OAuth, discovery, and dynamic client registration
Broxy can authorize against downstream HTTP servers that require OAuth. The flow is automatic and UI-driven, with no manual token handling in most cases.
When you see the authorization flow (UI)
This applies to HTTP Streamable, HTTP SSE, and WebSocket servers.
Typical flow:
- Enable the server in the MCP list.
- The server card shows Authorization: <seconds> s.
- A dialog titled "Server Authorization" appears with the prompt "Authorize <server name>".
- Broxy opens your browser to complete sign-in.
- After success, the status changes to Connecting, then Available.
If you cancel the dialog or the flow fails, the server is saved as disabled and you can try again.
Discovery
Broxy discovers OAuth settings from the server:
- Probes /.well-known/oauth-protected-resource/<mcp-path> and /.well-known/oauth-protected-resource.
- If metadata is found, Broxy discovers authorization servers via OAuth 2.0 / OIDC metadata.
- If metadata is unavailable, Broxy probes the MCP endpoint and parses WWW-Authenticate to trigger step-up authorization.
PKCE is required. If S256 is not supported, authorization fails.
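The discovery order and the S256 requirement described above, sketched in Python as an added example (not Broxy's own code). The function names are hypothetical; the resource_metadata challenge parameter and the code_challenge_methods_supported field are the standard names from RFC 9728 and RFC 8414, and treating a missing method list as "unsupported" is an assumption.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"

def probe_urls(mcp_url):
    """Path-specific metadata URL first, then the origin-wide one."""
    u = urlsplit(mcp_url)
    origin = f"{u.scheme}://{u.netloc}"
    path = u.path.rstrip("/")
    urls = [origin + WELL_KNOWN + path] if path else []
    urls.append(origin + WELL_KNOWN)
    return urls

def resource_metadata_from_challenge(www_authenticate):
    """Fallback: read resource_metadata="..." from a Bearer challenge."""
    if not www_authenticate.strip().lower().startswith("bearer"):
        return None
    m = re.search(r'\bresource_metadata="([^"]*)"', www_authenticate)
    return m.group(1) if m else None

def require_s256(as_metadata):
    """Fail closed (assumption): no list, or a list without S256, is an error."""
    methods = as_metadata.get("code_challenge_methods_supported") or []
    if "S256" not in methods:
        raise ValueError("authorization server does not advertise PKCE S256")

def s256_challenge(verifier):
    """RFC 7636: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_pkce_pair():
    verifier = secrets.token_urlsafe(32)  # 43 chars, inside RFC 7636's 43..128
    return verifier, s256_challenge(verifier)

if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real server.
    print(probe_urls("https://mcp.example.com/mcp"))
    challenge = 'Bearer resource_metadata="https://mcp.example.com' + WELL_KNOWN + '"'
    print(resource_metadata_from_challenge(challenge))
    require_s256({"code_challenge_methods_supported": ["S256"]})
    print(new_pkce_pair()[1])
```
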
Dynamic client registration
If the server supports dynamic client registration:
- Broxy registers a client automatically.
- No client id or secret is required in the UI.
- The registered client is stored securely and reused on the next launch.
If the server does not support dynamic registration, you must provide credentials in the configuration file (see below).
Token storage
- OAuth tokens and registration data are stored in system secure storage when available.
- If secure storage is unavailable, you may need to authorize again after restart.
- Removing a server clears its cached OAuth entry.
Advanced: configuration file auth block
If you edit mcp.json, you can provide OAuth credentials manually:
{
  "mcpServers": {
    "secured": {
      "name": "Secured MCP",
      "transport": "http",
      "url": "https://mcp.example.com/mcp",
      "auth": {
        "type": "oauth",
        "clientId": "client-id",
        "clientSecret": "${CLIENT_SECRET}",
        "clientIdMetadataUrl": "https://auth.example.com/client-metadata",
        "redirectUri": "http://localhost:8080/callback",
        "authorizationServer": "https://auth.example.com",
        "tokenEndpointAuthMethod": "client_secret_post",
        "scopes": ["files:read"],
        "allowDynamicRegistration": true
      }
    }
  }
}
Notes:
- Use this only when the server does not support dynamic registration or you already have pre-registered credentials.
- Broxy includes the resource parameter in authorization and token requests.
- If you set an Authorization header in the server's Headers field, Broxy will use it and skip OAuth discovery.