You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs-website/router/mcp.mdx
+2-1Lines changed: 2 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,7 @@
1
1
---
2
2
title: 'MCP Gateway'
3
-
description: 'Connect AI models to your GraphQL APIs using the Model Context Protocol. The Cosmo Router MCP Gateway lets AI platforms like Claude, Cursor, and Windsurf discover and execute your operations through a secure, standardized interface.'
3
+
description: 'Connect AI models to your GraphQL APIs using the Model Context Protocol.'
Copy file name to clipboardExpand all lines: docs-website/router/mcp/configuration.mdx
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -38,7 +38,7 @@ storage_providers:
38
38
| `exclude_mutations` | Whether to exclude mutation operations from being exposed | `false` |
39
39
| `enable_arbitrary_operations` | Enables the `execute_graphql` built-in tool, allowing clients to run arbitrary GraphQL operations beyond the pre-defined operation set. | `false` |
40
40
| `expose_schema` | Enables the `get_schema` built-in tool, exposing the full GraphQL schema to MCP clients. | `false` |
41
-
| `omit_tool_name_prefix` | When enabled, MCP tool names omit the `execute_operation_` prefix. For example, `GetUser` becomes `get_user` instead of `execute_operation_get_user`. See [Operations — Omitting the Tool Name Prefix](/router/mcp/operations#omitting-the-tool-name-prefix). | `false` |
41
+
| `omit_tool_name_prefix` | When enabled, MCP tool names omit the `execute_operation_` prefix. For example, `GetUser` becomes `get_user` instead of `execute_operation_get_user`. See [Operations - Omitting the Tool Name Prefix](/router/mcp/operations#omitting-the-tool-name-prefix). | `false` |
42
42
43
43
For OAuth-specific configuration, see [OAuth 2.1 Authorization](/router/mcp/oauth/overview).
44
44
@@ -93,7 +93,7 @@ To configure sticky sessions:
93
93
2. Clients must include that value in subsequent requests as the `Mcp-Session-Id` request header
94
94
3. Your load balancer or reverse proxy must route requests with the same `Mcp-Session-Id` to the same instance
95
95
96
-
For details, see your load balancer or reverse proxy documentation (e.g., [F5 NGINX Plus — MCP Session Affinity](https://community.f5.com/kb/technicalarticles/mcp-session-affinity-with-f5-nginx-plus/341961)).
96
+
For details, see your load balancer or reverse proxy documentation (e.g., [F5 NGINX Plus - MCP Session Affinity](https://community.f5.com/kb/technicalarticles/mcp-session-affinity-with-f5-nginx-plus/341961)).
Copy file name to clipboardExpand all lines: docs-website/router/mcp/ide-setup.mdx
+5-4Lines changed: 5 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,7 @@
1
1
---
2
2
title: 'IDE & AI Tool Setup'
3
-
description: 'Connect Claude Desktop, Cursor, Windsurf, VS Code, and other AI tools to your MCP Gateway. Includes header forwarding for authentication and tracing.'
3
+
description: 'Connect AI tools to your MCP Gateway. Includes header forwarding for authentication and tracing.'
@@ -10,14 +11,14 @@ This guide covers how to connect popular AI tools to your Cosmo Router MCP serve
10
11
11
12
<Info>Available since Router [0.260.0](https://github.com/wundergraph/cosmo/releases/tag/router%400.260.0)</Info>
12
13
13
-
The MCP server forwards most client headers to the Router — including authorization, custom, and tracing headers — but skips hop-by-hop and content negotiation headers (defined in [`headers.SkippedHeaders`](https://github.com/wundergraph/cosmo/blob/main/router/internal/headers/headers.go)). This allows you to:
14
+
The MCP server forwards most client headers to the Router - including authorization, custom, and tracing headers - but skips hop-by-hop and content negotiation headers (defined in [`headers.SkippedHeaders`](https://github.com/wundergraph/cosmo/blob/main/router/internal/headers/headers.go)). This allows you to:
14
15
15
16
- Leverage all authentication and authorization capabilities of your Cosmo Router
16
17
- Pass custom headers for tracing, debugging, or application-specific purposes
17
18
- Maintain consistent security and observability across all API consumers
18
19
19
20
<Info>
20
-
Headers are forwarded through the chain: MCP Client → MCP Server → Router → Subgraphs. The router's
21
+
Headers are forwarded through the chain: MCP Client -> MCP Server -> Router -> Subgraphs. The router's
21
22
[header forwarding rules](/router/proxy-capabilities/subgraph-request-header-operations) determine what ultimately
22
23
reaches your subgraphs.
23
24
</Info>
@@ -45,7 +46,7 @@ Go to **Settings** > **Tools & Integrations** > **MCP Servers** and add the foll
45
46
}
46
47
```
47
48
48
-
All `headers` fields are optional — include only what your setup requires.
49
+
All `headers` fields are optional - include only what your setup requires.
Copy file name to clipboardExpand all lines: docs-website/router/mcp/oauth/configuration.mdx
+15-7Lines changed: 15 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -11,7 +11,7 @@ icon: 'sliders-up'
11
11
|`oauth.enabled`| Enable OAuth 2.1 / JWKS-based authentication for the MCP server |`false`|
12
12
|`oauth.authorization_server_url`| Base URL of the OAuth 2.0 authorization server. Advertised via the [RFC 9728 metadata endpoint](#rfc-9728-protected-resource-metadata) so clients can discover authorization endpoints. | - |
13
13
|`oauth.scope_challenge_include_token_scopes`| When `true`, includes the token's existing scopes in the `scope` parameter of 403 responses. Works around MCP SDK scope accumulation bugs. See [Scope Challenge Behavior](/router/mcp/oauth/scopes#scope-challenge-behavior). |`false`|
14
-
|`oauth.max_scope_combinations`|Upper limit on scope combinations produced when computing the Cartesian product of `@requiresScopes` across fields. Increase for complex RBAC configurations.|`2048`|
14
+
|`oauth.max_scope_combinations`|Maximum scope combinations computed per operation. Raise for schemas with many overlapping `@requiresScopes`. |`2048`|
15
15
|`oauth.scopes.initialize`| Scopes required for **all** HTTP requests (checked before JSON-RPC parsing). This is the baseline scope needed to establish an MCP connection. |`[]`|
16
16
|`oauth.scopes.tools_list`| Scopes required for the `tools/list` MCP method. |`[]`|
17
17
|`oauth.scopes.tools_call`| Scopes required for the `tools/call` MCP method (any tool invocation). Per-tool and built-in tool scopes are enforced additively. |`[]`|
@@ -55,7 +55,7 @@ For development or testing, you can use a shared symmetric secret instead of a r
55
55
oauth:
56
56
jwks:
57
57
- secret: 'your-shared-secret'
58
-
symmetric_algorithm: 'HS256' # HS256, HS384, or HS512
58
+
symmetric_algorithm: 'HS256' # HS256, HS384, or HS512. For other algorithms, use a remote JWKS URL.
59
59
header_key_id: 'my-key-id'
60
60
```
61
61
@@ -76,7 +76,9 @@ Returned when the token is missing, invalid, expired, or signature verification
The `scope` parameter contains the `initialize` scopes (minimum scopes needed to connect). The `resource_metadata` URL points to the [RFC 9728 metadata endpoint](#rfc-9728-protected-resource-metadata) for OAuth discovery.
@@ -89,20 +91,26 @@ Returned when the token is valid but lacks required scopes. The exact `scope` pa
error_description="insufficient scopes for tool execute_operation_get_top_secret_facts"
100
108
```
101
109
102
110
The `scope` parameter always contains only the scopes needed for the specific operation that failed (unless `scope_challenge_include_token_scopes` is enabled).
103
111
104
112
<Info>
105
-
Per the MCP specification, HTTP-level authentication failures return only HTTP status codes and headers — no JSON-RPC
113
+
Per the MCP specification, HTTP-level authentication failures return only HTTP status codes and headers - no JSON-RPC
106
114
response body is included.
107
115
</Info>
108
116
@@ -146,7 +154,7 @@ The `scopes_supported` field is **automatically computed** as the union of:
146
154
The router performs startup validation when OAuth is enabled:
147
155
148
156
- If `oauth.jwks` is empty, the router exits with a fatal error to prevent starting an unprotected endpoint
149
-
- If `server.base_url` is empty, the router exits with a fatal error because it is required for RFC 9728 metadata discovery
157
+
- If `server.base_url` is empty, the router exits with a fatal error because it is required for [RFC 9728](https://datatracker.ietf.org/doc/rfc9728/) metadata discovery
Copy file name to clipboardExpand all lines: docs-website/router/mcp/oauth/overview.mdx
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -16,7 +16,7 @@ All scope enforcement happens at the HTTP transport level per the MCP specificat
16
16
17
17
## Token Validation
18
18
19
-
The MCP server validates JWT bearer tokens using JWKS (JSON Web Key Sets). You can configure one or more JWKS providers — either remote JWKS URLs (for production with providers like Keycloak, Auth0, Okta) or symmetric secrets (for development and testing).
19
+
The MCP server validates JWT bearer tokens using JWKS (JSON Web Key Sets). You can configure one or more JWKS providers - either remote JWKS URLs (for production with providers like Keycloak, Auth0, Okta) or symmetric secrets (for development and testing).
20
20
21
21
The MCP OAuth config uses the **same JWKS format** as the router's top-level [authentication configuration](/router/authentication-and-authorization), though it is configured independently. You can point the MCP JWKS to the same JWKS URL as your router authentication, or to a different identity provider entirely.
0 commit comments