actionmcp 0.72.0 → 0.80.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2875f1eaab23887a9cafbff393229ab35a733822b4b20487cff5b4556cd602c9
-  data.tar.gz: ac60fbba55e7e06960644c70f790cd0f4f8909d1b6d1137b3f002bdeda29575c
+  metadata.gz: ea96963047c8bb5e9fa9fd88163a14798c8780a531fa1600e3681bd92ca1b4fe
+  data.tar.gz: aae9fc897bd554fba0442735b184d9eac03a381c3b07e052869ce76ce714555d
 SHA512:
-  metadata.gz: 9fe34b128238c04f1dcb8a08af77b17aafcf7c0bf5fd1ce670d0c8bfdd0aefcea6d284d1c223cb3572645e5101aa71021381eb1d0379851114c075102311c156
-  data.tar.gz: 3817b2aa867d773afad8cb9db19fca5e1dc1d1425d1b02912a62cd15fba6cde28b3e7333114a98ccc8fe551c15d481f77d02c6eb549bf3ae971d95a2a2ff013b
+  metadata.gz: 47947a7bba2e39a33b1793cbf8af4a38dcf26e0eebcc19989b143d4279f8f71fc05c646169d4739dd8e52f23c2f34df5a232d4cd414e6872cc636ab4c5a22ae5
+  data.tar.gz: 8e2b06ddaf6b1174035dc3e4a6315aaf8d624ac5a096d647f252c40c533f5d20ebf02b3b8b5355d81617de98dfccf63d4342ec540558f8dbc5072043aee11c4a

data/README.md

@@ -576,7 +576,7 @@ This will create:
 
 ActionMCP provides a Gateway system similar to ActionCable's Connection for handling authentication. The Gateway allows you to authenticate users and make them available throughout your MCP components.
 
-ActionMCP supports multiple authentication methods including OAuth 2.1, JWT tokens, and no authentication for development. For detailed OAuth 2.1 configuration and usage, see the [OAuth Authentication Guide](OAUTH.md).
+ActionMCP uses a Gateway pattern with pluggable identifiers for authentication. You can implement custom authentication strategies using session-based auth, API keys, bearer tokens, or integrate with existing authentication systems like Warden, Devise, or external OAuth providers.
 
 ### Creating an ApplicationGateway
 

data/app/controllers/action_mcp/application_controller.rb

@@ -28,7 +28,9 @@ module ActionMCP
     end
 
     # Handles GET requests for establishing server-initiated SSE streams (2025-03-26 spec).
-    # @route GET /
+    # <rails-lens:routes:begin>
+    # ROUTE: /, name: mcp_get, via: GET
+    # <rails-lens:routes:end>
     def show
       unless request.accepts.any? { |type| type.to_s == "text/event-stream" }
         return render_not_acceptable("Client must accept 'text/event-stream' for GET requests.")
@@ -158,7 +160,9 @@ module ActionMCP
     end
 
     # Handles POST requests containing client JSON-RPC messages according to 2025-03-26 spec.
-    # @route POST /mcp
+    # <rails-lens:routes:begin>
+    # ROUTE: /, name: mcp_post, via: POST
+    # <rails-lens:routes:end>
     def create
       unless post_accept_headers_valid?
         id = extract_jsonrpc_id_from_request
@@ -227,7 +231,9 @@ module ActionMCP
     end
 
     # Handles DELETE requests for session termination (2025-03-26 spec).
-    # @route DELETE /
+    # <rails-lens:routes:begin>
+    # ROUTE: /, name: mcp_delete, via: DELETE
+    # <rails-lens:routes:end>
     def destroy
       session_id_from_header = extract_session_id
       return render_bad_request("Mcp-Session-Id header is required for DELETE requests.") unless session_id_from_header
@@ -521,21 +527,23 @@ module ActionMCP
       gateway_class = ActionMCP.configuration.gateway_class
       return unless gateway_class # Skip if no gateway configured
 
-      gateway = gateway_class.new(request)
-      gateway.call
-    rescue ActionMCP::UnauthorizedError => e
-      render_unauthorized(e.message)
+      begin
+        gateway = gateway_class.new(request)
+        gateway.call
+      rescue ActionMCP::UnauthorizedError => e
+        render_unauthorized(e.message)
+      rescue StandardError => e
+        Rails.logger.error "Gateway authentication error: #{e.class} - #{e.message}"
+        render_unauthorized("Authentication system error")
+      end
     end
 
     # Renders an unauthorized response
     def render_unauthorized(message = "Unauthorized", id = nil)
       id ||= extract_jsonrpc_id_from_request
 
-      # Add WWW-Authenticate header for OAuth discovery as per spec
-      auth_methods = ActionMCP.configuration.authentication_methods || []
-      response.headers["WWW-Authenticate"] = 'Bearer realm="MCP API"' if auth_methods.include?("oauth")
-
-      render json: { jsonrpc: "2.0", id: id, error: { code: -32_000, message: message } }, status: :unauthorized
+      # Return JSON-RPC error with 200 status as per MCP specification
+      render json: { jsonrpc: "2.0", id: id, error: { code: -32_000, message: message } }
     end
   end
 end

data/app/models/action_mcp/session/message.rb

@@ -1,29 +1,40 @@
 # frozen_string_literal: true
 
-# == Schema Information
+# <rails-lens:schema:begin>
+# table = "action_mcp_session_messages"
+# database_dialect = "SQLite"
 #
-# Table name: action_mcp_session_messages
+# columns = [
+#   { name = "id", type = "integer", primary_key = true, nullable = false },
+#   { name = "session_id", type = "string", nullable = false },
+#   { name = "direction", type = "string", nullable = false, default = "client" },
+#   { name = "message_type", type = "string", nullable = false },
+#   { name = "jsonrpc_id", type = "string", nullable = true },
+#   { name = "message_json", type = "json", nullable = true },
+#   { name = "is_ping", type = "boolean", nullable = false, default = "0" },
+#   { name = "request_acknowledged", type = "boolean", nullable = false, default = "0" },
+#   { name = "request_cancelled", type = "boolean", nullable = false, default = "0" },
+#   { name = "created_at", type = "datetime", nullable = false },
+#   { name = "updated_at", type = "datetime", nullable = false }
+# ]
 #
-#  id                   :integer          not null, primary key
-#  direction            :string           default("client"), not null
-#  is_ping              :boolean          default(FALSE), not null
-#  message_json         :json
-#  message_type         :string           not null
-#  request_acknowledged :boolean          default(FALSE), not null
-#  request_cancelled    :boolean          default(FALSE), not null
-#  created_at           :datetime         not null
-#  updated_at           :datetime         not null
-#  jsonrpc_id           :string
-#  session_id           :string           not null
+# indexes = [
+#   { name = "index_action_mcp_session_messages_on_session_id", columns = ["session_id"] }
+# ]
 #
-# Indexes
-#
-#  index_action_mcp_session_messages_on_session_id  (session_id)
-#
-# Foreign Keys
-#
-#  session_id  (session_id => action_mcp_sessions.id) ON DELETE => cascade ON UPDATE => cascade
+# foreign_keys = [
+#   { column = "session_id", references_table = "action_mcp_sessions", references_column = "id", on_delete = "cascade", on_update = "cascade" }
+# ]
 #
+# == Notes
+# - Column 'message_json' should probably have NOT NULL constraint
+# - String column 'session_id' has no length limit - consider adding one
+# - String column 'direction' has no length limit - consider adding one
+# - String column 'message_type' has no length limit - consider adding one
+# - String column 'jsonrpc_id' has no length limit - consider adding one
+# - Column 'message_type' is commonly used in queries - consider adding an index
+# - Column 'is_ping' uses non-conventional prefix - consider removing 'is_' or 'has_'
+# <rails-lens:schema:end>
 module ActionMCP
   class Session
     #

data/app/models/action_mcp/session/resource.rb

@@ -1,29 +1,44 @@
 # frozen_string_literal: true
 
-# == Schema Information
+# <rails-lens:schema:begin>
+# table = "action_mcp_session_resources"
+# database_dialect = "SQLite"
 #
-# Table name: action_mcp_session_resources
+# columns = [
+#   { name = "id", type = "integer", primary_key = true, nullable = false },
+#   { name = "session_id", type = "string", nullable = false },
+#   { name = "uri", type = "string", nullable = false },
+#   { name = "name", type = "string", nullable = true },
+#   { name = "description", type = "text", nullable = true },
+#   { name = "mime_type", type = "string", nullable = false },
+#   { name = "created_by_tool", type = "boolean", nullable = true, default = "0" },
+#   { name = "last_accessed_at", type = "datetime", nullable = true },
+#   { name = "metadata", type = "json", nullable = true },
+#   { name = "created_at", type = "datetime", nullable = false },
+#   { name = "updated_at", type = "datetime", nullable = false }
+# ]
 #
-#  id               :integer          not null, primary key
-#  created_by_tool  :boolean          default(FALSE)
-#  description      :text
-#  last_accessed_at :datetime
-#  metadata         :json
-#  mime_type        :string           not null
-#  name             :string
-#  uri              :string           not null
-#  created_at       :datetime         not null
-#  updated_at       :datetime         not null
-#  session_id       :string           not null
+# indexes = [
+#   { name = "index_action_mcp_session_resources_on_session_id", columns = ["session_id"] }
+# ]
 #
-# Indexes
-#
-#  index_action_mcp_session_resources_on_session_id  (session_id)
-#
-# Foreign Keys
-#
-#  session_id  (session_id => action_mcp_sessions.id) ON DELETE => cascade
+# foreign_keys = [
+#   { column = "session_id", references_table = "action_mcp_sessions", references_column = "id", on_delete = "cascade" }
+# ]
 #
+# == Notes
+# - Association 'session' should specify inverse_of
+# - Column 'name' should probably have NOT NULL constraint
+# - Column 'description' should probably have NOT NULL constraint
+# - Column 'created_by_tool' should probably have NOT NULL constraint
+# - Column 'metadata' should probably have NOT NULL constraint
+# - String column 'session_id' has no length limit - consider adding one
+# - String column 'uri' has no length limit - consider adding one
+# - String column 'name' has no length limit - consider adding one
+# - String column 'mime_type' has no length limit - consider adding one
+# - Large text column 'description' is frequently queried - consider separate storage
+# - Column 'mime_type' is commonly used in queries - consider adding an index
+# <rails-lens:schema:end>
 module ActionMCP
   class Session
     #

data/app/models/action_mcp/session/sse_event.rb

@@ -1,26 +1,32 @@
 # frozen_string_literal: true
 
-# == Schema Information
+# <rails-lens:schema:begin>
+# table = "action_mcp_sse_events"
+# database_dialect = "SQLite"
 #
-# Table name: action_mcp_sse_events
+# columns = [
+#   { name = "id", type = "integer", primary_key = true, nullable = false },
+#   { name = "session_id", type = "string", nullable = false },
+#   { name = "event_id", type = "integer", nullable = false },
+#   { name = "data", type = "text", nullable = false },
+#   { name = "created_at", type = "datetime", nullable = false },
+#   { name = "updated_at", type = "datetime", nullable = false }
+# ]
 #
-#  id         :integer          not null, primary key
-#  data       :text             not null
-#  created_at :datetime         not null
-#  updated_at :datetime         not null
-#  event_id   :integer          not null
-#  session_id :string           not null
+# indexes = [
+#   { name = "index_action_mcp_sse_events_on_created_at", columns = ["created_at"] },
+#   { name = "index_action_mcp_sse_events_on_session_id_and_event_id", columns = ["session_id", "event_id"], unique = true },
+#   { name = "index_action_mcp_sse_events_on_session_id", columns = ["session_id"] }
+# ]
 #
-# Indexes
-#
-#  index_action_mcp_sse_events_on_created_at               (created_at)
-#  index_action_mcp_sse_events_on_session_id               (session_id)
-#  index_action_mcp_sse_events_on_session_id_and_event_id  (session_id,event_id) UNIQUE
-#
-# Foreign Keys
-#
-#  session_id  (session_id => action_mcp_sessions.id)
+# foreign_keys = [
+#   { column = "session_id", references_table = "action_mcp_sessions", references_column = "id" }
+# ]
 #
+# == Notes
+# - Association 'session' should specify inverse_of
+# - String column 'session_id' has no length limit - consider adding one
+# <rails-lens:schema:end>
 module ActionMCP
   class Session
     # Represents a Server-Sent Event (SSE) in an MCP session

data/app/models/action_mcp/session/subscription.rb

@@ -1,24 +1,31 @@
 # frozen_string_literal: true
 
-# == Schema Information
+# <rails-lens:schema:begin>
+# table = "action_mcp_session_subscriptions"
+# database_dialect = "SQLite"
 #
-# Table name: action_mcp_session_subscriptions
+# columns = [
+#   { name = "id", type = "integer", primary_key = true, nullable = false },
+#   { name = "session_id", type = "string", nullable = false },
+#   { name = "uri", type = "string", nullable = false },
+#   { name = "last_notification_at", type = "datetime", nullable = true },
+#   { name = "created_at", type = "datetime", nullable = false },
+#   { name = "updated_at", type = "datetime", nullable = false }
+# ]
 #
-#  id                   :integer          not null, primary key
-#  last_notification_at :datetime
-#  uri                  :string           not null
-#  created_at           :datetime         not null
-#  updated_at           :datetime         not null
-#  session_id           :string           not null
+# indexes = [
+#   { name = "index_action_mcp_session_subscriptions_on_session_id", columns = ["session_id"] }
+# ]
 #
-# Indexes
-#
-#  index_action_mcp_session_subscriptions_on_session_id  (session_id)
-#
-# Foreign Keys
-#
-#  session_id  (session_id => action_mcp_sessions.id) ON DELETE => cascade
+# foreign_keys = [
+#   { column = "session_id", references_table = "action_mcp_sessions", references_column = "id", on_delete = "cascade" }
+# ]
 #
+# == Notes
+# - Consider adding counter cache for 'session'
+# - String column 'session_id' has no length limit - consider adding one
+# - String column 'uri' has no length limit - consider adding one
+# <rails-lens:schema:end>
 module ActionMCP
   class Session
     #

data/app/models/action_mcp/session.rb

@@ -1,39 +1,49 @@
 # frozen_string_literal: true
 
-# == Schema Information
+# <rails-lens:schema:begin>
+# table = "action_mcp_sessions"
+# database_dialect = "SQLite"
 #
-# Table name: action_mcp_sessions
-#
-#  id                     :string           not null, primary key
-#  authentication_method  :string           default("none")
-#  client_capabilities    :json
-#  client_info            :json
-#  consents               :json             not null
-#  ended_at               :datetime
-#  initialized            :boolean          default(FALSE), not null
-#  messages_count         :integer          default(0), not null
-#  oauth_access_token     :string
-#  oauth_refresh_token    :string
-#  oauth_token_expires_at :datetime
-#  oauth_user_context     :json
-#  prompt_registry        :json
-#  protocol_version       :string
-#  resource_registry      :json
-#  role                   :string           default("server"), not null
-#  server_capabilities    :json
-#  server_info            :json
-#  sse_event_counter      :integer          default(0), not null
-#  status                 :string           default("pre_initialize"), not null
-#  tool_registry          :json
-#  created_at             :datetime         not null
-#  updated_at             :datetime         not null
-#
-# Indexes
-#
-#  index_action_mcp_sessions_on_authentication_method   (authentication_method)
-#  index_action_mcp_sessions_on_oauth_access_token      (oauth_access_token) UNIQUE
-#  index_action_mcp_sessions_on_oauth_token_expires_at  (oauth_token_expires_at)
+# columns = [
+#   { name = "id", type = "string", primary_key = true, nullable = false },
+#   { name = "role", type = "string", nullable = false, default = "server" },
+#   { name = "status", type = "string", nullable = false, default = "pre_initialize" },
+#   { name = "ended_at", type = "datetime", nullable = true },
+#   { name = "protocol_version", type = "string", nullable = true },
+#   { name = "server_capabilities", type = "json", nullable = true },
+#   { name = "client_capabilities", type = "json", nullable = true },
+#   { name = "server_info", type = "json", nullable = true },
+#   { name = "client_info", type = "json", nullable = true },
+#   { name = "initialized", type = "boolean", nullable = false, default = "0" },
+#   { name = "messages_count", type = "integer", nullable = false, default = "0" },
+#   { name = "sse_event_counter", type = "integer", nullable = false, default = "0" },
+#   { name = "tool_registry", type = "json", nullable = true, default = "[]" },
+#   { name = "prompt_registry", type = "json", nullable = true, default = "[]" },
+#   { name = "resource_registry", type = "json", nullable = true, default = "[]" },
+#   { name = "created_at", type = "datetime", nullable = false },
+#   { name = "updated_at", type = "datetime", nullable = false },
+#   { name = "consents", type = "json", nullable = false, default = "{}" }
+# ]
 #
+# == Notes
+# - Association 'messages' has N+1 query risk. Consider using includes/preload
+# - Association 'subscriptions' has N+1 query risk. Consider using includes/preload
+# - Association 'resources' has N+1 query risk. Consider using includes/preload
+# - Association 'sse_events' has N+1 query risk. Consider using includes/preload
+# - Column 'protocol_version' should probably have NOT NULL constraint
+# - Column 'server_capabilities' should probably have NOT NULL constraint
+# - Column 'client_capabilities' should probably have NOT NULL constraint
+# - Column 'server_info' should probably have NOT NULL constraint
+# - Column 'client_info' should probably have NOT NULL constraint
+# - Column 'tool_registry' should probably have NOT NULL constraint
+# - Column 'prompt_registry' should probably have NOT NULL constraint
+# - Column 'resource_registry' should probably have NOT NULL constraint
+# - String column 'id' has no length limit - consider adding one
+# - String column 'role' has no length limit - consider adding one
+# - String column 'status' has no length limit - consider adding one
+# - String column 'protocol_version' has no length limit - consider adding one
+# - Column 'status' is commonly used in queries - consider adding an index
+# <rails-lens:schema:end>
 module ActionMCP
   ##
   # Represents an MCP session, which is a connection between a client and a server.
@@ -362,93 +372,6 @@ module ActionMCP
       resource_registry == [ "*" ]
     end
 
-    # OAuth Session Management
-    # Required by MCP 2025-03-26 specification for session binding
-
-    # Store OAuth token and user context in session
-    def store_oauth_token(access_token:, expires_at:, refresh_token: nil, user_context: {})
-      update!(
-        oauth_access_token: access_token,
-        oauth_refresh_token: refresh_token,
-        oauth_token_expires_at: expires_at,
-        oauth_user_context: user_context,
-        authentication_method: "oauth"
-      )
-    end
-
-    # Retrieve OAuth token information
-    def oauth_token_info
-      return nil unless oauth_access_token
-
-      {
-        access_token: oauth_access_token,
-        refresh_token: oauth_refresh_token,
-        expires_at: oauth_token_expires_at,
-        user_context: oauth_user_context || {},
-        authentication_method: authentication_method
-      }
-    end
-
-    # Check if OAuth token is valid and not expired
-    def oauth_token_valid?
-      return false unless oauth_access_token
-      return true unless oauth_token_expires_at
-
-      oauth_token_expires_at > Time.current
-    end
-
-    # Clear OAuth token data
-    def clear_oauth_token!
-      update!(
-        oauth_access_token: nil,
-        oauth_refresh_token: nil,
-        oauth_token_expires_at: nil,
-        oauth_user_context: nil,
-        authentication_method: "none"
-      )
-    end
-
-    # Update OAuth token (for refresh flow)
-    def update_oauth_token(access_token:, expires_at:, refresh_token: nil)
-      update!(
-        oauth_access_token: access_token,
-        oauth_refresh_token: refresh_token,
-        oauth_token_expires_at: expires_at
-      )
-    end
-
-    # Get user information from OAuth context
-    def oauth_user
-      return nil unless oauth_user_context.is_a?(Hash)
-
-      OpenStruct.new(oauth_user_context)
-    end
-
-    # Check if session is authenticated via OAuth
-    def oauth_authenticated?
-      authentication_method == "oauth" && oauth_token_valid?
-    end
-
-    # Find session by OAuth access token (class method)
-    def self.find_by_oauth_token(access_token)
-      find_by(oauth_access_token: access_token)
-    end
-
-    # Find sessions with expired OAuth tokens (class method)
-    def self.with_expired_oauth_tokens
-      where("oauth_token_expires_at IS NOT NULL AND oauth_token_expires_at < ?", Time.current)
-    end
-
-    # Cleanup expired OAuth tokens (class method)
-    def self.cleanup_expired_oauth_tokens
-      with_expired_oauth_tokens.update_all(
-        oauth_access_token: nil,
-        oauth_refresh_token: nil,
-        oauth_token_expires_at: nil,
-        oauth_user_context: nil,
-        authentication_method: "none"
-      )
-    end
 
     # Consent management methods as per MCP specification
     # These methods manage user consents for tools and resources

data/config/routes.rb

@@ -3,19 +3,6 @@
 ActionMCP::Engine.routes.draw do
   get "/up", to: "/rails/health#show", as: :action_mcp_health_check
 
-  # OAuth 2.1 metadata endpoints
-  get "/.well-known/oauth-authorization-server", to: "oauth/metadata#authorization_server",
-                                                 as: :oauth_authorization_server_metadata
-  get "/.well-known/oauth-protected-resource", to: "oauth/metadata#protected_resource",
-                                               as: :oauth_protected_resource_metadata
-
-  # OAuth 2.1 endpoints
-  get "/oauth/authorize", to: "oauth/endpoints#authorize", as: :oauth_authorize
-  post "/oauth/token", to: "oauth/endpoints#token", as: :oauth_token
-  post "/oauth/introspect", to: "oauth/endpoints#introspect", as: :oauth_introspect
-  post "/oauth/revoke", to: "oauth/endpoints#revoke", as: :oauth_revoke
-  post "/oauth/register", to: "oauth/registration#create", as: :oauth_register
-
   # MCP 2025-03-26 Spec routes
   get "/", to: "application#show", as: :mcp_get
   post "/", to: "application#create", as: :mcp_post

data/db/migrate/20250727000001_remove_oauth_support.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+class RemoveOauthSupport < ActiveRecord::Migration[8.0]
+  def change
+    # Remove OAuth tables
+    drop_table :action_mcp_oauth_clients, if_exists: true do |t|
+      t.string :client_id, null: false
+      t.string :client_secret
+      t.string :client_name
+      t.json :redirect_uris, default: []
+      t.json :grant_types, default: [ "authorization_code" ]
+      t.json :response_types, default: [ "code" ]
+      t.string :token_endpoint_auth_method, default: "client_secret_basic"
+      t.text :scope
+      t.boolean :active, default: true
+      t.integer :client_id_issued_at
+      t.integer :client_secret_expires_at
+      t.string :registration_access_token
+      t.json :metadata, default: {}
+      t.datetime :created_at, null: false
+      t.datetime :updated_at, null: false
+    end
+
+    drop_table :action_mcp_oauth_tokens, if_exists: true do |t|
+      t.string :token, null: false
+      t.string :token_type, null: false
+      t.string :client_id, null: false
+      t.string :user_id
+      t.text :scope
+      t.datetime :expires_at
+      t.boolean :revoked, default: false
+      t.string :redirect_uri
+      t.string :code_challenge
+      t.string :code_challenge_method
+      t.string :access_token
+      t.json :metadata, default: {}
+      t.datetime :created_at, null: false
+      t.datetime :updated_at, null: false
+    end
+
+    # Remove OAuth columns from sessions table
+    if table_exists?(:action_mcp_sessions)
+      remove_column :action_mcp_sessions, :oauth_access_token, :string if column_exists?(:action_mcp_sessions, :oauth_access_token)
+      remove_column :action_mcp_sessions, :oauth_refresh_token, :string if column_exists?(:action_mcp_sessions, :oauth_refresh_token)
+      remove_column :action_mcp_sessions, :oauth_token_expires_at, :datetime if column_exists?(:action_mcp_sessions, :oauth_token_expires_at)
+      remove_column :action_mcp_sessions, :oauth_user_context, :json if column_exists?(:action_mcp_sessions, :oauth_user_context)
+    end
+  end
+
+  private
+
+  def table_exists?(table_name)
+    ActiveRecord::Base.connection.table_exists?(table_name)
+  end
+
+  def column_exists?(table_name, column_name)
+    ActiveRecord::Base.connection.column_exists?(table_name, column_name)
+  end
+end

data/lib/action_mcp/client/streamable_http_transport.rb

@@ -15,12 +15,9 @@ module ActionMCP
 
       attr_reader :session_id, :last_event_id, :protocol_version
 
-      def initialize(url, session_store:, session_id: nil, oauth_provider: nil, jwt_provider: nil,
-                     protocol_version: nil, **options)
+      def initialize(url, session_store:, session_id: nil, protocol_version: nil, **options)
         super(url, session_store: session_store, **options)
         @session_id = session_id
-        @oauth_provider = oauth_provider
-        @jwt_provider = jwt_provider
         @protocol_version = protocol_version || ActionMCP::DEFAULT_PROTOCOL_VERSION
         @negotiated_protocol_version = nil
         @last_event_id = nil
@@ -105,8 +102,6 @@ module ActionMCP
         # Add MCP-Protocol-Version header for GET requests when we have a negotiated version
         headers["MCP-Protocol-Version"] = @negotiated_protocol_version if @negotiated_protocol_version
 
-        headers.merge!(oauth_headers)
-        headers.merge!(jwt_headers)
         log_debug("Final GET headers: #{headers}")
         headers
       end
@@ -122,8 +117,6 @@ module ActionMCP
         # Only include when we have a negotiated version from previous handshake
         headers["MCP-Protocol-Version"] = @negotiated_protocol_version if @negotiated_protocol_version
 
-        headers.merge!(oauth_headers)
-        headers.merge!(jwt_headers)
         log_debug("Final POST headers: #{headers}")
         headers
       end
@@ -208,7 +201,6 @@ module ActionMCP
           # Accepted - message received, no immediate response
           log_debug("Message accepted (202)")
         when 401
-          handle_authentication_error(response)
           raise AuthenticationError, "Authentication required"
         when 405
           # Method not allowed - server doesn't support this operation
@@ -305,43 +297,6 @@ module ActionMCP
         log_debug("Saved session state")
       end
 
-      def oauth_headers
-        return {} unless @oauth_provider&.authenticated?
-
-        headers = @oauth_provider.authorization_headers
-        log_debug("OAuth headers: #{headers}") unless headers.empty?
-        headers
-      rescue StandardError => e
-        log_error("Failed to get OAuth headers: #{e.message}")
-        {}
-      end
-
-      def jwt_headers
-        return {} unless @jwt_provider&.authenticated?
-
-        headers = @jwt_provider.authorization_headers
-        log_debug("JWT headers: #{headers}") unless headers.empty?
-        headers
-      rescue StandardError => e
-        log_error("Failed to get JWT headers: #{e.message}")
-        {}
-      end
-
-      def handle_authentication_error(response)
-        # Check for OAuth challenge in WWW-Authenticate header
-        www_auth = response.headers["www-authenticate"]
-        return unless www_auth&.include?("Bearer")
-
-        if @oauth_provider
-          log_debug("Received OAuth challenge, clearing OAuth tokens")
-          @oauth_provider.clear_tokens!
-        end
-
-        return unless @jwt_provider
-
-        log_debug("Received Bearer challenge, clearing JWT tokens")
-        @jwt_provider.clear_tokens!
-      end
 
       def user_agent
         "ActionMCP-StreamableHTTP/#{ActionMCP.gem_version}"