchesServer: true
-        };
-        strictProvider = new DemoInMemoryAuthProvider(config);
-        
-        strictProvider.clientsStore.registerClient(mockClient);
-      });
-
-      it('should reject authorization without resource parameter', async () => {
-        await expect(strictProvider.authorize(mockClient, {
-          codeChallenge: 'test-challenge',
-          redirectUri: mockClient.redirect_uris[0],
-          scopes: ['mcp:tools']
-          // resource is missing
-        }, mockResponse as Response)).rejects.toThrow(InvalidRequestError);
-      });
-
-      it('should reject authorization with non-matching resource', async () => {
-        await expect(strictProvider.authorize(mockClient, {
-          codeChallenge: 'test-challenge',
-          redirectUri: mockClient.redirect_uris[0],
-          resource: 'https://different.api.com/mcp',
-          scopes: ['mcp:tools']
-        }, mockResponse as Response)).rejects.toThrow(InvalidTargetError);
-      });
-
-      it('should accept authorization with matching resource', async () => {
-        await expect(strictProvider.authorize(mockClient, {
-          codeChallenge: 'test-challenge',
-          redirectUri: mockClient.redirect_uris[0],
-          resource: 'https://api.example.com/mcp',
-          scopes: ['mcp:tools']
-        }, mockResponse as Response)).resolves.not.toThrow();
-
-        expect(mockResponse.redirect).toHaveBeenCalled();
-      });
-
-      it('should handle server URL with fragment correctly', async () => {
-        const configWithFragment: DemoOAuthProviderConfig = {
-          serverUrl: 'https://api.example.com/mcp#fragment',
-          validateResourceMatchesServer: true
-        };
-        const providerWithFragment = new DemoInMemoryAuthProvider(configWithFragment);
-        
-        await providerWithFragment.clientsStore.registerClient(mockClient);
-
-        // Should accept resource without fragment
-        await expect(providerWithFragment.authorize(mockClient, {
-          codeChallenge: 'test-challenge',
-          redirectUri: mockClient.redirect_uris[0],
-          resource: 'https://api.example.com/mcp',
-          scopes: ['mcp:tools']
-        }, mockResponse as Response)).resolves.not.toThrow();
-      });
-
-      it('should reject token exchange without resource parameter', async () => {
-        // First authorize with resource
-        mockResponse.redirect = jest.fn();
-        await strictProvider.authorize(mockClient, {
-          codeChallenge: 'test-challenge',
-          redirectUri: mockClient.redirect_uris[0],
-          resource: 'https://api.example.com/mcp',
-          scopes: ['mcp:tools']
-        }, mockResponse as Response);
-
-        const redirectCall = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
-        const url = new URL(redirectCall);
-        const authCode = url.searchParams.get('code')!;
-
-        await expect(strictProvider.exchangeAuthorizationCode(
-          mockClient,
-          authCode,
-          undefined,
-          undefined
-          // resource is missing
-        )).rejects.toThrow(InvalidRequestError);
-      });
-
-      it('should reject refresh token without resource parameter', async () => {
-        await expect(strictProvider.exchangeRefreshToken(
-          mockClient,
-          'refresh-token',
-          undefined
-          // resource is missing
-        )).rejects.toThrow(InvalidRequestError);
-      });
+    it('should reject invalid token', async () => {
+      await expect(provider.verifyAccessToken('invalid-token'))
+        .rejects.toThrow('Invalid or expired token');
     });
+  });
 
-    describe('with server URL validation disabled (warning mode)', () => {
-      let warnProvider: DemoInMemoryAuthProvider;
-      let consoleWarnSpy: jest.SpyInstance;
-
-      beforeEach(() => {
-        consoleWarnSpy = jest.spyOn(console, 'warn').mockImplementation();
-        warnProvider = new DemoInMemoryAuthProvider(); // No config = warnings enabled
-        
-        warnProvider.clientsStore.registerClient(mockClient);
-      });
-
-      afterEach(() => {
-        consoleWarnSpy.mockRestore();
-      });
-
-      it('should log warning when resource is missing from authorization', async () => {
-        await warnProvider.authorize(mockClient, {
-          codeChallenge: 'test-challenge',
-          redirectUri: mockClient.redirect_uris[0],
-          scopes: ['mcp:tools']
-          // resource is missing
-        }, mockResponse as Response);
-
-        expect(consoleWarnSpy).toHaveBeenCalledWith(
-          expect.stringContaining('test-client is missing the resource parameter')
-        );
-      });
-
-      it('should not log warning when resource is present', async () => {
-        await warnProvider.authorize(mockClient, {
-          codeChallenge: 'test-challenge',
-          redirectUri: mockClient.redirect_uris[0],
-          resource: 'https://api.example.com/mcp',
-          scopes: ['mcp:tools']
-        }, mockResponse as Response);
-
-        expect(consoleWarnSpy).not.toHaveBeenCalled();
-      });
-
-      it('should log warning when resource is missing from token exchange', async () => {
-        // First authorize without resource
-        await warnProvider.authorize(mockClient, {
-          codeChallenge: 'test-challenge',
-          redirectUri: mockClient.redirect_uris[0],
-          scopes: ['mcp:tools']
-        }, mockResponse as Response);
+  describe('Refresh token', () => {
+    it('should throw error for refresh token (not implemented)', async () => {
+      await clientsStore.registerClient(mockClient);
 
-        const redirectCall = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
-        const url = new URL(redirectCall);
-        const authCode = url.searchParams.get('code')!;
+      await expect(provider.exchangeRefreshToken(
+        mockClient,
+        'refresh-token'
+      )).rejects.toThrow('Refresh tokens not implemented for example demo');
+    });
+  });
 
-        await warnProvider.exchangeAuthorizationCode(
-          mockClient,
-          authCode,
-          undefined,
-          undefined
-          // resource is missing
-        );
+  describe('Server URL validation', () => {
+    it('should accept mcpServerUrl configuration', () => {
+      const serverUrl = new URL('https://api.example.com/mcp');
+      const providerWithUrl = new DemoInMemoryAuthProvider({ mcpServerUrl: serverUrl });
+      
+      expect(providerWithUrl).toBeDefined();
+    });
 
-        expect(consoleWarnSpy).toHaveBeenCalledWith(
-          expect.stringContaining('test-client is missing the resource parameter')
-        );
-      });
+    it('should handle server URL with fragment', () => {
+      const serverUrl = new URL('https://api.example.com/mcp#fragment');
+      const providerWithUrl = new DemoInMemoryAuthProvider({ mcpServerUrl: serverUrl });
+      
+      expect(providerWithUrl).toBeDefined();
     });
   });
 });
\ No newline at end of file

From 8b9aa20b390699ef851863e28c1ef7a52adbe2ec Mon Sep 17 00:00:00 2001
From: Jerome <jerome@anthropic.com>
Date: Tue, 17 Jun 2025 10:18:58 +0100
Subject: [PATCH 072/147] Jerome/fix/dev oauth server required scopes change
 (#629)

* updating lock to latest version

* Added .git-blame-ignore-revs (fixes gitlens)

* Not requiring mcp:tools
---
 .git-blame-ignore-revs                      | 0
 package-lock.json                           | 4 ++--
 src/examples/server/simpleStreamableHttp.ts | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
 create mode 100644 .git-blame-ignore-revs

diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs
new file mode 100644
index 000000000..e69de29bb
diff --git a/package-lock.json b/package-lock.json
index 40bad9fe2..c676d07f8 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.11.4",
+  "version": "1.12.3",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@modelcontextprotocol/sdk",
-      "version": "1.11.4",
+      "version": "1.12.3",
       "license": "MIT",
       "dependencies": {
         "ajv": "^6.12.6",
diff --git a/src/examples/server/simpleStreamableHttp.ts b/src/examples/server/simpleStreamableHttp.ts
index 52c49cafd..4f4241517 100644
--- a/src/examples/server/simpleStreamableHttp.ts
+++ b/src/examples/server/simpleStreamableHttp.ts
@@ -477,7 +477,7 @@ if (useOAuth) {
 
   authMiddleware = requireBearerAuth({
     verifier: tokenVerifier,
-    requiredScopes: ['mcp:tools'],
+    requiredScopes: [],
     resourceMetadataUrl: getOAuthProtectedResourceMetadataUrl(mcpServerUrl),
   });
 }

From ec0c50425ef4119f9547fcafc16f2eda95664956 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Tue, 17 Jun 2025 10:59:36 +0100
Subject: [PATCH 073/147] rm noise

---
 CLAUDE.local.md   | 125 ----------------------------------------------
 PR-DESCRIPTION.md | 111 ----------------------------------------
 2 files changed, 236 deletions(-)
 delete mode 100644 CLAUDE.local.md
 delete mode 100644 PR-DESCRIPTION.md

diff --git a/CLAUDE.local.md b/CLAUDE.local.md
deleted file mode 100644
index 9a43ac7ca..000000000
--- a/CLAUDE.local.md
+++ /dev/null
@@ -1,125 +0,0 @@
-# RFC 8707 Resource Indicators Implementation for MCP TypeScript SDK
-
-This PR implements RFC 8707 (Resource Indicators for OAuth 2.0) in the MCP TypeScript SDK, addressing critical security vulnerabilities and adding resource-scoped authorization support.
-
-## Issues Addressed
-
-- **Fixes #592**: Implements client-side resource parameter passing to prevent token confusion attacks
-- **Related to #635**: Demonstrates server-side RFC 8707 validation in the demo OAuth provider
-
-## Overview
-
-This implementation adds resource parameter support to MCP's OAuth flow, explicitly binding access tokens to specific MCP servers. This prevents malicious servers from stealing OAuth tokens intended for other services.
-
-## Implementation Summary
-
-### 1. Core Auth Infrastructure
-
-#### Client-Side Changes (`src/client/`)
-- **auth.ts**: Added resource parameter support to authorization and token exchange flows
-- **Transport layers** (sse.ts, streamableHttp.ts): Automatically extract canonical server URIs for resource parameter
-
-#### Server-Side Changes (`src/server/auth/`)
-- **handlers/**: Updated authorize and token handlers to accept and pass through resource parameters
-- **provider.ts**: Extended provider interface to support resource parameters
-- **errors.ts**: Added `InvalidTargetError` for RFC 8707 compliance
-
-#### Shared Utilities (`src/shared/`)
-- **auth-utils.ts**: Created utilities for resource URI validation and canonicalization
-- **auth.ts**: Updated OAuth schemas to include resource parameter
-
-### 2. Demo OAuth Provider Enhancement (`src/examples/server/`)
-
-The demo provider demonstrates how to implement RFC 8707 validation:
-- Optional resource validation during authorization (via `DemoOAuthProviderConfig`)
-- Resource consistency checks during token exchange
-- Resource information included in token introspection
-- Support for validating resources against a configured server URL
-- Client-specific resource allowlists
-
-### 3. Resource URI Requirements
-
-Resource URIs follow RFC 8707 requirements:
-- **MUST NOT** include fragments (automatically removed by the SDK)
-- The SDK preserves all other URL components (scheme, host, port, path, query) exactly as provided
-- No additional canonicalization is performed to maintain compatibility with various server configurations
-
-## Client vs Server Implementation Differences
-
-### Client-Side Implementation
-- **Automatic resource extraction**: Transports automatically determine the server URI for resource parameter
-- **Transparent integration**: Resource parameter is added without changing existing auth APIs
-- **Fragment removal**: Fragments are automatically removed from URIs per RFC 8707
-- **Focus**: Ensuring resource parameter is correctly included in all OAuth requests
-
-### Server-Side Implementation
-- **Core handlers**: Pass through resource parameter without validation
-- **Demo provider**: Shows how to implement resource validation
-- **Provider flexibility**: Auth providers decide how to enforce resource restrictions
-- **Backward compatibility**: Servers work with clients that don't send resource parameter
-- **Focus**: Demonstrating best practices for resource validation
-
-## Testing Approach Differences
-
-### Client-Side Tests
-- **Unit tests**: Verify resource parameter is included in auth URLs and token requests
-- **Validation tests**: Ensure resource URI validation and canonicalization work correctly
-- **Integration focus**: Test interaction between transport layer and auth module
-
-### Server-Side Tests
-- **Handler tests**: Verify resource parameter is accepted and passed to providers
-- **Demo provider tests**: Comprehensive tests for server URL validation and client-specific allowlists
-- **Security tests**: Verify invalid resources are rejected with proper errors
-- **Configuration tests**: Test various demo provider configurations
-- **End-to-end tests**: Full OAuth flow with resource validation
-
-## Security Considerations
-
-1. **Token Binding**: Tokens are explicitly bound to the resource they're intended for
-2. **Validation**: Both client and server validate resource URIs to prevent attacks
-3. **Consistency**: Resource must match between authorization and token exchange
-4. **Introspection**: Resource information is included in token introspection responses
-
-## Migration Guide
-
-### For Client Developers
-No changes required - the SDK automatically includes the resource parameter based on the server URL.
-
-### For Server Developers
-1. Core server handlers automatically pass through the resource parameter
-2. Custom auth providers can implement resource validation as shown in the demo provider
-3. Demo provider configuration options:
-   - `serverUrl`: The canonical URL of the MCP server
-   - `validateResourceMatchesServer`: Enable strict resource validation
-4. Return `invalid_target` error for unauthorized resources
-5. Include resource in token introspection responses
-
-## Example Usage
-
-```typescript
-// Client automatically includes resource parameter
-const transport = new StreamableHttpClientTransport(
-  'https://api.example.com/mcp',
-  authProvider
-);
-
-// Demo provider configuration with resource validation
-const demoProviderConfig = {
-  serverUrl: 'https://api.example.com/mcp',
-  validateResourceMatchesServer: true  // Makes resource required and validates it
-};
-const provider = new DemoInMemoryAuthProvider(demoProviderConfig);
-```
-
-## Future Enhancements
-
-1. Add support for multiple resource parameters (RFC 8707 allows arrays)
-2. Implement resource-specific scope restrictions
-3. Add telemetry for resource parameter usage
-4. Create migration tooling for existing deployments
-
-## References
-
-- [RFC 8707 - Resource Indicators for OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc8707)
-- [OAuth 2.0 Security Best Current Practice](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics)
-- [MCP Issue #544 - Security Vulnerability](https://github.com/modelcontextprotocol/modelcontextprotocol/issues/544)
\ No newline at end of file
diff --git a/PR-DESCRIPTION.md b/PR-DESCRIPTION.md
deleted file mode 100644
index b4e48cbd2..000000000
--- a/PR-DESCRIPTION.md
+++ /dev/null
@@ -1,111 +0,0 @@
-# RFC 8707 Resource Indicators Implementation
-
-<!-- Provide a brief summary of your changes -->
-Implements RFC 8707 (Resource Indicators for OAuth 2.0) support in the MCP TypeScript SDK. This adds the `resource` parameter to OAuth authorization and token exchange flows, allowing access tokens to be explicitly bound to specific MCP servers. The implementation includes automatic resource extraction in client transports, server-side parameter passing, and demonstrates resource validation in the demo OAuth provider.
-
-(Fixes #592, Related to #635)
-
-## Motivation and Context
-<!-- Why is this change needed? What problem does it solve? -->
-This change addresses critical security vulnerabilities identified in https://github.com/modelcontextprotocol/modelcontextprotocol/issues/544. Without resource indicators, OAuth tokens intended for one MCP server could be stolen and misused by malicious servers. RFC 8707 prevents these token confusion attacks by explicitly binding tokens to their intended resources.
-
-Key problems solved:
-- Prevents token theft/confusion attacks where a malicious MCP server steals tokens meant for other services
-- Enables fine-grained access control by restricting OAuth clients to specific resources
-- Improves security posture by following OAuth 2.0 Security Best Current Practice recommendations
-
-## How Has This Been Tested?
-<!-- Have you tested this in a real application? Which scenarios were tested? -->
-Comprehensive test coverage has been added:
-
-**Client-side testing:**
-- Unit tests verify resource parameter inclusion in authorization URLs and token requests (512 new lines in auth.test.ts)
-- Transport layer tests ensure automatic resource extraction works correctly
-- Fragment removal and URI validation tests
-
-**Server-side testing:**
-- Authorization handler tests for resource parameter acceptance
-- Token handler tests for resource parameter passing
-- Demo provider tests for resource restrictions and validation (including server URL validation)
-- Proxy provider tests for resource parameter forwarding
-
-**Integration testing:**
-- End-to-end OAuth flow with resource validation
-- Resource validation example demonstrating real-world usage patterns
-- Tests for both clients with and without resource restrictions
-
-## Breaking Changes
-
-While the change is breaking at a protocol level, it should not require code changes from SDK users (just SDK version bumping).
-
-- **Client developers**: No code changes required. The SDK automatically extracts and includes the resource parameter from the server URL
-- **Server developers**: The core server handlers now pass through the resource parameter. Resource validation is demonstrated in the demo provider but remains optional for custom providers
-- **Auth providers**: Should be updated to accept and handle the resource parameter. The demo provider shows how to implement server URL validation and client-specific resource restrictions
-
-## Types of changes
-<!-- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
-- [x] Bug fix (non-breaking change which fixes an issue)
-- [x] New feature (non-breaking change which adds functionality)
-- [ ] Breaking change (fix or feature that would cause existing functionality to change)
-- [ ] Documentation update
-
-## Checklist
-<!-- Go over all the following points, and put an `x` in all the boxes that apply. -->
-- [x] I have read the [MCP Documentation](https://modelcontextprotocol.io)
-- [x] My code follows the repository's style guidelines
-- [x] New and existing tests pass locally
-- [x] I have added appropriate error handling
-- [x] I have added or updated documentation as needed
-
-## Additional context
-<!-- Add any other context, implementation notes, or design decisions -->
-
-### Server-Side Implementation Approach
-
-The core server implementation focuses on passing through the resource parameter without enforcing validation, maintaining backward compatibility and flexibility. The demo provider demonstrates how to implement RFC 8707 validation:
-
-1. **Core Server**: Handlers accept and forward the resource parameter to auth providers without validation
-2. **Demo Provider**: Shows how to implement comprehensive resource validation including:
-   - Server URL matching validation (configurable via `DemoOAuthProviderConfig`)
-   - Client-specific resource allowlists
-   - Warning logs for missing resource parameters
-   - Consistent resource validation between authorization and token exchange
-
-This separation allows:
-- Existing providers to continue working without modification
-- New providers to implement validation according to their security requirements
-- Gradual migration to RFC 8707 compliance
-- Different validation strategies for different deployment scenarios
-
-### Implementation Approach
-
-Resource URIs are used as-is with only fragment removal (per RFC requirement). This allows having different MCP servers under different subpaths (even w/ different query URLs) w/o sharing spilling their resource authorization to each other (to allow a variety of MCP server federation use cases).
-
-### Key Components Added
-1. **Shared utilities** (`auth-utils.ts`): Resource URI handling and validation
-2. **Client auth** modifications: Resource parameter support in authorization/token flows
-3. **Transport layers**: Automatic resource extraction from server URLs
-4. **Server handlers**: Resource parameter acceptance and forwarding
-5. **Demo provider**: Full RFC 8707 implementation with resource validation
-6. **Error handling**: New `InvalidTargetError` for RFC 8707 compliance
-
-### Example Usage
-```typescript
-// Client-side (automatic)
-const transport = new StreamableHttpClientTransport(
-  'https://api.example.com/mcp',
-  authProvider
-);
-
-// Demo provider configuration with validation
-const demoProviderConfig = {
-  serverUrl: 'https://api.example.com/mcp',
-  validateResourceMatchesServer: true  // Makes resource required and validates it matches serverUrl
-};
-const provider = new DemoInMemoryAuthProvider(demoProviderConfig);
-```
-
-### References
-- [RFC 8707 - Resource Indicators for OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc8707)
-- Fixes #592: OAuth token confusion vulnerability - client-side resource parameter support
-- Related to #635: Demonstrates server-side RFC 8707 validation in demo provider
\ No newline at end of file

From b16a415623442f4f9e3f3385555afcdc30cf4fa3 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Tue, 17 Jun 2025 11:15:38 +0100
Subject: [PATCH 074/147] cleanups

---
 src/client/auth.test.ts                       | 27 +++++++------------
 src/client/auth.ts                            | 16 ++++-------
 src/client/sse.ts                             |  3 ---
 src/client/streamableHttp.ts                  |  3 ---
 .../server/demoInMemoryOAuthProvider.ts       | 12 +++++++--
 src/examples/server/simpleStreamableHttp.ts   |  7 +----
 src/server/auth/handlers/authorize.ts         |  3 ---
 src/server/auth/handlers/token.ts             |  6 -----
 8 files changed, 25 insertions(+), 52 deletions(-)

diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
index 44516130a..2cd9a2d19 100644
--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -938,8 +938,7 @@ describe("OAuth Authorization", () => {
 
       // Call the auth function with a resource that has a fragment
       const result = await auth(mockProvider, {
-        serverUrl: "https://resource.example.com",
-        resource: new URL("https://api.example.com/mcp-server#fragment"),
+        serverUrl: "https://api.example.com/mcp-server#fragment",
       });
 
       expect(result).toBe("REDIRECT");
@@ -987,8 +986,7 @@ describe("OAuth Authorization", () => {
 
       // Call auth without authorization code (should trigger redirect)
       const result = await auth(mockProvider, {
-        serverUrl: "https://resource.example.com",
-        resource: new URL("https://api.example.com/mcp-server"),
+        serverUrl: "https://api.example.com/mcp-server",
       });
 
       expect(result).toBe("REDIRECT");
@@ -1048,9 +1046,8 @@ describe("OAuth Authorization", () => {
 
       // Call auth with authorization code
       const result = await auth(mockProvider, {
-        serverUrl: "https://resource.example.com",
+        serverUrl: "https://api.example.com/mcp-server",
         authorizationCode: "auth-code-123",
-        resource: new URL("https://api.example.com/mcp-server"),
       });
 
       expect(result).toBe("AUTHORIZED");
@@ -1111,8 +1108,7 @@ describe("OAuth Authorization", () => {
 
       // Call auth with existing tokens (should trigger refresh)
       const result = await auth(mockProvider, {
-        serverUrl: "https://resource.example.com",
-        resource: new URL("https://api.example.com/mcp-server"),
+        serverUrl: "https://api.example.com/mcp-server",
       });
 
       expect(result).toBe("AUTHORIZED");
@@ -1160,8 +1156,7 @@ describe("OAuth Authorization", () => {
 
       // Call auth with empty resource parameter
       const result = await auth(mockProvider, {
-        serverUrl: "https://resource.example.com",
-        resource: undefined,
+        serverUrl: "https://api.example.com/mcp-server",
       });
 
       expect(result).toBe("REDIRECT");
@@ -1203,8 +1198,7 @@ describe("OAuth Authorization", () => {
 
       // Call auth with resource containing multiple # symbols
       const result = await auth(mockProvider, {
-        serverUrl: "https://resource.example.com",
-        resource: new URL("https://api.example.com/mcp-server#fragment#another"),
+        serverUrl: "https://api.example.com/mcp-server#fragment#another",
       });
 
       expect(result).toBe("REDIRECT");
@@ -1248,8 +1242,7 @@ describe("OAuth Authorization", () => {
       // This tests the security fix that prevents token confusion between
       // multiple MCP servers on the same domain
       const result1 = await auth(mockProvider, {
-        serverUrl: "https://api.example.com",
-        resource: new URL("https://api.example.com/mcp-server-1/v1"),
+        serverUrl: "https://api.example.com/mcp-server-1/v1",
       });
 
       expect(result1).toBe("REDIRECT");
@@ -1263,8 +1256,7 @@ describe("OAuth Authorization", () => {
 
       // Test with different path on same domain
       const result2 = await auth(mockProvider, {
-        serverUrl: "https://api.example.com",
-        resource: new URL("https://api.example.com/mcp-server-2/v1"),
+        serverUrl: "https://api.example.com/mcp-server-2/v1",
       });
 
       expect(result2).toBe("REDIRECT");
@@ -1308,8 +1300,7 @@ describe("OAuth Authorization", () => {
 
       // Call auth with resource containing query parameters
       const result = await auth(mockProvider, {
-        serverUrl: "https://resource.example.com",
-        resource: new URL("https://api.example.com/mcp-server?param=value&another=test"),
+        serverUrl: "https://api.example.com/mcp-server?param=value&another=test",
       });
 
       expect(result).toBe("REDIRECT");
diff --git a/src/client/auth.ts b/src/client/auth.ts
index e465ea3be..681cde997 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -94,19 +94,13 @@ export async function auth(
     authorizationCode,
     scope,
     resourceMetadataUrl,
-    resource
   }: {
     serverUrl: string | URL;
     authorizationCode?: string;
     scope?: string;
-    resourceMetadataUrl?: URL;
-    resource?: URL }): Promise<AuthResult> {
+    resourceMetadataUrl?: URL }): Promise<AuthResult> {
 
-  // Remove fragment from resource parameter if provided
-  let canonicalResource: URL | undefined;
-  if (resource) {
-    canonicalResource = resourceUrlFromServerUrl(new URL(resource));
-  }
+  const resource = resourceUrlFromServerUrl(typeof serverUrl === "string" ? new URL(serverUrl) : serverUrl);
 
   let authorizationServerUrl = serverUrl;
   try {
@@ -151,7 +145,7 @@ export async function auth(
       authorizationCode,
       codeVerifier,
       redirectUri: provider.redirectUrl,
-      resource: canonicalResource,
+      resource,
     });
 
     await provider.saveTokens(tokens);
@@ -168,7 +162,7 @@ export async function auth(
         metadata,
         clientInformation,
         refreshToken: tokens.refresh_token,
-        resource: canonicalResource,
+        resource,
       });
 
       await provider.saveTokens(newTokens);
@@ -187,7 +181,7 @@ export async function auth(
     state,
     redirectUrl: provider.redirectUrl,
     scope: scope || provider.clientMetadata.scope,
-    resource: canonicalResource,
+    resource,
   });
 
   await provider.saveCodeVerifier(codeVerifier);
diff --git a/src/client/sse.ts b/src/client/sse.ts
index 41f21de65..7a500c6be 100644
--- a/src/client/sse.ts
+++ b/src/client/sse.ts
@@ -90,7 +90,6 @@ export class SSEClientTransport implements Transport {
       result = await auth(this._authProvider, { 
         serverUrl: this._url, 
         resourceMetadataUrl: this._resourceMetadataUrl,
-        resource: resourceUrlFromServerUrl(new URL(this._url))
       });
     } catch (error) {
       this.onerror?.(error as Error);
@@ -210,7 +209,6 @@ export class SSEClientTransport implements Transport {
       serverUrl: this._url, 
       authorizationCode, 
       resourceMetadataUrl: this._resourceMetadataUrl,
-      resource: resourceUrlFromServerUrl(new URL(this._url))
     });
     if (result !== "AUTHORIZED") {
       throw new UnauthorizedError("Failed to authorize");
@@ -249,7 +247,6 @@ export class SSEClientTransport implements Transport {
           const result = await auth(this._authProvider, { 
             serverUrl: this._url, 
             resourceMetadataUrl: this._resourceMetadataUrl,
-            resource: resourceUrlFromServerUrl(new URL(this._url))
           });
           if (result !== "AUTHORIZED") {
             throw new UnauthorizedError();
diff --git a/src/client/streamableHttp.ts b/src/client/streamableHttp.ts
index 3534fb459..85a0ad105 100644
--- a/src/client/streamableHttp.ts
+++ b/src/client/streamableHttp.ts
@@ -153,7 +153,6 @@ export class StreamableHTTPClientTransport implements Transport {
       result = await auth(this._authProvider, { 
         serverUrl: this._url, 
         resourceMetadataUrl: this._resourceMetadataUrl,
-        resource: resourceUrlFromServerUrl(new URL(this._url))
       });
     } catch (error) {
       this.onerror?.(error as Error);
@@ -371,7 +370,6 @@ export class StreamableHTTPClientTransport implements Transport {
       serverUrl: this._url, 
       authorizationCode, 
       resourceMetadataUrl: this._resourceMetadataUrl,
-      resource: resourceUrlFromServerUrl(new URL(this._url))
     });
     if (result !== "AUTHORIZED") {
       throw new UnauthorizedError("Failed to authorize");
@@ -423,7 +421,6 @@ export class StreamableHTTPClientTransport implements Transport {
           const result = await auth(this._authProvider, { 
             serverUrl: this._url, 
             resourceMetadataUrl: this._resourceMetadataUrl,
-            resource: resourceUrlFromServerUrl(new URL(this._url))
           });
           if (result !== "AUTHORIZED") {
             throw new UnauthorizedError();
diff --git a/src/examples/server/demoInMemoryOAuthProvider.ts b/src/examples/server/demoInMemoryOAuthProvider.ts
index 316d1f8a4..d6a643986 100644
--- a/src/examples/server/demoInMemoryOAuthProvider.ts
+++ b/src/examples/server/demoInMemoryOAuthProvider.ts
@@ -21,6 +21,14 @@ export class DemoInMemoryClientsStore implements OAuthRegisteredClientsStore {
   }
 }
 
+/**
+ * 🚨 DEMO ONLY - NOT FOR PRODUCTION
+ *
+ * This example demonstrates MCP OAuth flow but lacks some of the features required for production use,
+ * for example:
+ * - Persistent token storage
+ * - Rate limiting
+ */
 export class DemoInMemoryAuthProvider implements OAuthServerProvider {
   clientsStore = new DemoInMemoryClientsStore();
   private codes = new Map<string, {
@@ -119,12 +127,12 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
   }
 
   async exchangeRefreshToken(
-    client: OAuthClientInformationFull,
+    _client: OAuthClientInformationFull,
     _refreshToken: string,
     _scopes?: string[],
     resource?: URL
   ): Promise<OAuthTokens> {
-    throw new Error('Refresh tokens not implemented for example demo');
+    throw new Error('Not implemented for example demo');
   }
 
   async verifyAccessToken(token: string): Promise<AuthInfo> {
diff --git a/src/examples/server/simpleStreamableHttp.ts b/src/examples/server/simpleStreamableHttp.ts
index 65b6263ec..da5e740a6 100644
--- a/src/examples/server/simpleStreamableHttp.ts
+++ b/src/examples/server/simpleStreamableHttp.ts
@@ -282,12 +282,7 @@ if (useOAuth) {
   const mcpServerUrl = new URL(`http://localhost:${MCP_PORT}`);
   const authServerUrl = new URL(`http://localhost:${AUTH_PORT}`);
 
-  // Configure the demo auth provider to validate resources match this server
-  const demoProviderConfig = {
-    serverUrl: mcpServerUrl.href,
-    validateResourceMatchesServer: false // Set to true to enable strict validation
-  };
-  const oauthMetadata: OAuthMetadata = setupAuthServer(authServerUrl, demoProviderConfig);
+  const oauthMetadata: OAuthMetadata = setupAuthServer(authServerUrl, mcpServerUrl);
 
   const tokenVerifier = {
     verifyAccessToken: async (token: string) => {
diff --git a/src/server/auth/handlers/authorize.ts b/src/server/auth/handlers/authorize.ts
index 17c88b45a..0a6283a8b 100644
--- a/src/server/auth/handlers/authorize.ts
+++ b/src/server/auth/handlers/authorize.ts
@@ -119,9 +119,6 @@ export function authorizationHandler({ provider, rateLimit: rateLimitConfig }: A
       const { scope, code_challenge, resource } = parseResult.data;
       state = parseResult.data.state;
 
-      // Pass through the resource parameter to the provider
-      // The provider can decide how to validate it
-
       // Validate scopes
       let requestedScopes: string[] = [];
       if (scope !== undefined) {
diff --git a/src/server/auth/handlers/token.ts b/src/server/auth/handlers/token.ts
index 3ffd4cf28..1d97805bc 100644
--- a/src/server/auth/handlers/token.ts
+++ b/src/server/auth/handlers/token.ts
@@ -93,9 +93,6 @@ export function tokenHandler({ provider, rateLimit: rateLimitConfig }: TokenHand
 
           const { code, code_verifier, redirect_uri, resource } = parseResult.data;
 
-          // Pass through the resource parameter to the provider
-          // The provider can decide how to validate it
-
           const skipLocalPkceValidation = provider.skipLocalPkceValidation;
 
           // Perform local PKCE validation unless explicitly skipped 
@@ -127,9 +124,6 @@ export function tokenHandler({ provider, rateLimit: rateLimitConfig }: TokenHand
 
           const { refresh_token, scope, resource } = parseResult.data;
 
-          // Pass through the resource parameter to the provider
-          // The provider can decide how to validate it
-
           const scopes = scope?.split(" ");
           const tokens = await provider.exchangeRefreshToken(client, refresh_token, scopes, resource ? new URL(resource) : undefined);
           res.status(200).json(tokens);

From badb5dc990d9d782dbe41cd7f010c140e8308f53 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Tue, 17 Jun 2025 11:23:41 +0100
Subject: [PATCH 075/147] fix tests

---
 src/client/auth.test.ts                               | 9 +++++----
 src/examples/server/demoInMemoryOAuthProvider.test.ts | 2 +-
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
index 2cd9a2d19..9ee4e6cf2 100644
--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -1125,7 +1125,7 @@ describe("OAuth Authorization", () => {
       expect(body.get("refresh_token")).toBe("refresh123");
     });
 
-    it("handles empty resource parameter", async () => {
+    it("handles derived resource parameter from serverUrl", async () => {
       // Mock successful metadata discovery
       mockFetch.mockImplementation((url) => {
         const urlString = url.toString();
@@ -1154,17 +1154,18 @@ describe("OAuth Authorization", () => {
       (mockProvider.saveCodeVerifier as jest.Mock).mockResolvedValue(undefined);
       (mockProvider.redirectToAuthorization as jest.Mock).mockResolvedValue(undefined);
 
-      // Call auth with empty resource parameter
+      // Call auth with just serverUrl (resource is derived from it)
       const result = await auth(mockProvider, {
         serverUrl: "https://api.example.com/mcp-server",
       });
 
       expect(result).toBe("REDIRECT");
 
-      // Verify that empty resource is not included in the URL
+      // Verify that resource parameter is always included (derived from serverUrl)
       const redirectCall = (mockProvider.redirectToAuthorization as jest.Mock).mock.calls[0];
       const authUrl: URL = redirectCall[0];
-      expect(authUrl.searchParams.has("resource")).toBe(false);
+      expect(authUrl.searchParams.has("resource")).toBe(true);
+      expect(authUrl.searchParams.get("resource")).toBe("https://api.example.com/mcp-server");
     });
 
     it("handles resource with multiple fragments", async () => {
diff --git a/src/examples/server/demoInMemoryOAuthProvider.test.ts b/src/examples/server/demoInMemoryOAuthProvider.test.ts
index 9bdcfdfa6..e3a478131 100644
--- a/src/examples/server/demoInMemoryOAuthProvider.test.ts
+++ b/src/examples/server/demoInMemoryOAuthProvider.test.ts
@@ -178,7 +178,7 @@ describe('DemoInMemoryOAuthProvider', () => {
       await expect(provider.exchangeRefreshToken(
         mockClient,
         'refresh-token'
-      )).rejects.toThrow('Refresh tokens not implemented for example demo');
+      )).rejects.toThrow('Not implemented for example demo');
     });
   });
 

From 4f708a777f5bfd81bd590a4d647b310038beb551 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Tue, 17 Jun 2025 11:38:00 +0100
Subject: [PATCH 076/147] update latest protocol version

---
 src/client/auth.test.ts                            |  3 ++-
 .../stateManagementStreamableHttp.test.ts          | 14 +++++++-------
 src/types.test.ts                                  |  3 ++-
 src/types.ts                                       |  3 ++-
 4 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
index 1b9fb0712..8f415c17f 100644
--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -1,3 +1,4 @@
+import { LATEST_PROTOCOL_VERSION } from '../types.js';
 import {
   discoverOAuthMetadata,
   startAuthorization,
@@ -202,7 +203,7 @@ describe("OAuth Authorization", () => {
       const [url, options] = calls[0];
       expect(url.toString()).toBe("https://auth.example.com/.well-known/oauth-authorization-server");
       expect(options.headers).toEqual({
-        "MCP-Protocol-Version": "2025-03-26"
+        "MCP-Protocol-Version": LATEST_PROTOCOL_VERSION
       });
     });
 
diff --git a/src/integration-tests/stateManagementStreamableHttp.test.ts b/src/integration-tests/stateManagementStreamableHttp.test.ts
index d12a4f993..4a191134b 100644
--- a/src/integration-tests/stateManagementStreamableHttp.test.ts
+++ b/src/integration-tests/stateManagementStreamableHttp.test.ts
@@ -5,7 +5,7 @@ import { Client } from '../client/index.js';
 import { StreamableHTTPClientTransport } from '../client/streamableHttp.js';
 import { McpServer } from '../server/mcp.js';
 import { StreamableHTTPServerTransport } from '../server/streamableHttp.js';
-import { CallToolResultSchema, ListToolsResultSchema, ListResourcesResultSchema, ListPromptsResultSchema, DEFAULT_NEGOTIATED_PROTOCOL_VERSION } from '../types.js';
+import { CallToolResultSchema, ListToolsResultSchema, ListResourcesResultSchema, ListPromptsResultSchema, LATEST_PROTOCOL_VERSION } from '../types.js';
 import { z } from 'zod';
 
 describe('Streamable HTTP Transport Session Management', () => {
@@ -145,7 +145,7 @@ describe('Streamable HTTP Transport Session Management', () => {
         params: {}
       }, ListToolsResultSchema);
 
-      
+
     });
     it('should operate without session management', async () => {
       // Create and connect a client
@@ -220,15 +220,15 @@ describe('Streamable HTTP Transport Session Management', () => {
       });
 
       const transport = new StreamableHTTPClientTransport(baseUrl);
-      
+
       // Verify protocol version is not set before connecting
       expect(transport.protocolVersion).toBeUndefined();
-      
+
       await client.connect(transport);
-      
+
       // Verify protocol version is set after connecting
-      expect(transport.protocolVersion).toBe(DEFAULT_NEGOTIATED_PROTOCOL_VERSION);
-      
+      expect(transport.protocolVersion).toBe(LATEST_PROTOCOL_VERSION);
+
       // Clean up
       await transport.close();
     });
diff --git a/src/types.test.ts b/src/types.test.ts
index bc1091105..0115f2eda 100644
--- a/src/types.test.ts
+++ b/src/types.test.ts
@@ -12,7 +12,7 @@ describe("Types", () => {
 
     test("should have correct latest protocol version", () => {
         expect(LATEST_PROTOCOL_VERSION).toBeDefined();
-        expect(LATEST_PROTOCOL_VERSION).toBe("2025-03-26");
+        expect(LATEST_PROTOCOL_VERSION).toBe("2025-06-17");
     });
     test("should have correct supported protocol versions", () => {
         expect(SUPPORTED_PROTOCOL_VERSIONS).toBeDefined();
@@ -20,6 +20,7 @@ describe("Types", () => {
         expect(SUPPORTED_PROTOCOL_VERSIONS).toContain(LATEST_PROTOCOL_VERSION);
         expect(SUPPORTED_PROTOCOL_VERSIONS).toContain("2024-11-05");
         expect(SUPPORTED_PROTOCOL_VERSIONS).toContain("2024-10-07");
+        expect(SUPPORTED_PROTOCOL_VERSIONS).toContain("2025-03-26");
     });
 
     describe("ResourceLink", () => {
diff --git a/src/types.ts b/src/types.ts
index 1f7f6fa0d..a6f596233 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -1,9 +1,10 @@
 import { z, ZodTypeAny } from "zod";
 
-export const LATEST_PROTOCOL_VERSION = "2025-03-26";
+export const LATEST_PROTOCOL_VERSION = "2025-06-17";
 export const DEFAULT_NEGOTIATED_PROTOCOL_VERSION = "2025-03-26";
 export const SUPPORTED_PROTOCOL_VERSIONS = [
   LATEST_PROTOCOL_VERSION,
+  "2025-03-26",
   "2024-11-05",
   "2024-10-07",
 ];

From 515abb492fc722bc5925d777685147d5fc746580 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Tue, 17 Jun 2025 11:53:26 +0100
Subject: [PATCH 077/147] fix lints

---
 src/client/sse.ts                                | 1 -
 src/client/streamableHttp.ts                     | 1 -
 src/examples/server/demoInMemoryOAuthProvider.ts | 2 +-
 3 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/client/sse.ts b/src/client/sse.ts
index 7a500c6be..0a238d98d 100644
--- a/src/client/sse.ts
+++ b/src/client/sse.ts
@@ -2,7 +2,6 @@ import { EventSource, type ErrorEvent, type EventSourceInit } from "eventsource"
 import { Transport } from "../shared/transport.js";
 import { JSONRPCMessage, JSONRPCMessageSchema } from "../types.js";
 import { auth, AuthResult, extractResourceMetadataUrl, OAuthClientProvider, UnauthorizedError } from "./auth.js";
-import { resourceUrlFromServerUrl } from "../shared/auth-utils.js";
 
 export class SseError extends Error {
   constructor(
diff --git a/src/client/streamableHttp.ts b/src/client/streamableHttp.ts
index 85a0ad105..c810588f9 100644
--- a/src/client/streamableHttp.ts
+++ b/src/client/streamableHttp.ts
@@ -2,7 +2,6 @@ import { Transport } from "../shared/transport.js";
 import { isInitializedNotification, isJSONRPCRequest, isJSONRPCResponse, JSONRPCMessage, JSONRPCMessageSchema } from "../types.js";
 import { auth, AuthResult, extractResourceMetadataUrl, OAuthClientProvider, UnauthorizedError } from "./auth.js";
 import { EventSourceParserStream } from "eventsource-parser/stream";
-import { resourceUrlFromServerUrl } from "../shared/auth-utils.js";
 
 // Default reconnection options for StreamableHTTP connections
 const DEFAULT_STREAMABLE_HTTP_RECONNECTION_OPTIONS: StreamableHTTPReconnectionOptions = {
diff --git a/src/examples/server/demoInMemoryOAuthProvider.ts b/src/examples/server/demoInMemoryOAuthProvider.ts
index d6a643986..3133e4552 100644
--- a/src/examples/server/demoInMemoryOAuthProvider.ts
+++ b/src/examples/server/demoInMemoryOAuthProvider.ts
@@ -130,7 +130,7 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
     _client: OAuthClientInformationFull,
     _refreshToken: string,
     _scopes?: string[],
-    resource?: URL
+    _resource?: URL
   ): Promise<OAuthTokens> {
     throw new Error('Not implemented for example demo');
   }

From 741a201a3d4bff3e98bb1003b444414f9602100e Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Tue, 17 Jun 2025 12:35:29 +0100
Subject: [PATCH 078/147] remove hasCustomTitle

---
 src/shared/metadataUtils.ts | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/src/shared/metadataUtils.ts b/src/shared/metadataUtils.ts
index 410827a5f..0119a6691 100644
--- a/src/shared/metadataUtils.ts
+++ b/src/shared/metadataUtils.ts
@@ -15,7 +15,7 @@ export function getDisplayName(metadata: BaseMetadata): string {
   if (metadata.title !== undefined && metadata.title !== '') {
     return metadata.title;
   }
-  
+
   // Then check for annotations.title (only present in Tool objects)
   if ('annotations' in metadata) {
     const metadataWithAnnotations = metadata as BaseMetadata & { annotations?: { title?: string } };
@@ -23,14 +23,7 @@ export function getDisplayName(metadata: BaseMetadata): string {
       return metadataWithAnnotations.annotations.title;
     }
   }
-  
+
   // Finally fall back to name
   return metadata.name;
 }
-
-/**
- * Checks if an object has a custom title different from its name.
- */
-export function hasCustomTitle(metadata: BaseMetadata): boolean {
-  return metadata.title !== undefined && metadata.title !== metadata.name;
-}
\ No newline at end of file

From 40f61d88a0e02f0e710cf19c053c562bf47de54f Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Tue, 17 Jun 2025 17:05:34 +0100
Subject: [PATCH 079/147] show how to enable strict resource checking in mcp
 server

---
 .../server/demoInMemoryOAuthProvider.ts       |  3 +-
 src/examples/server/simpleStreamableHttp.ts   | 18 ++++++++++-
 src/server/auth/middleware/bearerAuth.test.ts | 31 +++++++++++++------
 src/server/auth/middleware/bearerAuth.ts      |  8 ++++-
 src/server/auth/provider.ts                   |  2 +-
 5 files changed, 48 insertions(+), 14 deletions(-)

diff --git a/src/examples/server/demoInMemoryOAuthProvider.ts b/src/examples/server/demoInMemoryOAuthProvider.ts
index 3133e4552..500f59b8a 100644
--- a/src/examples/server/demoInMemoryOAuthProvider.ts
+++ b/src/examples/server/demoInMemoryOAuthProvider.ts
@@ -41,7 +41,8 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
     if (mcpServerUrl) {
       const expectedResource = resourceUrlFromServerUrl(mcpServerUrl);
       this.validateResource = (resource?: URL) => {
-        return !resource || resource.toString() !== expectedResource.toString();
+        if (!resource) return false;
+        return resource.toString() === expectedResource.toString();
       };
     }
   }
diff --git a/src/examples/server/simpleStreamableHttp.ts b/src/examples/server/simpleStreamableHttp.ts
index da5e740a6..a97fdf5a5 100644
--- a/src/examples/server/simpleStreamableHttp.ts
+++ b/src/examples/server/simpleStreamableHttp.ts
@@ -12,6 +12,13 @@ import { OAuthMetadata } from 'src/shared/auth.js';
 
 // Check for OAuth flag
 const useOAuth = process.argv.includes('--oauth');
+// Resource Indicator the OAuth tokens are checked against (RFC8707).
+const expectedOAuthResource = (iArg => iArg < 0 ? undefined: process.argv[iArg + 1])(process.argv.indexOf('--oauth-resource'));
+// Requires Resource Indicator check (implies protocol more recent than 2025-03-26)
+const strictOAuthResourceCheck = process.argv.includes('--oauth-resource-strict');
+if (strictOAuthResourceCheck && !expectedOAuthResource) {
+  throw new Error(`Strict resource indicator checking requires passing the expected resource with --oauth-resource https://...`);
+}
 
 // Create an MCP server with implementation details
 const getServer = () => {
@@ -285,7 +292,7 @@ if (useOAuth) {
   const oauthMetadata: OAuthMetadata = setupAuthServer(authServerUrl, mcpServerUrl);
 
   const tokenVerifier = {
-    verifyAccessToken: async (token: string) => {
+    verifyAccessToken: async (token: string, protocolVersion: string) => {
       const endpoint = oauthMetadata.introspection_endpoint;
 
       if (!endpoint) {
@@ -308,6 +315,15 @@ if (useOAuth) {
       }
 
       const data = await response.json();
+     
+      if (expectedOAuthResource) {
+        if (strictOAuthResourceCheck && !data.resource) {
+          throw new Error('Resource Indicator (RFC8707) missing');
+        }
+        if (data.resource && data.resource !== expectedOAuthResource) {
+          throw new Error(`Expected resource indicator ${expectedOAuthResource}, got: ${data.resource}`);
+        }
+      }
 
       // Convert the response to AuthInfo format
       return {
diff --git a/src/server/auth/middleware/bearerAuth.test.ts b/src/server/auth/middleware/bearerAuth.test.ts
index b8953e5c9..cae054d50 100644
--- a/src/server/auth/middleware/bearerAuth.test.ts
+++ b/src/server/auth/middleware/bearerAuth.test.ts
@@ -3,6 +3,7 @@ import { requireBearerAuth } from "./bearerAuth.js";
 import { AuthInfo } from "../types.js";
 import { InsufficientScopeError, InvalidTokenError, OAuthError, ServerError } from "../errors.js";
 import { OAuthTokenVerifier } from "../provider.js";
+import { LATEST_PROTOCOL_VERSION } from '../../../types.js';
 
 // Mock verifier
 const mockVerifyAccessToken = jest.fn();
@@ -42,12 +43,13 @@ describe("requireBearerAuth middleware", () => {
 
     mockRequest.headers = {
       authorization: "Bearer valid-token",
+      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     const middleware = requireBearerAuth({ verifier: mockVerifier });
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token");
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token", LATEST_PROTOCOL_VERSION);
     expect(mockRequest.auth).toEqual(validAuthInfo);
     expect(nextFunction).toHaveBeenCalled();
     expect(mockResponse.status).not.toHaveBeenCalled();
@@ -65,12 +67,13 @@ describe("requireBearerAuth middleware", () => {
 
     mockRequest.headers = {
       authorization: "Bearer expired-token",
+      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     const middleware = requireBearerAuth({ verifier: mockVerifier });
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("expired-token");
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("expired-token", LATEST_PROTOCOL_VERSION);
     expect(mockResponse.status).toHaveBeenCalledWith(401);
     expect(mockResponse.set).toHaveBeenCalledWith(
       "WWW-Authenticate",
@@ -93,12 +96,13 @@ describe("requireBearerAuth middleware", () => {
 
     mockRequest.headers = {
       authorization: "Bearer valid-token",
+      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     const middleware = requireBearerAuth({ verifier: mockVerifier });
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token");
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token", LATEST_PROTOCOL_VERSION);
     expect(mockRequest.auth).toEqual(nonExpiredAuthInfo);
     expect(nextFunction).toHaveBeenCalled();
     expect(mockResponse.status).not.toHaveBeenCalled();
@@ -115,6 +119,7 @@ describe("requireBearerAuth middleware", () => {
 
     mockRequest.headers = {
       authorization: "Bearer valid-token",
+      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     const middleware = requireBearerAuth({
@@ -124,7 +129,7 @@ describe("requireBearerAuth middleware", () => {
 
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token");
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token", LATEST_PROTOCOL_VERSION);
     expect(mockResponse.status).toHaveBeenCalledWith(403);
     expect(mockResponse.set).toHaveBeenCalledWith(
       "WWW-Authenticate",
@@ -146,6 +151,7 @@ describe("requireBearerAuth middleware", () => {
 
     mockRequest.headers = {
       authorization: "Bearer valid-token",
+      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     const middleware = requireBearerAuth({
@@ -155,7 +161,7 @@ describe("requireBearerAuth middleware", () => {
 
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token");
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token", LATEST_PROTOCOL_VERSION);
     expect(mockRequest.auth).toEqual(authInfo);
     expect(nextFunction).toHaveBeenCalled();
     expect(mockResponse.status).not.toHaveBeenCalled();
@@ -204,6 +210,7 @@ describe("requireBearerAuth middleware", () => {
   it("should return 401 when token verification fails with InvalidTokenError", async () => {
     mockRequest.headers = {
       authorization: "Bearer invalid-token",
+      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     mockVerifyAccessToken.mockRejectedValue(new InvalidTokenError("Token expired"));
@@ -211,7 +218,7 @@ describe("requireBearerAuth middleware", () => {
     const middleware = requireBearerAuth({ verifier: mockVerifier });
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("invalid-token");
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("invalid-token", LATEST_PROTOCOL_VERSION);
     expect(mockResponse.status).toHaveBeenCalledWith(401);
     expect(mockResponse.set).toHaveBeenCalledWith(
       "WWW-Authenticate",
@@ -226,6 +233,7 @@ describe("requireBearerAuth middleware", () => {
   it("should return 403 when access token has insufficient scopes", async () => {
     mockRequest.headers = {
       authorization: "Bearer valid-token",
+      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     mockVerifyAccessToken.mockRejectedValue(new InsufficientScopeError("Required scopes: read, write"));
@@ -233,7 +241,7 @@ describe("requireBearerAuth middleware", () => {
     const middleware = requireBearerAuth({ verifier: mockVerifier });
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token");
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token", LATEST_PROTOCOL_VERSION);
     expect(mockResponse.status).toHaveBeenCalledWith(403);
     expect(mockResponse.set).toHaveBeenCalledWith(
       "WWW-Authenticate",
@@ -248,6 +256,7 @@ describe("requireBearerAuth middleware", () => {
   it("should return 500 when a ServerError occurs", async () => {
     mockRequest.headers = {
       authorization: "Bearer valid-token",
+      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     mockVerifyAccessToken.mockRejectedValue(new ServerError("Internal server issue"));
@@ -255,7 +264,7 @@ describe("requireBearerAuth middleware", () => {
     const middleware = requireBearerAuth({ verifier: mockVerifier });
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token");
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token", LATEST_PROTOCOL_VERSION);
     expect(mockResponse.status).toHaveBeenCalledWith(500);
     expect(mockResponse.json).toHaveBeenCalledWith(
       expect.objectContaining({ error: "server_error", error_description: "Internal server issue" })
@@ -266,6 +275,7 @@ describe("requireBearerAuth middleware", () => {
   it("should return 400 for generic OAuthError", async () => {
     mockRequest.headers = {
       authorization: "Bearer valid-token",
+      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     mockVerifyAccessToken.mockRejectedValue(new OAuthError("custom_error", "Some OAuth error"));
@@ -273,7 +283,7 @@ describe("requireBearerAuth middleware", () => {
     const middleware = requireBearerAuth({ verifier: mockVerifier });
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token");
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token", LATEST_PROTOCOL_VERSION);
     expect(mockResponse.status).toHaveBeenCalledWith(400);
     expect(mockResponse.json).toHaveBeenCalledWith(
       expect.objectContaining({ error: "custom_error", error_description: "Some OAuth error" })
@@ -284,6 +294,7 @@ describe("requireBearerAuth middleware", () => {
   it("should return 500 when unexpected error occurs", async () => {
     mockRequest.headers = {
       authorization: "Bearer valid-token",
+      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     mockVerifyAccessToken.mockRejectedValue(new Error("Unexpected error"));
@@ -291,7 +302,7 @@ describe("requireBearerAuth middleware", () => {
     const middleware = requireBearerAuth({ verifier: mockVerifier });
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token");
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token", LATEST_PROTOCOL_VERSION);
     expect(mockResponse.status).toHaveBeenCalledWith(500);
     expect(mockResponse.json).toHaveBeenCalledWith(
       expect.objectContaining({ error: "server_error", error_description: "Internal Server Error" })
diff --git a/src/server/auth/middleware/bearerAuth.ts b/src/server/auth/middleware/bearerAuth.ts
index fd96055ab..4674089f9 100644
--- a/src/server/auth/middleware/bearerAuth.ts
+++ b/src/server/auth/middleware/bearerAuth.ts
@@ -2,6 +2,7 @@ import { RequestHandler } from "express";
 import { InsufficientScopeError, InvalidTokenError, OAuthError, ServerError } from "../errors.js";
 import { OAuthTokenVerifier } from "../provider.js";
 import { AuthInfo } from "../types.js";
+import { DEFAULT_NEGOTIATED_PROTOCOL_VERSION } from "../../../types.js";
 
 export type BearerAuthMiddlewareOptions = {
   /**
@@ -50,7 +51,12 @@ export function requireBearerAuth({ verifier, requiredScopes = [], resourceMetad
         throw new InvalidTokenError("Invalid Authorization header format, expected 'Bearer TOKEN'");
       }
 
-      const authInfo = await verifier.verifyAccessToken(token);
+      let protocolVersion = req.headers["mcp-protocol-version"] ?? DEFAULT_NEGOTIATED_PROTOCOL_VERSION;
+      if (Array.isArray(protocolVersion)) {
+        protocolVersion = protocolVersion[protocolVersion.length - 1];
+      }
+
+      const authInfo = await verifier.verifyAccessToken(token, protocolVersion);
 
       // Check if token has the required scopes (if any)
       if (requiredScopes.length > 0) {
diff --git a/src/server/auth/provider.ts b/src/server/auth/provider.ts
index 18beb2166..409e9dae4 100644
--- a/src/server/auth/provider.ts
+++ b/src/server/auth/provider.ts
@@ -80,5 +80,5 @@ export interface OAuthTokenVerifier {
   /**
    * Verifies an access token and returns information about it.
    */
-  verifyAccessToken(token: string): Promise<AuthInfo>;
+  verifyAccessToken(token: string, protocolVersion: string): Promise<AuthInfo>;
 }

From 617faccf8ec9f6e06a3164d689225f9271022ef5 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Tue, 17 Jun 2025 17:08:21 +0100
Subject: [PATCH 080/147] Add test for default protocol version negotiation in
 bearerAuth middleware
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Tests that when mcp-protocol-version header is missing, the middleware
  uses DEFAULT_NEGOTIATED_PROTOCOL_VERSION when calling verifyAccessToken
- Ensures proper fallback behavior for protocol version negotiation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 src/server/auth/middleware/bearerAuth.test.ts | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/src/server/auth/middleware/bearerAuth.test.ts b/src/server/auth/middleware/bearerAuth.test.ts
index cae054d50..665ef9261 100644
--- a/src/server/auth/middleware/bearerAuth.test.ts
+++ b/src/server/auth/middleware/bearerAuth.test.ts
@@ -3,7 +3,7 @@ import { requireBearerAuth } from "./bearerAuth.js";
 import { AuthInfo } from "../types.js";
 import { InsufficientScopeError, InvalidTokenError, OAuthError, ServerError } from "../errors.js";
 import { OAuthTokenVerifier } from "../provider.js";
-import { LATEST_PROTOCOL_VERSION } from '../../../types.js';
+import { LATEST_PROTOCOL_VERSION, DEFAULT_NEGOTIATED_PROTOCOL_VERSION } from '../../../types.js';
 
 // Mock verifier
 const mockVerifyAccessToken = jest.fn();
@@ -56,6 +56,28 @@ describe("requireBearerAuth middleware", () => {
     expect(mockResponse.json).not.toHaveBeenCalled();
   });
 
+  it("should use default negotiated protocol version when mcp-protocol-version header is missing", async () => {
+    const validAuthInfo: AuthInfo = {
+      token: "valid-token",
+      clientId: "client-123",
+      scopes: ["read", "write"],
+    };
+    mockVerifyAccessToken.mockResolvedValue(validAuthInfo);
+
+    mockRequest.headers = {
+      authorization: "Bearer valid-token",
+    };
+
+    const middleware = requireBearerAuth({ verifier: mockVerifier });
+    await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
+
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token", DEFAULT_NEGOTIATED_PROTOCOL_VERSION);
+    expect(mockRequest.auth).toEqual(validAuthInfo);
+    expect(nextFunction).toHaveBeenCalled();
+    expect(mockResponse.status).not.toHaveBeenCalled();
+    expect(mockResponse.json).not.toHaveBeenCalled();
+  });
+
   it("should reject expired tokens", async () => {
     const expiredAuthInfo: AuthInfo = {
       token: "expired-token",

From 66465abdd91ac7c72c8397358cf4adbf4284fd33 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Tue, 17 Jun 2025 17:29:41 +0100
Subject: [PATCH 081/147] change version

---
 src/types.test.ts | 2 +-
 src/types.ts      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/types.test.ts b/src/types.test.ts
index 0115f2eda..0aee62a93 100644
--- a/src/types.test.ts
+++ b/src/types.test.ts
@@ -12,7 +12,7 @@ describe("Types", () => {
 
     test("should have correct latest protocol version", () => {
         expect(LATEST_PROTOCOL_VERSION).toBeDefined();
-        expect(LATEST_PROTOCOL_VERSION).toBe("2025-06-17");
+        expect(LATEST_PROTOCOL_VERSION).toBe("2025-06-18");
     });
     test("should have correct supported protocol versions", () => {
         expect(SUPPORTED_PROTOCOL_VERSIONS).toBeDefined();
diff --git a/src/types.ts b/src/types.ts
index a6f596233..e16b313de 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -1,6 +1,6 @@
 import { z, ZodTypeAny } from "zod";
 
-export const LATEST_PROTOCOL_VERSION = "2025-06-17";
+export const LATEST_PROTOCOL_VERSION = "2025-06-18";
 export const DEFAULT_NEGOTIATED_PROTOCOL_VERSION = "2025-03-26";
 export const SUPPORTED_PROTOCOL_VERSIONS = [
   LATEST_PROTOCOL_VERSION,

From c5922f8765c17e3ba070fd43e57b12071306623c Mon Sep 17 00:00:00 2001
From: David Dworken <dworken@anthropic.com>
Date: Tue, 17 Jun 2025 10:07:59 -0700
Subject: [PATCH 082/147] Fix node 18 incompatibility caused by race condition
 with closing server by using a newly allocated port for each test

---
 src/server/streamableHttp.test.ts | 36 +++++++++++++++++++++++++------
 1 file changed, 30 insertions(+), 6 deletions(-)

diff --git a/src/server/streamableHttp.test.ts b/src/server/streamableHttp.test.ts
index d36bb8f27..adbc9025a 100644
--- a/src/server/streamableHttp.test.ts
+++ b/src/server/streamableHttp.test.ts
@@ -1,5 +1,5 @@
 import { createServer, type Server, IncomingMessage, ServerResponse } from "node:http";
-import { AddressInfo } from "node:net";
+import { createServer as netCreateServer, AddressInfo } from "node:net";
 import { randomUUID } from "node:crypto";
 import { EventStore, StreamableHTTPServerTransport, EventId, StreamId } from "./streamableHttp.js";
 import { McpServer } from "./mcp.js";
@@ -7,6 +7,20 @@ import { CallToolResult, JSONRPCMessage } from "../types.js";
 import { z } from "zod";
 import { AuthInfo } from "./auth/types.js";
 
+async function getFreePort() {
+    return new Promise( res => {
+        const srv = netCreateServer();
+        srv.listen(0, () => {
+            const address = srv.address()!
+            if (typeof address === "string") {
+                throw new Error("Unexpected address type: " + typeof address);
+            }
+            const port = (address as AddressInfo).port;
+            srv.close((err) => res(port))
+        });
+    })
+}
+
 /**
  * Test server configuration for StreamableHTTPServerTransport tests
  */
@@ -1441,7 +1455,7 @@ describe("StreamableHTTPServerTransport DNS rebinding protection", () => {
     it("should accept requests with allowed host headers", async () => {
       const result = await createTestServerWithDnsProtection({
         sessionIdGenerator: undefined,
-        allowedHosts: ['localhost:3001'],
+        allowedHosts: ['localhost'],
         enableDnsRebindingProtection: true,
       });
       server = result.server;
@@ -1563,7 +1577,7 @@ describe("StreamableHTTPServerTransport DNS rebinding protection", () => {
     it("should skip all validations when enableDnsRebindingProtection is false", async () => {
       const result = await createTestServerWithDnsProtection({
         sessionIdGenerator: undefined,
-        allowedHosts: ['localhost:3001'],
+        allowedHosts: ['localhost'],
         allowedOrigins: ['http://localhost:3000'],
         enableDnsRebindingProtection: false,
       });
@@ -1591,7 +1605,7 @@ describe("StreamableHTTPServerTransport DNS rebinding protection", () => {
     it("should validate both host and origin when both are configured", async () => {
       const result = await createTestServerWithDnsProtection({
         sessionIdGenerator: undefined,
-        allowedHosts: ['localhost:3001'],
+        allowedHosts: ['localhost'],
         allowedOrigins: ['http://localhost:3001'],
         enableDnsRebindingProtection: true,
       });
@@ -1649,6 +1663,17 @@ async function createTestServerWithDnsProtection(config: {
     { capabilities: { logging: {} } }
   );
 
+  const port = await getFreePort();
+
+  if (config.allowedHosts) {
+    config.allowedHosts = config.allowedHosts.map(host => {
+      if (host.includes(':')) {
+        return host;
+      }
+      return `localhost:${port}`;
+    });
+  }
+
   const transport = new StreamableHTTPServerTransport({
     sessionIdGenerator: config.sessionIdGenerator,
     allowedHosts: config.allowedHosts,
@@ -1672,10 +1697,9 @@ async function createTestServerWithDnsProtection(config: {
   });
 
   await new Promise<void>((resolve) => {
-    httpServer.listen(3001, () => resolve());
+    httpServer.listen(port, () => resolve());
   });
 
-  const port = (httpServer.address() as AddressInfo).port;
   const serverUrl = new URL(`http://localhost:${port}/`);
 
   return {

From c2150f0cb0a5cc99ee7cdc314e51f828f5ee34f5 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Tue, 17 Jun 2025 18:41:37 +0100
Subject: [PATCH 083/147] Update README.md

---
 src/examples/README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/examples/README.md b/src/examples/README.md
index 68e1ece23..c074c7577 100644
--- a/src/examples/README.md
+++ b/src/examples/README.md
@@ -76,6 +76,9 @@ npx tsx src/examples/server/simpleStreamableHttp.ts
 
 # To add a demo of authentication to this example, use:
 npx tsx src/examples/server/simpleStreamableHttp.ts --oauth
+
+# To mitigate impersonation risks, enable strict Resource Identifier verification:
+npx tsx src/examples/server/simpleStreamableHttp.ts --oauth --oauth-resource=https://some-mcp-server.com --oauth-resource-strict
 ```
 
 ##### JSON Response Mode Server

From bf72f87788dd8179611a4dfa2af19dd639e4698a Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 11:23:09 +0100
Subject: [PATCH 084/147] cleanups

---
 src/examples/README.md                           |  2 +-
 src/examples/server/demoInMemoryOAuthProvider.ts |  2 +-
 src/examples/server/simpleStreamableHttp.ts      | 16 +++++-----------
 src/server/auth/middleware/bearerAuth.ts         |  7 +------
 src/server/auth/provider.ts                      |  2 +-
 5 files changed, 9 insertions(+), 20 deletions(-)

diff --git a/src/examples/README.md b/src/examples/README.md
index c074c7577..ac92e8ded 100644
--- a/src/examples/README.md
+++ b/src/examples/README.md
@@ -78,7 +78,7 @@ npx tsx src/examples/server/simpleStreamableHttp.ts
 npx tsx src/examples/server/simpleStreamableHttp.ts --oauth
 
 # To mitigate impersonation risks, enable strict Resource Identifier verification:
-npx tsx src/examples/server/simpleStreamableHttp.ts --oauth --oauth-resource=https://some-mcp-server.com --oauth-resource-strict
+npx tsx src/examples/server/simpleStreamableHttp.ts --oauth --oauth-strict
 ```
 
 ##### JSON Response Mode Server
diff --git a/src/examples/server/demoInMemoryOAuthProvider.ts b/src/examples/server/demoInMemoryOAuthProvider.ts
index 500f59b8a..5c34166e2 100644
--- a/src/examples/server/demoInMemoryOAuthProvider.ts
+++ b/src/examples/server/demoInMemoryOAuthProvider.ts
@@ -102,7 +102,7 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
     }
 
     if (this.validateResource && !this.validateResource(codeData.params.resource)) {
-      throw new Error('Invalid resource');
+      throw new Error(`Invalid resource: ${codeData.params.resource}`);
     }
 
     this.codes.delete(authorizationCode);
diff --git a/src/examples/server/simpleStreamableHttp.ts b/src/examples/server/simpleStreamableHttp.ts
index a97fdf5a5..fdac53572 100644
--- a/src/examples/server/simpleStreamableHttp.ts
+++ b/src/examples/server/simpleStreamableHttp.ts
@@ -12,13 +12,7 @@ import { OAuthMetadata } from 'src/shared/auth.js';
 
 // Check for OAuth flag
 const useOAuth = process.argv.includes('--oauth');
-// Resource Indicator the OAuth tokens are checked against (RFC8707).
-const expectedOAuthResource = (iArg => iArg < 0 ? undefined: process.argv[iArg + 1])(process.argv.indexOf('--oauth-resource'));
-// Requires Resource Indicator check (implies protocol more recent than 2025-03-26)
-const strictOAuthResourceCheck = process.argv.includes('--oauth-resource-strict');
-if (strictOAuthResourceCheck && !expectedOAuthResource) {
-  throw new Error(`Strict resource indicator checking requires passing the expected resource with --oauth-resource https://...`);
-}
+const strictOAuth = process.argv.includes('--oauth-strict');
 
 // Create an MCP server with implementation details
 const getServer = () => {
@@ -292,7 +286,7 @@ if (useOAuth) {
   const oauthMetadata: OAuthMetadata = setupAuthServer(authServerUrl, mcpServerUrl);
 
   const tokenVerifier = {
-    verifyAccessToken: async (token: string, protocolVersion: string) => {
+    verifyAccessToken: async (token: string) => {
       const endpoint = oauthMetadata.introspection_endpoint;
 
       if (!endpoint) {
@@ -316,11 +310,11 @@ if (useOAuth) {
 
       const data = await response.json();
      
-      if (expectedOAuthResource) {
-        if (strictOAuthResourceCheck && !data.resource) {
+      if (strictOAuth) {
+        if (!data.resource) {
           throw new Error('Resource Indicator (RFC8707) missing');
         }
-        if (data.resource && data.resource !== expectedOAuthResource) {
+        if (data.resource !== expectedOAuthResource) {
           throw new Error(`Expected resource indicator ${expectedOAuthResource}, got: ${data.resource}`);
         }
       }
diff --git a/src/server/auth/middleware/bearerAuth.ts b/src/server/auth/middleware/bearerAuth.ts
index 4674089f9..a34625d1e 100644
--- a/src/server/auth/middleware/bearerAuth.ts
+++ b/src/server/auth/middleware/bearerAuth.ts
@@ -51,12 +51,7 @@ export function requireBearerAuth({ verifier, requiredScopes = [], resourceMetad
         throw new InvalidTokenError("Invalid Authorization header format, expected 'Bearer TOKEN'");
       }
 
-      let protocolVersion = req.headers["mcp-protocol-version"] ?? DEFAULT_NEGOTIATED_PROTOCOL_VERSION;
-      if (Array.isArray(protocolVersion)) {
-        protocolVersion = protocolVersion[protocolVersion.length - 1];
-      }
-
-      const authInfo = await verifier.verifyAccessToken(token, protocolVersion);
+      const authInfo = await verifier.verifyAccessToken(token);
 
       // Check if token has the required scopes (if any)
       if (requiredScopes.length > 0) {
diff --git a/src/server/auth/provider.ts b/src/server/auth/provider.ts
index 409e9dae4..18beb2166 100644
--- a/src/server/auth/provider.ts
+++ b/src/server/auth/provider.ts
@@ -80,5 +80,5 @@ export interface OAuthTokenVerifier {
   /**
    * Verifies an access token and returns information about it.
    */
-  verifyAccessToken(token: string, protocolVersion: string): Promise<AuthInfo>;
+  verifyAccessToken(token: string): Promise<AuthInfo>;
 }

From 4a88cac4c63bcf99a4f96452f0e70fb455df78ef Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 11:23:57 +0100
Subject: [PATCH 085/147] Update simpleStreamableHttp.ts

---
 src/examples/server/simpleStreamableHttp.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/examples/server/simpleStreamableHttp.ts b/src/examples/server/simpleStreamableHttp.ts
index fdac53572..3c7318fd0 100644
--- a/src/examples/server/simpleStreamableHttp.ts
+++ b/src/examples/server/simpleStreamableHttp.ts
@@ -314,8 +314,8 @@ if (useOAuth) {
         if (!data.resource) {
           throw new Error('Resource Indicator (RFC8707) missing');
         }
-        if (data.resource !== expectedOAuthResource) {
-          throw new Error(`Expected resource indicator ${expectedOAuthResource}, got: ${data.resource}`);
+        if (data.resource !== mcpServerUrl) {
+          throw new Error(`Expected resource indicator ${mcpServerUrl}, got: ${data.resource}`);
         }
       }
 

From d58c2eb114bb56596b0dc72cd20df2ddb092e088 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 11:26:28 +0100
Subject: [PATCH 086/147] Update simpleStreamableHttp.ts

---
 src/examples/server/simpleStreamableHttp.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/examples/server/simpleStreamableHttp.ts b/src/examples/server/simpleStreamableHttp.ts
index 3c7318fd0..9ca48fdb0 100644
--- a/src/examples/server/simpleStreamableHttp.ts
+++ b/src/examples/server/simpleStreamableHttp.ts
@@ -280,7 +280,7 @@ app.use(express.json());
 let authMiddleware = null;
 if (useOAuth) {
   // Create auth middleware for MCP endpoints
-  const mcpServerUrl = new URL(`http://localhost:${MCP_PORT}`);
+  const mcpServerUrl = new URL(`http://localhost:${MCP_PORT}/mcp`);
   const authServerUrl = new URL(`http://localhost:${AUTH_PORT}`);
 
   const oauthMetadata: OAuthMetadata = setupAuthServer(authServerUrl, mcpServerUrl);

From aebb2ab197a04c7dc9933b4f6e36e37233ef7b42 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 11:39:29 +0100
Subject: [PATCH 087/147] Update simpleStreamableHttp.ts

---
 src/examples/server/simpleStreamableHttp.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/examples/server/simpleStreamableHttp.ts b/src/examples/server/simpleStreamableHttp.ts
index 9ca48fdb0..068a01441 100644
--- a/src/examples/server/simpleStreamableHttp.ts
+++ b/src/examples/server/simpleStreamableHttp.ts
@@ -311,11 +311,11 @@ if (useOAuth) {
       const data = await response.json();
      
       if (strictOAuth) {
-        if (!data.resource) {
           throw new Error('Resource Indicator (RFC8707) missing');
+        if (!data.aud) {
         }
-        if (data.resource !== mcpServerUrl) {
-          throw new Error(`Expected resource indicator ${mcpServerUrl}, got: ${data.resource}`);
+        if (data.aud !== mcpServerUrl.href) {
+          throw new Error(`Expected resource indicator ${mcpServerUrl}, got: ${data.aud}`);
         }
       }
 

From 049170db7ca50a4148ba1e37f410926d0b90f212 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 11:41:09 +0100
Subject: [PATCH 088/147] minimize diff

---
 src/client/sse.ts            | 16 +++-------------
 src/client/streamableHttp.ts | 11 ++---------
 2 files changed, 5 insertions(+), 22 deletions(-)

diff --git a/src/client/sse.ts b/src/client/sse.ts
index 0a238d98d..5aa99abb4 100644
--- a/src/client/sse.ts
+++ b/src/client/sse.ts
@@ -86,10 +86,7 @@ export class SSEClientTransport implements Transport {
 
     let result: AuthResult;
     try {
-      result = await auth(this._authProvider, { 
-        serverUrl: this._url, 
-        resourceMetadataUrl: this._resourceMetadataUrl,
-      });
+      result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl });
     } catch (error) {
       this.onerror?.(error as Error);
       throw error;
@@ -204,11 +201,7 @@ export class SSEClientTransport implements Transport {
       throw new UnauthorizedError("No auth provider");
     }
 
-    const result = await auth(this._authProvider, { 
-      serverUrl: this._url, 
-      authorizationCode, 
-      resourceMetadataUrl: this._resourceMetadataUrl,
-    });
+    const result = await auth(this._authProvider, { serverUrl: this._url, authorizationCode, resourceMetadataUrl: this._resourceMetadataUrl });
     if (result !== "AUTHORIZED") {
       throw new UnauthorizedError("Failed to authorize");
     }
@@ -243,10 +236,7 @@ export class SSEClientTransport implements Transport {
 
           this._resourceMetadataUrl = extractResourceMetadataUrl(response);
 
-          const result = await auth(this._authProvider, { 
-            serverUrl: this._url, 
-            resourceMetadataUrl: this._resourceMetadataUrl,
-          });
+          const result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl });
           if (result !== "AUTHORIZED") {
             throw new UnauthorizedError();
           }
diff --git a/src/client/streamableHttp.ts b/src/client/streamableHttp.ts
index c810588f9..f64c1ad88 100644
--- a/src/client/streamableHttp.ts
+++ b/src/client/streamableHttp.ts
@@ -365,11 +365,7 @@ export class StreamableHTTPClientTransport implements Transport {
       throw new UnauthorizedError("No auth provider");
     }
 
-    const result = await auth(this._authProvider, { 
-      serverUrl: this._url, 
-      authorizationCode, 
-      resourceMetadataUrl: this._resourceMetadataUrl,
-    });
+    const result = await auth(this._authProvider, { serverUrl: this._url, authorizationCode, resourceMetadataUrl: this._resourceMetadataUrl });
     if (result !== "AUTHORIZED") {
       throw new UnauthorizedError("Failed to authorize");
     }
@@ -417,10 +413,7 @@ export class StreamableHTTPClientTransport implements Transport {
 
           this._resourceMetadataUrl = extractResourceMetadataUrl(response);
 
-          const result = await auth(this._authProvider, { 
-            serverUrl: this._url, 
-            resourceMetadataUrl: this._resourceMetadataUrl,
-          });
+          const result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl });
           if (result !== "AUTHORIZED") {
             throw new UnauthorizedError();
           }

From b77361bd14e65e09aaa8e600e4bce7634f591df1 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 11:41:35 +0100
Subject: [PATCH 089/147] Update streamableHttp.ts

---
 src/client/streamableHttp.ts | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/client/streamableHttp.ts b/src/client/streamableHttp.ts
index f64c1ad88..4117bb1b4 100644
--- a/src/client/streamableHttp.ts
+++ b/src/client/streamableHttp.ts
@@ -149,10 +149,7 @@ export class StreamableHTTPClientTransport implements Transport {
 
     let result: AuthResult;
     try {
-      result = await auth(this._authProvider, { 
-        serverUrl: this._url, 
-        resourceMetadataUrl: this._resourceMetadataUrl,
-      });
+      result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl });
     } catch (error) {
       this.onerror?.(error as Error);
       throw error;

From 8475e43f15e25e316d51f004a9465b071a3d538c Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 11:48:20 +0100
Subject: [PATCH 090/147] drop redundant resource canonicalization tests

---
 src/client/auth.test.ts | 133 ----------------------------------------
 1 file changed, 133 deletions(-)

diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
index 9ee4e6cf2..c6d533432 100644
--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -907,54 +907,6 @@ describe("OAuth Authorization", () => {
       );
     });
 
-    it("canonicalizes resource URI by removing fragment", async () => {
-      // Mock successful metadata discovery
-      mockFetch.mockImplementation((url) => {
-        const urlString = url.toString();
-        if (urlString.includes("/.well-known/oauth-authorization-server")) {
-          return Promise.resolve({
-            ok: true,
-            status: 200,
-            json: async () => ({
-              issuer: "https://auth.example.com",
-              authorization_endpoint: "https://auth.example.com/authorize",
-              token_endpoint: "https://auth.example.com/token",
-              response_types_supported: ["code"],
-              code_challenge_methods_supported: ["S256"],
-            }),
-          });
-        }
-        return Promise.resolve({ ok: false, status: 404 });
-      });
-
-      // Mock provider methods
-      (mockProvider.clientInformation as jest.Mock).mockResolvedValue({
-        client_id: "test-client",
-        client_secret: "test-secret",
-      });
-      (mockProvider.tokens as jest.Mock).mockResolvedValue(undefined);
-      (mockProvider.saveCodeVerifier as jest.Mock).mockResolvedValue(undefined);
-      (mockProvider.redirectToAuthorization as jest.Mock).mockResolvedValue(undefined);
-
-      // Call the auth function with a resource that has a fragment
-      const result = await auth(mockProvider, {
-        serverUrl: "https://api.example.com/mcp-server#fragment",
-      });
-
-      expect(result).toBe("REDIRECT");
-
-      // Verify redirectToAuthorization was called with the canonicalized resource
-      expect(mockProvider.redirectToAuthorization).toHaveBeenCalledWith(
-        expect.objectContaining({
-          searchParams: expect.any(URLSearchParams),
-        })
-      );
-
-      const redirectCall = (mockProvider.redirectToAuthorization as jest.Mock).mock.calls[0];
-      const authUrl: URL = redirectCall[0];
-      expect(authUrl.searchParams.get("resource")).toBe("https://api.example.com/mcp-server");
-    });
-
     it("passes resource parameter through authorization flow", async () => {
       // Mock successful metadata discovery
       mockFetch.mockImplementation((url) => {
@@ -1125,91 +1077,6 @@ describe("OAuth Authorization", () => {
       expect(body.get("refresh_token")).toBe("refresh123");
     });
 
-    it("handles derived resource parameter from serverUrl", async () => {
-      // Mock successful metadata discovery
-      mockFetch.mockImplementation((url) => {
-        const urlString = url.toString();
-        if (urlString.includes("/.well-known/oauth-authorization-server")) {
-          return Promise.resolve({
-            ok: true,
-            status: 200,
-            json: async () => ({
-              issuer: "https://auth.example.com",
-              authorization_endpoint: "https://auth.example.com/authorize",
-              token_endpoint: "https://auth.example.com/token",
-              response_types_supported: ["code"],
-              code_challenge_methods_supported: ["S256"],
-            }),
-          });
-        }
-        return Promise.resolve({ ok: false, status: 404 });
-      });
-
-      // Mock provider methods
-      (mockProvider.clientInformation as jest.Mock).mockResolvedValue({
-        client_id: "test-client",
-        client_secret: "test-secret",
-      });
-      (mockProvider.tokens as jest.Mock).mockResolvedValue(undefined);
-      (mockProvider.saveCodeVerifier as jest.Mock).mockResolvedValue(undefined);
-      (mockProvider.redirectToAuthorization as jest.Mock).mockResolvedValue(undefined);
-
-      // Call auth with just serverUrl (resource is derived from it)
-      const result = await auth(mockProvider, {
-        serverUrl: "https://api.example.com/mcp-server",
-      });
-
-      expect(result).toBe("REDIRECT");
-
-      // Verify that resource parameter is always included (derived from serverUrl)
-      const redirectCall = (mockProvider.redirectToAuthorization as jest.Mock).mock.calls[0];
-      const authUrl: URL = redirectCall[0];
-      expect(authUrl.searchParams.has("resource")).toBe(true);
-      expect(authUrl.searchParams.get("resource")).toBe("https://api.example.com/mcp-server");
-    });
-
-    it("handles resource with multiple fragments", async () => {
-      // Mock successful metadata discovery
-      mockFetch.mockImplementation((url) => {
-        const urlString = url.toString();
-        if (urlString.includes("/.well-known/oauth-authorization-server")) {
-          return Promise.resolve({
-            ok: true,
-            status: 200,
-            json: async () => ({
-              issuer: "https://auth.example.com",
-              authorization_endpoint: "https://auth.example.com/authorize",
-              token_endpoint: "https://auth.example.com/token",
-              response_types_supported: ["code"],
-              code_challenge_methods_supported: ["S256"],
-            }),
-          });
-        }
-        return Promise.resolve({ ok: false, status: 404 });
-      });
-
-      // Mock provider methods
-      (mockProvider.clientInformation as jest.Mock).mockResolvedValue({
-        client_id: "test-client",
-        client_secret: "test-secret",
-      });
-      (mockProvider.tokens as jest.Mock).mockResolvedValue(undefined);
-      (mockProvider.saveCodeVerifier as jest.Mock).mockResolvedValue(undefined);
-      (mockProvider.redirectToAuthorization as jest.Mock).mockResolvedValue(undefined);
-
-      // Call auth with resource containing multiple # symbols
-      const result = await auth(mockProvider, {
-        serverUrl: "https://api.example.com/mcp-server#fragment#another",
-      });
-
-      expect(result).toBe("REDIRECT");
-
-      // Verify the resource is properly canonicalized (everything after first # removed)
-      const redirectCall = (mockProvider.redirectToAuthorization as jest.Mock).mock.calls[0];
-      const authUrl: URL = redirectCall[0];
-      expect(authUrl.searchParams.get("resource")).toBe("https://api.example.com/mcp-server");
-    });
-
     it("verifies resource parameter distinguishes between different paths on same domain", async () => {
       // Mock successful metadata discovery
       mockFetch.mockImplementation((url) => {

From e5b2a5b880d21f768c868c12e0612255fd6a72ad Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 11:50:29 +0100
Subject: [PATCH 091/147] fix simpleStreamableHttp.ts

---
 src/examples/server/simpleStreamableHttp.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/examples/server/simpleStreamableHttp.ts b/src/examples/server/simpleStreamableHttp.ts
index 068a01441..9eb87d92f 100644
--- a/src/examples/server/simpleStreamableHttp.ts
+++ b/src/examples/server/simpleStreamableHttp.ts
@@ -311,8 +311,8 @@ if (useOAuth) {
       const data = await response.json();
      
       if (strictOAuth) {
-          throw new Error('Resource Indicator (RFC8707) missing');
         if (!data.aud) {
+          throw new Error(`Resource Indicator (RFC8707) missing`);
         }
         if (data.aud !== mcpServerUrl.href) {
           throw new Error(`Expected resource indicator ${mcpServerUrl}, got: ${data.aud}`);

From 4fcbb6870bbdd3c582346c7e66887b2660575827 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 11:50:39 +0100
Subject: [PATCH 092/147] verify PRM resource

---
 src/client/auth.ts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/client/auth.ts b/src/client/auth.ts
index 681cde997..5fa2dee24 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -110,6 +110,9 @@ export async function auth(
     if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) {
       authorizationServerUrl = resourceMetadata.authorization_servers[0];
     }
+    if (resourceMetadata.resource && resourceMetadata.resource !== resource.href) {
+      throw new Error(`Protected resource ${resourceMetadata.resource} does not match expected ${resource}`);
+    }
   } catch (error) {
     console.warn("Could not load OAuth Protected Resource metadata, falling back to /.well-known/oauth-authorization-server", error)
   }

From 68424ef7e6408a3e3b458e466a0dacdd5b8d0d99 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 11:59:19 +0100
Subject: [PATCH 093/147] simplify changes

---
 src/client/auth.test.ts                       |  88 --------
 .../server/demoInMemoryOAuthProvider.test.ts  | 200 ------------------
 .../server/demoInMemoryOAuthProvider.ts       |  11 +-
 3 files changed, 1 insertion(+), 298 deletions(-)
 delete mode 100644 src/examples/server/demoInMemoryOAuthProvider.test.ts

diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
index c6d533432..ec913ecd9 100644
--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -354,18 +354,6 @@ describe("OAuth Authorization", () => {
       expect(authorizationUrl.searchParams.get("resource")).toBe("https://api.example.com/mcp-server");
     });
 
-    it("excludes resource parameter when not provided", async () => {
-      const { authorizationUrl } = await startAuthorization(
-        "https://auth.example.com",
-        {
-          clientInformation: validClientInfo,
-          redirectUrl: "http://localhost:3000/callback",
-        }
-      );
-
-      expect(authorizationUrl.searchParams.has("resource")).toBe(false);
-    });
-
     it("includes scope parameter when provided", async () => {
       const { authorizationUrl } = await startAuthorization(
         "https://auth.example.com",
@@ -535,24 +523,6 @@ describe("OAuth Authorization", () => {
       expect(body.get("resource")).toBe("https://api.example.com/mcp-server");
     });
 
-    it("excludes resource parameter from token exchange when not provided", async () => {
-      mockFetch.mockResolvedValueOnce({
-        ok: true,
-        status: 200,
-        json: async () => validTokens,
-      });
-
-      await exchangeAuthorization("https://auth.example.com", {
-        clientInformation: validClientInfo,
-        authorizationCode: "code123",
-        codeVerifier: "verifier123",
-        redirectUri: "http://localhost:3000/callback",
-      });
-
-      const body = mockFetch.mock.calls[0][1].body as URLSearchParams;
-      expect(body.has("resource")).toBe(false);
-    });
-
     it("validates token response schema", async () => {
       mockFetch.mockResolvedValueOnce({
         ok: true,
@@ -659,22 +629,6 @@ describe("OAuth Authorization", () => {
       expect(body.get("resource")).toBe("https://api.example.com/mcp-server");
     });
 
-    it("excludes resource parameter from refresh token request when not provided", async () => {
-      mockFetch.mockResolvedValueOnce({
-        ok: true,
-        status: 200,
-        json: async () => validTokensWithNewRefreshToken,
-      });
-
-      await refreshAuthorization("https://auth.example.com", {
-        clientInformation: validClientInfo,
-        refreshToken: "refresh123",
-      });
-
-      const body = mockFetch.mock.calls[0][1].body as URLSearchParams;
-      expect(body.has("resource")).toBe(false);
-    });
-
     it("exchanges refresh token for new tokens and keep existing refresh token if none is returned", async () => {
       mockFetch.mockResolvedValueOnce({
         ok: true,
@@ -1136,47 +1090,5 @@ describe("OAuth Authorization", () => {
       // Verify that the two resources are different (critical for security)
       expect(authUrl1.searchParams.get("resource")).not.toBe(authUrl2.searchParams.get("resource"));
     });
-
-    it("preserves query parameters in resource URI", async () => {
-      // Mock successful metadata discovery
-      mockFetch.mockImplementation((url) => {
-        const urlString = url.toString();
-        if (urlString.includes("/.well-known/oauth-authorization-server")) {
-          return Promise.resolve({
-            ok: true,
-            status: 200,
-            json: async () => ({
-              issuer: "https://auth.example.com",
-              authorization_endpoint: "https://auth.example.com/authorize",
-              token_endpoint: "https://auth.example.com/token",
-              response_types_supported: ["code"],
-              code_challenge_methods_supported: ["S256"],
-            }),
-          });
-        }
-        return Promise.resolve({ ok: false, status: 404 });
-      });
-
-      // Mock provider methods
-      (mockProvider.clientInformation as jest.Mock).mockResolvedValue({
-        client_id: "test-client",
-        client_secret: "test-secret",
-      });
-      (mockProvider.tokens as jest.Mock).mockResolvedValue(undefined);
-      (mockProvider.saveCodeVerifier as jest.Mock).mockResolvedValue(undefined);
-      (mockProvider.redirectToAuthorization as jest.Mock).mockResolvedValue(undefined);
-
-      // Call auth with resource containing query parameters
-      const result = await auth(mockProvider, {
-        serverUrl: "https://api.example.com/mcp-server?param=value&another=test",
-      });
-
-      expect(result).toBe("REDIRECT");
-
-      // Verify query parameters are preserved (only fragment is removed)
-      const redirectCall = (mockProvider.redirectToAuthorization as jest.Mock).mock.calls[0];
-      const authUrl: URL = redirectCall[0];
-      expect(authUrl.searchParams.get("resource")).toBe("https://api.example.com/mcp-server?param=value&another=test");
-    });
   });
 });
diff --git a/src/examples/server/demoInMemoryOAuthProvider.test.ts b/src/examples/server/demoInMemoryOAuthProvider.test.ts
deleted file mode 100644
index e3a478131..000000000
--- a/src/examples/server/demoInMemoryOAuthProvider.test.ts
+++ /dev/null
@@ -1,200 +0,0 @@
-import { describe, it, expect, beforeEach } from '@jest/globals';
-import { DemoInMemoryAuthProvider, DemoInMemoryClientsStore } from './demoInMemoryOAuthProvider.js';
-import { OAuthClientInformationFull } from '../../shared/auth.js';
-import { Response } from 'express';
-
-describe('DemoInMemoryOAuthProvider', () => {
-  let provider: DemoInMemoryAuthProvider;
-  let clientsStore: DemoInMemoryClientsStore;
-  let mockClient: OAuthClientInformationFull;
-  let mockResponse: Partial<Response>;
-
-  beforeEach(() => {
-    provider = new DemoInMemoryAuthProvider();
-    clientsStore = provider.clientsStore as DemoInMemoryClientsStore;
-    
-    mockClient = {
-      client_id: 'test-client',
-      client_name: 'Test Client',
-      client_uri: 'https://example.com',
-      redirect_uris: ['https://example.com/callback'],
-      grant_types: ['authorization_code'],
-      response_types: ['code'],
-      scope: 'mcp:tools',
-      token_endpoint_auth_method: 'none',
-    };
-
-    mockResponse = {
-      redirect: jest.fn(),
-    };
-  });
-
-  describe('Basic authorization flow', () => {
-    it('should handle authorization successfully', async () => {
-      await clientsStore.registerClient(mockClient);
-      
-      await provider.authorize(mockClient, {
-        codeChallenge: 'test-challenge',
-        redirectUri: mockClient.redirect_uris[0],
-        resource: new URL('https://api.example.com/v1'),
-        scopes: ['mcp:tools']
-      }, mockResponse as Response);
-
-      expect(mockResponse.redirect).toHaveBeenCalled();
-      const redirectCall = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
-      expect(redirectCall).toContain('code=');
-    });
-
-    it('should handle authorization without resource', async () => {
-      await clientsStore.registerClient(mockClient);
-      
-      await provider.authorize(mockClient, {
-        codeChallenge: 'test-challenge',
-        redirectUri: mockClient.redirect_uris[0],
-        scopes: ['mcp:tools']
-      }, mockResponse as Response);
-
-      expect(mockResponse.redirect).toHaveBeenCalled();
-    });
-
-    it('should preserve state parameter', async () => {
-      await clientsStore.registerClient(mockClient);
-      
-      await provider.authorize(mockClient, {
-        codeChallenge: 'test-challenge',
-        redirectUri: mockClient.redirect_uris[0],
-        state: 'test-state',
-        scopes: ['mcp:tools']
-      }, mockResponse as Response);
-
-      const redirectCall = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
-      expect(redirectCall).toContain('state=test-state');
-    });
-  });
-
-  describe('Token exchange', () => {
-    let authorizationCode: string;
-
-    beforeEach(async () => {
-      await clientsStore.registerClient(mockClient);
-      
-      await provider.authorize(mockClient, {
-        codeChallenge: 'test-challenge',
-        redirectUri: mockClient.redirect_uris[0],
-        scopes: ['mcp:tools']
-      }, mockResponse as Response);
-
-      const redirectCall = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
-      const url = new URL(redirectCall);
-      authorizationCode = url.searchParams.get('code')!;
-    });
-
-    it('should exchange authorization code for tokens', async () => {
-      const tokens = await provider.exchangeAuthorizationCode(
-        mockClient,
-        authorizationCode
-      );
-
-      expect(tokens).toHaveProperty('access_token');
-      expect(tokens.token_type).toBe('bearer');
-      expect(tokens.expires_in).toBe(3600);
-    });
-
-    it('should reject invalid authorization code', async () => {
-      await expect(provider.exchangeAuthorizationCode(
-        mockClient,
-        'invalid-code'
-      )).rejects.toThrow('Invalid authorization code');
-    });
-
-    it('should reject code from different client', async () => {
-      const otherClient: OAuthClientInformationFull = {
-        ...mockClient,
-        client_id: 'other-client'
-      };
-      
-      await clientsStore.registerClient(otherClient);
-
-      await expect(provider.exchangeAuthorizationCode(
-        otherClient,
-        authorizationCode
-      )).rejects.toThrow('Authorization code was not issued to this client');
-    });
-
-    it('should store resource in token when provided during authorization', async () => {
-      mockResponse.redirect = jest.fn();
-      await provider.authorize(mockClient, {
-        codeChallenge: 'test-challenge',
-        redirectUri: mockClient.redirect_uris[0],
-        resource: new URL('https://api.example.com/v1'),
-        scopes: ['mcp:tools']
-      }, mockResponse as Response);
-
-      const redirectCall = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
-      const url = new URL(redirectCall);
-      const codeWithResource = url.searchParams.get('code')!;
-
-      const tokens = await provider.exchangeAuthorizationCode(
-        mockClient,
-        codeWithResource
-      );
-
-      const tokenDetails = provider.getTokenDetails(tokens.access_token);
-      expect(tokenDetails?.resource).toEqual(new URL('https://api.example.com/v1'));
-    });
-  });
-
-  describe('Token verification', () => {
-    it('should verify valid access token', async () => {
-      await clientsStore.registerClient(mockClient);
-      
-      await provider.authorize(mockClient, {
-        codeChallenge: 'test-challenge',
-        redirectUri: mockClient.redirect_uris[0],
-        scopes: ['mcp:tools']
-      }, mockResponse as Response);
-
-      const redirectCall = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
-      const url = new URL(redirectCall);
-      const code = url.searchParams.get('code')!;
-
-      const tokens = await provider.exchangeAuthorizationCode(mockClient, code);
-      const tokenInfo = await provider.verifyAccessToken(tokens.access_token);
-
-      expect(tokenInfo.clientId).toBe(mockClient.client_id);
-      expect(tokenInfo.scopes).toEqual(['mcp:tools']);
-    });
-
-    it('should reject invalid token', async () => {
-      await expect(provider.verifyAccessToken('invalid-token'))
-        .rejects.toThrow('Invalid or expired token');
-    });
-  });
-
-  describe('Refresh token', () => {
-    it('should throw error for refresh token (not implemented)', async () => {
-      await clientsStore.registerClient(mockClient);
-
-      await expect(provider.exchangeRefreshToken(
-        mockClient,
-        'refresh-token'
-      )).rejects.toThrow('Not implemented for example demo');
-    });
-  });
-
-  describe('Server URL validation', () => {
-    it('should accept mcpServerUrl configuration', () => {
-      const serverUrl = new URL('https://api.example.com/mcp');
-      const providerWithUrl = new DemoInMemoryAuthProvider({ mcpServerUrl: serverUrl });
-      
-      expect(providerWithUrl).toBeDefined();
-    });
-
-    it('should handle server URL with fragment', () => {
-      const serverUrl = new URL('https://api.example.com/mcp#fragment');
-      const providerWithUrl = new DemoInMemoryAuthProvider({ mcpServerUrl: serverUrl });
-      
-      expect(providerWithUrl).toBeDefined();
-    });
-  });
-});
\ No newline at end of file
diff --git a/src/examples/server/demoInMemoryOAuthProvider.ts b/src/examples/server/demoInMemoryOAuthProvider.ts
index 5c34166e2..fe8d3f9cf 100644
--- a/src/examples/server/demoInMemoryOAuthProvider.ts
+++ b/src/examples/server/demoInMemoryOAuthProvider.ts
@@ -150,13 +150,6 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
       resource: tokenData.resource,
     };
   }
-
-  /**
-   * Get token details including resource information (for demo introspection endpoint)
-   */
-  getTokenDetails(token: string): AuthInfo | undefined {
-    return this.tokens.get(token);
-  }
 }
 
 
@@ -190,14 +183,12 @@ export const setupAuthServer = (authServerUrl: URL, mcpServerUrl: URL): OAuthMet
       }
 
       const tokenInfo = await provider.verifyAccessToken(token);
-      // For demo purposes, we'll add a method to get token details
-      const tokenDetails = provider.getTokenDetails(token);
       res.json({
         active: true,
         client_id: tokenInfo.clientId,
         scope: tokenInfo.scopes.join(' '),
         exp: tokenInfo.expiresAt,
-        ...(tokenDetails?.resource && { aud: tokenDetails.resource })
+        aud: tokenInfo.resource,
       });
       return
     } catch (error) {

From 9e2a565164b121671b0f34adca0f8edc7768fffb Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 12:01:51 +0100
Subject: [PATCH 094/147] minimize changes

---
 src/server/auth/handlers/authorize.test.ts    | 96 +------------------
 src/server/auth/middleware/bearerAuth.test.ts | 31 ++----
 2 files changed, 11 insertions(+), 116 deletions(-)

diff --git a/src/server/auth/handlers/authorize.test.ts b/src/server/auth/handlers/authorize.test.ts
index 2742d1e55..438db6a6e 100644
--- a/src/server/auth/handlers/authorize.test.ts
+++ b/src/server/auth/handlers/authorize.test.ts
@@ -277,7 +277,7 @@ describe('Authorization Handler', () => {
   });
 
   describe('Resource parameter validation', () => {
-    it('accepts valid resource parameter', async () => {
+    it('propagates resource parameter', async () => {
       const mockProviderWithResource = jest.spyOn(mockProvider, 'authorize');
       
       const response = await supertest(app)
@@ -302,100 +302,6 @@ describe('Authorization Handler', () => {
         expect.any(Object)
       );
     });
-
-    it('rejects invalid resource parameter (non-URL)', async () => {
-      const response = await supertest(app)
-        .get('/authorize')
-        .query({
-          client_id: 'valid-client',
-          redirect_uri: 'https://example.com/callback',
-          response_type: 'code',
-          code_challenge: 'challenge123',
-          code_challenge_method: 'S256',
-          resource: 'not-a-url'
-        });
-
-      expect(response.status).toBe(302);
-      const location = new URL(response.header.location);
-      expect(location.searchParams.get('error')).toBe('invalid_request');
-      expect(location.searchParams.get('error_description')).toContain('resource');
-    });
-
-    it('handles authorization without resource parameter', async () => {
-      const mockProviderWithoutResource = jest.spyOn(mockProvider, 'authorize');
-      
-      const response = await supertest(app)
-        .get('/authorize')
-        .query({
-          client_id: 'valid-client',
-          redirect_uri: 'https://example.com/callback',
-          response_type: 'code',
-          code_challenge: 'challenge123',
-          code_challenge_method: 'S256'
-        });
-
-      expect(response.status).toBe(302);
-      expect(mockProviderWithoutResource).toHaveBeenCalledWith(
-        validClient,
-        expect.objectContaining({
-          resource: undefined,
-          redirectUri: 'https://example.com/callback',
-          codeChallenge: 'challenge123'
-        }),
-        expect.any(Object)
-      );
-    });
-
-    it('passes multiple resources if provided', async () => {
-      const mockProviderWithResources = jest.spyOn(mockProvider, 'authorize');
-      
-      const response = await supertest(app)
-        .get('/authorize')
-        .query({
-          client_id: 'valid-client',
-          redirect_uri: 'https://example.com/callback',
-          response_type: 'code',
-          code_challenge: 'challenge123',
-          code_challenge_method: 'S256',
-          resource: 'https://api1.example.com/resource',
-          state: 'test-state'
-        });
-
-      expect(response.status).toBe(302);
-      expect(mockProviderWithResources).toHaveBeenCalledWith(
-        validClient,
-        expect.objectContaining({
-          resource: new URL('https://api1.example.com/resource'),
-          state: 'test-state'
-        }),
-        expect.any(Object)
-      );
-    });
-
-    it('validates resource parameter in POST requests', async () => {
-      const mockProviderPost = jest.spyOn(mockProvider, 'authorize');
-      
-      const response = await supertest(app)
-        .post('/authorize')
-        .type('form')
-        .send({
-          client_id: 'valid-client',
-          redirect_uri: 'https://example.com/callback',
-          response_type: 'code',
-          code_challenge: 'challenge123',
-          code_challenge_method: 'S256',
-          resource: 'https://api.example.com/resource'
-        });
-
-      expect(response.status).toBe(302);
-      expect(mockProviderPost).toHaveBeenCalledWith(
-        validClient,
-        expect.objectContaining({
-          resource: new URL('https://api.example.com/resource')
-        }),
-        expect.any(Object)
-      );
-    });
   });
 
   describe('Successful authorization', () => {
diff --git a/src/server/auth/middleware/bearerAuth.test.ts b/src/server/auth/middleware/bearerAuth.test.ts
index 665ef9261..cf1a93593 100644
--- a/src/server/auth/middleware/bearerAuth.test.ts
+++ b/src/server/auth/middleware/bearerAuth.test.ts
@@ -3,7 +3,6 @@ import { requireBearerAuth } from "./bearerAuth.js";
 import { AuthInfo } from "../types.js";
 import { InsufficientScopeError, InvalidTokenError, OAuthError, ServerError } from "../errors.js";
 import { OAuthTokenVerifier } from "../provider.js";
-import { LATEST_PROTOCOL_VERSION, DEFAULT_NEGOTIATED_PROTOCOL_VERSION } from '../../../types.js';
 
 // Mock verifier
 const mockVerifyAccessToken = jest.fn();
@@ -43,13 +42,12 @@ describe("requireBearerAuth middleware", () => {
 
     mockRequest.headers = {
       authorization: "Bearer valid-token",
-      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     const middleware = requireBearerAuth({ verifier: mockVerifier });
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token", LATEST_PROTOCOL_VERSION);
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token");
     expect(mockRequest.auth).toEqual(validAuthInfo);
     expect(nextFunction).toHaveBeenCalled();
     expect(mockResponse.status).not.toHaveBeenCalled();
@@ -89,13 +87,12 @@ describe("requireBearerAuth middleware", () => {
 
     mockRequest.headers = {
       authorization: "Bearer expired-token",
-      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     const middleware = requireBearerAuth({ verifier: mockVerifier });
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("expired-token", LATEST_PROTOCOL_VERSION);
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("expired-token");
     expect(mockResponse.status).toHaveBeenCalledWith(401);
     expect(mockResponse.set).toHaveBeenCalledWith(
       "WWW-Authenticate",
@@ -118,13 +115,12 @@ describe("requireBearerAuth middleware", () => {
 
     mockRequest.headers = {
       authorization: "Bearer valid-token",
-      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     const middleware = requireBearerAuth({ verifier: mockVerifier });
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token", LATEST_PROTOCOL_VERSION);
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token");
     expect(mockRequest.auth).toEqual(nonExpiredAuthInfo);
     expect(nextFunction).toHaveBeenCalled();
     expect(mockResponse.status).not.toHaveBeenCalled();
@@ -141,7 +137,6 @@ describe("requireBearerAuth middleware", () => {
 
     mockRequest.headers = {
       authorization: "Bearer valid-token",
-      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     const middleware = requireBearerAuth({
@@ -151,7 +146,7 @@ describe("requireBearerAuth middleware", () => {
 
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token", LATEST_PROTOCOL_VERSION);
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token");
     expect(mockResponse.status).toHaveBeenCalledWith(403);
     expect(mockResponse.set).toHaveBeenCalledWith(
       "WWW-Authenticate",
@@ -173,7 +168,6 @@ describe("requireBearerAuth middleware", () => {
 
     mockRequest.headers = {
       authorization: "Bearer valid-token",
-      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     const middleware = requireBearerAuth({
@@ -183,7 +177,7 @@ describe("requireBearerAuth middleware", () => {
 
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token", LATEST_PROTOCOL_VERSION);
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token");
     expect(mockRequest.auth).toEqual(authInfo);
     expect(nextFunction).toHaveBeenCalled();
     expect(mockResponse.status).not.toHaveBeenCalled();
@@ -232,7 +226,6 @@ describe("requireBearerAuth middleware", () => {
   it("should return 401 when token verification fails with InvalidTokenError", async () => {
     mockRequest.headers = {
       authorization: "Bearer invalid-token",
-      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     mockVerifyAccessToken.mockRejectedValue(new InvalidTokenError("Token expired"));
@@ -240,7 +233,7 @@ describe("requireBearerAuth middleware", () => {
     const middleware = requireBearerAuth({ verifier: mockVerifier });
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("invalid-token", LATEST_PROTOCOL_VERSION);
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("invalid-token");
     expect(mockResponse.status).toHaveBeenCalledWith(401);
     expect(mockResponse.set).toHaveBeenCalledWith(
       "WWW-Authenticate",
@@ -255,7 +248,6 @@ describe("requireBearerAuth middleware", () => {
   it("should return 403 when access token has insufficient scopes", async () => {
     mockRequest.headers = {
       authorization: "Bearer valid-token",
-      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     mockVerifyAccessToken.mockRejectedValue(new InsufficientScopeError("Required scopes: read, write"));
@@ -263,7 +255,7 @@ describe("requireBearerAuth middleware", () => {
     const middleware = requireBearerAuth({ verifier: mockVerifier });
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token", LATEST_PROTOCOL_VERSION);
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token");
     expect(mockResponse.status).toHaveBeenCalledWith(403);
     expect(mockResponse.set).toHaveBeenCalledWith(
       "WWW-Authenticate",
@@ -278,7 +270,6 @@ describe("requireBearerAuth middleware", () => {
   it("should return 500 when a ServerError occurs", async () => {
     mockRequest.headers = {
       authorization: "Bearer valid-token",
-      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     mockVerifyAccessToken.mockRejectedValue(new ServerError("Internal server issue"));
@@ -286,7 +277,7 @@ describe("requireBearerAuth middleware", () => {
     const middleware = requireBearerAuth({ verifier: mockVerifier });
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token", LATEST_PROTOCOL_VERSION);
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token");
     expect(mockResponse.status).toHaveBeenCalledWith(500);
     expect(mockResponse.json).toHaveBeenCalledWith(
       expect.objectContaining({ error: "server_error", error_description: "Internal server issue" })
@@ -297,7 +288,6 @@ describe("requireBearerAuth middleware", () => {
   it("should return 400 for generic OAuthError", async () => {
     mockRequest.headers = {
       authorization: "Bearer valid-token",
-      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     mockVerifyAccessToken.mockRejectedValue(new OAuthError("custom_error", "Some OAuth error"));
@@ -305,7 +295,7 @@ describe("requireBearerAuth middleware", () => {
     const middleware = requireBearerAuth({ verifier: mockVerifier });
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token", LATEST_PROTOCOL_VERSION);
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token");
     expect(mockResponse.status).toHaveBeenCalledWith(400);
     expect(mockResponse.json).toHaveBeenCalledWith(
       expect.objectContaining({ error: "custom_error", error_description: "Some OAuth error" })
@@ -316,7 +306,6 @@ describe("requireBearerAuth middleware", () => {
   it("should return 500 when unexpected error occurs", async () => {
     mockRequest.headers = {
       authorization: "Bearer valid-token",
-      'mcp-protocol-version': LATEST_PROTOCOL_VERSION,
     };
 
     mockVerifyAccessToken.mockRejectedValue(new Error("Unexpected error"));
@@ -324,7 +313,7 @@ describe("requireBearerAuth middleware", () => {
     const middleware = requireBearerAuth({ verifier: mockVerifier });
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
 
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token", LATEST_PROTOCOL_VERSION);
+    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token");
     expect(mockResponse.status).toHaveBeenCalledWith(500);
     expect(mockResponse.json).toHaveBeenCalledWith(
       expect.objectContaining({ error: "server_error", error_description: "Internal Server Error" })

From 6a01d0d4a59e437b135082e68d3923f9b6e9397a Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 12:07:38 +0100
Subject: [PATCH 095/147] shrink token.test.ts

---
 src/client/auth.ts                     |  2 +-
 src/server/auth/handlers/token.test.ts | 68 --------------------------
 2 files changed, 1 insertion(+), 69 deletions(-)

diff --git a/src/client/auth.ts b/src/client/auth.ts
index 5fa2dee24..fbe50e11d 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -93,7 +93,7 @@ export async function auth(
   { serverUrl,
     authorizationCode,
     scope,
-    resourceMetadataUrl,
+    resourceMetadataUrl
   }: {
     serverUrl: string | URL;
     authorizationCode?: string;
diff --git a/src/server/auth/handlers/token.test.ts b/src/server/auth/handlers/token.test.ts
index 63b47f53e..dda4e7553 100644
--- a/src/server/auth/handlers/token.test.ts
+++ b/src/server/auth/handlers/token.test.ts
@@ -307,74 +307,6 @@ describe('Token Handler', () => {
       );
     });
 
-    it('rejects invalid resource parameter (non-URL)', async () => {
-      const response = await supertest(app)
-        .post('/token')
-        .type('form')
-        .send({
-          client_id: 'valid-client',
-          client_secret: 'valid-secret',
-          grant_type: 'authorization_code',
-          code: 'valid_code',
-          code_verifier: 'valid_verifier',
-          resource: 'not-a-url'
-        });
-
-      expect(response.status).toBe(400);
-      expect(response.body.error).toBe('invalid_request');
-      expect(response.body.error_description).toContain('resource');
-    });
-
-    it('handles authorization code exchange without resource parameter', async () => {
-      const mockExchangeCode = jest.spyOn(mockProvider, 'exchangeAuthorizationCode');
-      
-      const response = await supertest(app)
-        .post('/token')
-        .type('form')
-        .send({
-          client_id: 'valid-client',
-          client_secret: 'valid-secret',
-          grant_type: 'authorization_code',
-          code: 'valid_code',
-          code_verifier: 'valid_verifier'
-        });
-
-      expect(response.status).toBe(200);
-      expect(mockExchangeCode).toHaveBeenCalledWith(
-        validClient,
-        'valid_code',
-        undefined, // code_verifier is undefined after PKCE validation
-        undefined, // redirect_uri
-        undefined  // resource parameter
-      );
-    });
-
-    it('passes resource with redirect_uri', async () => {
-      const mockExchangeCode = jest.spyOn(mockProvider, 'exchangeAuthorizationCode');
-      
-      const response = await supertest(app)
-        .post('/token')
-        .type('form')
-        .send({
-          client_id: 'valid-client',
-          client_secret: 'valid-secret',
-          grant_type: 'authorization_code',
-          code: 'valid_code',
-          code_verifier: 'valid_verifier',
-          redirect_uri: 'https://example.com/callback',
-          resource: 'https://api.example.com/resource'
-        });
-
-      expect(response.status).toBe(200);
-      expect(mockExchangeCode).toHaveBeenCalledWith(
-        validClient,
-        'valid_code',
-        undefined, // code_verifier is undefined after PKCE validation
-        'https://example.com/callback', // redirect_uri
-        new URL('https://api.example.com/resource') // resource parameter
-      );
-    });
-
     it('passes through code verifier when using proxy provider', async () => {
       const originalFetch = global.fetch;
 

From 5c60c77c93bb7479affa889ffeb3b6dd5d53233a Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 12:09:00 +0100
Subject: [PATCH 096/147] shrink diff

---
 src/server/auth/middleware/bearerAuth.test.ts | 22 -------------------
 src/server/auth/middleware/bearerAuth.ts      |  1 -
 2 files changed, 23 deletions(-)

diff --git a/src/server/auth/middleware/bearerAuth.test.ts b/src/server/auth/middleware/bearerAuth.test.ts
index cf1a93593..b8953e5c9 100644
--- a/src/server/auth/middleware/bearerAuth.test.ts
+++ b/src/server/auth/middleware/bearerAuth.test.ts
@@ -54,28 +54,6 @@ describe("requireBearerAuth middleware", () => {
     expect(mockResponse.json).not.toHaveBeenCalled();
   });
 
-  it("should use default negotiated protocol version when mcp-protocol-version header is missing", async () => {
-    const validAuthInfo: AuthInfo = {
-      token: "valid-token",
-      clientId: "client-123",
-      scopes: ["read", "write"],
-    };
-    mockVerifyAccessToken.mockResolvedValue(validAuthInfo);
-
-    mockRequest.headers = {
-      authorization: "Bearer valid-token",
-    };
-
-    const middleware = requireBearerAuth({ verifier: mockVerifier });
-    await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
-
-    expect(mockVerifyAccessToken).toHaveBeenCalledWith("valid-token", DEFAULT_NEGOTIATED_PROTOCOL_VERSION);
-    expect(mockRequest.auth).toEqual(validAuthInfo);
-    expect(nextFunction).toHaveBeenCalled();
-    expect(mockResponse.status).not.toHaveBeenCalled();
-    expect(mockResponse.json).not.toHaveBeenCalled();
-  });
-
   it("should reject expired tokens", async () => {
     const expiredAuthInfo: AuthInfo = {
       token: "expired-token",
diff --git a/src/server/auth/middleware/bearerAuth.ts b/src/server/auth/middleware/bearerAuth.ts
index a34625d1e..fd96055ab 100644
--- a/src/server/auth/middleware/bearerAuth.ts
+++ b/src/server/auth/middleware/bearerAuth.ts
@@ -2,7 +2,6 @@ import { RequestHandler } from "express";
 import { InsufficientScopeError, InvalidTokenError, OAuthError, ServerError } from "../errors.js";
 import { OAuthTokenVerifier } from "../provider.js";
 import { AuthInfo } from "../types.js";
-import { DEFAULT_NEGOTIATED_PROTOCOL_VERSION } from "../../../types.js";
 
 export type BearerAuthMiddlewareOptions = {
   /**

From 354318f147c17e5c7ea8072e7d9ada206c393aa3 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 12:14:57 +0100
Subject: [PATCH 097/147] auth: don't fail the prm if the resource doesn't
 match

---
 src/client/auth.ts | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/client/auth.ts b/src/client/auth.ts
index fbe50e11d..297eb9cfc 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -102,19 +102,20 @@ export async function auth(
 
   const resource = resourceUrlFromServerUrl(typeof serverUrl === "string" ? new URL(serverUrl) : serverUrl);
 
+  let resourceMetadata: OAuthProtectedResourceMetadata | undefined;
   let authorizationServerUrl = serverUrl;
   try {
-    const resourceMetadata = await discoverOAuthProtectedResourceMetadata(
-      resourceMetadataUrl || serverUrl);
-
+    resourceMetadata = await discoverOAuthProtectedResourceMetadata(serverUrl, {resourceMetadataUrl});
+  } catch (error) {
+    console.warn("Could not load OAuth Protected Resource metadata, falling back to /.well-known/oauth-authorization-server", error)
+  }
+  if (resourceMetadata) {
     if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) {
       authorizationServerUrl = resourceMetadata.authorization_servers[0];
     }
     if (resourceMetadata.resource && resourceMetadata.resource !== resource.href) {
       throw new Error(`Protected resource ${resourceMetadata.resource} does not match expected ${resource}`);
     }
-  } catch (error) {
-    console.warn("Could not load OAuth Protected Resource metadata, falling back to /.well-known/oauth-authorization-server", error)
   }
 
   const metadata = await discoverOAuthMetadata(authorizationServerUrl);

From bac384f242d96a09a94dff184cc1dcbd927c0bbe Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 12:23:48 +0100
Subject: [PATCH 098/147] simplify tests

---
 src/client/auth.test.ts | 60 -----------------------------------------
 1 file changed, 60 deletions(-)

diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
index ec913ecd9..9cdc9e056 100644
--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -1030,65 +1030,5 @@ describe("OAuth Authorization", () => {
       expect(body.get("grant_type")).toBe("refresh_token");
       expect(body.get("refresh_token")).toBe("refresh123");
     });
-
-    it("verifies resource parameter distinguishes between different paths on same domain", async () => {
-      // Mock successful metadata discovery
-      mockFetch.mockImplementation((url) => {
-        const urlString = url.toString();
-        if (urlString.includes("/.well-known/oauth-authorization-server")) {
-          return Promise.resolve({
-            ok: true,
-            status: 200,
-            json: async () => ({
-              issuer: "https://auth.example.com",
-              authorization_endpoint: "https://auth.example.com/authorize",
-              token_endpoint: "https://auth.example.com/token",
-              response_types_supported: ["code"],
-              code_challenge_methods_supported: ["S256"],
-            }),
-          });
-        }
-        return Promise.resolve({ ok: false, status: 404 });
-      });
-
-      // Mock provider methods
-      (mockProvider.clientInformation as jest.Mock).mockResolvedValue({
-        client_id: "test-client",
-        client_secret: "test-secret",
-      });
-      (mockProvider.tokens as jest.Mock).mockResolvedValue(undefined);
-      (mockProvider.saveCodeVerifier as jest.Mock).mockResolvedValue(undefined);
-      (mockProvider.redirectToAuthorization as jest.Mock).mockResolvedValue(undefined);
-
-      // Test with different resource paths on same domain
-      // This tests the security fix that prevents token confusion between
-      // multiple MCP servers on the same domain
-      const result1 = await auth(mockProvider, {
-        serverUrl: "https://api.example.com/mcp-server-1/v1",
-      });
-
-      expect(result1).toBe("REDIRECT");
-
-      const redirectCall1 = (mockProvider.redirectToAuthorization as jest.Mock).mock.calls[0];
-      const authUrl1: URL = redirectCall1[0];
-      expect(authUrl1.searchParams.get("resource")).toBe("https://api.example.com/mcp-server-1/v1");
-
-      // Clear mock calls
-      (mockProvider.redirectToAuthorization as jest.Mock).mockClear();
-
-      // Test with different path on same domain
-      const result2 = await auth(mockProvider, {
-        serverUrl: "https://api.example.com/mcp-server-2/v1",
-      });
-
-      expect(result2).toBe("REDIRECT");
-
-      const redirectCall2 = (mockProvider.redirectToAuthorization as jest.Mock).mock.calls[0];
-      const authUrl2: URL = redirectCall2[0];
-      expect(authUrl2.searchParams.get("resource")).toBe("https://api.example.com/mcp-server-2/v1");
-      
-      // Verify that the two resources are different (critical for security)
-      expect(authUrl1.searchParams.get("resource")).not.toBe(authUrl2.searchParams.get("resource"));
-    });
   });
 });

From a7f9c59401a4722b673751a2a3bf21ef91e4eca1 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 13:16:32 +0100
Subject: [PATCH 099/147] Fix SSE test resource URL validation errors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixed 5 instances of hardcoded "https://resource.example.com" in OAuth
protected resource metadata mocks to use the actual resourceBaseUrl.href.
This resolves test failures where the auth validation was rejecting
requests because the resource URL in the metadata didn't match the
actual test server URL.

The failing tests were:
- attempts auth flow on 401 during SSE connection
- attempts auth flow on 401 during POST request
- refreshes expired token during SSE connection
- refreshes expired token during POST request
- redirects to authorization if refresh token flow fails

All SSE tests now pass (17/17).

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 src/client/sse.test.ts | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/client/sse.test.ts b/src/client/sse.test.ts
index 714e1fddf..3cb4e8a3c 100644
--- a/src/client/sse.test.ts
+++ b/src/client/sse.test.ts
@@ -398,7 +398,7 @@ describe("SSEClientTransport", () => {
             'Content-Type': 'application/json',
           })
           .end(JSON.stringify({
-            resource: "https://resource.example.com",
+            resource: resourceBaseUrl.href,
             authorization_servers: [`${authBaseUrl}`],
           }));
           return;
@@ -450,7 +450,7 @@ describe("SSEClientTransport", () => {
                 'Content-Type': 'application/json',
               })
               .end(JSON.stringify({
-                resource: "https://resource.example.com",
+                resource: resourceBaseUrl.href,
                 authorization_servers: [`${authBaseUrl}`],
               }));
               return;
@@ -601,7 +601,7 @@ describe("SSEClientTransport", () => {
             'Content-Type': 'application/json',
           })
           .end(JSON.stringify({
-            resource: "https://resource.example.com",
+            resource: resourceBaseUrl.href,
             authorization_servers: [`${authBaseUrl}`],
           }));
           return;
@@ -723,7 +723,7 @@ describe("SSEClientTransport", () => {
             'Content-Type': 'application/json',
           })
           .end(JSON.stringify({
-            resource: "https://resource.example.com",
+            resource: resourceBaseUrl.href,
             authorization_servers: [`${authBaseUrl}`],
           }));
           return;
@@ -851,7 +851,7 @@ describe("SSEClientTransport", () => {
             'Content-Type': 'application/json',
           })
           .end(JSON.stringify({
-            resource: "https://resource.example.com",
+            resource: resourceBaseUrl.href,
             authorization_servers: [`${authBaseUrl}`],
           }));
           return;

From f0ea31cff96d5aee6bfd1a885dcf267b4be4c188 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 13:19:56 +0100
Subject: [PATCH 100/147] Update auth.test.ts

---
 src/client/auth.test.ts | 55 +++--------------------------------------
 1 file changed, 4 insertions(+), 51 deletions(-)

diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
index 9cdc9e056..cb726717a 100644
--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -324,6 +324,7 @@ describe("OAuth Authorization", () => {
           metadata: undefined,
           clientInformation: validClientInfo,
           redirectUrl: "http://localhost:3000/callback",
+          resource: new URL("https://api.example.com/mcp-server"),
         }
       );
 
@@ -338,20 +339,8 @@ describe("OAuth Authorization", () => {
       expect(authorizationUrl.searchParams.get("redirect_uri")).toBe(
         "http://localhost:3000/callback"
       );
-      expect(codeVerifier).toBe("test_verifier");
-    });
-
-    it("includes resource parameter when provided", async () => {
-      const { authorizationUrl } = await startAuthorization(
-        "https://auth.example.com",
-        {
-          clientInformation: validClientInfo,
-          redirectUrl: "http://localhost:3000/callback",
-          resource: new URL("https://api.example.com/mcp-server"),
-        }
-      );
-
       expect(authorizationUrl.searchParams.get("resource")).toBe("https://api.example.com/mcp-server");
+      expect(codeVerifier).toBe("test_verifier");
     });
 
     it("includes scope parameter when provided", async () => {
@@ -478,6 +467,7 @@ describe("OAuth Authorization", () => {
         authorizationCode: "code123",
         codeVerifier: "verifier123",
         redirectUri: "http://localhost:3000/callback",
+        resource: new URL("https://api.example.com/mcp-server"),
       });
 
       expect(tokens).toEqual(validTokens);
@@ -500,26 +490,6 @@ describe("OAuth Authorization", () => {
       expect(body.get("client_id")).toBe("client123");
       expect(body.get("client_secret")).toBe("secret123");
       expect(body.get("redirect_uri")).toBe("http://localhost:3000/callback");
-    });
-
-    it("includes resource parameter in token exchange when provided", async () => {
-      mockFetch.mockResolvedValueOnce({
-        ok: true,
-        status: 200,
-        json: async () => validTokens,
-      });
-
-      const tokens = await exchangeAuthorization("https://auth.example.com", {
-        clientInformation: validClientInfo,
-        authorizationCode: "code123",
-        codeVerifier: "verifier123",
-        redirectUri: "http://localhost:3000/callback",
-        resource: new URL("https://api.example.com/mcp-server"),
-      });
-
-      expect(tokens).toEqual(validTokens);
-      
-      const body = mockFetch.mock.calls[0][1].body as URLSearchParams;
       expect(body.get("resource")).toBe("https://api.example.com/mcp-server");
     });
 
@@ -588,6 +558,7 @@ describe("OAuth Authorization", () => {
       const tokens = await refreshAuthorization("https://auth.example.com", {
         clientInformation: validClientInfo,
         refreshToken: "refresh123",
+        resource: new URL("https://api.example.com/mcp-server"),
       });
 
       expect(tokens).toEqual(validTokensWithNewRefreshToken);
@@ -608,24 +579,6 @@ describe("OAuth Authorization", () => {
       expect(body.get("refresh_token")).toBe("refresh123");
       expect(body.get("client_id")).toBe("client123");
       expect(body.get("client_secret")).toBe("secret123");
-    });
-
-    it("includes resource parameter in refresh token request when provided", async () => {
-      mockFetch.mockResolvedValueOnce({
-        ok: true,
-        status: 200,
-        json: async () => validTokensWithNewRefreshToken,
-      });
-
-      const tokens = await refreshAuthorization("https://auth.example.com", {
-        clientInformation: validClientInfo,
-        refreshToken: "refresh123",
-        resource: new URL("https://api.example.com/mcp-server"),
-      });
-
-      expect(tokens).toEqual(validTokensWithNewRefreshToken);
-      
-      const body = mockFetch.mock.calls[0][1].body as URLSearchParams;
       expect(body.get("resource")).toBe("https://api.example.com/mcp-server");
     });
 

From 3f07bdb223c2ff0d55f935fd427ad961b1b218cb Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 13:32:45 +0100
Subject: [PATCH 101/147] shrink tests

---
 src/server/auth/handlers/token.test.ts        | 108 ++----------------
 .../auth/providers/proxyProvider.test.ts      |  72 +-----------
 2 files changed, 8 insertions(+), 172 deletions(-)

diff --git a/src/server/auth/handlers/token.test.ts b/src/server/auth/handlers/token.test.ts
index dda4e7553..4b7fae025 100644
--- a/src/server/auth/handlers/token.test.ts
+++ b/src/server/auth/handlers/token.test.ts
@@ -264,12 +264,14 @@ describe('Token Handler', () => {
     });
 
     it('returns tokens for valid code exchange', async () => {
+      const mockExchangeCode = jest.spyOn(mockProvider, 'exchangeAuthorizationCode');
       const response = await supertest(app)
         .post('/token')
         .type('form')
         .send({
           client_id: 'valid-client',
           client_secret: 'valid-secret',
+          resource: 'https://api.example.com/resource',
           grant_type: 'authorization_code',
           code: 'valid_code',
           code_verifier: 'valid_verifier'
@@ -280,24 +282,6 @@ describe('Token Handler', () => {
       expect(response.body.token_type).toBe('bearer');
       expect(response.body.expires_in).toBe(3600);
       expect(response.body.refresh_token).toBe('mock_refresh_token');
-    });
-
-    it('accepts and passes resource parameter to provider', async () => {
-      const mockExchangeCode = jest.spyOn(mockProvider, 'exchangeAuthorizationCode');
-      
-      const response = await supertest(app)
-        .post('/token')
-        .type('form')
-        .send({
-          client_id: 'valid-client',
-          client_secret: 'valid-secret',
-          grant_type: 'authorization_code',
-          code: 'valid_code',
-          code_verifier: 'valid_verifier',
-          resource: 'https://api.example.com/resource'
-        });
-
-      expect(response.status).toBe(200);
       expect(mockExchangeCode).toHaveBeenCalledWith(
         validClient,
         'valid_code',
@@ -465,12 +449,14 @@ describe('Token Handler', () => {
     });
 
     it('returns new tokens for valid refresh token', async () => {
+      const mockExchangeRefresh = jest.spyOn(mockProvider, 'exchangeRefreshToken');
       const response = await supertest(app)
         .post('/token')
         .type('form')
         .send({
           client_id: 'valid-client',
           client_secret: 'valid-secret',
+          resource: 'https://api.example.com/resource',
           grant_type: 'refresh_token',
           refresh_token: 'valid_refresh_token'
         });
@@ -480,39 +466,6 @@ describe('Token Handler', () => {
       expect(response.body.token_type).toBe('bearer');
       expect(response.body.expires_in).toBe(3600);
       expect(response.body.refresh_token).toBe('new_mock_refresh_token');
-    });
-
-    it('respects requested scopes on refresh', async () => {
-      const response = await supertest(app)
-        .post('/token')
-        .type('form')
-        .send({
-          client_id: 'valid-client',
-          client_secret: 'valid-secret',
-          grant_type: 'refresh_token',
-          refresh_token: 'valid_refresh_token',
-          scope: 'profile email'
-        });
-
-      expect(response.status).toBe(200);
-      expect(response.body.scope).toBe('profile email');
-    });
-
-    it('accepts and passes resource parameter to provider on refresh', async () => {
-      const mockExchangeRefresh = jest.spyOn(mockProvider, 'exchangeRefreshToken');
-      
-      const response = await supertest(app)
-        .post('/token')
-        .type('form')
-        .send({
-          client_id: 'valid-client',
-          client_secret: 'valid-secret',
-          grant_type: 'refresh_token',
-          refresh_token: 'valid_refresh_token',
-          resource: 'https://api.example.com/resource'
-        });
-
-      expect(response.status).toBe(200);
       expect(mockExchangeRefresh).toHaveBeenCalledWith(
         validClient,
         'valid_refresh_token',
@@ -521,48 +474,7 @@ describe('Token Handler', () => {
       );
     });
 
-    it('rejects invalid resource parameter (non-URL) on refresh', async () => {
-      const response = await supertest(app)
-        .post('/token')
-        .type('form')
-        .send({
-          client_id: 'valid-client',
-          client_secret: 'valid-secret',
-          grant_type: 'refresh_token',
-          refresh_token: 'valid_refresh_token',
-          resource: 'not-a-url'
-        });
-
-      expect(response.status).toBe(400);
-      expect(response.body.error).toBe('invalid_request');
-      expect(response.body.error_description).toContain('resource');
-    });
-
-    it('handles refresh token exchange without resource parameter', async () => {
-      const mockExchangeRefresh = jest.spyOn(mockProvider, 'exchangeRefreshToken');
-      
-      const response = await supertest(app)
-        .post('/token')
-        .type('form')
-        .send({
-          client_id: 'valid-client',
-          client_secret: 'valid-secret',
-          grant_type: 'refresh_token',
-          refresh_token: 'valid_refresh_token'
-        });
-
-      expect(response.status).toBe(200);
-      expect(mockExchangeRefresh).toHaveBeenCalledWith(
-        validClient,
-        'valid_refresh_token',
-        undefined, // scopes
-        undefined  // resource parameter
-      );
-    });
-
-    it('passes resource with scopes on refresh', async () => {
-      const mockExchangeRefresh = jest.spyOn(mockProvider, 'exchangeRefreshToken');
-      
+    it('respects requested scopes on refresh', async () => {
       const response = await supertest(app)
         .post('/token')
         .type('form')
@@ -571,17 +483,11 @@ describe('Token Handler', () => {
           client_secret: 'valid-secret',
           grant_type: 'refresh_token',
           refresh_token: 'valid_refresh_token',
-          scope: 'profile email',
-          resource: 'https://api.example.com/resource'
+          scope: 'profile email'
         });
 
       expect(response.status).toBe(200);
-      expect(mockExchangeRefresh).toHaveBeenCalledWith(
-        validClient,
-        'valid_refresh_token',
-        ['profile', 'email'], // scopes
-        new URL('https://api.example.com/resource') // resource parameter
-      );
+      expect(response.body.scope).toBe('profile email');
     });
   });
 
diff --git a/src/server/auth/providers/proxyProvider.test.ts b/src/server/auth/providers/proxyProvider.test.ts
index b834c6592..4e98d0dc0 100644
--- a/src/server/auth/providers/proxyProvider.test.ts
+++ b/src/server/auth/providers/proxyProvider.test.ts
@@ -88,6 +88,7 @@ describe("Proxy OAuth Server Provider", () => {
           codeChallenge: "test-challenge",
           state: "test-state",
           scopes: ["read", "write"],
+          resource: new URL('https://api.example.com/resource'),
         },
         mockResponse
       );
@@ -100,52 +101,10 @@ describe("Proxy OAuth Server Provider", () => {
       expectedUrl.searchParams.set("code_challenge_method", "S256");
       expectedUrl.searchParams.set("state", "test-state");
       expectedUrl.searchParams.set("scope", "read write");
-
-      expect(mockResponse.redirect).toHaveBeenCalledWith(expectedUrl.toString());
-    });
-
-    it('includes resource parameter in authorization redirect', async () => {
-      await provider.authorize(
-        validClient,
-        {
-          redirectUri: 'https://example.com/callback',
-          codeChallenge: 'test-challenge',
-          state: 'test-state',
-          scopes: ['read', 'write'],
-          resource: new URL('https://api.example.com/resource')
-        },
-        mockResponse
-      );
-
-      const expectedUrl = new URL('https://auth.example.com/authorize');
-      expectedUrl.searchParams.set('client_id', 'test-client');
-      expectedUrl.searchParams.set('response_type', 'code');
-      expectedUrl.searchParams.set('redirect_uri', 'https://example.com/callback');
-      expectedUrl.searchParams.set('code_challenge', 'test-challenge');
-      expectedUrl.searchParams.set('code_challenge_method', 'S256');
-      expectedUrl.searchParams.set('state', 'test-state');
-      expectedUrl.searchParams.set('scope', 'read write');
       expectedUrl.searchParams.set('resource', 'https://api.example.com/resource');
 
       expect(mockResponse.redirect).toHaveBeenCalledWith(expectedUrl.toString());
     });
-
-    it('handles authorization without resource parameter', async () => {
-      await provider.authorize(
-        validClient,
-        {
-          redirectUri: 'https://example.com/callback',
-          codeChallenge: 'test-challenge',
-          state: 'test-state',
-          scopes: ['read']
-        },
-        mockResponse
-      );
-
-      const redirectUrl = (mockResponse.redirect as jest.Mock).mock.calls[0][0];
-      const url = new URL(redirectUrl);
-      expect(url.searchParams.has('resource')).toBe(false);
-    });
   });
 
   describe("token exchange", () => {
@@ -282,35 +241,6 @@ describe("Proxy OAuth Server Provider", () => {
       );
       expect(tokens).toEqual(mockTokenResponse);
     });
-
-    it('handles refresh token exchange without resource parameter', async () => {
-      const tokens = await provider.exchangeRefreshToken(
-        validClient,
-        'test-refresh-token',
-        ['read']
-      );
-
-      const fetchCall = (global.fetch as jest.Mock).mock.calls[0];
-      const body = fetchCall[1].body as string;
-      expect(body).not.toContain('resource=');
-      expect(tokens).toEqual(mockTokenResponse);
-    });
-
-    it('includes both scope and resource parameters in refresh', async () => {
-      const tokens = await provider.exchangeRefreshToken(
-        validClient,
-        'test-refresh-token',
-        ['profile', 'email'],
-        new URL('https://api.example.com/resource')
-      );
-
-      const fetchCall = (global.fetch as jest.Mock).mock.calls[0];
-      const body = fetchCall[1].body as string;
-      expect(body).toContain('scope=profile+email');
-      expect(body).toContain('resource=' + encodeURIComponent('https://api.example.com/resource'));
-      expect(tokens).toEqual(mockTokenResponse);
-    });
-
   });
 
   describe("client registration", () => {

From e76faf6a18bcd25724649a57b07c410957510192 Mon Sep 17 00:00:00 2001
From: joeyzzeng <joeyzzeng@tencent.com>
Date: Wed, 18 Jun 2025 21:34:42 +0800
Subject: [PATCH 102/147] fix: skip validation if tool reports error

---
 src/server/mcp.test.ts | 66 ++++++++++++++++++++++++++++++++++++++++++
 src/server/mcp.ts      |  2 +-
 2 files changed, 67 insertions(+), 1 deletion(-)

diff --git a/src/server/mcp.test.ts b/src/server/mcp.test.ts
index 7fb6bd55c..242f05297 100644
--- a/src/server/mcp.test.ts
+++ b/src/server/mcp.test.ts
@@ -1204,6 +1204,72 @@ describe("tool()", () => {
     ).rejects.toThrow(/Tool test has an output schema but no structured content was provided/);
   });
 
+    /***
+   * Test: Tool with Output Schema Must Provide Structured Content
+   */
+    test("should not throw error when tool with outputSchema returns no structuredContent and isError is true", async () => {
+      const mcpServer = new McpServer({
+        name: "test server",
+        version: "1.0",
+      });
+  
+      const client = new Client({
+        name: "test client",
+        version: "1.0",
+      });
+  
+      // Register a tool with outputSchema that returns only content without structuredContent
+      mcpServer.registerTool(
+        "test",
+        {
+          description: "Test tool with output schema but missing structured content",
+          inputSchema: {
+            input: z.string(),
+          },
+          outputSchema: {
+            processedInput: z.string(),
+            resultType: z.string(),
+          },
+        },
+        async ({ input }) => ({
+          // Only return content without structuredContent
+          content: [
+            {
+              type: "text",
+              text: `Processed: ${input}`,
+            },
+          ],
+          isError: true,
+        })
+      );
+  
+      const [clientTransport, serverTransport] =
+        InMemoryTransport.createLinkedPair();
+  
+      await Promise.all([
+        client.connect(clientTransport),
+        mcpServer.server.connect(serverTransport),
+      ]);
+  
+      // Call the tool and expect it to not throw an error
+      await expect(
+        client.callTool({
+          name: "test",
+          arguments: {
+            input: "hello",
+          },
+        }),
+      ).resolves.toStrictEqual({
+        content: [
+          {
+            type: "text",
+            text: `Processed: hello`,
+          },
+        ],
+        isError: true,
+      });
+    });
+
   /***
    * Test: Schema Validation Failure for Invalid Structured Content
    */
diff --git a/src/server/mcp.ts b/src/server/mcp.ts
index 3d9673da7..9440708d9 100644
--- a/src/server/mcp.ts
+++ b/src/server/mcp.ts
@@ -200,7 +200,7 @@ export class McpServer {
           }
         }
 
-        if (tool.outputSchema) {
+        if (tool.outputSchema && (result.isError !== true)) {
           if (!result.structuredContent) {
             throw new McpError(
               ErrorCode.InvalidParams,

From 4b3db9bbebb1fa93e0e59841a3fc8842996ba43f Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 15:06:16 +0100
Subject: [PATCH 103/147] stricter PRM check overridable w/
 OAuthClientProvider.validateProtectedResourceMetadata

---
 src/client/auth.ts | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/client/auth.ts b/src/client/auth.ts
index 297eb9cfc..7097eab0b 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -72,6 +72,13 @@ export interface OAuthClientProvider {
    * the authorization result.
    */
   codeVerifier(): string | Promise<string>;
+
+  /**
+   * If defined, overrides the OAuth Protected Resource Metadata (RFC 9728).
+   *
+   * Implementations must verify the provider
+   */
+  validateProtectedResourceMetadata?(metadata?: OAuthProtectedResourceMetadata): Promise<void>;
 }
 
 export type AuthResult = "AUTHORIZED" | "REDIRECT";
@@ -109,11 +116,13 @@ export async function auth(
   } catch (error) {
     console.warn("Could not load OAuth Protected Resource metadata, falling back to /.well-known/oauth-authorization-server", error)
   }
-  if (resourceMetadata) {
+  if (provider.validateProtectedResourceMetadata) {
+    await provider.validateProtectedResourceMetadata(resourceMetadata);
+  } else if (resourceMetadata) {
     if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) {
       authorizationServerUrl = resourceMetadata.authorization_servers[0];
     }
-    if (resourceMetadata.resource && resourceMetadata.resource !== resource.href) {
+    if (resourceMetadata.resource !== resource.href) {
       throw new Error(`Protected resource ${resourceMetadata.resource} does not match expected ${resource}`);
     }
   }

From f854b58443a856ef06f58e33e8f49c40f74d9eb9 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Wed, 18 Jun 2025 15:26:58 +0100
Subject: [PATCH 104/147] test validateProtectedResourceMetadata override

---
 src/client/auth.test.ts | 61 +++++++++++++++++++++++++++++++++++++++++
 src/client/auth.ts      |  2 +-
 2 files changed, 62 insertions(+), 1 deletion(-)

diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
index cb726717a..194c11245 100644
--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -983,5 +983,66 @@ describe("OAuth Authorization", () => {
       expect(body.get("grant_type")).toBe("refresh_token");
       expect(body.get("refresh_token")).toBe("refresh123");
     });
+
+    it("skips default PRM resource validation when custom validateProtectedResourceMetadata is provided", async () => {
+      const mockValidateProtectedResourceMetadata = jest.fn().mockResolvedValue(undefined);
+      const providerWithCustomValidation = {
+        ...mockProvider,
+        validateProtectedResourceMetadata: mockValidateProtectedResourceMetadata,
+      };
+
+      // Mock protected resource metadata with mismatched resource URL
+      // This would normally throw an error in default validation, but should be skipped
+      mockFetch.mockImplementation((url) => {
+        const urlString = url.toString();
+        
+        if (urlString.includes("/.well-known/oauth-protected-resource")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              resource: "https://different-resource.example.com/mcp-server", // Mismatched resource
+              authorization_servers: ["https://auth.example.com"],
+            }),
+          });
+        } else if (urlString.includes("/.well-known/oauth-authorization-server")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              issuer: "https://auth.example.com",
+              authorization_endpoint: "https://auth.example.com/authorize",
+              token_endpoint: "https://auth.example.com/token",
+              response_types_supported: ["code"],
+              code_challenge_methods_supported: ["S256"],
+            }),
+          });
+        }
+        
+        return Promise.resolve({ ok: false, status: 404 });
+      });
+
+      // Mock provider methods
+      (providerWithCustomValidation.clientInformation as jest.Mock).mockResolvedValue({
+        client_id: "test-client",
+        client_secret: "test-secret",
+      });
+      (providerWithCustomValidation.tokens as jest.Mock).mockResolvedValue(undefined);
+      (providerWithCustomValidation.saveCodeVerifier as jest.Mock).mockResolvedValue(undefined);
+      (providerWithCustomValidation.redirectToAuthorization as jest.Mock).mockResolvedValue(undefined);
+
+      // Call auth - should succeed despite resource mismatch because custom validation overrides default
+      const result = await auth(providerWithCustomValidation, {
+        serverUrl: "https://api.example.com/mcp-server",
+      });
+
+      expect(result).toBe("REDIRECT");
+      
+      // Verify custom validation method was called
+      expect(mockValidateProtectedResourceMetadata).toHaveBeenCalledWith({
+        resource: "https://different-resource.example.com/mcp-server",
+        authorization_servers: ["https://auth.example.com"],
+      });
+    });
   });
 });
diff --git a/src/client/auth.ts b/src/client/auth.ts
index 7097eab0b..4d604d28a 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -76,7 +76,7 @@ export interface OAuthClientProvider {
   /**
    * If defined, overrides the OAuth Protected Resource Metadata (RFC 9728).
    *
-   * Implementations must verify the provider
+   * Implementations must verify the resource matches the MCP server.
    */
   validateProtectedResourceMetadata?(metadata?: OAuthProtectedResourceMetadata): Promise<void>;
 }

From dada5f66f570f312a910bae095c481915b2f80c4 Mon Sep 17 00:00:00 2001
From: Paul Carleton <paulc@anthropic.com>
Date: Wed, 18 Jun 2025 15:52:56 +0100
Subject: [PATCH 105/147] wip helper func

---
 src/client/auth.ts | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/src/client/auth.ts b/src/client/auth.ts
index 4d604d28a..bef7965f1 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -78,7 +78,7 @@ export interface OAuthClientProvider {
    *
    * Implementations must verify the resource matches the MCP server.
    */
-  validateProtectedResourceMetadata?(metadata?: OAuthProtectedResourceMetadata): Promise<void>;
+  validateResourceURL?(serverUrl: string | URL, resource?: string): Promise<URL | undefined>;
 }
 
 export type AuthResult = "AUTHORIZED" | "REDIRECT";
@@ -107,26 +107,19 @@ export async function auth(
     scope?: string;
     resourceMetadataUrl?: URL }): Promise<AuthResult> {
 
-  const resource = resourceUrlFromServerUrl(typeof serverUrl === "string" ? new URL(serverUrl) : serverUrl);
-
   let resourceMetadata: OAuthProtectedResourceMetadata | undefined;
   let authorizationServerUrl = serverUrl;
   try {
     resourceMetadata = await discoverOAuthProtectedResourceMetadata(serverUrl, {resourceMetadataUrl});
-  } catch (error) {
-    console.warn("Could not load OAuth Protected Resource metadata, falling back to /.well-known/oauth-authorization-server", error)
-  }
-  if (provider.validateProtectedResourceMetadata) {
-    await provider.validateProtectedResourceMetadata(resourceMetadata);
-  } else if (resourceMetadata) {
     if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) {
       authorizationServerUrl = resourceMetadata.authorization_servers[0];
     }
-    if (resourceMetadata.resource !== resource.href) {
-      throw new Error(`Protected resource ${resourceMetadata.resource} does not match expected ${resource}`);
-    }
+  } catch (error) {
+    console.warn("Could not load OAuth Protected Resource metadata, falling back to /.well-known/oauth-authorization-server", error)
   }
 
+  const resource: URL | undefined = await selectResourceURL(serverUrl, provider, resourceMetadata);
+
   const metadata = await discoverOAuthMetadata(authorizationServerUrl);
 
   // Handle client registration if needed
@@ -202,6 +195,19 @@ export async function auth(
   return "REDIRECT";
 }
 
+async function selectResourceURL(serverUrl: string| URL, provider: OAuthClientProvider, resourceMetadata?: OAuthProtectedResourceMetadata): Promise<URL | undefined> {
+  if (provider.validateResourceURL) {
+    return await provider.validateResourceURL(serverUrl, resourceMetadata?.resource);
+  }
+
+  const resource = resourceUrlFromServerUrl(typeof serverUrl === "string" ? new URL(serverUrl) : serverUrl);
+  if (resourceMetadata && resourceMetadata.resource !== resource.href) {
+    throw new Error(`Protected resource ${resourceMetadata.resource} does not match expected ${resource}`);
+  }
+
+  return resource;
+}
+
 /**
  * Extract resource_metadata from response header.
  */

From 4c51230fc2022f15573eea6ec6c7b9f3bbbdea91 Mon Sep 17 00:00:00 2001
From: Paul Carleton <paulc@anthropic.com>
Date: Wed, 18 Jun 2025 16:00:12 +0100
Subject: [PATCH 106/147] fix tests

---
 src/client/auth.test.ts | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
index 194c11245..91422de0e 100644
--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -849,7 +849,7 @@ describe("OAuth Authorization", () => {
       });
 
       expect(result).toBe("REDIRECT");
-      
+
       // Verify the authorization URL includes the resource parameter
       expect(mockProvider.redirectToAuthorization).toHaveBeenCalledWith(
         expect.objectContaining({
@@ -866,7 +866,7 @@ describe("OAuth Authorization", () => {
       // Mock successful metadata discovery and token exchange
       mockFetch.mockImplementation((url) => {
         const urlString = url.toString();
-        
+
         if (urlString.includes("/.well-known/oauth-authorization-server")) {
           return Promise.resolve({
             ok: true,
@@ -891,7 +891,7 @@ describe("OAuth Authorization", () => {
             }),
           });
         }
-        
+
         return Promise.resolve({ ok: false, status: 404 });
       });
 
@@ -912,11 +912,11 @@ describe("OAuth Authorization", () => {
       expect(result).toBe("AUTHORIZED");
 
       // Find the token exchange call
-      const tokenCall = mockFetch.mock.calls.find(call => 
+      const tokenCall = mockFetch.mock.calls.find(call =>
         call[0].toString().includes("/token")
       );
       expect(tokenCall).toBeDefined();
-      
+
       const body = tokenCall![1].body as URLSearchParams;
       expect(body.get("resource")).toBe("https://api.example.com/mcp-server");
       expect(body.get("code")).toBe("auth-code-123");
@@ -926,7 +926,7 @@ describe("OAuth Authorization", () => {
       // Mock successful metadata discovery and token refresh
       mockFetch.mockImplementation((url) => {
         const urlString = url.toString();
-        
+
         if (urlString.includes("/.well-known/oauth-authorization-server")) {
           return Promise.resolve({
             ok: true,
@@ -950,7 +950,7 @@ describe("OAuth Authorization", () => {
             }),
           });
         }
-        
+
         return Promise.resolve({ ok: false, status: 404 });
       });
 
@@ -973,29 +973,29 @@ describe("OAuth Authorization", () => {
       expect(result).toBe("AUTHORIZED");
 
       // Find the token refresh call
-      const tokenCall = mockFetch.mock.calls.find(call => 
+      const tokenCall = mockFetch.mock.calls.find(call =>
         call[0].toString().includes("/token")
       );
       expect(tokenCall).toBeDefined();
-      
+
       const body = tokenCall![1].body as URLSearchParams;
       expect(body.get("resource")).toBe("https://api.example.com/mcp-server");
       expect(body.get("grant_type")).toBe("refresh_token");
       expect(body.get("refresh_token")).toBe("refresh123");
     });
 
-    it("skips default PRM resource validation when custom validateProtectedResourceMetadata is provided", async () => {
-      const mockValidateProtectedResourceMetadata = jest.fn().mockResolvedValue(undefined);
+    it("skips default PRM resource validation when custom validateResourceURL is provided", async () => {
+      const mockValidateResourceURL = jest.fn().mockResolvedValue(undefined);
       const providerWithCustomValidation = {
         ...mockProvider,
-        validateProtectedResourceMetadata: mockValidateProtectedResourceMetadata,
+        validateResourceURL: mockValidateResourceURL,
       };
 
       // Mock protected resource metadata with mismatched resource URL
       // This would normally throw an error in default validation, but should be skipped
       mockFetch.mockImplementation((url) => {
         const urlString = url.toString();
-        
+
         if (urlString.includes("/.well-known/oauth-protected-resource")) {
           return Promise.resolve({
             ok: true,
@@ -1018,7 +1018,7 @@ describe("OAuth Authorization", () => {
             }),
           });
         }
-        
+
         return Promise.resolve({ ok: false, status: 404 });
       });
 
@@ -1037,12 +1037,12 @@ describe("OAuth Authorization", () => {
       });
 
       expect(result).toBe("REDIRECT");
-      
+
       // Verify custom validation method was called
-      expect(mockValidateProtectedResourceMetadata).toHaveBeenCalledWith({
-        resource: "https://different-resource.example.com/mcp-server",
-        authorization_servers: ["https://auth.example.com"],
-      });
+      expect(mockValidateResourceURL).toHaveBeenCalledWith(
+        "https://api.example.com/mcp-server",
+        "https://different-resource.example.com/mcp-server"
+      );
     });
   });
 });

From 86bed6aaacd4491cbd0621e24836fdcc5cd1ca34 Mon Sep 17 00:00:00 2001
From: Paul Carleton <paulc@anthropic.com>
Date: Wed, 18 Jun 2025 16:05:14 +0100
Subject: [PATCH 107/147] adjust comment

---
 src/client/auth.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/client/auth.ts b/src/client/auth.ts
index bef7965f1..28d9d8339 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -74,9 +74,11 @@ export interface OAuthClientProvider {
   codeVerifier(): string | Promise<string>;
 
   /**
-   * If defined, overrides the OAuth Protected Resource Metadata (RFC 9728).
+   * If defined, overrides the selection and validation of the
+   * RFC 8707 Resource Indicator. If left undefined, default
+   * validation behavior will be used.
    *
-   * Implementations must verify the resource matches the MCP server.
+   * Implementations must verify the returned resource matches the MCP server.
    */
   validateResourceURL?(serverUrl: string | URL, resource?: string): Promise<URL | undefined>;
 }

From e7a5e331f1df4d506f526cabce207117ed9084ea Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Wed, 18 Jun 2025 20:11:18 +0100
Subject: [PATCH 108/147] rename decline to reject

---
 README.md                                   |  2 +-
 src/examples/client/simpleStreamableHttp.ts |  8 ++++----
 src/examples/server/simpleStreamableHttp.ts |  6 +++---
 src/server/index.test.ts                    | 10 +++++-----
 src/server/mcp.test.ts                      |  2 +-
 src/types.ts                                |  2 +-
 6 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index 9fa07de34..aa8f9304c 100644
--- a/README.md
+++ b/README.md
@@ -930,7 +930,7 @@ Client-side: Handle elicitation requests
 ```typescript
 // This is a placeholder - implement based on your UI framework
 async function getInputFromUser(message: string, schema: any): Promise<{
-  action: "accept" | "decline" | "cancel";
+  action: "accept" | "reject" | "cancel";
   data?: Record<string, any>;
 }> {
   // This should be implemented depending on the app
diff --git a/src/examples/client/simpleStreamableHttp.ts b/src/examples/client/simpleStreamableHttp.ts
index ddb274196..02db131ef 100644
--- a/src/examples/client/simpleStreamableHttp.ts
+++ b/src/examples/client/simpleStreamableHttp.ts
@@ -363,7 +363,7 @@ async function connect(url?: string): Promise<void> {
             continue;
           } else {
             console.log('Maximum attempts reached. Declining request.');
-            return { action: 'decline' };
+            return { action: 'reject' };
           }
         }
 
@@ -381,7 +381,7 @@ async function connect(url?: string): Promise<void> {
             continue;
           } else {
             console.log('Maximum attempts reached. Declining request.');
-            return { action: 'decline' };
+            return { action: 'reject' };
           }
         }
 
@@ -408,13 +408,13 @@ async function connect(url?: string): Promise<void> {
             console.log('Please re-enter the information...');
             continue;
           } else {
-            return { action: 'decline' };
+            return { action: 'reject' };
           }
         }
       }
 
       console.log('Maximum attempts reached. Declining request.');
-      return { action: 'decline' };
+      return { action: 'reject' };
     });
 
     transport = new StreamableHTTPClientTransport(
diff --git a/src/examples/server/simpleStreamableHttp.ts b/src/examples/server/simpleStreamableHttp.ts
index 98d85c948..40e96a44a 100644
--- a/src/examples/server/simpleStreamableHttp.ts
+++ b/src/examples/server/simpleStreamableHttp.ts
@@ -205,12 +205,12 @@ const getServer = () => {
               },
             ],
           };
-        } else if (result.action === 'decline') {
+        } else if (result.action === 'reject') {
           return {
             content: [
               {
                 type: 'text',
-                text: `No information was collected. User declined to provide ${infoType} information.`,
+                text: `No information was collected. User rejectd to provide ${infoType} information.`,
               },
             ],
           };
@@ -458,7 +458,7 @@ if (useOAuth) {
       }
 
       const data = await response.json();
-     
+
       if (strictOAuth) {
         if (!data.aud) {
           throw new Error(`Resource Indicator (RFC8707) missing`);
diff --git a/src/server/index.test.ts b/src/server/index.test.ts
index ce54247a0..48b7f7340 100644
--- a/src/server/index.test.ts
+++ b/src/server/index.test.ts
@@ -505,7 +505,7 @@ test("should reject elicitation response with invalid data", async () => {
   ).rejects.toThrow(/does not match requested schema/);
 });
 
-test("should allow elicitation decline and cancel without validation", async () => {
+test("should allow elicitation reject and cancel without validation", async () => {
   const server = new Server(
     {
       name: "test server",
@@ -524,7 +524,7 @@ test("should allow elicitation decline and cancel without validation", async ()
 
   const client = new Client(
     {
-      name: "test client", 
+      name: "test client",
       version: "1.0",
     },
     {
@@ -538,7 +538,7 @@ test("should allow elicitation decline and cancel without validation", async ()
   client.setRequestHandler(ElicitRequestSchema, (request) => {
     requestCount++;
     if (requestCount === 1) {
-      return { action: "decline" };
+      return { action: "reject" };
     } else {
       return { action: "cancel" };
     }
@@ -559,14 +559,14 @@ test("should allow elicitation decline and cancel without validation", async ()
     required: ["name"],
   };
 
-  // Test decline - should not validate
+  // Test reject - should not validate
   await expect(
     server.elicitInput({
       message: "Please provide your name",
       requestedSchema: schema,
     }),
   ).resolves.toEqual({
-    action: "decline",
+    action: "reject",
   });
 
   // Test cancel - should not validate  
diff --git a/src/server/mcp.test.ts b/src/server/mcp.test.ts
index 7fb6bd55c..50df25b53 100644
--- a/src/server/mcp.test.ts
+++ b/src/server/mcp.test.ts
@@ -4157,7 +4157,7 @@ describe("elicitInput()", () => {
     // Mock availability check to return false
     checkAvailability.mockResolvedValue(false);
 
-    // Set up client to decline alternative date checking
+    // Set up client to reject alternative date checking
     client.setRequestHandler(ElicitRequestSchema, async () => {
       return {
         action: "accept",
diff --git a/src/types.ts b/src/types.ts
index e16b313de..3606a6be7 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -1237,7 +1237,7 @@ export const ElicitResultSchema = ResultSchema.extend({
   /**
    * The user's response action.
    */
-  action: z.enum(["accept", "decline", "cancel"]),
+  action: z.enum(["accept", "reject", "cancel"]),
   /**
    * The collected user input content (only present if action is "accept").
    */

From 54a8556696256dc563596757123cdc628b57910e Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Wed, 18 Jun 2025 20:21:24 +0100
Subject: [PATCH 109/147] bump version

---
 package-lock.json | 4 ++--
 package.json      | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index c676d07f8..d14ac4f43 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.12.3",
+  "version": "1.13.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@modelcontextprotocol/sdk",
-      "version": "1.12.3",
+      "version": "1.13.0",
       "license": "MIT",
       "dependencies": {
         "ajv": "^6.12.6",
diff --git a/package.json b/package.json
index 6b184f31d..4516ef292 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.12.3",
+  "version": "1.13.0",
   "description": "Model Context Protocol implementation for TypeScript",
   "license": "MIT",
   "author": "Anthropic, PBC (https://anthropic.com)",

From 2f9530bdf9b956c18d0647f757c212b7f7d3ead1 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Wed, 18 Jun 2025 20:33:35 +0100
Subject: [PATCH 110/147] fix typo

---
 src/examples/server/simpleStreamableHttp.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/examples/server/simpleStreamableHttp.ts b/src/examples/server/simpleStreamableHttp.ts
index 40e96a44a..37c5f0be7 100644
--- a/src/examples/server/simpleStreamableHttp.ts
+++ b/src/examples/server/simpleStreamableHttp.ts
@@ -210,7 +210,7 @@ const getServer = () => {
             content: [
               {
                 type: 'text',
-                text: `No information was collected. User rejectd to provide ${infoType} information.`,
+                text: `No information was collected. User rejected ${infoType} information request.`,
               },
             ],
           };

From b293911df72f6191a8262beba4495fcaf80abb08 Mon Sep 17 00:00:00 2001
From: "Kent C. Dodds" <me+github@kentcdodds.com>
Date: Wed, 18 Jun 2025 21:56:22 -0600
Subject: [PATCH 111/147] add overloads for registerResource method in
 McpServer class

Otherwise, TypeScript can't properly distinguish the type of callback
---
 src/server/mcp.ts | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/server/mcp.ts b/src/server/mcp.ts
index 3d9673da7..ee85ab595 100644
--- a/src/server/mcp.ts
+++ b/src/server/mcp.ts
@@ -613,6 +613,18 @@ export class McpServer {
    * Registers a resource with a config object and callback.
    * For static resources, use a URI string. For dynamic resources, use a ResourceTemplate.
    */
+  registerResource(
+    name: string,
+    uriOrTemplate: string,
+    config: ResourceMetadata,
+    readCallback: ReadResourceCallback
+  ): RegisteredResource;
+  registerResource(
+    name: string,
+    uriOrTemplate: ResourceTemplate,
+    config: ResourceMetadata,
+    readCallback: ReadResourceTemplateCallback
+  ): RegisteredResourceTemplate;
   registerResource(
     name: string,
     uriOrTemplate: string | ResourceTemplate,

From 2a238905df96dda86d84fc6b05971c8e160e8b37 Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Thu, 19 Jun 2025 11:44:43 +0100
Subject: [PATCH 112/147] simpleStreamableHttp: fix example code (#660)

---
 .../server/demoInMemoryOAuthProvider.ts       | 24 +++++++++----------
 src/examples/server/simpleStreamableHttp.ts   |  2 +-
 2 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/src/examples/server/demoInMemoryOAuthProvider.ts b/src/examples/server/demoInMemoryOAuthProvider.ts
index fe8d3f9cf..274a504a1 100644
--- a/src/examples/server/demoInMemoryOAuthProvider.ts
+++ b/src/examples/server/demoInMemoryOAuthProvider.ts
@@ -35,17 +35,8 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
     params: AuthorizationParams,
     client: OAuthClientInformationFull}>();
   private tokens = new Map<string, AuthInfo>();
-  private validateResource?: (resource?: URL) => boolean;
-
-  constructor({mcpServerUrl}: {mcpServerUrl?: URL} = {}) {
-    if (mcpServerUrl) {
-      const expectedResource = resourceUrlFromServerUrl(mcpServerUrl);
-      this.validateResource = (resource?: URL) => {
-        if (!resource) return false;
-        return resource.toString() === expectedResource.toString();
-      };
-    }
-  }
+
+  constructor(private validateResource?: (resource?: URL) => boolean) {}
 
   async authorize(
     client: OAuthClientInformationFull,
@@ -153,13 +144,20 @@ export class DemoInMemoryAuthProvider implements OAuthServerProvider {
 }
 
 
-export const setupAuthServer = (authServerUrl: URL, mcpServerUrl: URL): OAuthMetadata => {
+export const setupAuthServer = ({authServerUrl, mcpServerUrl, strictResource}: {authServerUrl: URL, mcpServerUrl: URL, strictResource: boolean}): OAuthMetadata => {
   // Create separate auth server app
   // NOTE: This is a separate app on a separate port to illustrate
   // how to separate an OAuth Authorization Server from a Resource
   // server in the SDK. The SDK is not intended to be provide a standalone
   // authorization server.
-  const provider = new DemoInMemoryAuthProvider({mcpServerUrl});
+
+  const validateResource = strictResource ? (resource?: URL) => {
+    if (!resource) return false;
+    const expectedResource = resourceUrlFromServerUrl(mcpServerUrl);
+    return resource.toString() === expectedResource.toString();
+  } : undefined;
+
+  const provider = new DemoInMemoryAuthProvider(validateResource);
   const authApp = express();
   authApp.use(express.json());
   // For introspection requests
diff --git a/src/examples/server/simpleStreamableHttp.ts b/src/examples/server/simpleStreamableHttp.ts
index 37c5f0be7..6406bc213 100644
--- a/src/examples/server/simpleStreamableHttp.ts
+++ b/src/examples/server/simpleStreamableHttp.ts
@@ -432,7 +432,7 @@ if (useOAuth) {
   const mcpServerUrl = new URL(`http://localhost:${MCP_PORT}/mcp`);
   const authServerUrl = new URL(`http://localhost:${AUTH_PORT}`);
 
-  const oauthMetadata: OAuthMetadata = setupAuthServer(authServerUrl, mcpServerUrl);
+  const oauthMetadata: OAuthMetadata = setupAuthServer({authServerUrl, mcpServerUrl, strictResource: strictOAuth});
 
   const tokenVerifier = {
     verifyAccessToken: async (token: string) => {

From 87da0e0c3a96d9d3bc251d158c42579aeef0b6fd Mon Sep 17 00:00:00 2001
From: Paul Carleton <paulc@anthropic.com>
Date: Thu, 19 Jun 2025 17:52:24 +0100
Subject: [PATCH 113/147] adjust default validation for resource parameter in
 client flow, and server example

---
 src/client/auth.test.ts                     |  2 +-
 src/client/auth.ts                          | 14 +++----
 src/examples/server/simpleStreamableHttp.ts |  3 +-
 src/shared/auth-utils.test.ts               | 35 +++++++++++++++-
 src/shared/auth-utils.ts                    | 44 ++++++++++++++++++++-
 5 files changed, 85 insertions(+), 13 deletions(-)

diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
index b99e4c903..532e13a39 100644
--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -1041,7 +1041,7 @@ describe("OAuth Authorization", () => {
 
       // Verify custom validation method was called
       expect(mockValidateResourceURL).toHaveBeenCalledWith(
-        "https://api.example.com/mcp-server",
+        new URL("https://api.example.com/mcp-server"),
         "https://different-resource.example.com/mcp-server"
       );
     });
diff --git a/src/client/auth.ts b/src/client/auth.ts
index 28d9d8339..c97d4f0bd 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -2,7 +2,7 @@ import pkceChallenge from "pkce-challenge";
 import { LATEST_PROTOCOL_VERSION } from "../types.js";
 import type { OAuthClientMetadata, OAuthClientInformation, OAuthTokens, OAuthMetadata, OAuthClientInformationFull, OAuthProtectedResourceMetadata } from "../shared/auth.js";
 import { OAuthClientInformationFullSchema, OAuthMetadataSchema, OAuthProtectedResourceMetadataSchema, OAuthTokensSchema } from "../shared/auth.js";
-import { resourceUrlFromServerUrl } from "../shared/auth-utils.js";
+import { checkResourceAllowed, resourceUrlFromServerUrl } from "../shared/auth-utils.js";
 
 /**
  * Implements an end-to-end OAuth client to be used with one MCP server.
@@ -198,13 +198,13 @@ export async function auth(
 }
 
 async function selectResourceURL(serverUrl: string| URL, provider: OAuthClientProvider, resourceMetadata?: OAuthProtectedResourceMetadata): Promise<URL | undefined> {
+  const resource = resourceUrlFromServerUrl(serverUrl);
   if (provider.validateResourceURL) {
-    return await provider.validateResourceURL(serverUrl, resourceMetadata?.resource);
-  }
-
-  const resource = resourceUrlFromServerUrl(typeof serverUrl === "string" ? new URL(serverUrl) : serverUrl);
-  if (resourceMetadata && resourceMetadata.resource !== resource.href) {
-    throw new Error(`Protected resource ${resourceMetadata.resource} does not match expected ${resource}`);
+    return await provider.validateResourceURL(resource, resourceMetadata?.resource);
+  } else if (resourceMetadata) {
+    if (!checkResourceAllowed({ requestedResource: resource, configuredResource: resourceMetadata.resource })) {
+      throw new Error(`Protected resource ${resourceMetadata.resource} does not match expected ${resource} (or origin)`);
+    }
   }
 
   return resource;
diff --git a/src/examples/server/simpleStreamableHttp.ts b/src/examples/server/simpleStreamableHttp.ts
index 6406bc213..09d30da2a 100644
--- a/src/examples/server/simpleStreamableHttp.ts
+++ b/src/examples/server/simpleStreamableHttp.ts
@@ -9,6 +9,7 @@ import { CallToolResult, GetPromptResult, isInitializeRequest, PrimitiveSchemaDe
 import { InMemoryEventStore } from '../shared/inMemoryEventStore.js';
 import { setupAuthServer } from './demoInMemoryOAuthProvider.js';
 import { OAuthMetadata } from 'src/shared/auth.js';
+import { checkResourceAllowed } from 'src/shared/auth-utils.js';
 
 // Check for OAuth flag
 const useOAuth = process.argv.includes('--oauth');
@@ -463,7 +464,7 @@ if (useOAuth) {
         if (!data.aud) {
           throw new Error(`Resource Indicator (RFC8707) missing`);
         }
-        if (data.aud !== mcpServerUrl.href) {
+        if (!checkResourceAllowed({ requestedResource: data.aud, configuredResource: mcpServerUrl })) {
           throw new Error(`Expected resource indicator ${mcpServerUrl}, got: ${data.aud}`);
         }
       }
diff --git a/src/shared/auth-utils.test.ts b/src/shared/auth-utils.test.ts
index c35bb1228..c1fa7bdf1 100644
--- a/src/shared/auth-utils.test.ts
+++ b/src/shared/auth-utils.test.ts
@@ -1,4 +1,4 @@
-import { resourceUrlFromServerUrl } from './auth-utils.js';
+import { resourceUrlFromServerUrl, checkResourceAllowed } from './auth-utils.js';
 
 describe('auth-utils', () => {
   describe('resourceUrlFromServerUrl', () => {
@@ -27,4 +27,35 @@ describe('auth-utils', () => {
       expect(resourceUrlFromServerUrl(new URL('https://example.com/path/')).href).toBe('https://example.com/path/');
     });
   });
-});
\ No newline at end of file
+
+  describe('resourceMatches', () => {
+    it('should match identical URLs', () => {
+      expect(checkResourceAllowed({ requestedResource: 'https://example.com/path', configuredResource: 'https://example.com/path' })).toBe(true);
+      expect(checkResourceAllowed({ requestedResource: 'https://example.com/', configuredResource: 'https://example.com/' })).toBe(true);
+    });
+
+    it('should not match URLs with different paths', () => {
+      expect(checkResourceAllowed({ requestedResource: 'https://example.com/path1', configuredResource: 'https://example.com/path2' })).toBe(false);
+      expect(checkResourceAllowed({ requestedResource: 'https://example.com/', configuredResource: 'https://example.com/path' })).toBe(false);
+    });
+
+    it('should not match URLs with different domains', () => {
+      expect(checkResourceAllowed({ requestedResource: 'https://example.com/path', configuredResource: 'https://example.org/path' })).toBe(false);
+    });
+
+    it('should not match URLs with different ports', () => {
+      expect(checkResourceAllowed({ requestedResource: 'https://example.com:8080/path', configuredResource: 'https://example.com/path' })).toBe(false);
+    });
+
+    it('should not match URLs where one path is a sub-path of another', () => {
+      expect(checkResourceAllowed({ requestedResource: 'https://example.com/mcpxxxx', configuredResource: 'https://example.com/mcp' })).toBe(false);
+      expect(checkResourceAllowed({ requestedResource: 'https://example.com/folder', configuredResource: 'https://example.com/folder/subfolder' })).toBe(false);
+      expect(checkResourceAllowed({ requestedResource: 'https://example.com/api/v1', configuredResource: 'https://example.com/api' })).toBe(true);
+    });
+
+    it('should handle trailing slashes vs no trailing slashes', () => {
+      expect(checkResourceAllowed({ requestedResource: 'https://example.com/mcp/', configuredResource: 'https://example.com/mcp' })).toBe(true);
+      expect(checkResourceAllowed({ requestedResource: 'https://example.com/folder', configuredResource: 'https://example.com/folder/' })).toBe(false);
+    });
+  });
+});
diff --git a/src/shared/auth-utils.ts b/src/shared/auth-utils.ts
index 086d812f6..97a77c01d 100644
--- a/src/shared/auth-utils.ts
+++ b/src/shared/auth-utils.ts
@@ -7,8 +7,48 @@
  * RFC 8707 section 2 states that resource URIs "MUST NOT include a fragment component".
  * Keeps everything else unchanged (scheme, domain, port, path, query).
  */
-export function resourceUrlFromServerUrl(url: URL): URL {
-  const resourceURL = new URL(url.href);
+export function resourceUrlFromServerUrl(url: URL | string ): URL {
+  const resourceURL = typeof url === "string" ? new URL(url) : new URL(url.href);
   resourceURL.hash = ''; // Remove fragment
   return resourceURL;
 }
+
+/**
+ * Checks if a requested resource URL matches a configured resource URL.
+ * A requested resource matches if it has the same scheme, domain, port,
+ * and its path starts with the configured resource's path.
+ *
+ * @param requestedResource The resource URL being requested
+ * @param configuredResource The resource URL that has been configured
+ * @returns true if the requested resource matches the configured resource, false otherwise
+ */
+ export function checkResourceAllowed(
+   { requestedResource, configuredResource }: {
+     requestedResource: URL | string;
+     configuredResource: URL | string
+   }
+ ): boolean {
+   const requested = typeof requestedResource === "string" ? new URL(requestedResource) : new URL(requestedResource.href);
+   const configured = typeof configuredResource === "string" ? new URL(configuredResource) : new URL(configuredResource.href);
+
+   // Compare the origin (scheme, domain, and port)
+   if (requested.origin !== configured.origin) {
+     return false;
+   }
+
+   // Handle cases like requested=/foo and configured=/foo/
+   if (requested.pathname.length < configured.pathname.length) {
+     return false
+   }
+
+   // Check if the requested path starts with the configured path
+   // Ensure both paths end with / for proper comparison
+   // This ensures that if we have paths like "/api" and "/api/users",
+   // we properly detect that "/api/users" is a subpath of "/api"
+   // By adding a trailing slash if missing, we avoid false positives
+   // where paths like "/api123" would incorrectly match "/api"
+   const requestedPath = requested.pathname.endsWith('/') ? requested.pathname : requested.pathname + '/';
+   const configuredPath = configured.pathname.endsWith('/') ? configured.pathname : configured.pathname + '/';
+
+   return requestedPath.startsWith(configuredPath);
+ }

From eff548c06f493ffaa3de9d38a33e5b32b0b4e093 Mon Sep 17 00:00:00 2001
From: Paul Carleton <paulc@anthropic.com>
Date: Thu, 19 Jun 2025 18:02:00 +0100
Subject: [PATCH 114/147] adjust to provided resource

---
 src/client/auth.test.ts | 61 +++++++++++++++++++++++++++++++++++++++++
 src/client/auth.ts      |  9 ++++--
 2 files changed, 67 insertions(+), 3 deletions(-)

diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
index 532e13a39..f95cb2ca8 100644
--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -1045,5 +1045,66 @@ describe("OAuth Authorization", () => {
         "https://different-resource.example.com/mcp-server"
       );
     });
+
+    it("uses prefix of server URL from PRM resource as resource parameter", async () => {
+      // Mock successful metadata discovery with resource URL that is a prefix of requested URL
+      mockFetch.mockImplementation((url) => {
+        const urlString = url.toString();
+
+        if (urlString.includes("/.well-known/oauth-protected-resource")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              // Resource is a prefix of the requested server URL
+              resource: "https://api.example.com/",
+              authorization_servers: ["https://auth.example.com"],
+            }),
+          });
+        } else if (urlString.includes("/.well-known/oauth-authorization-server")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              issuer: "https://auth.example.com",
+              authorization_endpoint: "https://auth.example.com/authorize",
+              token_endpoint: "https://auth.example.com/token",
+              response_types_supported: ["code"],
+              code_challenge_methods_supported: ["S256"],
+            }),
+          });
+        }
+
+        return Promise.resolve({ ok: false, status: 404 });
+      });
+
+      // Mock provider methods
+      (mockProvider.clientInformation as jest.Mock).mockResolvedValue({
+        client_id: "test-client",
+        client_secret: "test-secret",
+      });
+      (mockProvider.tokens as jest.Mock).mockResolvedValue(undefined);
+      (mockProvider.saveCodeVerifier as jest.Mock).mockResolvedValue(undefined);
+      (mockProvider.redirectToAuthorization as jest.Mock).mockResolvedValue(undefined);
+
+      // Call auth with a URL that has the resource as prefix
+      const result = await auth(mockProvider, {
+        serverUrl: "https://api.example.com/mcp-server/endpoint",
+      });
+
+      expect(result).toBe("REDIRECT");
+
+      // Verify the authorization URL includes the resource parameter from PRM
+      expect(mockProvider.redirectToAuthorization).toHaveBeenCalledWith(
+        expect.objectContaining({
+          searchParams: expect.any(URLSearchParams),
+        })
+      );
+
+      const redirectCall = (mockProvider.redirectToAuthorization as jest.Mock).mock.calls[0];
+      const authUrl: URL = redirectCall[0];
+      // Should use the PRM's resource value, not the full requested URL
+      expect(authUrl.searchParams.get("resource")).toBe("https://api.example.com/");
+    });
   });
 });
diff --git a/src/client/auth.ts b/src/client/auth.ts
index c97d4f0bd..680fefd08 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -197,12 +197,15 @@ export async function auth(
   return "REDIRECT";
 }
 
-async function selectResourceURL(serverUrl: string| URL, provider: OAuthClientProvider, resourceMetadata?: OAuthProtectedResourceMetadata): Promise<URL | undefined> {
-  const resource = resourceUrlFromServerUrl(serverUrl);
+export async function selectResourceURL(serverUrl: string| URL, provider: OAuthClientProvider, resourceMetadata?: OAuthProtectedResourceMetadata): Promise<URL | undefined> {
+  let resource = resourceUrlFromServerUrl(serverUrl);
   if (provider.validateResourceURL) {
     return await provider.validateResourceURL(resource, resourceMetadata?.resource);
   } else if (resourceMetadata) {
-    if (!checkResourceAllowed({ requestedResource: resource, configuredResource: resourceMetadata.resource })) {
+    if (checkResourceAllowed({ requestedResource: resource, configuredResource: resourceMetadata.resource })) {
+      // If the resource mentioned in metadata is valid, prefer it since it is what the server is telling us to request.
+      resource = new URL(resourceMetadata.resource);
+    } else {
       throw new Error(`Protected resource ${resourceMetadata.resource} does not match expected ${resource} (or origin)`);
     }
   }

From 744b9eade60424709e7a8b0e6741fbd3306af81f Mon Sep 17 00:00:00 2001
From: Olivier Chafik <ochafik@anthropic.com>
Date: Thu, 19 Jun 2025 18:56:25 +0100
Subject: [PATCH 115/147] build: add watching script targets for build & simple
 streamable http server (#663)

---
 package.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index 4516ef292..bb8022faf 100644
--- a/package.json
+++ b/package.json
@@ -36,8 +36,11 @@
   ],
   "scripts": {
     "build": "npm run build:esm && npm run build:cjs",
-    "build:esm": "tsc -p tsconfig.prod.json && echo '{\"type\": \"module\"}' > dist/esm/package.json",
-    "build:cjs": "tsc -p tsconfig.cjs.json && echo '{\"type\": \"commonjs\"}' > dist/cjs/package.json",
+    "build:esm": "mkdir -p dist/esm && echo '{\"type\": \"module\"}' > dist/esm/package.json && tsc -p tsconfig.prod.json",
+    "build:esm:w": "npm run build:esm -- -w",
+    "build:cjs": "mkdir -p dist/cjs && echo '{\"type\": \"commonjs\"}' > dist/cjs/package.json && tsc -p tsconfig.cjs.json",
+    "build:cjs:w": "npm run build:cjs -- -w",
+    "examples:simple-server:w": "tsx --watch src/examples/server/simpleStreamableHttp.ts --oauth",
     "prepack": "npm run build:esm && npm run build:cjs",
     "lint": "eslint src/",
     "test": "jest",

From f4b8a48ded019a54a38d3d150a013427d6cbdbc6 Mon Sep 17 00:00:00 2001
From: Ashwin Bhat <ashwin@anthropic.com>
Date: Thu, 19 Jun 2025 22:34:13 -0700
Subject: [PATCH 116/147] feat: remove console statements from SDK code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Remove all console.log, console.warn, and console.error from src/client and src/server
- Add ESLint no-console rule for client and server directories (excluding tests)
- Keep console statements in test files, examples, and CLI tools as intended

Addresses feedback in PR #665

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 eslint.config.mjs                        |  7 ++++++
 src/client/auth.ts                       | 10 +++-----
 src/client/index.ts                      |  4 +--
 src/server/auth/handlers/authorize.ts    |  2 --
 src/server/auth/handlers/register.ts     |  1 -
 src/server/auth/handlers/revoke.ts       | 31 ++++++++++++++----------
 src/server/auth/handlers/token.ts        |  2 --
 src/server/auth/middleware/bearerAuth.ts |  1 -
 src/server/auth/middleware/clientAuth.ts |  1 -
 9 files changed, 31 insertions(+), 28 deletions(-)

diff --git a/eslint.config.mjs b/eslint.config.mjs
index 515114cf2..d792f015f 100644
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@@ -15,5 +15,12 @@ export default tseslint.config(
                 { "argsIgnorePattern": "^_" }
             ]
         }
+    },
+    {
+        files: ["src/client/**/*.ts", "src/server/**/*.ts"],
+        ignores: ["**/*.test.ts"],
+        rules: {
+            "no-console": "error"
+        }
     }
 );
diff --git a/src/client/auth.ts b/src/client/auth.ts
index 28d9d8339..f84efa05e 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -116,8 +116,8 @@ export async function auth(
     if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) {
       authorizationServerUrl = resourceMetadata.authorization_servers[0];
     }
-  } catch (error) {
-    console.warn("Could not load OAuth Protected Resource metadata, falling back to /.well-known/oauth-authorization-server", error)
+  } catch {
+    // Ignore errors and fall back to /.well-known/oauth-authorization-server
   }
 
   const resource: URL | undefined = await selectResourceURL(serverUrl, provider, resourceMetadata);
@@ -175,8 +175,8 @@ export async function auth(
 
       await provider.saveTokens(newTokens);
       return "AUTHORIZED";
-    } catch (error) {
-      console.error("Could not refresh OAuth tokens:", error);
+    } catch {
+      // Could not refresh OAuth tokens
     }
   }
 
@@ -222,7 +222,6 @@ export function extractResourceMetadataUrl(res: Response): URL | undefined {
 
   const [type, scheme] = authenticateHeader.split(' ');
   if (type.toLowerCase() !== 'bearer' || !scheme) {
-    console.log("Invalid WWW-Authenticate header format, expected 'Bearer'");
     return undefined;
   }
   const regex = /resource_metadata="([^"]*)"/;
@@ -235,7 +234,6 @@ export function extractResourceMetadataUrl(res: Response): URL | undefined {
   try {
     return new URL(match[1]);
   } catch {
-    console.log("Invalid resource metadata url: ", match[1]);
     return undefined;
   }
 }
diff --git a/src/client/index.ts b/src/client/index.ts
index f3d440b99..3e8d8ec80 100644
--- a/src/client/index.ts
+++ b/src/client/index.ts
@@ -486,8 +486,8 @@ export class Client<
         try {
           const validator = this._ajv.compile(tool.outputSchema);
           this._cachedToolOutputValidators.set(tool.name, validator);
-        } catch (error) {
-          console.warn(`Failed to compile output schema for tool ${tool.name}: ${error}`);
+        } catch {
+          // Ignore schema compilation errors
         }
       }
     }
diff --git a/src/server/auth/handlers/authorize.ts b/src/server/auth/handlers/authorize.ts
index 0a6283a8b..126ce006b 100644
--- a/src/server/auth/handlers/authorize.ts
+++ b/src/server/auth/handlers/authorize.ts
@@ -99,7 +99,6 @@ export function authorizationHandler({ provider, rateLimit: rateLimitConfig }: A
         const status = error instanceof ServerError ? 500 : 400;
         res.status(status).json(error.toResponseObject());
       } else {
-        console.error("Unexpected error looking up client:", error);
         const serverError = new ServerError("Internal Server Error");
         res.status(500).json(serverError.toResponseObject());
       }
@@ -146,7 +145,6 @@ export function authorizationHandler({ provider, rateLimit: rateLimitConfig }: A
       if (error instanceof OAuthError) {
         res.redirect(302, createErrorRedirect(redirect_uri, error, state));
       } else {
-        console.error("Unexpected error during authorization:", error);
         const serverError = new ServerError("Internal Server Error");
         res.redirect(302, createErrorRedirect(redirect_uri, serverError, state));
       }
diff --git a/src/server/auth/handlers/register.ts b/src/server/auth/handlers/register.ts
index 30b7cdf8f..c31373484 100644
--- a/src/server/auth/handlers/register.ts
+++ b/src/server/auth/handlers/register.ts
@@ -104,7 +104,6 @@ export function clientRegistrationHandler({
         const status = error instanceof ServerError ? 500 : 400;
         res.status(status).json(error.toResponseObject());
       } else {
-        console.error("Unexpected error registering client:", error);
         const serverError = new ServerError("Internal Server Error");
         res.status(500).json(serverError.toResponseObject());
       }
diff --git a/src/server/auth/handlers/revoke.ts b/src/server/auth/handlers/revoke.ts
index 95e8b4b32..0d1b30e07 100644
--- a/src/server/auth/handlers/revoke.ts
+++ b/src/server/auth/handlers/revoke.ts
@@ -9,7 +9,7 @@ import {
   InvalidRequestError,
   ServerError,
   TooManyRequestsError,
-  OAuthError
+  OAuthError,
 } from "../errors.js";
 
 export type RevocationHandlerOptions = {
@@ -21,7 +21,10 @@ export type RevocationHandlerOptions = {
   rateLimit?: Partial<RateLimitOptions> | false;
 };
 
-export function revocationHandler({ provider, rateLimit: rateLimitConfig }: RevocationHandlerOptions): RequestHandler {
+export function revocationHandler({
+  provider,
+  rateLimit: rateLimitConfig,
+}: RevocationHandlerOptions): RequestHandler {
   if (!provider.revokeToken) {
     throw new Error("Auth provider does not support revoking tokens");
   }
@@ -37,21 +40,25 @@ export function revocationHandler({ provider, rateLimit: rateLimitConfig }: Revo
 
   // Apply rate limiting unless explicitly disabled
   if (rateLimitConfig !== false) {
-    router.use(rateLimit({
-      windowMs: 15 * 60 * 1000, // 15 minutes
-      max: 50, // 50 requests per windowMs
-      standardHeaders: true,
-      legacyHeaders: false,
-      message: new TooManyRequestsError('You have exceeded the rate limit for token revocation requests').toResponseObject(),
-      ...rateLimitConfig
-    }));
+    router.use(
+      rateLimit({
+        windowMs: 15 * 60 * 1000, // 15 minutes
+        max: 50, // 50 requests per windowMs
+        standardHeaders: true,
+        legacyHeaders: false,
+        message: new TooManyRequestsError(
+          "You have exceeded the rate limit for token revocation requests"
+        ).toResponseObject(),
+        ...rateLimitConfig,
+      })
+    );
   }
 
   // Authenticate and extract client details
   router.use(authenticateClient({ clientsStore: provider.clientsStore }));
 
   router.post("/", async (req, res) => {
-    res.setHeader('Cache-Control', 'no-store');
+    res.setHeader("Cache-Control", "no-store");
 
     try {
       const parseResult = OAuthTokenRevocationRequestSchema.safeParse(req.body);
@@ -62,7 +69,6 @@ export function revocationHandler({ provider, rateLimit: rateLimitConfig }: Revo
       const client = req.client;
       if (!client) {
         // This should never happen
-        console.error("Missing client information after authentication");
         throw new ServerError("Internal Server Error");
       }
 
@@ -73,7 +79,6 @@ export function revocationHandler({ provider, rateLimit: rateLimitConfig }: Revo
         const status = error instanceof ServerError ? 500 : 400;
         res.status(status).json(error.toResponseObject());
       } else {
-        console.error("Unexpected error revoking token:", error);
         const serverError = new ServerError("Internal Server Error");
         res.status(500).json(serverError.toResponseObject());
       }
diff --git a/src/server/auth/handlers/token.ts b/src/server/auth/handlers/token.ts
index 1d97805bc..b2ab74391 100644
--- a/src/server/auth/handlers/token.ts
+++ b/src/server/auth/handlers/token.ts
@@ -80,7 +80,6 @@ export function tokenHandler({ provider, rateLimit: rateLimitConfig }: TokenHand
       const client = req.client;
       if (!client) {
         // This should never happen
-        console.error("Missing client information after authentication");
         throw new ServerError("Internal Server Error");
       }
 
@@ -143,7 +142,6 @@ export function tokenHandler({ provider, rateLimit: rateLimitConfig }: TokenHand
         const status = error instanceof ServerError ? 500 : 400;
         res.status(status).json(error.toResponseObject());
       } else {
-        console.error("Unexpected error exchanging token:", error);
         const serverError = new ServerError("Internal Server Error");
         res.status(500).json(serverError.toResponseObject());
       }
diff --git a/src/server/auth/middleware/bearerAuth.ts b/src/server/auth/middleware/bearerAuth.ts
index fd96055ab..91f763a9b 100644
--- a/src/server/auth/middleware/bearerAuth.ts
+++ b/src/server/auth/middleware/bearerAuth.ts
@@ -88,7 +88,6 @@ export function requireBearerAuth({ verifier, requiredScopes = [], resourceMetad
       } else if (error instanceof OAuthError) {
         res.status(400).json(error.toResponseObject());
       } else {
-        console.error("Unexpected error authenticating bearer token:", error);
         const serverError = new ServerError("Internal Server Error");
         res.status(500).json(serverError.toResponseObject());
       }
diff --git a/src/server/auth/middleware/clientAuth.ts b/src/server/auth/middleware/clientAuth.ts
index 76049c118..ecd9a7b65 100644
--- a/src/server/auth/middleware/clientAuth.ts
+++ b/src/server/auth/middleware/clientAuth.ts
@@ -64,7 +64,6 @@ export function authenticateClient({ clientsStore }: ClientAuthenticationMiddlew
         const status = error instanceof ServerError ? 500 : 400;
         res.status(status).json(error.toResponseObject());
       } else {
-        console.error("Unexpected error authenticating client:", error);
         const serverError = new ServerError("Internal Server Error");
         res.status(500).json(serverError.toResponseObject());
       }

From fc9ca5ff2efc7ee3f54484d2a906d5fdf528bae4 Mon Sep 17 00:00:00 2001
From: sushichan044 <71284054+sushichan044@users.noreply.github.com>
Date: Fri, 20 Jun 2025 16:47:53 +0900
Subject: [PATCH 117/147] fix: update ToolCallback type to include output
 arguments for better type safety

---
 src/server/mcp.test.ts |  3 +-
 src/server/mcp.ts      | 68 +++++++++++++++++++++++++++---------------
 2 files changed, 45 insertions(+), 26 deletions(-)

diff --git a/src/server/mcp.test.ts b/src/server/mcp.test.ts
index 50df25b53..7e299bb08 100644
--- a/src/server/mcp.test.ts
+++ b/src/server/mcp.test.ts
@@ -1248,8 +1248,7 @@ describe("tool()", () => {
           processedInput: input,
           resultType: "structured",
           // Missing required 'timestamp' field
-          someExtraField: "unexpected" // Extra field not in schema
-        },
+        } as unknown as { processedInput: string; resultType: string; timestamp: string }, // Type assertion to bypass TypeScript validation for testing purposes
       })
     );
 
diff --git a/src/server/mcp.ts b/src/server/mcp.ts
index 3d9673da7..e48970d67 100644
--- a/src/server/mcp.ts
+++ b/src/server/mcp.ts
@@ -169,7 +169,7 @@ export class McpServer {
           }
 
           const args = parseResult.data;
-          const cb = tool.callback as ToolCallback<ZodRawShape>;
+          const cb = tool.callback as ToolCallback<ZodRawShape, ZodRawShape>;
           try {
             result = await Promise.resolve(cb(args, extra));
           } catch (error) {
@@ -184,7 +184,7 @@ export class McpServer {
             };
           }
         } else {
-          const cb = tool.callback as ToolCallback<undefined>;
+          const cb = tool.callback as ToolCallback<undefined, ZodRawShape>;
           try {
             result = await Promise.resolve(cb(extra));
           } catch (error) {
@@ -760,7 +760,7 @@ export class McpServer {
     inputSchema: ZodRawShape | undefined,
     outputSchema: ZodRawShape | undefined,
     annotations: ToolAnnotations | undefined,
-    callback: ToolCallback<ZodRawShape | undefined>
+    callback: ToolCallback<ZodRawShape | undefined, ZodRawShape | undefined>
   ): RegisteredTool {
     const registeredTool: RegisteredTool = {
       title,
@@ -917,7 +917,7 @@ export class McpServer {
       outputSchema?: OutputArgs;
       annotations?: ToolAnnotations;
     },
-    cb: ToolCallback<InputArgs>
+    cb: ToolCallback<InputArgs, OutputArgs>
   ): RegisteredTool {
     if (this._registeredTools[name]) {
       throw new Error(`Tool ${name} is already registered`);
@@ -932,7 +932,7 @@ export class McpServer {
       inputSchema,
       outputSchema,
       annotations,
-      cb as ToolCallback<ZodRawShape | undefined>
+      cb as ToolCallback<ZodRawShape | undefined, ZodRawShape | undefined>
     );
   }
 
@@ -1126,6 +1126,16 @@ export class ResourceTemplate {
   }
 }
 
+/**
+ * Type helper to create a strongly-typed CallToolResult with structuredContent
+ */
+type TypedCallToolResult<OutputArgs extends undefined | ZodRawShape> =
+  OutputArgs extends ZodRawShape
+    ? CallToolResult & {
+        structuredContent?: z.objectOutputType<OutputArgs, ZodTypeAny>;
+      }
+    : CallToolResult;
+
 /**
  * Callback for a tool handler registered with Server.tool().
  *
@@ -1136,13 +1146,21 @@ export class ResourceTemplate {
  * - `content` if the tool does not have an outputSchema
  * - Both fields are optional but typically one should be provided
  */
-export type ToolCallback<Args extends undefined | ZodRawShape = undefined> =
-  Args extends ZodRawShape
+export type ToolCallback<
+  InputArgs extends undefined | ZodRawShape = undefined,
+  OutputArgs extends undefined | ZodRawShape = undefined
+> = InputArgs extends ZodRawShape
   ? (
-    args: z.objectOutputType<Args, ZodTypeAny>,
-    extra: RequestHandlerExtra<ServerRequest, ServerNotification>,
-  ) => CallToolResult | Promise<CallToolResult>
-  : (extra: RequestHandlerExtra<ServerRequest, ServerNotification>) => CallToolResult | Promise<CallToolResult>;
+      args: z.objectOutputType<InputArgs, ZodTypeAny>,
+      extra: RequestHandlerExtra<ServerRequest, ServerNotification>
+    ) =>
+      | TypedCallToolResult<OutputArgs>
+      | Promise<TypedCallToolResult<OutputArgs>>
+  : (
+      extra: RequestHandlerExtra<ServerRequest, ServerNotification>
+    ) =>
+      | TypedCallToolResult<OutputArgs>
+      | Promise<TypedCallToolResult<OutputArgs>>;
 
 export type RegisteredTool = {
   title?: string;
@@ -1150,22 +1168,24 @@ export type RegisteredTool = {
   inputSchema?: AnyZodObject;
   outputSchema?: AnyZodObject;
   annotations?: ToolAnnotations;
-  callback: ToolCallback<undefined | ZodRawShape>;
+  callback: ToolCallback<ZodRawShape | undefined, ZodRawShape | undefined>;
   enabled: boolean;
   enable(): void;
   disable(): void;
-  update<InputArgs extends ZodRawShape, OutputArgs extends ZodRawShape>(
-    updates: {
-      name?: string | null,
-      title?: string,
-      description?: string,
-      paramsSchema?: InputArgs,
-      outputSchema?: OutputArgs,
-      annotations?: ToolAnnotations,
-      callback?: ToolCallback<InputArgs>,
-      enabled?: boolean
-    }): void
-  remove(): void
+  update<
+    InputArgs extends ZodRawShape,
+    OutputArgs extends ZodRawShape
+  >(updates: {
+    name?: string | null;
+    title?: string;
+    description?: string;
+    paramsSchema?: InputArgs;
+    outputSchema?: OutputArgs;
+    annotations?: ToolAnnotations;
+    callback?: ToolCallback<InputArgs, OutputArgs>
+    enabled?: boolean
+  }): void;
+  remove(): void;
 };
 
 const EMPTY_OBJECT_JSON_SCHEMA = {

From 08808a45e01d89366548b95af7c1a2159b474cf9 Mon Sep 17 00:00:00 2001
From: sushichan044 <71284054+sushichan044@users.noreply.github.com>
Date: Fri, 20 Jun 2025 16:48:05 +0900
Subject: [PATCH 118/147] test: add type assertion to bypass type check

---
 src/examples/server/mcpServerOutputSchema.ts | 4 ++--
 src/server/mcp.test.ts                       | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/examples/server/mcpServerOutputSchema.ts b/src/examples/server/mcpServerOutputSchema.ts
index 75bfe6900..dce2d42ef 100644
--- a/src/examples/server/mcpServerOutputSchema.ts
+++ b/src/examples/server/mcpServerOutputSchema.ts
@@ -43,7 +43,7 @@ server.registerTool(
     void country;
     // Simulate weather API call
     const temp_c = Math.round((Math.random() * 35 - 5) * 10) / 10;
-    const conditions = ["sunny", "cloudy", "rainy", "stormy", "snowy"][Math.floor(Math.random() * 5)];
+    const conditions = ["sunny", "cloudy", "rainy", "stormy", "snowy"][Math.floor(Math.random() * 5)] as unknown as "sunny" | "cloudy" | "rainy" | "stormy" | "snowy";
 
     const structuredContent = {
       temperature: {
@@ -77,4 +77,4 @@ async function main() {
 main().catch((error) => {
   console.error("Server error:", error);
   process.exit(1);
-});
\ No newline at end of file
+});
diff --git a/src/server/mcp.test.ts b/src/server/mcp.test.ts
index 7e299bb08..1a17d7894 100644
--- a/src/server/mcp.test.ts
+++ b/src/server/mcp.test.ts
@@ -1248,6 +1248,7 @@ describe("tool()", () => {
           processedInput: input,
           resultType: "structured",
           // Missing required 'timestamp' field
+          someExtraField: "unexpected" // Extra field not in schema
         } as unknown as { processedInput: string; resultType: string; timestamp: string }, // Type assertion to bypass TypeScript validation for testing purposes
       })
     );

From 9edb6196001fc6582c911f7c0650116161760fd5 Mon Sep 17 00:00:00 2001
From: Samuel Jensen <44519206+nichtsam@users.noreply.github.com>
Date: Sat, 10 May 2025 00:51:54 +0200
Subject: [PATCH 119/147] make protocol class not overwrite existing hooks when
 connecting transports

---
 src/shared/protocol.test.ts | 16 ++++++++++++++++
 src/shared/protocol.ts      | 10 +++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/src/shared/protocol.test.ts b/src/shared/protocol.test.ts
index 5c6b72d25..b16db73f3 100644
--- a/src/shared/protocol.test.ts
+++ b/src/shared/protocol.test.ts
@@ -65,6 +65,22 @@ describe("protocol tests", () => {
     expect(oncloseMock).toHaveBeenCalled();
   });
 
+  test("should not overwrite existing hooks when connecting transports", async () => {
+    const oncloseMock = jest.fn();
+    const onerrorMock = jest.fn();
+    const onmessageMock = jest.fn();
+    transport.onclose = oncloseMock;
+    transport.onerror = onerrorMock;
+    transport.onmessage = onmessageMock;
+    await protocol.connect(transport);
+    transport.onclose();
+    transport.onerror(new Error());
+    transport.onmessage("");
+    expect(oncloseMock).toHaveBeenCalled();
+    expect(onerrorMock).toHaveBeenCalled();
+    expect(onmessageMock).toHaveBeenCalled();
+  });
+
   describe("_meta preservation with onprogress", () => {
     test("should preserve existing _meta when adding progressToken", async () => {
       await protocol.connect(transport);
diff --git a/src/shared/protocol.ts b/src/shared/protocol.ts
index a04f26eb2..942f096ad 100644
--- a/src/shared/protocol.ts
+++ b/src/shared/protocol.ts
@@ -279,15 +279,21 @@ export abstract class Protocol<
    */
   async connect(transport: Transport): Promise<void> {
     this._transport = transport;
+    const _onclose = this.transport?.onclose;
     this._transport.onclose = () => {
+      _onclose?.();
       this._onclose();
     };
 
+    const _onerror = this.transport?.onerror;
     this._transport.onerror = (error: Error) => {
+      _onerror?.(error);
       this._onerror(error);
     };
 
+    const _onmessage = this._transport?.onmessage;
     this._transport.onmessage = (message, extra) => {
+      _onmessage?.(message, extra);
       if (isJSONRPCResponse(message) || isJSONRPCError(message)) {
         this._onresponse(message);
       } else if (isJSONRPCRequest(message)) {
@@ -295,7 +301,9 @@ export abstract class Protocol<
       } else if (isJSONRPCNotification(message)) {
         this._onnotification(message);
       } else {
-        this._onerror(new Error(`Unknown message type: ${JSON.stringify(message)}`));
+        this._onerror(
+          new Error(`Unknown message type: ${JSON.stringify(message)}`),
+        );
       }
     };
 

From d89e85413303896f768cc9d44203515b129cba91 Mon Sep 17 00:00:00 2001
From: Chris Dickinson <chris@dylibso.com>
Date: Fri, 20 Jun 2025 12:54:29 -0700
Subject: [PATCH 120/147] fix(client/sse): extract protected resource from
 eventsource 401

Previously the SSE connection would always default to the
`/.well-known/oauth-protected-resource` URI, ignoring the `resource_metadata`
portion of the `www-authenticate` returned in a 401.

Extract the metadata from the initial 401, so RS servers with
custom protected resource URIs (as in RFC9728, [section 3.1][1]))
continue to work as expected.

[1]: https://datatracker.ietf.org/doc/html/rfc9728#section-3.1
---
 src/client/sse.ts | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/src/client/sse.ts b/src/client/sse.ts
index 5aa99abb4..2546d508a 100644
--- a/src/client/sse.ts
+++ b/src/client/sse.ts
@@ -117,23 +117,35 @@ export class SSEClientTransport implements Transport {
   }
 
   private _startOrAuth(): Promise<void> {
+    const fetchImpl = (this?._eventSourceInit?.fetch || fetch) as typeof fetch
     return new Promise((resolve, reject) => {
       this._eventSource = new EventSource(
         this._url.href,
-        this._eventSourceInit ?? {
-          fetch: (url, init) => this._commonHeaders().then((headers) => fetch(url, {
-            ...init,
-            headers: {
-              ...headers,
-              Accept: "text/event-stream"
+        {
+          ...this._eventSourceInit,
+          fetch: async (url, init) => {
+            const headers = await this._commonHeaders()
+            const response = await fetchImpl(url, {
+              ...init,
+              headers: new Headers({
+                ...headers,
+                Accept: "text/event-stream"
+              })
+            })
+
+            if (response.status === 401 && response.headers.has('www-authenticate')) {
+              this._resourceMetadataUrl = extractResourceMetadataUrl(response);
             }
-          })),
+
+            return response
+          },
         },
       );
       this._abortController = new AbortController();
 
       this._eventSource.onerror = (event) => {
         if (event.code === 401 && this._authProvider) {
+
           this._authThenStart().then(resolve, reject);
           return;
         }

From 9c3ef4f9447ef941dc797ea2597ab40ee4ce2e42 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Mon, 23 Jun 2025 14:31:50 +0100
Subject: [PATCH 121/147] 1.13.1

---
 package-lock.json | 4 ++--
 package.json      | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index d14ac4f43..016adf948 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.13.0",
+  "version": "1.13.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@modelcontextprotocol/sdk",
-      "version": "1.13.0",
+      "version": "1.13.1",
       "license": "MIT",
       "dependencies": {
         "ajv": "^6.12.6",
diff --git a/package.json b/package.json
index bb8022faf..0439e6808 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.13.0",
+  "version": "1.13.1",
   "description": "Model Context Protocol implementation for TypeScript",
   "license": "MIT",
   "author": "Anthropic, PBC (https://anthropic.com)",

From 4f24b8bc6faaea456d92f8296fbc84a560c3c8c6 Mon Sep 17 00:00:00 2001
From: Henry Mao <1828968+calclavia@users.noreply.github.com>
Date: Tue, 24 Jun 2025 04:36:54 +0800
Subject: [PATCH 122/147] Fix `/.well-known/oauth-authorization-server`
 dropping path

---
 src/client/auth.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/client/auth.ts b/src/client/auth.ts
index d953e1f0a..35105daa4 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -297,7 +297,9 @@ export async function discoverOAuthMetadata(
   authorizationServerUrl: string | URL,
   opts?: { protocolVersion?: string },
 ): Promise<OAuthMetadata | undefined> {
-  const url = new URL("/.well-known/oauth-authorization-server", authorizationServerUrl);
+  const wellKnownPath = `/.well-known/oauth-authorization-server${issuer.pathname}`;
+  const url = new URL(wellKnownPath, authorizationServerUrl);
+
   let response: Response;
   try {
     response = await fetch(url, {

From da6ac79c1e2bcc1979f03ccaaf61094b5c9d4adf Mon Sep 17 00:00:00 2001
From: Henry Mao <1828968+calclavia@users.noreply.github.com>
Date: Tue, 24 Jun 2025 04:41:26 +0800
Subject: [PATCH 123/147] Fix missing issuer

---
 src/client/auth.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/client/auth.ts b/src/client/auth.ts
index 35105daa4..33a9a6b9b 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -297,6 +297,8 @@ export async function discoverOAuthMetadata(
   authorizationServerUrl: string | URL,
   opts?: { protocolVersion?: string },
 ): Promise<OAuthMetadata | undefined> {
+  const issuer = new URL(authorizationServerUrl);
+
   const wellKnownPath = `/.well-known/oauth-authorization-server${issuer.pathname}`;
   const url = new URL(wellKnownPath, authorizationServerUrl);
 

From 622070135242f9276b87de59b47a301fa7062cdc Mon Sep 17 00:00:00 2001
From: Henry Mao <1828968+calclavia@users.noreply.github.com>
Date: Mon, 23 Jun 2025 17:13:13 -0400
Subject: [PATCH 124/147] Fix trailing slash

---
 src/client/auth.ts | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/client/auth.ts b/src/client/auth.ts
index 33a9a6b9b..cba14a9c5 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -299,8 +299,12 @@ export async function discoverOAuthMetadata(
 ): Promise<OAuthMetadata | undefined> {
   const issuer = new URL(authorizationServerUrl);
 
-  const wellKnownPath = `/.well-known/oauth-authorization-server${issuer.pathname}`;
-  const url = new URL(wellKnownPath, authorizationServerUrl);
+  let wellKnownPath = `/.well-known/oauth-authorization-server${issuer.pathname}`;
+  if (issuer.pathname.endsWith('/')) {
+    // Strip trailing slash from pathname
+    wellKnownPath = wellKnownPath.slice(0, -1);
+  }
+  const url = new URL(wellKnownPath, issuer);
 
   let response: Response;
   try {

From 1ff08e41d7088a63f208034a0f3bf3acfe5bf03e Mon Sep 17 00:00:00 2001
From: Henry Mao <1828968+calclavia@users.noreply.github.com>
Date: Mon, 23 Jun 2025 17:32:08 -0400
Subject: [PATCH 125/147] Add path test

---
 src/client/auth.test.ts | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
index f95cb2ca8..511b351fb 100644
--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -207,6 +207,24 @@ describe("OAuth Authorization", () => {
       });
     });
 
+    it("returns metadata when discovery succeeds with path", async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        json: async () => validMetadata,
+      });
+
+      const metadata = await discoverOAuthMetadata("https://auth.example.com/path/name");
+      expect(metadata).toEqual(validMetadata);
+      const calls = mockFetch.mock.calls;
+      expect(calls.length).toBe(1);
+      const [url, options] = calls[0];
+      expect(url.toString()).toBe("https://auth.example.com/.well-known/oauth-authorization-server/path/name");
+      expect(options.headers).toEqual({
+        "MCP-Protocol-Version": LATEST_PROTOCOL_VERSION
+      });
+    });
+
     it("returns metadata when first fetch fails but second without MCP header succeeds", async () => {
       // Set up a counter to control behavior
       let callCount = 0;

From 03da7cfc66cf416c214bdf3236c775d7c4794c5a Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Tue, 24 Jun 2025 11:38:55 +0100
Subject: [PATCH 126/147] fallback

---
 src/client/auth.test.ts | 120 ++++++++++++++++++++++++++++++++++++++++
 src/client/auth.ts      |  88 ++++++++++++++++++++++-------
 2 files changed, 187 insertions(+), 21 deletions(-)

diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
index 511b351fb..b689d188b 100644
--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -225,6 +225,126 @@ describe("OAuth Authorization", () => {
       });
     });
 
+    it("falls back to root discovery when path-aware discovery returns 404", async () => {
+      // First call (path-aware) returns 404
+      mockFetch.mockResolvedValueOnce({
+        ok: false,
+        status: 404,
+      });
+      
+      // Second call (root fallback) succeeds
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        json: async () => validMetadata,
+      });
+
+      const metadata = await discoverOAuthMetadata("https://auth.example.com/path/name");
+      expect(metadata).toEqual(validMetadata);
+      
+      const calls = mockFetch.mock.calls;
+      expect(calls.length).toBe(2);
+      
+      // First call should be path-aware
+      const [firstUrl, firstOptions] = calls[0];
+      expect(firstUrl.toString()).toBe("https://auth.example.com/.well-known/oauth-authorization-server/path/name");
+      expect(firstOptions.headers).toEqual({
+        "MCP-Protocol-Version": LATEST_PROTOCOL_VERSION
+      });
+      
+      // Second call should be root fallback
+      const [secondUrl, secondOptions] = calls[1];
+      expect(secondUrl.toString()).toBe("https://auth.example.com/.well-known/oauth-authorization-server");
+      expect(secondOptions.headers).toEqual({
+        "MCP-Protocol-Version": LATEST_PROTOCOL_VERSION
+      });
+    });
+
+    it("returns undefined when both path-aware and root discovery return 404", async () => {
+      // First call (path-aware) returns 404
+      mockFetch.mockResolvedValueOnce({
+        ok: false,
+        status: 404,
+      });
+      
+      // Second call (root fallback) also returns 404
+      mockFetch.mockResolvedValueOnce({
+        ok: false,
+        status: 404,
+      });
+
+      const metadata = await discoverOAuthMetadata("https://auth.example.com/path/name");
+      expect(metadata).toBeUndefined();
+      
+      const calls = mockFetch.mock.calls;
+      expect(calls.length).toBe(2);
+    });
+
+    it("does not fallback when the original URL is already at root path", async () => {
+      // First call (path-aware for root) returns 404
+      mockFetch.mockResolvedValueOnce({
+        ok: false,
+        status: 404,
+      });
+
+      const metadata = await discoverOAuthMetadata("https://auth.example.com/");
+      expect(metadata).toBeUndefined();
+      
+      const calls = mockFetch.mock.calls;
+      expect(calls.length).toBe(1); // Should not attempt fallback
+      
+      const [url] = calls[0];
+      expect(url.toString()).toBe("https://auth.example.com/.well-known/oauth-authorization-server");
+    });
+
+    it("does not fallback when the original URL has no path", async () => {
+      // First call (path-aware for no path) returns 404
+      mockFetch.mockResolvedValueOnce({
+        ok: false,
+        status: 404,
+      });
+
+      const metadata = await discoverOAuthMetadata("https://auth.example.com");
+      expect(metadata).toBeUndefined();
+      
+      const calls = mockFetch.mock.calls;
+      expect(calls.length).toBe(1); // Should not attempt fallback
+      
+      const [url] = calls[0];
+      expect(url.toString()).toBe("https://auth.example.com/.well-known/oauth-authorization-server");
+    });
+
+    it("falls back when path-aware discovery encounters CORS error", async () => {
+      // First call (path-aware) fails with TypeError (CORS)
+      mockFetch.mockImplementationOnce(() => Promise.reject(new TypeError("CORS error")));
+      
+      // Retry path-aware without headers (simulating CORS retry)
+      mockFetch.mockResolvedValueOnce({
+        ok: false,
+        status: 404,
+      });
+      
+      // Second call (root fallback) succeeds
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        json: async () => validMetadata,
+      });
+
+      const metadata = await discoverOAuthMetadata("https://auth.example.com/deep/path");
+      expect(metadata).toEqual(validMetadata);
+      
+      const calls = mockFetch.mock.calls;
+      expect(calls.length).toBe(3);
+      
+      // Final call should be root fallback
+      const [lastUrl, lastOptions] = calls[2];
+      expect(lastUrl.toString()).toBe("https://auth.example.com/.well-known/oauth-authorization-server");
+      expect(lastOptions.headers).toEqual({
+        "MCP-Protocol-Version": LATEST_PROTOCOL_VERSION
+      });
+    });
+
     it("returns metadata when first fetch fails but second without MCP header succeeds", async () => {
       // Set up a counter to control behavior
       let callCount = 0;
diff --git a/src/client/auth.ts b/src/client/auth.ts
index cba14a9c5..e0e93fc0e 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -293,36 +293,82 @@ export async function discoverOAuthProtectedResourceMetadata(
  * If the server returns a 404 for the well-known endpoint, this function will
  * return `undefined`. Any other errors will be thrown as exceptions.
  */
+/**
+ * Helper function to handle fetch with CORS retry logic
+ */
+async function fetchWithCorsRetry(
+  url: URL,
+  headers: Record<string, string>,
+): Promise<Response> {
+  try {
+    return await fetch(url, { headers });
+  } catch (error) {
+    // CORS errors come back as TypeError, retry without headers
+    if (error instanceof TypeError) {
+      return await fetch(url);
+    }
+    throw error;
+  }
+}
+
+/**
+ * Constructs the well-known path for OAuth metadata discovery
+ */
+function buildWellKnownPath(pathname: string): string {
+  let wellKnownPath = `/.well-known/oauth-authorization-server${pathname}`;
+  if (pathname.endsWith('/')) {
+    // Strip trailing slash from pathname to avoid double slashes
+    wellKnownPath = wellKnownPath.slice(0, -1);
+  }
+  return wellKnownPath;
+}
+
+/**
+ * Tries to discover OAuth metadata at a specific URL
+ */
+async function tryMetadataDiscovery(
+  url: URL,
+  protocolVersion: string,
+): Promise<Response> {
+  const headers = {
+    "MCP-Protocol-Version": protocolVersion
+  };
+  return await fetchWithCorsRetry(url, headers);
+}
+
+/**
+ * Determines if fallback to root discovery should be attempted
+ */
+function shouldAttemptFallback(response: Response, pathname: string): boolean {
+  return response.status === 404 && pathname !== '/';
+}
+
 export async function discoverOAuthMetadata(
   authorizationServerUrl: string | URL,
   opts?: { protocolVersion?: string },
 ): Promise<OAuthMetadata | undefined> {
   const issuer = new URL(authorizationServerUrl);
+  const protocolVersion = opts?.protocolVersion ?? LATEST_PROTOCOL_VERSION;
 
-  let wellKnownPath = `/.well-known/oauth-authorization-server${issuer.pathname}`;
-  if (issuer.pathname.endsWith('/')) {
-    // Strip trailing slash from pathname
-    wellKnownPath = wellKnownPath.slice(0, -1);
-  }
-  const url = new URL(wellKnownPath, issuer);
+  // Try path-aware discovery first (RFC 8414 compliant)
+  const wellKnownPath = buildWellKnownPath(issuer.pathname);
+  const pathAwareUrl = new URL(wellKnownPath, issuer);
+  let response = await tryMetadataDiscovery(pathAwareUrl, protocolVersion);
 
-  let response: Response;
-  try {
-    response = await fetch(url, {
-      headers: {
-        "MCP-Protocol-Version": opts?.protocolVersion ?? LATEST_PROTOCOL_VERSION
+  // If path-aware discovery fails with 404, try fallback to root discovery
+  if (shouldAttemptFallback(response, issuer.pathname)) {
+    try {
+      const rootUrl = new URL("/.well-known/oauth-authorization-server", issuer);
+      response = await tryMetadataDiscovery(rootUrl, protocolVersion);
+      
+      if (response.status === 404) {
+        return undefined;
       }
-    });
-  } catch (error) {
-    // CORS errors come back as TypeError
-    if (error instanceof TypeError) {
-      response = await fetch(url);
-    } else {
-      throw error;
+    } catch {
+      // If fallback fails, return undefined
+      return undefined;
     }
-  }
-
-  if (response.status === 404) {
+  } else if (response.status === 404) {
     return undefined;
   }
 

From 15a2277c8994a403dfedaf52d27eae73fdc359af Mon Sep 17 00:00:00 2001
From: Paul Carleton <paulc@anthropic.com>
Date: Tue, 24 Jun 2025 14:47:54 +0100
Subject: [PATCH 127/147] refactor resource selection to not include resource
 if PRM is not present

---
 src/client/auth.test.ts | 231 ++++++++++++++++++++++++++++++++++++++--
 src/client/auth.ts      |  27 +++--
 2 files changed, 241 insertions(+), 17 deletions(-)

diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
index b689d188b..8e77c0a5b 100644
--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -954,10 +954,19 @@ describe("OAuth Authorization", () => {
     });
 
     it("passes resource parameter through authorization flow", async () => {
-      // Mock successful metadata discovery
+      // Mock successful metadata discovery - need to include protected resource metadata
       mockFetch.mockImplementation((url) => {
         const urlString = url.toString();
-        if (urlString.includes("/.well-known/oauth-authorization-server")) {
+        if (urlString.includes("/.well-known/oauth-protected-resource")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              resource: "https://api.example.com/mcp-server",
+              authorization_servers: ["https://auth.example.com"],
+            }),
+          });
+        } else if (urlString.includes("/.well-known/oauth-authorization-server")) {
           return Promise.resolve({
             ok: true,
             status: 200,
@@ -1002,11 +1011,20 @@ describe("OAuth Authorization", () => {
     });
 
     it("includes resource in token exchange when authorization code is provided", async () => {
-      // Mock successful metadata discovery and token exchange
+      // Mock successful metadata discovery and token exchange - need protected resource metadata
       mockFetch.mockImplementation((url) => {
         const urlString = url.toString();
 
-        if (urlString.includes("/.well-known/oauth-authorization-server")) {
+        if (urlString.includes("/.well-known/oauth-protected-resource")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              resource: "https://api.example.com/mcp-server",
+              authorization_servers: ["https://auth.example.com"],
+            }),
+          });
+        } else if (urlString.includes("/.well-known/oauth-authorization-server")) {
           return Promise.resolve({
             ok: true,
             status: 200,
@@ -1062,11 +1080,20 @@ describe("OAuth Authorization", () => {
     });
 
     it("includes resource in token refresh", async () => {
-      // Mock successful metadata discovery and token refresh
+      // Mock successful metadata discovery and token refresh - need protected resource metadata
       mockFetch.mockImplementation((url) => {
         const urlString = url.toString();
 
-        if (urlString.includes("/.well-known/oauth-authorization-server")) {
+        if (urlString.includes("/.well-known/oauth-protected-resource")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              resource: "https://api.example.com/mcp-server",
+              authorization_servers: ["https://auth.example.com"],
+            }),
+          });
+        } else if (urlString.includes("/.well-known/oauth-authorization-server")) {
           return Promise.resolve({
             ok: true,
             status: 200,
@@ -1244,5 +1271,197 @@ describe("OAuth Authorization", () => {
       // Should use the PRM's resource value, not the full requested URL
       expect(authUrl.searchParams.get("resource")).toBe("https://api.example.com/");
     });
+
+    it("excludes resource parameter when Protected Resource Metadata is not present", async () => {
+      // Mock metadata discovery where protected resource metadata is not available (404)
+      // but authorization server metadata is available
+      mockFetch.mockImplementation((url) => {
+        const urlString = url.toString();
+
+        if (urlString.includes("/.well-known/oauth-protected-resource")) {
+          // Protected resource metadata not available
+          return Promise.resolve({
+            ok: false,
+            status: 404,
+          });
+        } else if (urlString.includes("/.well-known/oauth-authorization-server")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              issuer: "https://auth.example.com",
+              authorization_endpoint: "https://auth.example.com/authorize",
+              token_endpoint: "https://auth.example.com/token",
+              response_types_supported: ["code"],
+              code_challenge_methods_supported: ["S256"],
+            }),
+          });
+        }
+
+        return Promise.resolve({ ok: false, status: 404 });
+      });
+
+      // Mock provider methods
+      (mockProvider.clientInformation as jest.Mock).mockResolvedValue({
+        client_id: "test-client",
+        client_secret: "test-secret",
+      });
+      (mockProvider.tokens as jest.Mock).mockResolvedValue(undefined);
+      (mockProvider.saveCodeVerifier as jest.Mock).mockResolvedValue(undefined);
+      (mockProvider.redirectToAuthorization as jest.Mock).mockResolvedValue(undefined);
+
+      // Call auth - should not include resource parameter
+      const result = await auth(mockProvider, {
+        serverUrl: "https://api.example.com/mcp-server",
+      });
+
+      expect(result).toBe("REDIRECT");
+
+      // Verify the authorization URL does NOT include the resource parameter
+      expect(mockProvider.redirectToAuthorization).toHaveBeenCalledWith(
+        expect.objectContaining({
+          searchParams: expect.any(URLSearchParams),
+        })
+      );
+
+      const redirectCall = (mockProvider.redirectToAuthorization as jest.Mock).mock.calls[0];
+      const authUrl: URL = redirectCall[0];
+      // Resource parameter should not be present when PRM is not available
+      expect(authUrl.searchParams.has("resource")).toBe(false);
+    });
+
+    it("excludes resource parameter in token exchange when Protected Resource Metadata is not present", async () => {
+      // Mock metadata discovery - no protected resource metadata, but auth server metadata available
+      mockFetch.mockImplementation((url) => {
+        const urlString = url.toString();
+
+        if (urlString.includes("/.well-known/oauth-protected-resource")) {
+          return Promise.resolve({
+            ok: false,
+            status: 404,
+          });
+        } else if (urlString.includes("/.well-known/oauth-authorization-server")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              issuer: "https://auth.example.com",
+              authorization_endpoint: "https://auth.example.com/authorize",
+              token_endpoint: "https://auth.example.com/token",
+              response_types_supported: ["code"],
+              code_challenge_methods_supported: ["S256"],
+            }),
+          });
+        } else if (urlString.includes("/token")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              access_token: "access123",
+              token_type: "Bearer",
+              expires_in: 3600,
+              refresh_token: "refresh123",
+            }),
+          });
+        }
+
+        return Promise.resolve({ ok: false, status: 404 });
+      });
+
+      // Mock provider methods for token exchange
+      (mockProvider.clientInformation as jest.Mock).mockResolvedValue({
+        client_id: "test-client",
+        client_secret: "test-secret",
+      });
+      (mockProvider.codeVerifier as jest.Mock).mockResolvedValue("test-verifier");
+      (mockProvider.saveTokens as jest.Mock).mockResolvedValue(undefined);
+
+      // Call auth with authorization code
+      const result = await auth(mockProvider, {
+        serverUrl: "https://api.example.com/mcp-server",
+        authorizationCode: "auth-code-123",
+      });
+
+      expect(result).toBe("AUTHORIZED");
+
+      // Find the token exchange call
+      const tokenCall = mockFetch.mock.calls.find(call =>
+        call[0].toString().includes("/token")
+      );
+      expect(tokenCall).toBeDefined();
+
+      const body = tokenCall![1].body as URLSearchParams;
+      // Resource parameter should not be present when PRM is not available
+      expect(body.has("resource")).toBe(false);
+      expect(body.get("code")).toBe("auth-code-123");
+    });
+
+    it("excludes resource parameter in token refresh when Protected Resource Metadata is not present", async () => {
+      // Mock metadata discovery - no protected resource metadata, but auth server metadata available
+      mockFetch.mockImplementation((url) => {
+        const urlString = url.toString();
+
+        if (urlString.includes("/.well-known/oauth-protected-resource")) {
+          return Promise.resolve({
+            ok: false,
+            status: 404,
+          });
+        } else if (urlString.includes("/.well-known/oauth-authorization-server")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              issuer: "https://auth.example.com",
+              authorization_endpoint: "https://auth.example.com/authorize",
+              token_endpoint: "https://auth.example.com/token",
+              response_types_supported: ["code"],
+              code_challenge_methods_supported: ["S256"],
+            }),
+          });
+        } else if (urlString.includes("/token")) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              access_token: "new-access123",
+              token_type: "Bearer",
+              expires_in: 3600,
+            }),
+          });
+        }
+
+        return Promise.resolve({ ok: false, status: 404 });
+      });
+
+      // Mock provider methods for token refresh
+      (mockProvider.clientInformation as jest.Mock).mockResolvedValue({
+        client_id: "test-client",
+        client_secret: "test-secret",
+      });
+      (mockProvider.tokens as jest.Mock).mockResolvedValue({
+        access_token: "old-access",
+        refresh_token: "refresh123",
+      });
+      (mockProvider.saveTokens as jest.Mock).mockResolvedValue(undefined);
+
+      // Call auth with existing tokens (should trigger refresh)
+      const result = await auth(mockProvider, {
+        serverUrl: "https://api.example.com/mcp-server",
+      });
+
+      expect(result).toBe("AUTHORIZED");
+
+      // Find the token refresh call
+      const tokenCall = mockFetch.mock.calls.find(call =>
+        call[0].toString().includes("/token")
+      );
+      expect(tokenCall).toBeDefined();
+
+      const body = tokenCall![1].body as URLSearchParams;
+      // Resource parameter should not be present when PRM is not available
+      expect(body.has("resource")).toBe(false);
+      expect(body.get("grant_type")).toBe("refresh_token");
+      expect(body.get("refresh_token")).toBe("refresh123");
+    });
   });
 });
diff --git a/src/client/auth.ts b/src/client/auth.ts
index e0e93fc0e..376905743 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -198,19 +198,24 @@ export async function auth(
 }
 
 export async function selectResourceURL(serverUrl: string| URL, provider: OAuthClientProvider, resourceMetadata?: OAuthProtectedResourceMetadata): Promise<URL | undefined> {
-  let resource = resourceUrlFromServerUrl(serverUrl);
+  const defaultResource = resourceUrlFromServerUrl(serverUrl);
+
+  // If provider has custom validation, delegate to it
   if (provider.validateResourceURL) {
-    return await provider.validateResourceURL(resource, resourceMetadata?.resource);
-  } else if (resourceMetadata) {
-    if (checkResourceAllowed({ requestedResource: resource, configuredResource: resourceMetadata.resource })) {
-      // If the resource mentioned in metadata is valid, prefer it since it is what the server is telling us to request.
-      resource = new URL(resourceMetadata.resource);
-    } else {
-      throw new Error(`Protected resource ${resourceMetadata.resource} does not match expected ${resource} (or origin)`);
-    }
+    return await provider.validateResourceURL(defaultResource, resourceMetadata?.resource);
+  }
+
+  // Only include resource parameter when Protected Resource Metadata is present
+  if (!resourceMetadata) {
+    return undefined;
   }
 
-  return resource;
+  // Validate that the metadata's resource is compatible with our request
+  if (!checkResourceAllowed({ requestedResource: defaultResource, configuredResource: resourceMetadata.resource })) {
+    throw new Error(`Protected resource ${resourceMetadata.resource} does not match expected ${defaultResource} (or origin)`);
+  }
+  // Prefer the resource from metadata since it's what the server is telling us to request
+  return new URL(resourceMetadata.resource);
 }
 
 /**
@@ -360,7 +365,7 @@ export async function discoverOAuthMetadata(
     try {
       const rootUrl = new URL("/.well-known/oauth-authorization-server", issuer);
       response = await tryMetadataDiscovery(rootUrl, protocolVersion);
-      
+
       if (response.status === 404) {
         return undefined;
       }

From c20a47a79f38f617ffd9ef0df1106651891d9ea7 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Tue, 24 Jun 2025 17:09:29 +0100
Subject: [PATCH 128/147] small fixes

---
 src/server/mcp.test.ts | 108 ++++++++++++++++++++---------------------
 src/server/mcp.ts      |   2 +-
 2 files changed, 53 insertions(+), 57 deletions(-)

diff --git a/src/server/mcp.test.ts b/src/server/mcp.test.ts
index 242f05297..e09ab5117 100644
--- a/src/server/mcp.test.ts
+++ b/src/server/mcp.test.ts
@@ -1203,72 +1203,68 @@ describe("tool()", () => {
       }),
     ).rejects.toThrow(/Tool test has an output schema but no structured content was provided/);
   });
-
-    /***
+  /***
    * Test: Tool with Output Schema Must Provide Structured Content
    */
-    test("should not throw error when tool with outputSchema returns no structuredContent and isError is true", async () => {
-      const mcpServer = new McpServer({
-        name: "test server",
-        version: "1.0",
-      });
-  
-      const client = new Client({
-        name: "test client",
-        version: "1.0",
-      });
-  
-      // Register a tool with outputSchema that returns only content without structuredContent
-      mcpServer.registerTool(
-        "test",
-        {
-          description: "Test tool with output schema but missing structured content",
-          inputSchema: {
-            input: z.string(),
-          },
-          outputSchema: {
-            processedInput: z.string(),
-            resultType: z.string(),
-          },
+  test("should skip outputSchema validation when isError is true", async () => {
+    const mcpServer = new McpServer({
+      name: "test server",
+      version: "1.0",
+    });
+
+    const client = new Client({
+      name: "test client",
+      version: "1.0",
+    });
+
+    mcpServer.registerTool(
+      "test",
+      {
+        description: "Test tool with output schema but missing structured content",
+        inputSchema: {
+          input: z.string(),
         },
-        async ({ input }) => ({
-          // Only return content without structuredContent
-          content: [
-            {
-              type: "text",
-              text: `Processed: ${input}`,
-            },
-          ],
-          isError: true,
-        })
-      );
-  
-      const [clientTransport, serverTransport] =
-        InMemoryTransport.createLinkedPair();
-  
-      await Promise.all([
-        client.connect(clientTransport),
-        mcpServer.server.connect(serverTransport),
-      ]);
-  
-      // Call the tool and expect it to not throw an error
-      await expect(
-        client.callTool({
-          name: "test",
-          arguments: {
-            input: "hello",
-          },
-        }),
-      ).resolves.toStrictEqual({
+        outputSchema: {
+          processedInput: z.string(),
+          resultType: z.string(),
+        },
+      },
+      async ({ input }) => ({
         content: [
           {
             type: "text",
-            text: `Processed: hello`,
+            text: `Processed: ${input}`,
           },
         ],
         isError: true,
-      });
+      })
+    );
+
+    const [clientTransport, serverTransport] =
+      InMemoryTransport.createLinkedPair();
+
+    await Promise.all([
+      client.connect(clientTransport),
+      mcpServer.server.connect(serverTransport),
+    ]);
+
+    await expect(
+      client.callTool({
+        name: "test",
+        arguments: {
+          input: "hello",
+        },
+      }),
+    ).resolves.toStrictEqual({
+      content: [
+        {
+          type: "text",
+          text: `Processed: hello`,
+        },
+      ],
+      isError: true,
     });
+  });
 
   /***
    * Test: Schema Validation Failure for Invalid Structured Content
diff --git a/src/server/mcp.ts b/src/server/mcp.ts
index 9440708d9..67da78ffb 100644
--- a/src/server/mcp.ts
+++ b/src/server/mcp.ts
@@ -200,7 +200,7 @@ export class McpServer {
           }
         }
 
-        if (tool.outputSchema && (result.isError !== true)) {
+        if (tool.outputSchema && !result.isError) {
           if (!result.structuredContent) {
             throw new McpError(
               ErrorCode.InvalidParams,

From 166da76b0070a431c9f254a59e799a8c927f84fb Mon Sep 17 00:00:00 2001
From: Konstantin Konstantinov <konstantin@mach5technology.com>
Date: Tue, 24 Jun 2025 19:39:37 +0300
Subject: [PATCH 129/147] extra parameter - remain optional for backwards
 compatibility

---
 package-lock.json            | 1 +
 src/server/sse.ts            | 4 ++--
 src/server/streamableHttp.ts | 2 +-
 src/server/types/types.ts    | 2 +-
 src/shared/protocol.ts       | 6 +++---
 src/shared/transport.ts      | 2 +-
 6 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 9dd8236bd..016adf948 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,5 +1,6 @@
 {
   "name": "@modelcontextprotocol/sdk",
+  "version": "1.13.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
diff --git a/src/server/sse.ts b/src/server/sse.ts
index 06c0bc8d4..a54e5788f 100644
--- a/src/server/sse.ts
+++ b/src/server/sse.ts
@@ -20,7 +20,7 @@ export class SSEServerTransport implements Transport {
   private _sessionId: string;
   onclose?: () => void;
   onerror?: (error: Error) => void;
-  onmessage?: (message: JSONRPCMessage, extra: { authInfo?: AuthInfo, requestInfo: RequestInfo }) => void;
+  onmessage?: (message: JSONRPCMessage, extra?: MessageExtraInfo) => void;
 
   /**
    * Creates a new SSE server transport, which will direct the client to POST messages to the relative or absolute URL identified by `_endpoint`.
@@ -119,7 +119,7 @@ export class SSEServerTransport implements Transport {
   /**
    * Handle a client message, regardless of how it arrived. This can be used to inform the server of messages that arrive via a means different than HTTP POST.
    */
-  async handleMessage(message: unknown, extra: MessageExtraInfo): Promise<void> {
+  async handleMessage(message: unknown, extra?: MessageExtraInfo): Promise<void> {
     let parsedMessage: JSONRPCMessage;
     try {
       parsedMessage = JSONRPCMessageSchema.parse(message);
diff --git a/src/server/streamableHttp.ts b/src/server/streamableHttp.ts
index b5f8aca77..807743eb2 100644
--- a/src/server/streamableHttp.ts
+++ b/src/server/streamableHttp.ts
@@ -114,7 +114,7 @@ export class StreamableHTTPServerTransport implements Transport {
   sessionId?: string;
   onclose?: () => void;
   onerror?: (error: Error) => void;
-  onmessage?: (message: JSONRPCMessage, extra: MessageExtraInfo) => void;
+  onmessage?: (message: JSONRPCMessage, extra?: MessageExtraInfo) => void;
 
   constructor(options: StreamableHTTPServerTransportOptions) {
     this.sessionIdGenerator = options.sessionIdGenerator;
diff --git a/src/server/types/types.ts b/src/server/types/types.ts
index 1114e50b7..3892af6cb 100644
--- a/src/server/types/types.ts
+++ b/src/server/types/types.ts
@@ -22,7 +22,7 @@ export interface MessageExtraInfo {
   /**
    * The request information.
    */
-  requestInfo: RequestInfo;
+  requestInfo?: RequestInfo;
 
   /**
    * The authentication information.
diff --git a/src/shared/protocol.ts b/src/shared/protocol.ts
index ae539c177..33afd70ee 100644
--- a/src/shared/protocol.ts
+++ b/src/shared/protocol.ts
@@ -131,7 +131,7 @@ export type RequestHandlerExtra<SendRequestT extends Request,
     /**
      * The original HTTP request.
      */
-    requestInfo: RequestInfo;
+    requestInfo?: RequestInfo;
 
     /**
      * Sends a notification that relates to the current request being handled.
@@ -345,7 +345,7 @@ export abstract class Protocol<
       );
   }
 
-  private _onrequest(request: JSONRPCRequest, extra: MessageExtraInfo): void {
+  private _onrequest(request: JSONRPCRequest, extra?: MessageExtraInfo): void {
     const handler =
       this._requestHandlers.get(request.method) ?? this.fallbackRequestHandler;
 
@@ -381,7 +381,7 @@ export abstract class Protocol<
         this.request(r, resultSchema, { ...options, relatedRequestId: request.id }),
       authInfo: extra?.authInfo,
       requestId: request.id,
-      requestInfo: extra.requestInfo
+      requestInfo: extra?.requestInfo
     };
 
     // Starting with Promise.resolve() puts any synchronous errors into the monad as well.
diff --git a/src/shared/transport.ts b/src/shared/transport.ts
index 60434a680..69fce10ed 100644
--- a/src/shared/transport.ts
+++ b/src/shared/transport.ts
@@ -70,7 +70,7 @@ export interface Transport {
    * 
    * The requestInfo can be used to get the original request information (headers, etc.)
    */
-  onmessage?: (message: JSONRPCMessage, extra: MessageExtraInfo) => void;
+  onmessage?: (message: JSONRPCMessage, extra?: MessageExtraInfo) => void;
 
   /**
    * The session ID generated for this connection.

From 05d98bb3a4b8feab427bf71f11c77b2266132a7b Mon Sep 17 00:00:00 2001
From: Chris Dickinson <chris@dylibso.com>
Date: Wed, 25 Jun 2025 03:20:26 -0700
Subject: [PATCH 130/147] feat(shared/auth): support software_statement in
 OAuthClientMetadata (#696)

Per [Section 3.1.1][ref], `software_statement` is an OPTIONAL member
of the client creation request, which may contain a JWT encoding claims
about client software.

[ref]: https://datatracker.ietf.org/doc/html/rfc7591#section-3.1.1
---
 src/shared/auth.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/shared/auth.ts b/src/shared/auth.ts
index 65b800e79..b906de3d7 100644
--- a/src/shared/auth.ts
+++ b/src/shared/auth.ts
@@ -98,6 +98,7 @@ export const OAuthClientMetadataSchema = z.object({
   jwks: z.any().optional(),
   software_id: z.string().optional(),
   software_version: z.string().optional(),
+  software_statement: z.string().optional(),
 }).strip();
 
 /**

From 606c278668c4328b2592da73f59d1b98b2ccf062 Mon Sep 17 00:00:00 2001
From: Konstantin Konstantinov <konstantin@mach5technology.com>
Date: Wed, 25 Jun 2025 16:24:30 +0300
Subject: [PATCH 131/147] clean up tests - remove mockRequestInfo

---
 src/client/index.test.ts     | 15 ++++-----------
 src/server/index.test.ts     | 16 ++++------------
 src/server/mcp.test.ts       | 13 ++-----------
 src/server/sse.test.ts       |  2 +-
 src/server/sse.ts            |  3 +--
 src/server/streamableHttp.ts |  3 +--
 src/server/types/types.ts    | 31 -------------------------------
 src/shared/protocol.ts       |  3 ++-
 src/shared/transport.ts      |  3 +--
 src/types.ts                 | 31 +++++++++++++++++++++++++++++++
 10 files changed, 47 insertions(+), 73 deletions(-)
 delete mode 100644 src/server/types/types.ts

diff --git a/src/client/index.test.ts b/src/client/index.test.ts
index 02d6781c9..abd0c34e4 100644
--- a/src/client/index.test.ts
+++ b/src/client/index.test.ts
@@ -21,14 +21,7 @@ import {
 import { Transport } from "../shared/transport.js";
 import { Server } from "../server/index.js";
 import { InMemoryTransport } from "../inMemory.js";
-import { RequestInfo } from "../server/types/types.js";
-
-const mockRequestInfo: RequestInfo = {
-  headers: {
-    'content-type': 'application/json',
-    'accept': 'application/json',
-  },
-};
+
 /***
  * Test: Initialize with Matching Protocol Version
  */
@@ -50,7 +43,7 @@ test("should initialize with matching protocol version", async () => {
             },
             instructions: "test instructions",
           },
-        }, { requestInfo: mockRequestInfo });
+        });
       }
       return Promise.resolve();
     }),
@@ -108,7 +101,7 @@ test("should initialize with supported older protocol version", async () => {
               version: "1.0",
             },
           },
-        }, { requestInfo: mockRequestInfo });
+        });
       }
       return Promise.resolve();
     }),
@@ -158,7 +151,7 @@ test("should reject unsupported protocol version", async () => {
               version: "1.0",
             },
           },
-        }, { requestInfo: mockRequestInfo });
+        });
       }
       return Promise.resolve();
     }),
diff --git a/src/server/index.test.ts b/src/server/index.test.ts
index 137b89348..d91b90a9c 100644
--- a/src/server/index.test.ts
+++ b/src/server/index.test.ts
@@ -15,19 +15,11 @@ import {
   ListResourcesRequestSchema,
   ListToolsRequestSchema,
   SetLevelRequestSchema,
-  ErrorCode,
+  ErrorCode
 } from "../types.js";
 import { Transport } from "../shared/transport.js";
 import { InMemoryTransport } from "../inMemory.js";
 import { Client } from "../client/index.js";
-import { RequestInfo } from "./types/types.js";
-
-const mockRequestInfo: RequestInfo = {
-  headers: {
-    'content-type': 'application/json',
-    'traceparent': '00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01',
-  },
-};
 
 test("should accept latest protocol version", async () => {
   let sendPromiseResolve: (value: unknown) => void;
@@ -86,7 +78,7 @@ test("should accept latest protocol version", async () => {
         version: "1.0",
       },
     },
-  }, { requestInfo: mockRequestInfo });
+  });
 
   await expect(sendPromise).resolves.toBeUndefined();
 });
@@ -147,7 +139,7 @@ test("should accept supported older protocol version", async () => {
         version: "1.0",
       },
     },
-  }, { requestInfo: mockRequestInfo });
+  });
 
   await expect(sendPromise).resolves.toBeUndefined();
 });
@@ -207,7 +199,7 @@ test("should handle unsupported protocol version", async () => {
         version: "1.0",
       },
     },
-  }, { requestInfo: mockRequestInfo });
+  });
 
   await expect(sendPromise).resolves.toBeUndefined();
 });
diff --git a/src/server/mcp.test.ts b/src/server/mcp.test.ts
index d208d51e6..0764ffe88 100644
--- a/src/server/mcp.test.ts
+++ b/src/server/mcp.test.ts
@@ -14,21 +14,13 @@ import {
   LoggingMessageNotificationSchema,
   Notification,
   TextContent,
-  ElicitRequestSchema,
+  ElicitRequestSchema
 } from "../types.js";
 import { ResourceTemplate } from "./mcp.js";
 import { completable } from "./completable.js";
 import { UriTemplate } from "../shared/uriTemplate.js";
-import { RequestInfo } from "./types/types.js";
 import { getDisplayName } from "../shared/metadataUtils.js";
 
-const mockRequestInfo: RequestInfo = {
-  headers: {
-    'content-type': 'application/json',
-    'accept': 'application/json',
-  },
-};
-
 describe("McpServer", () => {
   /***
    * Test: Basic Server Instance
@@ -222,8 +214,7 @@ describe("ResourceTemplate", () => {
       signal: abortController.signal,
       requestId: 'not-implemented',
       sendRequest: () => { throw new Error("Not implemented") },
-      sendNotification: () => { throw new Error("Not implemented") }, 
-      requestInfo: mockRequestInfo
+      sendNotification: () => { throw new Error("Not implemented") }
     });
     expect(result?.resources).toHaveLength(1);
     expect(list).toHaveBeenCalled();
diff --git a/src/server/sse.test.ts b/src/server/sse.test.ts
index 7edef6af0..703cc5146 100644
--- a/src/server/sse.test.ts
+++ b/src/server/sse.test.ts
@@ -232,7 +232,7 @@ describe('SSEServerTransport', () => {
       );
     });
 
-     /***
+  /**
    * Test: Tool With Request Info
    */
   it("should pass request info to tool callback", async () => {
diff --git a/src/server/sse.ts b/src/server/sse.ts
index a54e5788f..de4dd60a6 100644
--- a/src/server/sse.ts
+++ b/src/server/sse.ts
@@ -1,11 +1,10 @@
 import { randomUUID } from "node:crypto";
 import { IncomingMessage, ServerResponse } from "node:http";
 import { Transport } from "../shared/transport.js";
-import { JSONRPCMessage, JSONRPCMessageSchema } from "../types.js";
+import { JSONRPCMessage, JSONRPCMessageSchema, MessageExtraInfo, RequestInfo } from "../types.js";
 import getRawBody from "raw-body";
 import contentType from "content-type";
 import { AuthInfo } from "./auth/types.js";
-import { MessageExtraInfo, RequestInfo } from "./types/types.js";
 import { URL } from 'url';
 
 const MAXIMUM_MESSAGE_SIZE = "4mb";
diff --git a/src/server/streamableHttp.ts b/src/server/streamableHttp.ts
index 807743eb2..677da45ea 100644
--- a/src/server/streamableHttp.ts
+++ b/src/server/streamableHttp.ts
@@ -1,11 +1,10 @@
 import { IncomingMessage, ServerResponse } from "node:http";
 import { Transport } from "../shared/transport.js";
-import { isInitializeRequest, isJSONRPCError, isJSONRPCRequest, isJSONRPCResponse, JSONRPCMessage, JSONRPCMessageSchema, RequestId, SUPPORTED_PROTOCOL_VERSIONS, DEFAULT_NEGOTIATED_PROTOCOL_VERSION } from "../types.js";
+import { MessageExtraInfo, RequestInfo, isInitializeRequest, isJSONRPCError, isJSONRPCRequest, isJSONRPCResponse, JSONRPCMessage, JSONRPCMessageSchema, RequestId, SUPPORTED_PROTOCOL_VERSIONS, DEFAULT_NEGOTIATED_PROTOCOL_VERSION } from "../types.js";
 import getRawBody from "raw-body";
 import contentType from "content-type";
 import { randomUUID } from "node:crypto";
 import { AuthInfo } from "./auth/types.js";
-import { MessageExtraInfo, RequestInfo } from "./types/types.js";
 
 const MAXIMUM_MESSAGE_SIZE = "4mb";
 
diff --git a/src/server/types/types.ts b/src/server/types/types.ts
deleted file mode 100644
index 3892af6cb..000000000
--- a/src/server/types/types.ts
+++ /dev/null
@@ -1,31 +0,0 @@
-import { AuthInfo } from "../auth/types.js";
-
-/**
- * Headers that are compatible with both Node.js and the browser.
- */
-export type IsomorphicHeaders = Record<string, string | string[] | undefined>;
-
-/**
- * Information about the incoming request.
- */
-export interface RequestInfo {
-  /**
-   * The headers of the request.
-   */
-  headers: IsomorphicHeaders;
-}
-
-/**
- * Extra information about a message.
- */
-export interface MessageExtraInfo {
-  /**
-   * The request information.
-   */
-  requestInfo?: RequestInfo;
-
-  /**
-   * The authentication information.
-   */
-  authInfo?: AuthInfo;
-}
\ No newline at end of file
diff --git a/src/shared/protocol.ts b/src/shared/protocol.ts
index 33afd70ee..35839a4f8 100644
--- a/src/shared/protocol.ts
+++ b/src/shared/protocol.ts
@@ -22,10 +22,11 @@ import {
   Result,
   ServerCapabilities,
   RequestMeta,
+  MessageExtraInfo,
+  RequestInfo,
 } from "../types.js";
 import { Transport, TransportSendOptions } from "./transport.js";
 import { AuthInfo } from "../server/auth/types.js";
-import { MessageExtraInfo, RequestInfo } from "../server/types/types.js";
 
 /**
  * Callback for progress notifications.
diff --git a/src/shared/transport.ts b/src/shared/transport.ts
index 69fce10ed..96b291fab 100644
--- a/src/shared/transport.ts
+++ b/src/shared/transport.ts
@@ -1,5 +1,4 @@
-import { MessageExtraInfo } from "../server/types/types.js";
-import { JSONRPCMessage, RequestId } from "../types.js";
+import { JSONRPCMessage, MessageExtraInfo, RequestId } from "../types.js";
 
 /**
  * Options for sending a JSON-RPC message.
diff --git a/src/types.ts b/src/types.ts
index 3606a6be7..f66d2c4b6 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -1,4 +1,5 @@
 import { z, ZodTypeAny } from "zod";
+import { AuthInfo } from "./server/auth/types.js";
 
 export const LATEST_PROTOCOL_VERSION = "2025-06-18";
 export const DEFAULT_NEGOTIATED_PROTOCOL_VERSION = "2025-03-26";
@@ -1463,6 +1464,36 @@ type Flatten<T> = T extends Primitive
 
 type Infer<Schema extends ZodTypeAny> = Flatten<z.infer<Schema>>;
 
+/**
+ * Headers that are compatible with both Node.js and the browser.
+ */
+export type IsomorphicHeaders = Record<string, string | string[] | undefined>;
+
+/**
+ * Information about the incoming request.
+ */
+export interface RequestInfo {
+  /**
+   * The headers of the request.
+   */
+  headers: IsomorphicHeaders;
+}
+
+/**
+ * Extra information about a message.
+ */
+export interface MessageExtraInfo {
+  /**
+   * The request information.
+   */
+  requestInfo?: RequestInfo;
+
+  /**
+   * The authentication information.
+   */
+  authInfo?: AuthInfo;
+}
+
 /* JSON-RPC types */
 export type ProgressToken = Infer<typeof ProgressTokenSchema>;
 export type Cursor = Infer<typeof CursorSchema>;

From 7a64f974936fd27faf063df8f9e952740bce9ad4 Mon Sep 17 00:00:00 2001
From: Rishi Nandha Vanchi <49914358+RishiNandha@users.noreply.github.com>
Date: Wed, 25 Jun 2025 20:08:15 +0530
Subject: [PATCH 132/147] Add: Sampling Example to README

---
 README.md | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/README.md b/README.md
index aa8f9304c..0d8d8f7c9 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,7 @@
   - [Tools](#tools)
   - [Prompts](#prompts)
   - [Completions](#completions)
+  - [Sampling](#sampling)
 - [Running Your Server](#running-your-server)
   - [stdio](#stdio)
   - [Streamable HTTP](#streamable-http)
@@ -382,6 +383,37 @@ import { getDisplayName } from "@modelcontextprotocol/sdk/shared/metadataUtils.j
 const displayName = getDisplayName(tool);
 ```
 
+### Sampling
+
+MCP servers can also request MCP client LLMs for responses. Below is an example of a sampling request sent just after connecting to the Client
+
+```typescript
+// Result sent back from LLM follow the CreateMessageSchema
+import {CreateMessageResult} from "@modelcontextprotocol/sdk/types.js";
+
+// Async Function to send a sampling request to the LLM at top-level
+async function samplingExample(server: McpServer): Promise<CreateMessageResult> {	
+	const samplingText = "Text prompt to send to LLM";
+	const result = await McpServer.server.createMessage(
+		{
+			messages : [{
+				role: "user",
+				content: {
+					text: samplingText,
+				type: "text"
+				}
+			}],
+			maxTokens: 1000
+		}
+	);
+	return result;
+}
+
+// Sampling request just after connecting to MCP Client
+server.connect(transport);
+samplingExample(server);
+```
+
 ## Running Your Server
 
 MCP servers in TypeScript need to be connected to a transport to communicate with clients. How you start the server depends on the choice of transport:

From b232faf7987852cd063ec1bda03cba533b5e324e Mon Sep 17 00:00:00 2001
From: Rishi Nandha Vanchi <49914358+RishiNandha@users.noreply.github.com>
Date: Wed, 25 Jun 2025 20:09:54 +0530
Subject: [PATCH 133/147] Fixed Tabs

---
 README.md | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/README.md b/README.md
index 0d8d8f7c9..4f7ed1067 100644
--- a/README.md
+++ b/README.md
@@ -393,20 +393,20 @@ import {CreateMessageResult} from "@modelcontextprotocol/sdk/types.js";
 
 // Async Function to send a sampling request to the LLM at top-level
 async function samplingExample(server: McpServer): Promise<CreateMessageResult> {	
-	const samplingText = "Text prompt to send to LLM";
-	const result = await McpServer.server.createMessage(
-		{
-			messages : [{
-				role: "user",
-				content: {
-					text: samplingText,
-				type: "text"
-				}
-			}],
-			maxTokens: 1000
-		}
-	);
-	return result;
+  const samplingText = "Text prompt to send to LLM";
+  const result = await McpServer.server.createMessage(
+    {
+      messages : [{
+        role: "user",
+        content: {
+          text: samplingText,
+          type: "text"
+        }
+      }],
+      maxTokens: 1000
+    }
+  );
+  return result;
 }
 
 // Sampling request just after connecting to MCP Client

From ca9924b20b52014d0b0e8a2fed143caf2d2e37c5 Mon Sep 17 00:00:00 2001
From: Rishi Nandha Vanchi <49914358+RishiNandha@users.noreply.github.com>
Date: Wed, 25 Jun 2025 20:10:57 +0530
Subject: [PATCH 134/147] Changed example

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 4f7ed1067..5e2afd061 100644
--- a/README.md
+++ b/README.md
@@ -393,7 +393,7 @@ import {CreateMessageResult} from "@modelcontextprotocol/sdk/types.js";
 
 // Async Function to send a sampling request to the LLM at top-level
 async function samplingExample(server: McpServer): Promise<CreateMessageResult> {	
-  const samplingText = "Text prompt to send to LLM";
+  const samplingText = "Example Sampling Prompt";
   const result = await McpServer.server.createMessage(
     {
       messages : [{

From 5f96ae4d8954daf656a9b69a73b249f748cfc75d Mon Sep 17 00:00:00 2001
From: Achintha Isuru <achinthaisuru444@gmail.com>
Date: Wed, 25 Jun 2025 11:34:44 -0400
Subject: [PATCH 135/147] update PR#633 to address the comment about improving
 the example

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index abf57afb9..de297dc9f 100644
--- a/README.md
+++ b/README.md
@@ -508,7 +508,7 @@ app.listen(3000);
 > ```ts
 > app.use(
 >   cors({
->     origin: '*',
+>     origin: ['https://your-remote-domain.com, https://your-other-remote-domain.com'],
 >     exposedHeaders: ['mcp-session-id'],
 >     allowedHeaders: ['Content-Type', 'mcp-session-id'],
 >   })

From 362acfc1ce435f97987cf786838523645073f8fa Mon Sep 17 00:00:00 2001
From: Christian Bromann <git@bromann.dev>
Date: Thu, 26 Jun 2025 09:51:26 -0700
Subject: [PATCH 136/147] Update package-lock.json

---
 package-lock.json | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 3b5d6e36f..d6e1b9f5a 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,20 +1,12 @@
 {
   "name": "@modelcontextprotocol/sdk",
-<<<<<<< cb/sse-tests -- Incoming Change
-  "version": "1.10.2",
-=======
   "version": "1.13.1",
->>>>>>> main -- Current Change
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@modelcontextprotocol/sdk",
-<<<<<<< cb/sse-tests -- Incoming Change
-      "version": "1.10.2",
-=======
       "version": "1.13.1",
->>>>>>> main -- Current Change
       "license": "MIT",
       "dependencies": {
         "ajv": "^6.12.6",

From f76652bb100ee59470359ea440502cb1c02e7c56 Mon Sep 17 00:00:00 2001
From: Christian Bromann <git@bromann.dev>
Date: Thu, 26 Jun 2025 10:22:27 -0700
Subject: [PATCH 137/147] Update src/server/sse.test.ts

---
 src/server/sse.test.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/server/sse.test.ts b/src/server/sse.test.ts
index 4aceb734d..32c894f07 100644
--- a/src/server/sse.test.ts
+++ b/src/server/sse.test.ts
@@ -418,7 +418,12 @@ describe('SSEServerTransport', () => {
       }, {
         authInfo: {
           token: 'test-token',
-        }
+        },
+        requestInfo: {
+          headers: {
+            'content-type': 'application/json',
+          },
+        },
       });
     });
   });

From 9d678ce5912c86c1d12867b9a726365d9295c1a9 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Thu, 26 Jun 2025 18:52:24 +0100
Subject: [PATCH 138/147] 1.13.2

---
 package-lock.json | 4 ++--
 package.json      | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index d6e1b9f5a..9f1d43a33 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.13.1",
+  "version": "1.13.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@modelcontextprotocol/sdk",
-      "version": "1.13.1",
+      "version": "1.13.2",
       "license": "MIT",
       "dependencies": {
         "ajv": "^6.12.6",
diff --git a/package.json b/package.json
index 0439e6808..8feb10aff 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.13.1",
+  "version": "1.13.2",
   "description": "Model Context Protocol implementation for TypeScript",
   "license": "MIT",
   "author": "Anthropic, PBC (https://anthropic.com)",

From 8bc7374f5ee69d4af79d6703fee244231a4b3d95 Mon Sep 17 00:00:00 2001
From: David Dworken <dworken@anthropic.com>
Date: Thu, 26 Jun 2025 16:12:26 -0700
Subject: [PATCH 139/147] Fix merge conflict

---
 src/server/sse.test.ts | 72 ++++++++++++++++++++++++++++--------------
 1 file changed, 48 insertions(+), 24 deletions(-)

diff --git a/src/server/sse.test.ts b/src/server/sse.test.ts
index a0a06cb9c..a7f180961 100644
--- a/src/server/sse.test.ts
+++ b/src/server/sse.test.ts
@@ -469,8 +469,10 @@ describe('SSEServerTransport', () => {
         await transport.start();
 
         const mockReq = createMockRequest({
-          host: 'localhost:3000',
-          'content-type': 'application/json',
+          headers: {
+            host: 'localhost:3000',
+            'content-type': 'application/json',
+          }
         });
         const mockHandleRes = createMockResponse();
 
@@ -489,8 +491,10 @@ describe('SSEServerTransport', () => {
         await transport.start();
 
         const mockReq = createMockRequest({
-          host: 'evil.com',
-          'content-type': 'application/json',
+          headers: {
+            host: 'evil.com',
+            'content-type': 'application/json',
+          }
         });
         const mockHandleRes = createMockResponse();
 
@@ -509,7 +513,9 @@ describe('SSEServerTransport', () => {
         await transport.start();
 
         const mockReq = createMockRequest({
-          'content-type': 'application/json',
+          headers: {
+            'content-type': 'application/json',
+          }
         });
         const mockHandleRes = createMockResponse();
 
@@ -530,8 +536,10 @@ describe('SSEServerTransport', () => {
         await transport.start();
 
         const mockReq = createMockRequest({
-          origin: 'http://localhost:3000',
-          'content-type': 'application/json',
+          headers: {
+            origin: 'http://localhost:3000',
+            'content-type': 'application/json',
+          }
         });
         const mockHandleRes = createMockResponse();
 
@@ -550,8 +558,10 @@ describe('SSEServerTransport', () => {
         await transport.start();
 
         const mockReq = createMockRequest({
-          origin: 'http://evil.com',
-          'content-type': 'application/json',
+          headers: {
+            origin: 'http://evil.com',
+            'content-type': 'application/json',
+          }
         });
         const mockHandleRes = createMockResponse();
 
@@ -569,7 +579,9 @@ describe('SSEServerTransport', () => {
         await transport.start();
 
         const mockReq = createMockRequest({
-          'content-type': 'application/json',
+          headers: {
+            'content-type': 'application/json',
+          }
         });
         const mockHandleRes = createMockResponse();
 
@@ -585,7 +597,9 @@ describe('SSEServerTransport', () => {
         await transport.start();
 
         const mockReq = createMockRequest({
-          'content-type': 'application/json; charset=utf-8',
+          headers: {
+            'content-type': 'application/json; charset=utf-8',
+          }
         });
         const mockHandleRes = createMockResponse();
 
@@ -601,7 +615,9 @@ describe('SSEServerTransport', () => {
         await transport.start();
 
         const mockReq = createMockRequest({
-          'content-type': 'text/plain',
+          headers: {
+            'content-type': 'text/plain',
+          }
         });
         const mockHandleRes = createMockResponse();
 
@@ -623,9 +639,11 @@ describe('SSEServerTransport', () => {
         await transport.start();
 
         const mockReq = createMockRequest({
-          host: 'evil.com',
-          origin: 'http://evil.com',
-          'content-type': 'text/plain',
+          headers: {
+            host: 'evil.com',
+            origin: 'http://evil.com',
+            'content-type': 'text/plain',
+          }
         });
         const mockHandleRes = createMockResponse();
 
@@ -650,9 +668,11 @@ describe('SSEServerTransport', () => {
 
         // Valid host, invalid origin
         const mockReq1 = createMockRequest({
-          host: 'localhost:3000',
-          origin: 'http://evil.com',
-          'content-type': 'application/json',
+          headers: {
+            host: 'localhost:3000',
+            origin: 'http://evil.com',
+            'content-type': 'application/json',
+          }
         });
         const mockHandleRes1 = createMockResponse();
 
@@ -663,9 +683,11 @@ describe('SSEServerTransport', () => {
 
         // Invalid host, valid origin
         const mockReq2 = createMockRequest({
-          host: 'evil.com',
-          origin: 'http://localhost:3000',
-          'content-type': 'application/json',
+          headers: {
+            host: 'evil.com',
+            origin: 'http://localhost:3000',
+            'content-type': 'application/json',
+          }
         });
         const mockHandleRes2 = createMockResponse();
 
@@ -676,9 +698,11 @@ describe('SSEServerTransport', () => {
 
         // Both valid
         const mockReq3 = createMockRequest({
-          host: 'localhost:3000',
-          origin: 'http://localhost:3000',
-          'content-type': 'application/json',
+          headers: {
+            host: 'localhost:3000',
+            origin: 'http://localhost:3000',
+            'content-type': 'application/json',
+          }
         });
         const mockHandleRes3 = createMockResponse();
 

From 53ad0a01d56a978da8ca37cff99e484113cdf337 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Fri, 27 Jun 2025 14:14:21 +0100
Subject: [PATCH 140/147] fix lint

---
 src/server/streamableHttp.test.ts | 54 +++++++++++++++----------------
 1 file changed, 27 insertions(+), 27 deletions(-)

diff --git a/src/server/streamableHttp.test.ts b/src/server/streamableHttp.test.ts
index f93e7e96e..502435ead 100644
--- a/src/server/streamableHttp.test.ts
+++ b/src/server/streamableHttp.test.ts
@@ -8,17 +8,17 @@ import { z } from "zod";
 import { AuthInfo } from "./auth/types.js";
 
 async function getFreePort() {
-    return new Promise( res => {
-        const srv = netCreateServer();
-        srv.listen(0, () => {
-            const address = srv.address()!
-            if (typeof address === "string") {
-                throw new Error("Unexpected address type: " + typeof address);
-            }
-            const port = (address as AddressInfo).port;
-            srv.close((err) => res(port))
-        });
-    })
+  return new Promise(res => {
+    const srv = netCreateServer();
+    srv.listen(0, () => {
+      const address = srv.address()!
+      if (typeof address === "string") {
+        throw new Error("Unexpected address type: " + typeof address);
+      }
+      const port = (address as AddressInfo).port;
+      srv.close((_err) => res(port))
+    });
+  })
 }
 
 /**
@@ -377,7 +377,7 @@ describe("StreamableHTTPServerTransport", () => {
         return { content: [{ type: "text", text: `Hello, ${name}!` }, { type: "text", text: `${JSON.stringify(requestInfo)}` }] };
       }
     );
-   
+
     const toolCallMessage: JSONRPCMessage = {
       jsonrpc: "2.0",
       method: "tools/call",
@@ -828,7 +828,7 @@ describe("StreamableHTTPServerTransport", () => {
 
       // Send request with matching protocol version
       const response = await sendPostRequest(baseUrl, TEST_MESSAGES.toolsList, sessionId);
-      
+
       expect(response.status).toBe(200);
     });
 
@@ -846,7 +846,7 @@ describe("StreamableHTTPServerTransport", () => {
         },
         body: JSON.stringify(TEST_MESSAGES.toolsList),
       });
-      
+
       expect(response.status).toBe(200);
     });
 
@@ -864,7 +864,7 @@ describe("StreamableHTTPServerTransport", () => {
         },
         body: JSON.stringify(TEST_MESSAGES.toolsList),
       });
-      
+
       expect(response.status).toBe(400);
       const errorData = await response.json();
       expectErrorResponse(errorData, -32000, /Bad Request: Unsupported protocol version \(supported versions: .+\)/);
@@ -872,13 +872,13 @@ describe("StreamableHTTPServerTransport", () => {
 
     it("should accept when protocol version differs from negotiated version", async () => {
       sessionId = await initializeServer();
-      
+
       // Spy on console.warn to verify warning is logged
       const warnSpy = jest.spyOn(console, 'warn').mockImplementation();
 
       // Send request with different but supported protocol version
       const response = await fetch(baseUrl, {
-        method: "POST", 
+        method: "POST",
         headers: {
           "Content-Type": "application/json",
           Accept: "application/json, text/event-stream",
@@ -887,10 +887,10 @@ describe("StreamableHTTPServerTransport", () => {
         },
         body: JSON.stringify(TEST_MESSAGES.toolsList),
       });
-      
+
       // Request should still succeed
       expect(response.status).toBe(200);
-      
+
       warnSpy.mockRestore();
     });
 
@@ -906,7 +906,7 @@ describe("StreamableHTTPServerTransport", () => {
           "mcp-protocol-version": "invalid-version",
         },
       });
-      
+
       expect(response.status).toBe(400);
       const errorData = await response.json();
       expectErrorResponse(errorData, -32000, /Bad Request: Unsupported protocol version \(supported versions: .+\)/);
@@ -923,7 +923,7 @@ describe("StreamableHTTPServerTransport", () => {
           "mcp-protocol-version": "invalid-version",
         },
       });
-      
+
       expect(response.status).toBe(400);
       const errorData = await response.json();
       expectErrorResponse(errorData, -32000, /Bad Request: Unsupported protocol version \(supported versions: .+\)/);
@@ -965,12 +965,12 @@ describe("StreamableHTTPServerTransport with AuthInfo", () => {
       method: "tools/call",
       params: {
         name: "profile",
-        arguments: {active: true},
+        arguments: { active: true },
       },
       id: "call-1",
     };
 
-    const response = await sendPostRequest(baseUrl, toolCallMessage, sessionId, {'authorization': 'Bearer test-token'});
+    const response = await sendPostRequest(baseUrl, toolCallMessage, sessionId, { 'authorization': 'Bearer test-token' });
     expect(response.status).toBe(200);
 
     const text = await readSSEEvent(response);
@@ -992,7 +992,7 @@ describe("StreamableHTTPServerTransport with AuthInfo", () => {
       id: "call-1",
     });
   });
-  
+
   it("should calls tool without authInfo when it is optional", async () => {
     sessionId = await initializeServer();
 
@@ -1001,7 +1001,7 @@ describe("StreamableHTTPServerTransport with AuthInfo", () => {
       method: "tools/call",
       params: {
         name: "profile",
-        arguments: {active: false},
+        arguments: { active: false },
       },
       id: "call-1",
     };
@@ -1485,7 +1485,7 @@ describe("StreamableHTTPServerTransport in stateless mode", () => {
     // Open first SSE stream
     const stream1 = await fetch(baseUrl, {
       method: "GET",
-      headers: { 
+      headers: {
         Accept: "text/event-stream",
         "mcp-protocol-version": "2025-03-26"
       },
@@ -1495,7 +1495,7 @@ describe("StreamableHTTPServerTransport in stateless mode", () => {
     // Open second SSE stream - should still be rejected, stateless mode still only allows one
     const stream2 = await fetch(baseUrl, {
       method: "GET",
-      headers: { 
+      headers: {
         Accept: "text/event-stream",
         "mcp-protocol-version": "2025-03-26"
       },

From fb303d748fe7b05b25d5bc938c43c3ae8871e778 Mon Sep 17 00:00:00 2001
From: sushichan044 <71284054+sushichan044@users.noreply.github.com>
Date: Sat, 28 Jun 2025 14:56:02 +0900
Subject: [PATCH 141/147] tidying up

---
 src/examples/server/mcpServerOutputSchema.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/examples/server/mcpServerOutputSchema.ts b/src/examples/server/mcpServerOutputSchema.ts
index dce2d42ef..de3b363ed 100644
--- a/src/examples/server/mcpServerOutputSchema.ts
+++ b/src/examples/server/mcpServerOutputSchema.ts
@@ -43,7 +43,14 @@ server.registerTool(
     void country;
     // Simulate weather API call
     const temp_c = Math.round((Math.random() * 35 - 5) * 10) / 10;
-    const conditions = ["sunny", "cloudy", "rainy", "stormy", "snowy"][Math.floor(Math.random() * 5)] as unknown as "sunny" | "cloudy" | "rainy" | "stormy" | "snowy";
+    const conditionCandidates = [
+      "sunny",
+      "cloudy",
+      "rainy",
+      "stormy",
+      "snowy",
+    ] as const;
+    const conditions = conditionCandidates[Math.floor(Math.random() * conditionCandidates.length)];
 
     const structuredContent = {
       temperature: {

From 3d6acd3d9ac50eaed334b5c96e16ee033f2abbd8 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Mon, 30 Jun 2025 16:23:19 +0100
Subject: [PATCH 142/147] add an example and update readme

---
 README.md                                   | 77 +++++++++++++++------
 src/examples/server/toolWithSampleServer.ts | 57 +++++++++++++++
 2 files changed, 111 insertions(+), 23 deletions(-)
 create mode 100644 src/examples/server/toolWithSampleServer.ts

diff --git a/README.md b/README.md
index 5e2afd061..f8143501c 100644
--- a/README.md
+++ b/README.md
@@ -385,35 +385,66 @@ const displayName = getDisplayName(tool);
 
 ### Sampling
 
-MCP servers can also request MCP client LLMs for responses. Below is an example of a sampling request sent just after connecting to the Client
+MCP servers can request LLM completions from connected clients that support sampling.
 
 ```typescript
-// Result sent back from LLM follow the CreateMessageSchema
-import {CreateMessageResult} from "@modelcontextprotocol/sdk/types.js";
-
-// Async Function to send a sampling request to the LLM at top-level
-async function samplingExample(server: McpServer): Promise<CreateMessageResult> {	
-  const samplingText = "Example Sampling Prompt";
-  const result = await McpServer.server.createMessage(
-    {
-      messages : [{
-        role: "user",
-        content: {
-          text: samplingText,
-          type: "text"
-        }
-      }],
-      maxTokens: 1000
-    }
-  );
-  return result;
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { z } from "zod";
+
+const mcpServer = new McpServer({
+  name: "tools-with-sample-server",
+  version: "1.0.0",
+});
+
+// Tool that uses LLM sampling to summarize any text
+mcpServer.registerTool(
+  "summarize",
+  {
+    description: "Summarize any text using an LLM",
+    inputSchema: {
+      text: z.string().describe("Text to summarize"),
+    },
+  },
+  async ({ text }) => {
+    // Call the LLM through MCP sampling
+    const response = await mcpServer.server.createMessage({
+      messages: [
+        {
+          role: "user",
+          content: {
+            type: "text",
+            text: `Please summarize the following text concisely:\n\n${text}`,
+          },
+        },
+      ],
+      maxTokens: 500,
+    });
+
+    return {
+      content: [
+        {
+          type: "text",
+          text: response.content.type === "text" ? response.content.text : "Unable to generate summary",
+        },
+      ],
+    };
+  }
+);
+
+async function main() {
+  const transport = new StdioServerTransport();
+  await mcpServer.connect(transport);
+  console.log("MCP server is running...");
 }
 
-// Sampling request just after connecting to MCP Client
-server.connect(transport);
-samplingExample(server);
+main().catch((error) => {
+  console.error("Server error:", error);
+  process.exit(1);
+});
 ```
 
+
 ## Running Your Server
 
 MCP servers in TypeScript need to be connected to a transport to communicate with clients. How you start the server depends on the choice of transport:
diff --git a/src/examples/server/toolWithSampleServer.ts b/src/examples/server/toolWithSampleServer.ts
new file mode 100644
index 000000000..7e92f33b3
--- /dev/null
+++ b/src/examples/server/toolWithSampleServer.ts
@@ -0,0 +1,57 @@
+
+// Run with: npx tsx src/examples/server/toolWithSampleServer.ts
+
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { z } from "zod";
+
+const mcpServer = new McpServer({
+  name: "tools-with-sample-server",
+  version: "1.0.0",
+});
+
+// Tool that uses LLM sampling to summarize any text
+mcpServer.registerTool(
+  "summarize",
+  {
+    description: "Summarize any text using an LLM",
+    inputSchema: {
+      text: z.string().describe("Text to summarize"),
+    },
+  },
+  async ({ text }) => {
+    // Call the LLM through MCP sampling
+    const response = await mcpServer.server.createMessage({
+      messages: [
+        {
+          role: "user",
+          content: {
+            type: "text",
+            text: `Please summarize the following text concisely:\n\n${text}`,
+          },
+        },
+      ],
+      maxTokens: 500,
+    });
+
+    return {
+      content: [
+        {
+          type: "text",
+          text: response.content.type === "text" ? response.content.text : "Unable to generate summary",
+        },
+      ],
+    };
+  }
+);
+
+async function main() {
+  const transport = new StdioServerTransport();
+  await mcpServer.connect(transport);
+  console.log("MCP server is running...");
+}
+
+main().catch((error) => {
+  console.error("Server error:", error);
+  process.exit(1);
+});
\ No newline at end of file

From a8fa0b342ac0411d0827e48820400e5d048baa45 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Mon, 30 Jun 2025 16:25:26 +0100
Subject: [PATCH 143/147] build

---
 src/examples/server/toolWithSampleServer.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/examples/server/toolWithSampleServer.ts b/src/examples/server/toolWithSampleServer.ts
index 7e92f33b3..44e5cecbb 100644
--- a/src/examples/server/toolWithSampleServer.ts
+++ b/src/examples/server/toolWithSampleServer.ts
@@ -1,8 +1,8 @@
 
 // Run with: npx tsx src/examples/server/toolWithSampleServer.ts
 
-import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
-import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { McpServer } from "../../server/mcp.js";
+import { StdioServerTransport } from "../../server/stdio.js";
 import { z } from "zod";
 
 const mcpServer = new McpServer({

From 6f5e53b44b7c3a7db80d2f204e713c820e627492 Mon Sep 17 00:00:00 2001
From: Glen Maddern <glen@cloudflare.com>
Date: Wed, 2 Jul 2025 01:24:27 +1000
Subject: [PATCH 144/147] Returning undefined from `discoverOAuthMetadata` for
 CORS errors (#717)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Returning undefined from `discoverOAuthMetadata` for CORS errors

This behaviour was already happening for the root URL, but the new `fetchWithCorsRetry` logic differed.

The issue was if the server returns a 404 for `/.well-known/oauth-authorization-server/xyz` that didn't have the `access-control-allow-origin`, a TypeError was being thrown. There was logic there already to handle a TypeError for a _preflight_ request (cause by custom headers), but not the fallback. I refactored so all combinations return `undefined`.

* Add test for CORS error handling that should return undefined

This test covers the scenario where both the initial request with headers
and the retry without headers fail with CORS TypeErrors. The desired
behavior is to return undefined instead of throwing.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix test comment

---------

Co-authored-by: Glen Maddern <glen@glenmaddern.com>
Co-authored-by: Paul Carleton <paulc@anthropic.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Paul Carleton <paulcarletonjr@gmail.com>
---
 src/client/auth.test.ts | 13 ++++++++++++
 src/client/auth.ts      | 47 +++++++++++++++++++----------------------
 2 files changed, 35 insertions(+), 25 deletions(-)

diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
index 8e77c0a5b..8155e1342 100644
--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -403,6 +403,19 @@ describe("OAuth Authorization", () => {
       expect(mockFetch).toHaveBeenCalledTimes(2);
     });
 
+    it("returns undefined when both CORS requests fail in fetchWithCorsRetry", async () => {
+      // fetchWithCorsRetry tries with headers (fails with CORS), then retries without headers (also fails with CORS)
+      // simulating a 404 w/o headers set. We want this to return undefined, not throw TypeError
+      mockFetch.mockImplementation(() => {
+        // Both the initial request with headers and retry without headers fail with CORS TypeError
+        return Promise.reject(new TypeError("Failed to fetch"));
+      });
+
+      // This should return undefined (the desired behavior after the fix)
+      const metadata = await discoverOAuthMetadata("https://auth.example.com/path");
+      expect(metadata).toBeUndefined();
+    });
+
     it("returns undefined when discovery endpoint returns 404", async () => {
       mockFetch.mockResolvedValueOnce({
         ok: false,
diff --git a/src/client/auth.ts b/src/client/auth.ts
index 376905743..71101a428 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -292,25 +292,24 @@ export async function discoverOAuthProtectedResourceMetadata(
   return OAuthProtectedResourceMetadataSchema.parse(await response.json());
 }
 
-/**
- * Looks up RFC 8414 OAuth 2.0 Authorization Server Metadata.
- *
- * If the server returns a 404 for the well-known endpoint, this function will
- * return `undefined`. Any other errors will be thrown as exceptions.
- */
 /**
  * Helper function to handle fetch with CORS retry logic
  */
 async function fetchWithCorsRetry(
   url: URL,
-  headers: Record<string, string>,
-): Promise<Response> {
+  headers?: Record<string, string>,
+): Promise<Response | undefined> {
   try {
     return await fetch(url, { headers });
   } catch (error) {
-    // CORS errors come back as TypeError, retry without headers
     if (error instanceof TypeError) {
-      return await fetch(url);
+      if (headers) {
+        // CORS errors come back as TypeError, retry without headers
+        return fetchWithCorsRetry(url)
+      } else {
+        // We're getting CORS errors on retry too, return undefined
+        return undefined
+      }
     }
     throw error;
   }
@@ -334,7 +333,7 @@ function buildWellKnownPath(pathname: string): string {
 async function tryMetadataDiscovery(
   url: URL,
   protocolVersion: string,
-): Promise<Response> {
+): Promise<Response | undefined> {
   const headers = {
     "MCP-Protocol-Version": protocolVersion
   };
@@ -344,10 +343,16 @@ async function tryMetadataDiscovery(
 /**
  * Determines if fallback to root discovery should be attempted
  */
-function shouldAttemptFallback(response: Response, pathname: string): boolean {
-  return response.status === 404 && pathname !== '/';
+function shouldAttemptFallback(response: Response | undefined, pathname: string): boolean {
+  return !response || response.status === 404 && pathname !== '/';
 }
 
+/**
+ * Looks up RFC 8414 OAuth 2.0 Authorization Server Metadata.
+ *
+ * If the server returns a 404 for the well-known endpoint, this function will
+ * return `undefined`. Any other errors will be thrown as exceptions.
+ */
 export async function discoverOAuthMetadata(
   authorizationServerUrl: string | URL,
   opts?: { protocolVersion?: string },
@@ -362,18 +367,10 @@ export async function discoverOAuthMetadata(
 
   // If path-aware discovery fails with 404, try fallback to root discovery
   if (shouldAttemptFallback(response, issuer.pathname)) {
-    try {
-      const rootUrl = new URL("/.well-known/oauth-authorization-server", issuer);
-      response = await tryMetadataDiscovery(rootUrl, protocolVersion);
-
-      if (response.status === 404) {
-        return undefined;
-      }
-    } catch {
-      // If fallback fails, return undefined
-      return undefined;
-    }
-  } else if (response.status === 404) {
+    const rootUrl = new URL("/.well-known/oauth-authorization-server", issuer);
+    response = await tryMetadataDiscovery(rootUrl, protocolVersion);
+  }
+  if (!response || response.status === 404) {
     return undefined;
   }
 

From cfec7d9b39363495c9d5ca77e1b489f41bb262d3 Mon Sep 17 00:00:00 2001
From: ihrpr <inna@anthropic.com>
Date: Tue, 1 Jul 2025 16:43:50 +0100
Subject: [PATCH 145/147] 1.13.3

---
 package-lock.json | 4 ++--
 package.json      | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 5f7cb0f55..16b90a3b7 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.13.2",
+  "version": "1.13.3",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@modelcontextprotocol/sdk",
-      "version": "1.13.2",
+      "version": "1.13.3",
       "license": "MIT",
       "dependencies": {
         "ajv": "^6.12.6",
diff --git a/package.json b/package.json
index 31bc3562c..e50619668 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.13.2",
+  "version": "1.13.3",
   "description": "Model Context Protocol implementation for TypeScript",
   "license": "MIT",
   "author": "Anthropic, PBC (https://anthropic.com)",

From e36695bf66d9f9de75d75b51bbdcd9d3dc1b89fe Mon Sep 17 00:00:00 2001
From: Glen Maddern <glen@cloudflare.com>
Date: Fri, 30 May 2025 09:56:43 +1000
Subject: [PATCH 146/147] Refactoring OAuthErrors

This makes it possible to parse them from JSON, using OAUTH_ERRORS

Invalidating credentials & retrying when server OAuth errors occur

Updated existing tests

Added some initial test coverage

refactored to avoid recursion as recommended
---
 src/client/auth.test.ts                       |  53 +++---
 src/client/auth.ts                            |  99 +++++++++-
 src/client/sse.test.ts                        | 173 ++++++++++++++++++
 src/client/streamableHttp.test.ts             | 158 ++++++++++++++++
 src/server/auth/errors.ts                     | 104 ++++++-----
 src/server/auth/middleware/bearerAuth.test.ts |   4 +-
 6 files changed, 508 insertions(+), 83 deletions(-)

diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
index 8155e1342..04c8bcffe 100644
--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -10,6 +10,7 @@ import {
   auth,
   type OAuthClientProvider,
 } from "./auth.js";
+import {ServerError} from "../server/auth/errors.js";
 
 // Mock fetch globally
 const mockFetch = jest.fn();
@@ -427,10 +428,7 @@ describe("OAuth Authorization", () => {
     });
 
     it("throws on non-404 errors", async () => {
-      mockFetch.mockResolvedValueOnce({
-        ok: false,
-        status: 500,
-      });
+      mockFetch.mockResolvedValueOnce(new Response(null, { status: 500 }));
 
       await expect(
         discoverOAuthMetadata("https://auth.example.com")
@@ -438,14 +436,15 @@ describe("OAuth Authorization", () => {
     });
 
     it("validates metadata schema", async () => {
-      mockFetch.mockResolvedValueOnce({
-        ok: true,
-        status: 200,
-        json: async () => ({
-          // Missing required fields
-          issuer: "https://auth.example.com",
-        }),
-      });
+      mockFetch.mockResolvedValueOnce(
+        Response.json(
+          {
+            // Missing required fields
+            issuer: "https://auth.example.com",
+          },
+          { status: 200 }
+        )
+      );
 
       await expect(
         discoverOAuthMetadata("https://auth.example.com")
@@ -666,10 +665,12 @@ describe("OAuth Authorization", () => {
     });
 
     it("throws on error response", async () => {
-      mockFetch.mockResolvedValueOnce({
-        ok: false,
-        status: 400,
-      });
+      mockFetch.mockResolvedValueOnce(
+        Response.json(
+          new ServerError("Token exchange failed").toResponseObject(),
+          { status: 400 }
+        )
+      );
 
       await expect(
         exchangeAuthorization("https://auth.example.com", {
@@ -769,10 +770,12 @@ describe("OAuth Authorization", () => {
     });
 
     it("throws on error response", async () => {
-      mockFetch.mockResolvedValueOnce({
-        ok: false,
-        status: 400,
-      });
+      mockFetch.mockResolvedValueOnce(
+        Response.json(
+          new ServerError("Token refresh failed").toResponseObject(),
+          { status: 400 }
+        )
+      );
 
       await expect(
         refreshAuthorization("https://auth.example.com", {
@@ -857,10 +860,12 @@ describe("OAuth Authorization", () => {
     });
 
     it("throws on error response", async () => {
-      mockFetch.mockResolvedValueOnce({
-        ok: false,
-        status: 400,
-      });
+      mockFetch.mockResolvedValueOnce(
+        Response.json(
+          new ServerError("Dynamic client registration failed").toResponseObject(),
+          { status: 400 }
+        )
+      );
 
       await expect(
         registerClient("https://auth.example.com", {
diff --git a/src/client/auth.ts b/src/client/auth.ts
index 71101a428..d03a65640 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -1,8 +1,24 @@
 import pkceChallenge from "pkce-challenge";
 import { LATEST_PROTOCOL_VERSION } from "../types.js";
-import type { OAuthClientMetadata, OAuthClientInformation, OAuthTokens, OAuthMetadata, OAuthClientInformationFull, OAuthProtectedResourceMetadata } from "../shared/auth.js";
+import {
+  OAuthClientMetadata,
+  OAuthClientInformation,
+  OAuthTokens,
+  OAuthMetadata,
+  OAuthClientInformationFull,
+  OAuthProtectedResourceMetadata,
+  OAuthErrorResponseSchema
+} from "../shared/auth.js";
 import { OAuthClientInformationFullSchema, OAuthMetadataSchema, OAuthProtectedResourceMetadataSchema, OAuthTokensSchema } from "../shared/auth.js";
 import { checkResourceAllowed, resourceUrlFromServerUrl } from "../shared/auth-utils.js";
+import {
+  InvalidClientError,
+  InvalidGrantError,
+  OAUTH_ERRORS,
+  OAuthError,
+  ServerError,
+  UnauthorizedClientError
+} from "../server/auth/errors.js";
 
 /**
  * Implements an end-to-end OAuth client to be used with one MCP server.
@@ -81,6 +97,13 @@ export interface OAuthClientProvider {
    * Implementations must verify the returned resource matches the MCP server.
    */
   validateResourceURL?(serverUrl: string | URL, resource?: string): Promise<URL | undefined>;
+
+  /**
+   * If implemented, provides a way for the client to invalidate (e.g. delete) the specified
+   * credentials, in the case where the server has indicated that they are no longer valid.
+   * This avoids requiring the user to intervene manually.
+   */
+  invalidateCredentials?(scope: 'all' | 'client' | 'tokens' | 'verifier'): void | Promise<void>;
 }
 
 export type AuthResult = "AUTHORIZED" | "REDIRECT";
@@ -91,6 +114,33 @@ export class UnauthorizedError extends Error {
   }
 }
 
+/**
+ * Parses an OAuth error response from a string or Response object.
+ *
+ * If the input is a standard OAuth2.0 error response, it will be parsed according to the spec
+ * and an instance of the appropriate OAuthError subclass will be returned.
+ * If parsing fails, it falls back to a generic ServerError that includes
+ * the response status (if available) and original content.
+ *
+ * @param input - A Response object or string containing the error response
+ * @returns A Promise that resolves to an OAuthError instance
+ */
+export async function parseErrorResponse(input: Response | string): Promise<OAuthError> {
+  const statusCode = input instanceof Response ? input.status : undefined;
+  const body = input instanceof Response ? await input.text() : input;
+
+  try {
+    const result = OAuthErrorResponseSchema.parse(JSON.parse(body));
+    const { error, error_description, error_uri } = result;
+    const errorClass = OAUTH_ERRORS[error] || ServerError;
+    return new errorClass(error_description || '', error_uri);
+  } catch (error) {
+    // Not a valid OAuth error response, but try to inform the user of the raw data anyway
+    const errorMessage = `${statusCode ? `HTTP ${statusCode}: ` : ''}Invalid OAuth error response: ${error}. Raw body: ${body}`;
+    return new ServerError(errorMessage);
+  }
+}
+
 /**
  * Orchestrates the full auth flow with a server.
  *
@@ -98,6 +148,31 @@ export class UnauthorizedError extends Error {
  * instead of linking together the other lower-level functions in this module.
  */
 export async function auth(
+  provider: OAuthClientProvider,
+  options: {
+    serverUrl: string | URL;
+    authorizationCode?: string;
+    scope?: string;
+    resourceMetadataUrl?: URL }): Promise<AuthResult> {
+
+  try {
+    return await authInternal(provider, options);
+  } catch (error) {
+    // Handle recoverable error types by invalidating credentials and retrying
+    if (error instanceof InvalidClientError || error instanceof UnauthorizedClientError) {
+      await provider.invalidateCredentials?.('all');
+      return await authInternal(provider, options);
+    } else if (error instanceof InvalidGrantError) {
+      await provider.invalidateCredentials?.('tokens');
+      return await authInternal(provider, options);
+    }
+
+    // Throw otherwise
+    throw error
+  }
+}
+
+async function authInternal(
   provider: OAuthClientProvider,
   { serverUrl,
     authorizationCode,
@@ -157,7 +232,7 @@ export async function auth(
     });
 
     await provider.saveTokens(tokens);
-    return "AUTHORIZED";
+    return "AUTHORIZED"
   }
 
   const tokens = await provider.tokens();
@@ -174,9 +249,15 @@ export async function auth(
       });
 
       await provider.saveTokens(newTokens);
-      return "AUTHORIZED";
-    } catch {
-      // Could not refresh OAuth tokens
+      return "AUTHORIZED"
+    } catch (error) {
+      // If this is a ServerError, or an unknown type, log it out and try to continue. Otherwise, escalate so we can fix things and retry.
+      if (!(error instanceof OAuthError) || error instanceof ServerError) {
+        // Could not refresh OAuth tokens
+      } else {
+        // Refresh failed for another reason, re-throw
+        throw error;
+      }
     }
   }
 
@@ -194,7 +275,7 @@ export async function auth(
 
   await provider.saveCodeVerifier(codeVerifier);
   await provider.redirectToAuthorization(authorizationUrl);
-  return "REDIRECT";
+  return "REDIRECT"
 }
 
 export async function selectResourceURL(serverUrl: string| URL, provider: OAuthClientProvider, resourceMetadata?: OAuthProtectedResourceMetadata): Promise<URL | undefined> {
@@ -523,7 +604,7 @@ export async function exchangeAuthorization(
   });
 
   if (!response.ok) {
-    throw new Error(`Token exchange failed: HTTP ${response.status}`);
+    throw await parseErrorResponse(response);
   }
 
   return OAuthTokensSchema.parse(await response.json());
@@ -587,7 +668,7 @@ export async function refreshAuthorization(
     body: params,
   });
   if (!response.ok) {
-    throw new Error(`Token refresh failed: HTTP ${response.status}`);
+    throw await parseErrorResponse(response);
   }
 
   return OAuthTokensSchema.parse({ refresh_token: refreshToken, ...(await response.json()) });
@@ -627,7 +708,7 @@ export async function registerClient(
   });
 
   if (!response.ok) {
-    throw new Error(`Dynamic client registration failed: HTTP ${response.status}`);
+    throw await parseErrorResponse(response);
   }
 
   return OAuthClientInformationFullSchema.parse(await response.json());
diff --git a/src/client/sse.test.ts b/src/client/sse.test.ts
index 3cb4e8a3c..f35d8072c 100644
--- a/src/client/sse.test.ts
+++ b/src/client/sse.test.ts
@@ -4,6 +4,7 @@ import { JSONRPCMessage } from "../types.js";
 import { SSEClientTransport } from "./sse.js";
 import { OAuthClientProvider, UnauthorizedError } from "./auth.js";
 import { OAuthTokens } from "../shared/auth.js";
+import { InvalidClientError, InvalidGrantError, UnauthorizedClientError } from "../server/auth/errors.js";
 
 describe("SSEClientTransport", () => {
   let resourceServer: Server;
@@ -331,6 +332,7 @@ describe("SSEClientTransport", () => {
         redirectToAuthorization: jest.fn(),
         saveCodeVerifier: jest.fn(),
         codeVerifier: jest.fn(),
+        invalidateCredentials: jest.fn(),
       };
     });
 
@@ -879,5 +881,176 @@ describe("SSEClientTransport", () => {
       await expect(() => transport.start()).rejects.toThrow(UnauthorizedError);
       expect(mockAuthProvider.redirectToAuthorization).toHaveBeenCalled();
     });
+
+    it("invalidates all credentials on InvalidClientError during token refresh", async () => {
+      // Mock tokens() to return token with refresh token
+      mockAuthProvider.tokens.mockResolvedValue({
+        access_token: "expired-token",
+        token_type: "Bearer",
+        refresh_token: "refresh-token"
+      });
+
+      let baseUrl = resourceBaseUrl;
+
+      // Create server that returns InvalidClientError on token refresh
+      const server = createServer((req, res) => {
+        lastServerRequest = req;
+
+        // Handle OAuth metadata discovery
+        if (req.url === "/.well-known/oauth-authorization-server" && req.method === "GET") {
+          res.writeHead(200, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({
+            issuer: baseUrl.href,
+            authorization_endpoint: `${baseUrl.href}authorize`,
+            token_endpoint: `${baseUrl.href}token`,
+            response_types_supported: ["code"],
+            code_challenge_methods_supported: ["S256"],
+          }));
+          return;
+        }
+
+        if (req.url === "/token" && req.method === "POST") {
+          // Handle token refresh request - return InvalidClientError
+          const error = new InvalidClientError("Client authentication failed");
+          res.writeHead(400, { 'Content-Type': 'application/json' })
+            .end(JSON.stringify(error.toResponseObject()));
+          return;
+        }
+
+        if (req.url !== "/") {
+          res.writeHead(404).end();
+          return;
+        }
+        res.writeHead(401).end();
+      });
+
+      await new Promise<void>(resolve => {
+        server.listen(0, "127.0.0.1", () => {
+          const addr = server.address() as AddressInfo;
+          baseUrl = new URL(`http://127.0.0.1:${addr.port}`);
+          resolve();
+        });
+      });
+
+      transport = new SSEClientTransport(baseUrl, {
+        authProvider: mockAuthProvider,
+      });
+
+      await expect(() => transport.start()).rejects.toThrow(InvalidClientError);
+      expect(mockAuthProvider.invalidateCredentials).toHaveBeenCalledWith('all');
+    });
+
+    it("invalidates all credentials on UnauthorizedClientError during token refresh", async () => {
+      // Mock tokens() to return token with refresh token
+      mockAuthProvider.tokens.mockResolvedValue({
+        access_token: "expired-token",
+        token_type: "Bearer",
+        refresh_token: "refresh-token"
+      });
+
+      let baseUrl = resourceBaseUrl;
+
+      const server = createServer((req, res) => {
+        lastServerRequest = req;
+
+        // Handle OAuth metadata discovery
+        if (req.url === "/.well-known/oauth-authorization-server" && req.method === "GET") {
+          res.writeHead(200, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({
+            issuer: baseUrl.href,
+            authorization_endpoint: `${baseUrl.href}authorize`,
+            token_endpoint: `${baseUrl.href}token`,
+            response_types_supported: ["code"],
+            code_challenge_methods_supported: ["S256"],
+          }));
+          return;
+        }
+
+        if (req.url === "/token" && req.method === "POST") {
+          // Handle token refresh request - return UnauthorizedClientError
+          const error = new UnauthorizedClientError("Client not authorized");
+          res.writeHead(400, { 'Content-Type': 'application/json' })
+            .end(JSON.stringify(error.toResponseObject()));
+          return;
+        }
+
+        if (req.url !== "/") {
+          res.writeHead(404).end();
+          return;
+        }
+        res.writeHead(401).end();
+      });
+
+      await new Promise<void>(resolve => {
+        server.listen(0, "127.0.0.1", () => {
+          const addr = server.address() as AddressInfo;
+          baseUrl = new URL(`http://127.0.0.1:${addr.port}`);
+          resolve();
+        });
+      });
+
+      transport = new SSEClientTransport(baseUrl, {
+        authProvider: mockAuthProvider,
+      });
+
+      await expect(() => transport.start()).rejects.toThrow(UnauthorizedClientError);
+      expect(mockAuthProvider.invalidateCredentials).toHaveBeenCalledWith('all');
+    });
+
+    it("invalidates tokens on InvalidGrantError during token refresh", async () => {
+      // Mock tokens() to return token with refresh token
+      mockAuthProvider.tokens.mockResolvedValue({
+        access_token: "expired-token",
+        token_type: "Bearer",
+        refresh_token: "refresh-token"
+      });
+      let baseUrl = resourceBaseUrl;
+
+      const server = createServer((req, res) => {
+        lastServerRequest = req;
+
+        // Handle OAuth metadata discovery
+        if (req.url === "/.well-known/oauth-authorization-server" && req.method === "GET") {
+          res.writeHead(200, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({
+            issuer: baseUrl.href,
+            authorization_endpoint: `${baseUrl.href}authorize`,
+            token_endpoint: `${baseUrl.href}token`,
+            response_types_supported: ["code"],
+            code_challenge_methods_supported: ["S256"],
+          }));
+          return;
+        }
+
+        if (req.url === "/token" && req.method === "POST") {
+          // Handle token refresh request - return InvalidGrantError
+          const error = new InvalidGrantError("Invalid refresh token");
+          res.writeHead(400, { 'Content-Type': 'application/json' })
+            .end(JSON.stringify(error.toResponseObject()));
+          return;
+        }
+
+        if (req.url !== "/") {
+          res.writeHead(404).end();
+          return;
+        }
+        res.writeHead(401).end();
+      });
+
+      await new Promise<void>(resolve => {
+        server.listen(0, "127.0.0.1", () => {
+          const addr = server.address() as AddressInfo;
+          baseUrl = new URL(`http://127.0.0.1:${addr.port}`);
+          resolve();
+        });
+      });
+
+      transport = new SSEClientTransport(baseUrl, {
+        authProvider: mockAuthProvider,
+      });
+
+      await expect(() => transport.start()).rejects.toThrow(InvalidGrantError);
+      expect(mockAuthProvider.invalidateCredentials).toHaveBeenCalledWith('tokens');
+    });
   });
 });
diff --git a/src/client/streamableHttp.test.ts b/src/client/streamableHttp.test.ts
index 11dfe7d41..18c0ffa62 100644
--- a/src/client/streamableHttp.test.ts
+++ b/src/client/streamableHttp.test.ts
@@ -1,6 +1,7 @@
 import { StreamableHTTPClientTransport, StreamableHTTPReconnectionOptions } from "./streamableHttp.js";
 import { OAuthClientProvider, UnauthorizedError } from "./auth.js";
 import { JSONRPCMessage } from "../types.js";
+import { InvalidClientError, InvalidGrantError, UnauthorizedClientError } from "../server/auth/errors.js";
 
 
 describe("StreamableHTTPClientTransport", () => {
@@ -17,6 +18,7 @@ describe("StreamableHTTPClientTransport", () => {
       redirectToAuthorization: jest.fn(),
       saveCodeVerifier: jest.fn(),
       codeVerifier: jest.fn(),
+      invalidateCredentials: jest.fn(),
     };
     transport = new StreamableHTTPClientTransport(new URL("http://localhost:1234/mcp"), { authProvider: mockAuthProvider });
     jest.spyOn(global, "fetch");
@@ -563,4 +565,160 @@ describe("StreamableHTTPClientTransport", () => {
     await expect(transport.send(message)).rejects.toThrow(UnauthorizedError);
     expect(mockAuthProvider.redirectToAuthorization.mock.calls).toHaveLength(1);
   });
+
+  it("invalidates all credentials on InvalidClientError during auth", async () => {
+    const message: JSONRPCMessage = {
+      jsonrpc: "2.0",
+      method: "test",
+      params: {},
+      id: "test-id"
+    };
+
+    mockAuthProvider.tokens.mockResolvedValue({
+      access_token: "test-token",
+      token_type: "Bearer",
+      refresh_token: "test-refresh"
+    });
+
+    const unauthedResponse = {
+      ok: false,
+      status: 401,
+      statusText: "Unauthorized",
+      headers: new Headers()
+    };
+    (global.fetch as jest.Mock)
+      // Initial connection
+      .mockResolvedValueOnce(unauthedResponse)
+      // Resource discovery
+      .mockResolvedValueOnce(unauthedResponse)
+      // OAuth metadata discovery
+      .mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        json: async () => ({
+          issuer: "http://localhost:1234",
+          authorization_endpoint: "http://localhost:1234/authorize",
+          token_endpoint: "http://localhost:1234/token",
+          response_types_supported: ["code"],
+          code_challenge_methods_supported: ["S256"],
+        }),
+      })
+      // Token refresh fails with InvalidClientError
+      .mockResolvedValueOnce(Response.json(
+        new InvalidClientError("Client authentication failed").toResponseObject(),
+        { status: 400 }
+      ))
+      // Fallback should fail to complete the flow
+      .mockResolvedValue({
+        ok: false,
+        status: 404
+      });
+
+    await expect(transport.send(message)).rejects.toThrow(UnauthorizedError);
+    expect(mockAuthProvider.invalidateCredentials).toHaveBeenCalledWith('all');
+  });
+
+  it("invalidates all credentials on UnauthorizedClientError during auth", async () => {
+    const message: JSONRPCMessage = {
+      jsonrpc: "2.0",
+      method: "test",
+      params: {},
+      id: "test-id"
+    };
+
+    mockAuthProvider.tokens.mockResolvedValue({
+      access_token: "test-token",
+      token_type: "Bearer",
+      refresh_token: "test-refresh"
+    });
+
+    const unauthedResponse = {
+      ok: false,
+      status: 401,
+      statusText: "Unauthorized",
+      headers: new Headers()
+    };
+    (global.fetch as jest.Mock)
+      // Initial connection
+      .mockResolvedValueOnce(unauthedResponse)
+      // Resource discovery
+      .mockResolvedValueOnce(unauthedResponse)
+      // OAuth metadata discovery
+      .mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        json: async () => ({
+          issuer: "http://localhost:1234",
+          authorization_endpoint: "http://localhost:1234/authorize",
+          token_endpoint: "http://localhost:1234/token",
+          response_types_supported: ["code"],
+          code_challenge_methods_supported: ["S256"],
+        }),
+      })
+      // Token refresh fails with UnauthorizedClientError
+      .mockResolvedValueOnce(Response.json(
+        new UnauthorizedClientError("Client not authorized").toResponseObject(),
+        { status: 400 }
+      ))
+      // Fallback should fail to complete the flow
+      .mockResolvedValue({
+        ok: false,
+        status: 404
+      });
+
+    await expect(transport.send(message)).rejects.toThrow(UnauthorizedError);
+    expect(mockAuthProvider.invalidateCredentials).toHaveBeenCalledWith('all');
+  });
+
+  it("invalidates tokens on InvalidGrantError during auth", async () => {
+    const message: JSONRPCMessage = {
+      jsonrpc: "2.0",
+      method: "test",
+      params: {},
+      id: "test-id"
+    };
+
+    mockAuthProvider.tokens.mockResolvedValue({
+      access_token: "test-token",
+      token_type: "Bearer",
+      refresh_token: "test-refresh"
+    });
+
+    const unauthedResponse = {
+      ok: false,
+      status: 401,
+      statusText: "Unauthorized",
+      headers: new Headers()
+    };
+    (global.fetch as jest.Mock)
+      // Initial connection
+      .mockResolvedValueOnce(unauthedResponse)
+      // Resource discovery
+      .mockResolvedValueOnce(unauthedResponse)
+      // OAuth metadata discovery
+      .mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        json: async () => ({
+          issuer: "http://localhost:1234",
+          authorization_endpoint: "http://localhost:1234/authorize",
+          token_endpoint: "http://localhost:1234/token",
+          response_types_supported: ["code"],
+          code_challenge_methods_supported: ["S256"],
+        }),
+      })
+      // Token refresh fails with InvalidGrantError
+      .mockResolvedValueOnce(Response.json(
+        new InvalidGrantError("Invalid refresh token").toResponseObject(),
+        { status: 400 }
+      ))
+      // Fallback should fail to complete the flow
+      .mockResolvedValue({
+        ok: false,
+        status: 404
+      });
+
+    await expect(transport.send(message)).rejects.toThrow(UnauthorizedError);
+    expect(mockAuthProvider.invalidateCredentials).toHaveBeenCalledWith('tokens');
+  });
 });
diff --git a/src/server/auth/errors.ts b/src/server/auth/errors.ts
index 428199ce8..791b3b86c 100644
--- a/src/server/auth/errors.ts
+++ b/src/server/auth/errors.ts
@@ -4,8 +4,9 @@ import { OAuthErrorResponse } from "../../shared/auth.js";
  * Base class for all OAuth errors
  */
 export class OAuthError extends Error {
+  static errorCode: string;
+
   constructor(
-    public readonly errorCode: string,
     message: string,
     public readonly errorUri?: string
   ) {
@@ -28,6 +29,10 @@ export class OAuthError extends Error {
 
     return response;
   }
+
+  get errorCode(): string {
+    return (this.constructor as typeof OAuthError).errorCode
+  }
 }
 
 /**
@@ -36,9 +41,7 @@ export class OAuthError extends Error {
  * or is otherwise malformed.
  */
 export class InvalidRequestError extends OAuthError {
-  constructor(message: string, errorUri?: string) {
-    super("invalid_request", message, errorUri);
-  }
+  static errorCode = "invalid_request";
 }
 
 /**
@@ -46,9 +49,7 @@ export class InvalidRequestError extends OAuthError {
  * authentication included, or unsupported authentication method).
  */
 export class InvalidClientError extends OAuthError {
-  constructor(message: string, errorUri?: string) {
-    super("invalid_client", message, errorUri);
-  }
+  static errorCode = "invalid_client";
 }
 
 /**
@@ -57,9 +58,7 @@ export class InvalidClientError extends OAuthError {
  * authorization request, or was issued to another client.
  */
 export class InvalidGrantError extends OAuthError {
-  constructor(message: string, errorUri?: string) {
-    super("invalid_grant", message, errorUri);
-  }
+  static errorCode = "invalid_grant";
 }
 
 /**
@@ -67,9 +66,7 @@ export class InvalidGrantError extends OAuthError {
  * this authorization grant type.
  */
 export class UnauthorizedClientError extends OAuthError {
-  constructor(message: string, errorUri?: string) {
-    super("unauthorized_client", message, errorUri);
-  }
+  static errorCode = "unauthorized_client";
 }
 
 /**
@@ -77,9 +74,7 @@ export class UnauthorizedClientError extends OAuthError {
  * by the authorization server.
  */
 export class UnsupportedGrantTypeError extends OAuthError {
-  constructor(message: string, errorUri?: string) {
-    super("unsupported_grant_type", message, errorUri);
-  }
+  static errorCode = "unsupported_grant_type";
 }
 
 /**
@@ -87,18 +82,14 @@ export class UnsupportedGrantTypeError extends OAuthError {
  * exceeds the scope granted by the resource owner.
  */
 export class InvalidScopeError extends OAuthError {
-  constructor(message: string, errorUri?: string) {
-    super("invalid_scope", message, errorUri);
-  }
+  static errorCode = "invalid_scope";
 }
 
 /**
  * Access denied error - The resource owner or authorization server denied the request.
  */
 export class AccessDeniedError extends OAuthError {
-  constructor(message: string, errorUri?: string) {
-    super("access_denied", message, errorUri);
-  }
+  static errorCode = "access_denied";
 }
 
 /**
@@ -106,9 +97,7 @@ export class AccessDeniedError extends OAuthError {
  * that prevented it from fulfilling the request.
  */
 export class ServerError extends OAuthError {
-  constructor(message: string, errorUri?: string) {
-    super("server_error", message, errorUri);
-  }
+  static errorCode = "server_error";
 }
 
 /**
@@ -116,9 +105,7 @@ export class ServerError extends OAuthError {
  * handle the request due to a temporary overloading or maintenance of the server.
  */
 export class TemporarilyUnavailableError extends OAuthError {
-  constructor(message: string, errorUri?: string) {
-    super("temporarily_unavailable", message, errorUri);
-  }
+  static errorCode = "temporarily_unavailable";
 }
 
 /**
@@ -126,9 +113,7 @@ export class TemporarilyUnavailableError extends OAuthError {
  * obtaining an authorization code using this method.
  */
 export class UnsupportedResponseTypeError extends OAuthError {
-  constructor(message: string, errorUri?: string) {
-    super("unsupported_response_type", message, errorUri);
-  }
+  static errorCode = "unsupported_response_type";
 }
 
 /**
@@ -136,9 +121,7 @@ export class UnsupportedResponseTypeError extends OAuthError {
  * the requested token type.
  */
 export class UnsupportedTokenTypeError extends OAuthError {
-  constructor(message: string, errorUri?: string) {
-    super("unsupported_token_type", message, errorUri);
-  }
+  static errorCode = "unsupported_token_type";
 }
 
 /**
@@ -146,9 +129,7 @@ export class UnsupportedTokenTypeError extends OAuthError {
  * or invalid for other reasons.
  */
 export class InvalidTokenError extends OAuthError {
-  constructor(message: string, errorUri?: string) {
-    super("invalid_token", message, errorUri);
-  }
+  static errorCode = "invalid_token";
 }
 
 /**
@@ -156,9 +137,7 @@ export class InvalidTokenError extends OAuthError {
  * (Custom, non-standard error)
  */
 export class MethodNotAllowedError extends OAuthError {
-  constructor(message: string, errorUri?: string) {
-    super("method_not_allowed", message, errorUri);
-  }
+  static errorCode = "method_not_allowed";
 }
 
 /**
@@ -166,9 +145,7 @@ export class MethodNotAllowedError extends OAuthError {
  * (Custom, non-standard error based on RFC 6585)
  */
 export class TooManyRequestsError extends OAuthError {
-  constructor(message: string, errorUri?: string) {
-    super("too_many_requests", message, errorUri);
-  }
+  static errorCode = "too_many_requests";
 }
 
 /**
@@ -176,16 +153,47 @@ export class TooManyRequestsError extends OAuthError {
  * (Custom error for dynamic client registration - RFC 7591)
  */
 export class InvalidClientMetadataError extends OAuthError {
-  constructor(message: string, errorUri?: string) {
-    super("invalid_client_metadata", message, errorUri);
-  }
+  static errorCode = "invalid_client_metadata";
 }
 
 /**
  * Insufficient scope error - The request requires higher privileges than provided by the access token.
  */
 export class InsufficientScopeError extends OAuthError {
-  constructor(message: string, errorUri?: string) {
-    super("insufficient_scope", message, errorUri);
+  static errorCode = "insufficient_scope";
+}
+
+/**
+ * A utility class for defining one-off error codes
+ */
+export class CustomOAuthError extends OAuthError {
+  constructor(private readonly customErrorCode: string, message: string, errorUri?: string) {
+    super(message, errorUri);
+  }
+
+  get errorCode(): string {
+    return this.customErrorCode;
   }
 }
+
+/**
+ * A full list of all OAuthErrors, enabling parsing from error responses
+ */
+export const OAUTH_ERRORS = {
+  [InvalidRequestError.errorCode]: InvalidRequestError,
+  [InvalidClientError.errorCode]: InvalidClientError,
+  [InvalidGrantError.errorCode]: InvalidGrantError,
+  [UnauthorizedClientError.errorCode]: UnauthorizedClientError,
+  [UnsupportedGrantTypeError.errorCode]: UnsupportedGrantTypeError,
+  [InvalidScopeError.errorCode]: InvalidScopeError,
+  [AccessDeniedError.errorCode]: AccessDeniedError,
+  [ServerError.errorCode]: ServerError,
+  [TemporarilyUnavailableError.errorCode]: TemporarilyUnavailableError,
+  [UnsupportedResponseTypeError.errorCode]: UnsupportedResponseTypeError,
+  [UnsupportedTokenTypeError.errorCode]: UnsupportedTokenTypeError,
+  [InvalidTokenError.errorCode]: InvalidTokenError,
+  [MethodNotAllowedError.errorCode]: MethodNotAllowedError,
+  [TooManyRequestsError.errorCode]: TooManyRequestsError,
+  [InvalidClientMetadataError.errorCode]: InvalidClientMetadataError,
+  [InsufficientScopeError.errorCode]: InsufficientScopeError,
+} as const;
diff --git a/src/server/auth/middleware/bearerAuth.test.ts b/src/server/auth/middleware/bearerAuth.test.ts
index b8953e5c9..4e5e1429d 100644
--- a/src/server/auth/middleware/bearerAuth.test.ts
+++ b/src/server/auth/middleware/bearerAuth.test.ts
@@ -1,7 +1,7 @@
 import { Request, Response } from "express";
 import { requireBearerAuth } from "./bearerAuth.js";
 import { AuthInfo } from "../types.js";
-import { InsufficientScopeError, InvalidTokenError, OAuthError, ServerError } from "../errors.js";
+import { InsufficientScopeError, InvalidTokenError, CustomOAuthError, ServerError } from "../errors.js";
 import { OAuthTokenVerifier } from "../provider.js";
 
 // Mock verifier
@@ -268,7 +268,7 @@ describe("requireBearerAuth middleware", () => {
       authorization: "Bearer valid-token",
     };
 
-    mockVerifyAccessToken.mockRejectedValue(new OAuthError("custom_error", "Some OAuth error"));
+    mockVerifyAccessToken.mockRejectedValue(new CustomOAuthError("custom_error", "Some OAuth error"));
 
     const middleware = requireBearerAuth({ verifier: mockVerifier });
     await middleware(mockRequest as Request, mockResponse as Response, nextFunction);

From 877f4bfb3e36c4df071171ee9185e220715c451b Mon Sep 17 00:00:00 2001
From: Glen Maddern <glen@cloudflare.com>
Date: Fri, 30 May 2025 13:27:17 +1000
Subject: [PATCH 147/147] Trying pkg.pr.new

---
 .github/workflows/publish.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 .github/workflows/publish.yml

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 000000000..e69efd02a
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,23 @@
+name: Publish Any Commit
+on:
+  pull_request:
+  push:
+    branches:
+      - '**'
+    tags:
+      - '!**'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 18
+          cache: npm
+
+      - run: npm ci
+      - run: npm run build
+      - run: npx pkg-pr-new publish