Skip to content

Commit efc872e

Browse files
committed
docs(mcp): address PR review comments
1 parent fa91049 commit efc872e

7 files changed

Lines changed: 60 additions & 37 deletions

File tree

docs-website/router/mcp.mdx

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
11
---
22
title: 'MCP Gateway'
3-
description: 'Connect AI models to your GraphQL APIs using the Model Context Protocol. The Cosmo Router MCP Gateway lets AI platforms like Claude, Cursor, and Windsurf discover and execute your operations through a secure, standardized interface.'
3+
description: 'Connect AI models to your GraphQL APIs using the Model Context Protocol.'
4+
keywords: ['MCP', 'Model Context Protocol', 'MCP Gateway', 'Claude', 'Cursor', 'Windsurf', 'AI', 'GraphQL']
45
icon: 'robot'
56
---
67

docs-website/router/mcp/configuration.mdx

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -38,7 +38,7 @@ storage_providers:
3838
| `exclude_mutations` | Whether to exclude mutation operations from being exposed | `false` |
3939
| `enable_arbitrary_operations` | Enables the `execute_graphql` built-in tool, allowing clients to run arbitrary GraphQL operations beyond the pre-defined operation set. | `false` |
4040
| `expose_schema` | Enables the `get_schema` built-in tool, exposing the full GraphQL schema to MCP clients. | `false` |
41-
| `omit_tool_name_prefix` | When enabled, MCP tool names omit the `execute_operation_` prefix. For example, `GetUser` becomes `get_user` instead of `execute_operation_get_user`. See [Operations Omitting the Tool Name Prefix](/router/mcp/operations#omitting-the-tool-name-prefix). | `false` |
41+
| `omit_tool_name_prefix` | When enabled, MCP tool names omit the `execute_operation_` prefix. For example, `GetUser` becomes `get_user` instead of `execute_operation_get_user`. See [Operations - Omitting the Tool Name Prefix](/router/mcp/operations#omitting-the-tool-name-prefix). | `false` |
4242

4343
For OAuth-specific configuration, see [OAuth 2.1 Authorization](/router/mcp/oauth/overview).
4444

@@ -93,7 +93,7 @@ To configure sticky sessions:
9393
2. Clients must include that value in subsequent requests as the `Mcp-Session-Id` request header
9494
3. Your load balancer or reverse proxy must route requests with the same `Mcp-Session-Id` to the same instance
9595

96-
For details, see your load balancer or reverse proxy documentation (e.g., [F5 NGINX Plus MCP Session Affinity](https://community.f5.com/kb/technicalarticles/mcp-session-affinity-with-f5-nginx-plus/341961)).
96+
For details, see your load balancer or reverse proxy documentation (e.g., [F5 NGINX Plus - MCP Session Affinity](https://community.f5.com/kb/technicalarticles/mcp-session-affinity-with-f5-nginx-plus/341961)).
9797

9898
## CORS
9999

docs-website/router/mcp/ide-setup.mdx

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
11
---
22
title: 'IDE & AI Tool Setup'
3-
description: 'Connect Claude Desktop, Cursor, Windsurf, VS Code, and other AI tools to your MCP Gateway. Includes header forwarding for authentication and tracing.'
3+
description: 'Connect AI tools to your MCP Gateway. Includes header forwarding for authentication and tracing.'
4+
keywords: ['MCP', 'Claude Desktop', 'Cursor', 'Windsurf', 'VS Code', 'IDE', 'AI tools']
45
icon: 'display-code'
56
---
67

@@ -10,14 +11,14 @@ This guide covers how to connect popular AI tools to your Cosmo Router MCP serve
1011

1112
<Info>Available since Router [0.260.0](https://github.com/wundergraph/cosmo/releases/tag/router%400.260.0)</Info>
1213

13-
The MCP server forwards most client headers to the Router including authorization, custom, and tracing headers but skips hop-by-hop and content negotiation headers (defined in [`headers.SkippedHeaders`](https://github.com/wundergraph/cosmo/blob/main/router/internal/headers/headers.go)). This allows you to:
14+
The MCP server forwards most client headers to the Router - including authorization, custom, and tracing headers - but skips hop-by-hop and content negotiation headers (defined in [`headers.SkippedHeaders`](https://github.com/wundergraph/cosmo/blob/main/router/internal/headers/headers.go)). This allows you to:
1415

1516
- Leverage all authentication and authorization capabilities of your Cosmo Router
1617
- Pass custom headers for tracing, debugging, or application-specific purposes
1718
- Maintain consistent security and observability across all API consumers
1819

1920
<Info>
20-
Headers are forwarded through the chain: MCP Client MCP Server Router Subgraphs. The router's
21+
Headers are forwarded through the chain: MCP Client -> MCP Server -> Router -> Subgraphs. The router's
2122
[header forwarding rules](/router/proxy-capabilities/subgraph-request-header-operations) determine what ultimately
2223
reaches your subgraphs.
2324
</Info>
@@ -45,7 +46,7 @@ Go to **Settings** > **Tools & Integrations** > **MCP Servers** and add the foll
4546
}
4647
```
4748

48-
All `headers` fields are optional include only what your setup requires.
49+
All `headers` fields are optional - include only what your setup requires.
4950

5051
### Claude Desktop
5152

docs-website/router/mcp/oauth/configuration.mdx

Lines changed: 15 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ icon: 'sliders-up'
1111
| `oauth.enabled` | Enable OAuth 2.1 / JWKS-based authentication for the MCP server | `false` |
1212
| `oauth.authorization_server_url` | Base URL of the OAuth 2.0 authorization server. Advertised via the [RFC 9728 metadata endpoint](#rfc-9728-protected-resource-metadata) so clients can discover authorization endpoints. | - |
1313
| `oauth.scope_challenge_include_token_scopes` | When `true`, includes the token's existing scopes in the `scope` parameter of 403 responses. Works around MCP SDK scope accumulation bugs. See [Scope Challenge Behavior](/router/mcp/oauth/scopes#scope-challenge-behavior). | `false` |
14-
| `oauth.max_scope_combinations` | Upper limit on scope combinations produced when computing the Cartesian product of `@requiresScopes` across fields. Increase for complex RBAC configurations. | `2048` |
14+
| `oauth.max_scope_combinations` | Maximum scope combinations computed per operation. Raise for schemas with many overlapping `@requiresScopes`. | `2048` |
1515
| `oauth.scopes.initialize` | Scopes required for **all** HTTP requests (checked before JSON-RPC parsing). This is the baseline scope needed to establish an MCP connection. | `[]` |
1616
| `oauth.scopes.tools_list` | Scopes required for the `tools/list` MCP method. | `[]` |
1717
| `oauth.scopes.tools_call` | Scopes required for the `tools/call` MCP method (any tool invocation). Per-tool and built-in tool scopes are enforced additively. | `[]` |
@@ -55,7 +55,7 @@ For development or testing, you can use a shared symmetric secret instead of a r
5555
oauth:
5656
jwks:
5757
- secret: 'your-shared-secret'
58-
symmetric_algorithm: 'HS256' # HS256, HS384, or HS512
58+
symmetric_algorithm: 'HS256' # HS256, HS384, or HS512. For other algorithms, use a remote JWKS URL.
5959
header_key_id: 'my-key-id'
6060
```
6161

@@ -76,7 +76,9 @@ Returned when the token is missing, invalid, expired, or signature verification
7676

7777
```
7878
HTTP/1.1 401 Unauthorized
79-
WWW-Authenticate: Bearer realm="mcp", scope="mcp:connect", resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource/mcp"
79+
WWW-Authenticate: Bearer realm="mcp",
80+
scope="mcp:connect",
81+
resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource/mcp"
8082
```
8183
8284
The `scope` parameter contains the `initialize` scopes (minimum scopes needed to connect). The `resource_metadata` URL points to the [RFC 9728 metadata endpoint](#rfc-9728-protected-resource-metadata) for OAuth discovery.
@@ -89,20 +91,26 @@ Returned when the token is valid but lacks required scopes. The exact `scope` pa
8991
9092
```
9193
HTTP/1.1 403 Forbidden
92-
WWW-Authenticate: Bearer error="insufficient_scope", scope="mcp:tools:execute", resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource/mcp", error_description="missing required scopes: mcp:tools:execute"
94+
WWW-Authenticate: Bearer error="insufficient_scope",
95+
scope="mcp:tools:execute",
96+
resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource/mcp",
97+
error_description="missing required scopes: mcp:tools:execute"
9398
```
9499
95100
**Per-tool rejection** (e.g., calling a tool that requires `read:fact`):
96101
97102
```
98103
HTTP/1.1 403 Forbidden
99-
WWW-Authenticate: Bearer error="insufficient_scope", scope="read:fact", resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource/mcp", error_description="insufficient scopes for tool execute_operation_get_top_secret_facts"
104+
WWW-Authenticate: Bearer error="insufficient_scope",
105+
scope="read:fact",
106+
resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource/mcp",
107+
error_description="insufficient scopes for tool execute_operation_get_top_secret_facts"
100108
```
101109
102110
The `scope` parameter always contains only the scopes needed for the specific operation that failed (unless `scope_challenge_include_token_scopes` is enabled).
103111
104112
<Info>
105-
Per the MCP specification, HTTP-level authentication failures return only HTTP status codes and headers no JSON-RPC
113+
Per the MCP specification, HTTP-level authentication failures return only HTTP status codes and headers - no JSON-RPC
106114
response body is included.
107115
</Info>
108116
@@ -146,7 +154,7 @@ The `scopes_supported` field is **automatically computed** as the union of:
146154
The router performs startup validation when OAuth is enabled:
147155

148156
- If `oauth.jwks` is empty, the router exits with a fatal error to prevent starting an unprotected endpoint
149-
- If `server.base_url` is empty, the router exits with a fatal error because it is required for RFC 9728 metadata discovery
157+
- If `server.base_url` is empty, the router exits with a fatal error because it is required for [RFC 9728](https://datatracker.ietf.org/doc/rfc9728/) metadata discovery
150158

151159
## Full Configuration Example
152160

docs-website/router/mcp/oauth/overview.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ All scope enforcement happens at the HTTP transport level per the MCP specificat
1616

1717
## Token Validation
1818

19-
The MCP server validates JWT bearer tokens using JWKS (JSON Web Key Sets). You can configure one or more JWKS providers either remote JWKS URLs (for production with providers like Keycloak, Auth0, Okta) or symmetric secrets (for development and testing).
19+
The MCP server validates JWT bearer tokens using JWKS (JSON Web Key Sets). You can configure one or more JWKS providers - either remote JWKS URLs (for production with providers like Keycloak, Auth0, Okta) or symmetric secrets (for development and testing).
2020

2121
The MCP OAuth config uses the **same JWKS format** as the router's top-level [authentication configuration](/router/authentication-and-authorization), though it is configured independently. You can point the MCP JWKS to the same JWKS URL as your router authentication, or to a different identity provider entirely.
2222

0 commit comments

Comments
 (0)