Default port for the loopback callback server: in the registered range, below every OS ephemeral
range (Linux 32768+, Windows/macOS 49152+) so a fixed bind is not stolen by a transient connection,
and clear of well-known service/dev ports. Override via MCP_OAUTH_CALLBACK_PORT_ENV.
Static-clientId providers must register http://127.0.0.1:<port>/mcp/oauth/callback exactly.
Default port for the loopback callback server: in the registered range, below every OS ephemeral range (Linux 32768+, Windows/macOS 49152+) so a fixed bind is not stolen by a transient connection, and clear of well-known service/dev ports. Override via MCP_OAUTH_CALLBACK_PORT_ENV. Static-
clientIdproviders must registerhttp://127.0.0.1:<port>/mcp/oauth/callbackexactly.