Fix MCP OAuth callback URL leaking instance name#28183
Conversation
Add documentation for the new callbackPath parameter in addMcpServer() that allows custom OAuth callback URL paths. This is required when sendIdentityOnConnect is false to prevent instance name leakage. Changes: - Add callbackPath parameter to addMcpServer() API reference - Add security section explaining when and why callbackPath is required - Include example showing how to route custom callback paths with getAgentByName - Note that callback matching uses state parameter, not URL path Relates to cloudflare/agents#868 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:
|
|
/bonk review/fix |
Co-authored-by: elithrar <elithrar@users.noreply.github.com>
Review SummaryThe PR documents the new Fixes Applied
Items That Look Correct
|
|
Preview URL: https://57ac3f18.preview.developers.cloudflare.com Files with changes (up to 15) |
Summary
Document the new
callbackPathoption foraddMcpServer()that prevents instance name leakage in MCP OAuth callback URLs when usingsendIdentityOnConnect: false.Changes
callbackPathparameter toaddMcpServer()API referencecallbackPathis required whensendIdentityOnConnectisfalsestateparameter, not URL path matchingContext
This documentation sync corresponds to cloudflare/agents#868, which fixes a security issue where the default OAuth callback URL exposed sensitive instance names even when developers opted out of identity disclosure via
sendIdentityOnConnect: false.The new
callbackPathparameter allows developers to specify a custom callback path that does not include the instance name, and route it to the correct agent instance usinggetAgentByName().Test plan
🤖 Generated with Claude Code