GET /api/mcp/oauth/callback

MCP OAuth Callback

OAuth redirect callback endpoint for MCP server authentication. Receives the authorization code from the OAuth provider after the user authenticates in a browser popup.

Overview

OAuth callback endpoint that receives the authorization code from an OAuth provider (GitHub, Notion, etc.) after the user authenticates in a browser popup. This endpoint is auth-exempt because it’s the redirect target for the OAuth provider.

The flow works as follows:

  1. Mudabbir opens a browser popup with the OAuth provider’s authorization URL
  2. The user authenticates and grants permissions
  3. The OAuth provider redirects back to this endpoint with code and state parameters
  4. Mudabbir resolves the pending OAuth flow and completes the MCP server connection

Query Parameters

code (string)
  Authorization code from the OAuth provider

state (string)
  OAuth state parameter for CSRF protection and flow matching

Response

Returns an HTML page. On success, the page auto-closes the browser popup tab.

GET /api/mcp/oauth/callback?code=abc123&state=xyz789

This endpoint is not called directly — it’s the redirect target configured in the OAuth flow.

Success:

<html><body>
<h3>Authenticated! You can close this tab.</h3>
<script>window.close()</script>
</body></html>

Flow expired or not found:

<html><body>
<h3>OAuth flow expired or not found.</h3>
</body></html>

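
Because the endpoint is auth-exempt, the state parameter is the only thing tying a callback to a flow Mudabbir actually started. The sketch below is an added example, not Mudabbir's own code: `PendingFlows`, `start`, `handle_callback` and the 300-second lifetime are assumptions, and the two HTML pages are the ones shown above.

```python
import secrets
import time

FLOW_TTL_SECONDS = 300  # assumed lifetime; the page does not state one

# Fixed pages taken from this page's responses. Nothing from the query
# string is echoed into the HTML, so the callback cannot reflect input.
OK_PAGE = ("<html><body>\n<h3>Authenticated! You can close this tab.</h3>\n"
           "<script>window.close()</script>\n</body></html>")
EXPIRED_PAGE = ("<html><body>\n<h3>OAuth flow expired or not found.</h3>\n"
                "</body></html>")


class PendingFlows:
    """In-memory registry of OAuth flows awaiting their callback (hypothetical)."""

    def __init__(self, ttl=FLOW_TTL_SECONDS, clock=time.monotonic):
        self._flows = {}  # state -> (server_name, deadline)
        self._ttl = ttl
        self._clock = clock

    def start(self, server_name):
        """Step 1: mint an unguessable state for the authorization URL."""
        state = secrets.token_urlsafe(32)
        self._flows[state] = (server_name, self._clock() + self._ttl)
        return state

    def handle_callback(self, query):
        """Steps 3-4: return (html_page, (server_name, code) or None)."""
        code, state = query.get("code"), query.get("state")
        if not isinstance(code, str) or not isinstance(state, str) \
                or not code or not state:
            return EXPIRED_PAGE, None
        # pop() makes the state single-use: a replayed callback finds nothing.
        entry = self._flows.pop(state, None)
        if entry is None or self._clock() > entry[1]:
            return EXPIRED_PAGE, None
        server_name, _deadline = entry
        # The caller exchanges `code` with the provider for this server only.
        return OK_PAGE, (server_name, code)
```

The same failure page is returned for a missing, unknown, replayed or expired state, so the response does not reveal which check rejected the request.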
Request

cURL

curl "http://localhost:8888/api/mcp/oauth/callback?code=abc123&state=xyz789"

JavaScript

const response = await fetch(
  "http://localhost:8888/api/mcp/oauth/callback?code=abc123&state=xyz789",
  { method: "GET" }
);

// The endpoint returns an HTML page, not JSON.
const page = await response.text();
console.log(page);

Python

import requests

response = requests.get(
    "http://localhost:8888/api/mcp/oauth/callback",
    params={"code": "abc123", "state": "xyz789"},
)

# The endpoint returns an HTML page, not JSON.
print(response.text)

Go

package main

import (
    "fmt"
    "io"
    "log"
    "net/http"
)

func main() {
    resp, err := http.Get("http://localhost:8888/api/mcp/oauth/callback?code=abc123&state=xyz789")
    if err != nil {
        log.Fatal(err)
    }
    defer resp.Body.Close()

    body, err := io.ReadAll(resp.Body)
    if err != nil {
        log.Fatal(err)
    }
    // The endpoint returns an HTML page, not JSON.
    fmt.Println(string(body))
}