Module: Mcp

Defined in:
app/controllers/mcp/landing_controller.rb,
app/controllers/mcp/sessions_controller.rb,
app/controllers/mcp/oauth_metadata_controller.rb,
app/controllers/mcp/dynamic_registration_controller.rb

Overview

RFC 7591 — OAuth 2.0 Dynamic Client Registration Protocol.

Lets MCP clients (Claude Code, Claude Desktop, Cursor, etc.) self-register a
Doorkeeper::Application without an admin manually creating one in the rails
console. Without this endpoint, every new dev/seat needs the OAuth flow run
manually via /mcp in Claude Code.

Spec: https://datatracker.ietf.org/doc/html/rfc7591

Surface:

    POST /oauth/register
    Content-Type: application/json
    { "redirect_uris": ["http://localhost:33418/callback"], ... }

    201 Created
    { "client_id": "...", "client_secret": "...", "redirect_uris": [...], ... }

Open registration is allowed (no initial access token required) so the
auto-flow works on first connect. Created applications are still gated by
the Doorkeeper consent screen + mcp_access role on the resource owner, so
a registered client can't do anything until a real employee authorizes it.

Abuse mitigation is deferred to Rack::Attack on /oauth/register.
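
Because registration is open, redirect_uris arrives from an unauthenticated caller. The following is an added example, not code from this module: a hypothetical RegistrationRequestCheck that validates the request body before an application would be created and answers with the error codes RFC 7591 defines. The scheme policy (https, or http only on loopback hosts) and the limit of five URIs are assumptions.

```ruby
require "json"
require "uri"

# Hypothetical helper, not part of the Mcp module: checks an RFC 7591
# registration body before any Doorkeeper::Application would be created.
module RegistrationRequestCheck
  LOOPBACK_HOSTS = %w[localhost 127.0.0.1 [::1]].freeze # assumed policy
  MAX_REDIRECT_URIS = 5                                  # assumed limit

  # raw_body is the request body as a String.
  # Returns [status, body_hash]; error codes are the ones RFC 7591 defines.
  def self.call(raw_body)
    params = JSON.parse(raw_body)
    unless params.is_a?(Hash)
      return error("invalid_client_metadata", "body must be a JSON object")
    end

    uris = params["redirect_uris"]
    unless uris.is_a?(Array) && !uris.empty? && uris.size <= MAX_REDIRECT_URIS
      return error("invalid_redirect_uri", "expected 1 to #{MAX_REDIRECT_URIS} redirect_uris")
    end

    bad = uris.reject { |u| acceptable_redirect?(u) }
    return error("invalid_redirect_uri", "#{bad.size} URI(s) rejected") unless bad.empty?

    [201, { "redirect_uris" => uris }]
  rescue JSON::ParserError
    error("invalid_client_metadata", "body is not valid JSON")
  end

  # Absolute URI, no fragment, no userinfo; https anywhere, http on loopback only.
  def self.acceptable_redirect?(value)
    return false unless value.is_a?(String)

    uri = URI.parse(value)
    return false if uri.host.nil? || uri.fragment || uri.userinfo
    return true if uri.scheme == "https"

    uri.scheme == "http" && LOOPBACK_HOSTS.include?(uri.host.downcase)
  rescue URI::InvalidURIError
    false
  end

  def self.error(code, description)
    [400, { "error" => code, "error_description" => description }]
  end
end
```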

Defined Under Namespace

Modules: DiscoveryMetadata

Classes: DynamicRegistrationController, LandingController, OauthMetadataController, SessionsController