Skip to content

Fix MCP OAuth callback URL leaking instance name#28183

Merged
elithrar merged 2 commits into
productionfrom
sync-docs-pr-868
Feb 8, 2026
Merged

Fix MCP OAuth callback URL leaking instance name#28183
elithrar merged 2 commits into
productionfrom
sync-docs-pr-868

Conversation

@agents-git-bot

@agents-git-bot agents-git-bot Bot commented Feb 8, 2026

Copy link
Copy Markdown
Contributor

Summary

Document the new callbackPath option for addMcpServer() that prevents instance name leakage in MCP OAuth callback URLs when using sendIdentityOnConnect: false.

Changes

  • Add callbackPath parameter to addMcpServer() API reference
  • Document security requirement: callbackPath is required when sendIdentityOnConnect is false
  • Add dedicated security section with example showing how to route custom callback paths
  • Explain that callback matching uses the state parameter, not URL path matching

Context

This documentation sync corresponds to cloudflare/agents#868, which fixes a security issue where the default OAuth callback URL exposed sensitive instance names even when developers opted out of identity disclosure via sendIdentityOnConnect: false.

The new callbackPath parameter allows developers to specify a custom callback path that does not include the instance name, and route it to the correct agent instance using getAgentByName().

Test plan

  • Review documentation for accuracy and clarity
  • Verify examples follow Cloudflare docs style guide
  • Confirm TypeScript examples are properly formatted
  • Check links and cross-references

🤖 Generated with Claude Code

Add documentation for the new callbackPath parameter in addMcpServer() that allows custom OAuth callback URL paths. This is required when sendIdentityOnConnect is false to prevent instance name leakage.

Changes:
- Add callbackPath parameter to addMcpServer() API reference
- Add security section explaining when and why callbackPath is required
- Include example showing how to route custom callback paths with getAgentByName
- Note that callback matching uses state parameter, not URL path

Relates to cloudflare/agents#868

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@agents-git-bot
agents-git-bot Bot requested a review from a team February 8, 2026 15:40
@agents-git-bot
agents-git-bot Bot requested a review from a team as a code owner February 8, 2026 15:40
@github-actions github-actions Bot added product:agents Build and deploy AI-powered Agents on Cloudflare that can act autonomously. size/s labels Feb 8, 2026
@github-actions

github-actions Bot commented Feb 8, 2026

Copy link
Copy Markdown
Contributor

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern Owners
/src/content/docs/agents/ @irvinebroque, @rita3ko, @elithrar, @thomasgauvin, @threepointone, @whoiskatrin, @cloudflare/pcx-technical-writing, @cloudflare/ai-agents, @cloudflare/dev-plat-leads

@elithrar

elithrar commented Feb 8, 2026

Copy link
Copy Markdown
Collaborator

/bonk review/fix

Co-authored-by: elithrar <elithrar@users.noreply.github.com>
@ask-bonk

ask-bonk Bot commented Feb 8, 2026

Copy link
Copy Markdown
Contributor

Review Summary

The PR documents the new callbackPath option for addMcpServer() that prevents MCP OAuth callback URLs from leaking sensitive instance names. The content and structure are good. I found and fixed two issues in the code example:

Fixes Applied

  1. Missing export on SecureAgent class (mcp-client-api.mdx:202): Agent classes must be exported as named exports to work as Durable Object bindings. Changed class SecureAgent to export class SecureAgent, consistent with the pattern used in webhooks.mdx, cross-domain-authentication.mdx, and other docs showing full module examples.

  2. Missing await on routeAgentRequest (mcp-client-api.mdx:239): routeAgentRequest() returns Promise<Response>, so without await the || fallback would never trigger (a Promise object is always truthy). Changed to (await routeAgentRequest(request, env)) ?? which is the correct pattern used throughout the routing docs (routing.mdx, webhooks.mdx, quick-start.mdx).

Items That Look Correct

  • getAgentByName(env.SecureAgent, instanceName) — correct signature matching all other docs usage
  • await on getAgentByName — correctly present
  • getInstanceNameFromSession — clearly marked as a placeholder with an explanatory comment
  • Agent import — correctly included in the import statement
  • API reference additions (callbackPath parameter, updated agentsPrefix description) — accurate and well-written
  • The :::note[How callback matching works] admonition — helpful context about state parameter-based matching

github run

@github-actions

github-actions Bot commented Feb 8, 2026

Copy link
Copy Markdown
Contributor

@elithrar
elithrar merged commit 7a51e65 into production Feb 8, 2026
9 checks passed
@elithrar
elithrar deleted the sync-docs-pr-868 branch February 8, 2026 17:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

product:agents Build and deploy AI-powered Agents on Cloudflare that can act autonomously. size/s

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants