Skip to content

docs(mcp): OAuth 2.1 step-up authorization and docs restructure (ENG-9125) #260

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
asoorm wants to merge 1 commit into
base: main
Choose a base branch
from
Open

docs(mcp): OAuth 2.1 step-up authorization and docs restructure (ENG-9125) #260

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 12 additions & 1 deletion docs/docs.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,7 +98,18 @@
"router/configuration/template-expressions"
]
},
"router/mcp",
{
"group": "MCP Gateway",
"icon": "robot",
"pages": [
"router/mcp",
"router/mcp/quickstart",
"router/mcp/operations",
"router/mcp/configuration",
"router/mcp/oauth",
"router/mcp/ide-setup"
]
},
{
"group": "Custom Modules",
"icon": "cubes",
Expand Down
433 changes: 57 additions & 376 deletions docs/router/mcp.mdx
View file
Open in desktop

Large diffs are not rendered by default.

132 changes: 132 additions & 0 deletions docs/router/mcp/configuration.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,132 @@
---
title: "Configuration"
description: "Complete reference for all MCP Gateway configuration options, including session handling, storage providers, and environment variables."
icon: "sliders-up"
---

## Basic Configuration

To enable MCP in your Cosmo Router, add the following to your `config.yaml`:

```yaml
mcp:
enabled: true
server:
listen_addr: "localhost:5025"
graph_name: "my-graph"
exclude_mutations: true
storage:
provider_id: "mcp"

storage_providers:
file_system:
- id: "mcp"
path: "operations"
```

## Configuration Options

| Option | Description | Default |
| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
| `enabled` | Enable or disable the MCP server | `false` |
| `server.listen_addr` | The address and port where the MCP server will listen for requests | `localhost:5025` |
| `server.base_url` | The public base URL of the MCP server. **Required when OAuth is enabled.** Used for the RFC 9728 metadata endpoint and `resource_metadata` in `WWW-Authenticate` headers. Set this to your externally-reachable URL when behind a reverse proxy or load balancer. | - |
| `router_url` | Custom URL to use for the router GraphQL endpoint in MCP responses. Use this when your router is behind a proxy. | - |
| `storage.provider_id` | The ID of a storage provider to use for loading GraphQL operations. Only `file_system` providers are supported. | - |
| `session.stateless` | Whether the MCP server should operate in stateless mode. When `true`, no server-side session state is maintained between requests. | `true` |
| `graph_name` | The name of the graph this router exposes via MCP. Converted to kebab-case and used to build the MCP server name (`wundergraph-cosmo-<kebab-case-name>`) and for logging; it does not select a different graph. For example, `MyGraph` becomes `wundergraph-cosmo-my-graph`. | `mygraph` |
| `exclude_mutations` | Whether to exclude mutation operations from being exposed | `false` |
| `enable_arbitrary_operations` | Enables the `execute_graphql` built-in tool, allowing clients to run arbitrary GraphQL operations beyond the pre-defined operation set. | `false` |
| `expose_schema` | Enables the `get_schema` built-in tool, exposing the full GraphQL schema to MCP clients. | `false` |
| `omit_tool_name_prefix` | When enabled, MCP tool names omit the `execute_operation_` prefix. For example, `GetUser` becomes `get_user` instead of `execute_operation_get_user`. See [Operations — Omitting the Tool Name Prefix](/router/mcp/operations#omitting-the-tool-name-prefix). | `false` |

For OAuth-specific configuration, see [OAuth 2.1 Authorization](/router/mcp/oauth).

## Environment Variables

All MCP options can also be set via environment variables:

| Environment Variable | Configuration Path |
| -------------------------------- | ------------------------------------ |
| `MCP_ENABLED` | `mcp.enabled` |
| `MCP_SERVER_LISTEN_ADDR` | `mcp.server.listen_addr` |
| `MCP_SERVER_BASE_URL` | `mcp.server.base_url` |
| `MCP_ROUTER_URL` | `mcp.router_url` |
| `MCP_STORAGE_PROVIDER_ID` | `mcp.storage.provider_id` |
| `MCP_SESSION_STATELESS` | `mcp.session.stateless` |
| `MCP_GRAPH_NAME` | `mcp.graph_name` |
| `MCP_EXCLUDE_MUTATIONS` | `mcp.exclude_mutations` |
| `MCP_ENABLE_ARBITRARY_OPERATIONS`| `mcp.enable_arbitrary_operations` |
| `MCP_EXPOSE_SCHEMA` | `mcp.expose_schema` |
| `MCP_OMIT_TOOL_NAME_PREFIX` | `mcp.omit_tool_name_prefix` |

When OAuth is enabled, the following additional environment variables are available:

| Environment Variable | Configuration Path |
| ------------------------------------------------- | --------------------------------------------------- |
| `MCP_OAUTH_ENABLED` | `mcp.oauth.enabled` |
| `MCP_OAUTH_AUTHORIZATION_SERVER_URL` | `mcp.oauth.authorization_server_url` |
| `MCP_OAUTH_SCOPE_CHALLENGE_INCLUDE_TOKEN_SCOPES` | `mcp.oauth.scope_challenge_include_token_scopes` |

## Storage Providers

MCP loads operations from a configured file system storage provider. This allows you to centralize the configuration of operation sources:

```yaml
storage_providers:
file_system:
- id: "mcp"
path: "operations" # Relative to the router binary
```

Then reference this storage provider in your MCP configuration:

```yaml
mcp:
storage:
provider_id: "mcp"
```

A storage provider **must** be specified to load GraphQL operations. See [Storage Providers](/router/storage-providers) for more details on configuring storage providers.

## Session Handling

The MCP server uses the Streamable HTTP transport and maintains per-session state via the `Mcp-Session-Id` header. When deploying multiple Router instances, you need **sticky sessions** to ensure all requests for a session reach the same instance.

To configure sticky sessions:

1. The Router returns a unique `Mcp-Session-Id` response header when a session is established
2. Clients must include that value in subsequent requests as the `Mcp-Session-Id` request header
3. Your load balancer or reverse proxy must route requests with the same `Mcp-Session-Id` to the same instance

For details, see your load balancer or reverse proxy documentation (e.g., [F5 NGINX Plus — MCP Session Affinity](https://community.f5.com/kb/technicalarticles/mcp-session-affinity-with-f5-nginx-plus/341961)).

<Info>
The `session.stateless` configuration option is reserved for future use. Currently, the MCP server always operates in stateful mode regardless of this setting.
</Info>

## CORS

The MCP server automatically configures CORS to allow cross-origin requests from MCP clients. It sets `Access-Control-Allow-Origin: *` and allows the required MCP headers (`Mcp-Protocol-Version`, `Mcp-Session-Id`, `Authorization`, `Last-Event-ID`). The `Mcp-Session-Id` and `WWW-Authenticate` headers are exposed in responses. If you have additional CORS headers configured on the router, they are merged with the MCP-specific headers.

## Full Configuration Example

```yaml
mcp:
enabled: true
server:
listen_addr: "localhost:5025"
router_url: "https://your-public-router-url.example.com/graphql"
graph_name: "my-graph"
exclude_mutations: true
enable_arbitrary_operations: false
expose_schema: false
omit_tool_name_prefix: false
storage:
provider_id: "mcp"

storage_providers:
file_system:
- id: "mcp"
path: "operations"
```
134 changes: 134 additions & 0 deletions docs/router/mcp/ide-setup.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,134 @@
---
title: "IDE & AI Tool Setup"
description: "Connect Claude Desktop, Cursor, Windsurf, VS Code, and other AI tools to your MCP Gateway. Includes header forwarding for authentication and tracing."
icon: "display-code"
---

This guide covers how to connect popular AI tools to your Cosmo Router MCP server and configure header forwarding for authentication, tracing, and custom headers.

## Header Forwarding

<Info>
Available since Router [0.260.0](https://github.com/wundergraph/cosmo/releases/tag/router%400.260.0)
</Info>

The MCP server forwards **all headers** from MCP clients to the Router, including authorization headers, custom headers, and tracing headers. This allows you to:

- Leverage all authentication and authorization capabilities of your Cosmo Router
- Pass custom headers for tracing, debugging, or application-specific purposes
- Maintain consistent security and observability across all API consumers

<Info>
All headers sent by MCP clients are forwarded through the complete chain: MCP Client → MCP Server → Router → Subgraphs. The router's [header forwarding rules](/router/proxy-capabilities/subgraph-request-header-operations) determine what ultimately reaches your subgraphs.
</Info>

## IDE Setup Guides

### Cursor

<Note>Requires Cursor v0.48.0+ for Streamable HTTP support.</Note>

Go to **Settings** > **Tools & Integrations** > **MCP Servers** and add the following to the `mcp.json` file:

```json
{
"mcpServers": {
"my-graph": {
"url": "http://localhost:5025/mcp",
"headers": {
"Authorization": "Bearer YOUR_API_KEY",
"X-Trace-Id": "cursor-session-123",
"X-Client": "cursor"
}
}
}
}
```

All `headers` fields are optional — include only what your setup requires.

### Claude Desktop

Requires the latest version of Claude Desktop. Go to **Settings** > **Developer** and click on **Edit Config**. Add the following to the `claude_desktop_config.json` file:

```json
{
"mcpServers": {
"my-graph": {
"command": "npx",
"args": ["-y", "mcp-remote", "http://localhost:5025/mcp"]
}
}
}
```

After saving, **restart Claude Desktop** for changes to take effect.
Comment on lines +50 to +65
Copy link
Copy Markdown
Contributor

@Noroth Noroth Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude code is very important nowadays. We could include it as well


### Windsurf

Windsurf supports Streamable HTTP servers with a `serverUrl` field:

```json
{
"mcpServers": {
"my-graph": {
"serverUrl": "http://localhost:5025/mcp",
"headers": {
"Authorization": "Bearer YOUR_API_KEY",
"X-Trace-Id": "windsurf-session-456",
"X-Client": "windsurf"
}
}
}
}
```

### VS Code

Click **View** > **Command Palette** > **MCP: Add Server** and use the URL `http://localhost:5025/mcp` to complete the configuration.

For more information, see the [VS Code MCP Servers documentation](https://code.visualstudio.com/docs/copilot/chat/mcp-servers).

### Other MCP-compatible Tools

Other tools and AI models that support the MCP protocol typically provide similar ways to configure the server URL and authentication headers. Check the documentation for your specific AI tool for the exact configuration syntax.

## Common Header Patterns

### Authentication & Authorization

Pass authorization tokens to secure your GraphQL operations:

```json
{
"headers": {
"Authorization": "Bearer YOUR_API_KEY"
}
}
```

### Tracing

Include trace IDs for request correlation and debugging:

```json
{
"headers": {
"X-Trace-Id": "trace-123",
"X-Request-Id": "req-456"
}
}
```

### Custom Headers

Pass application-specific headers for business logic:

```json
{
"headers": {
"X-Tenant-Id": "tenant-abc",
"X-Feature-Flag": "new-feature-enabled"
}
}
```
Loading