Protected ReadonlyaccountProtectedactiveProtected ReadonlycallbackProtected ReadonlycallbackProtectedcodeProtected ReadonlyconfigProtected ReadonlycredentialProtected ReadonlyfrontendProtected ReadonlyinteractiveProtected ReadonlykeyProtected ReadonlyserverProtected ReadonlystateThe URL to redirect the user agent to after authorization. Return undefined for non-interactive flows that don't require user interaction (e.g., client_credentials, jwt-bearer).
ProtectedaccountAborts this provider's OAuth flow: marks inactive and cancels the callback-service state, releasing any in-flight waitForAuthorization await and recording a cancellation message for a late-arriving browser callback.
Optionalmessage: stringLoads information about this OAuth client, as registered already with the
server, or returns undefined if the client is not registered with the
server.
Loads the PKCE code verifier for the current session, necessary to validate the authorization result.
ProtecteddeleteReturns previously saved discovery state, or undefined if none is cached.
When available, auth restores the discovery state (authorization server URL, resource metadata, etc.) instead of performing RFC 9728 discovery, reducing latency on subsequent calls.
Providers should clear cached discovery state on repeated authentication failures
(via invalidateCredentials with scope 'discovery' or 'all') to allow
re-discovery in case the authorization server has changed.
If implemented, provides a way for the client to invalidate (e.g. delete) the specified credentials, in the case where the server has indicated that they are no longer valid. This avoids requiring the user to intervene manually.
Marks the provider inactive (rejects further redirectToAuthorization calls) and drops the
in-memory PKCE verifier. Use cancel for the full cleanup that also aborts a pending
callback await.
ProtectedpublicProtectedreadProtectedreadInvoked to redirect the user agent to the given URL to begin the authorization flow.
If implemented, this permits the OAuth client to dynamically register with
the server. Client information saved this way should later be read via
clientInformation().
This method is not required to be implemented if client information is statically known (e.g., pre-registered).
Saves a PKCE code verifier for the current session, before redirecting to the authorization flow.
Saves the OAuth discovery state after RFC 9728 and authorization server metadata discovery. Providers can persist this state to avoid redundant discovery requests on subsequent auth calls.
This state can also be provided out-of-band (e.g., from a previous session or external configuration) to bootstrap the OAuth flow without discovery.
Called by auth after successful discovery.
Stores new OAuth tokens for the current session, after a successful authorization.
Returns a OAuth2 state parameter.
Loads any existing OAuth tokens for the current session, or returns
undefined if there are no saved tokens.
If defined, overrides the selection and validation of the RFC 8707 Resource Indicator. If left undefined, default validation behavior will be used.
Implementations must verify the returned resource matches the MCP server.
Optionalresource: stringProtectedwrite
Metadata about this OAuth client.