@mcp-ts/sdk 1.6.0 → 1.6.2

package/dist/{tool-router-_O2tIwf7.d.mts → tool-router-BVaV1udm.d.mts}

@@ -1,5 +1,5 @@
 import { Tool } from '@modelcontextprotocol/sdk/types.js';
-import { u as ToolClientProvider, T as ToolClient } from './types-CfCoIsWI.mjs';
+import { u as ToolClientProvider, T as ToolClient } from './types-rIuN1CQi.mjs';
 
 /**
  * SchemaCompressor — Utilities for reducing tool schema token overhead.

package/dist/{tool-router-Bn9R0KWr.d.ts → tool-router-Dh2804tM.d.ts}

@@ -1,5 +1,5 @@
 import { Tool } from '@modelcontextprotocol/sdk/types.js';
-import { u as ToolClientProvider, T as ToolClient } from './types-CfCoIsWI.js';
+import { u as ToolClientProvider, T as ToolClient } from './types-rIuN1CQi.js';
 
 /**
  * SchemaCompressor — Utilities for reducing tool schema token overhead.

package/dist/{types-CfCoIsWI.d.mts → types-rIuN1CQi.d.mts}

@@ -102,6 +102,7 @@ interface ConnectParams {
     serverUrl: string;
     callbackUrl: string;
     transportType?: TransportType;
+    headers?: Record<string, string>;
 }
 interface DisconnectParams {
     sessionId: string;

package/dist/{types-CfCoIsWI.d.ts → types-rIuN1CQi.d.ts}

@@ -102,6 +102,7 @@ interface ConnectParams {
     serverUrl: string;
     callbackUrl: string;
     transportType?: TransportType;
+    headers?: Record<string, string>;
 }
 interface DisconnectParams {
     sessionId: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mcp-ts/sdk",
-  "version": "1.6.0",
+  "version": "1.6.2",
   "publishConfig": {
     "access": "public"
   },

package/src/client/react/oauth-popup.tsx

@@ -42,6 +42,19 @@ export interface McpOAuthCallbackContentProps {
 
 const AUTH_CODE_MESSAGE = 'MCP_AUTH_CODE';
 const AUTH_RESULT_MESSAGE = 'MCP_AUTH_RESULT';
+const AUTH_CHANNEL_NAME = 'mcp-auth-channel';
+
+function createAuthBroadcastChannel(): BroadcastChannel | null {
+  if (typeof BroadcastChannel === 'undefined') {
+    return null;
+  }
+
+  try {
+    return new BroadcastChannel(AUTH_CHANNEL_NAME);
+  } catch {
+    return null;
+  }
+}
 
 function postPopupResult(
   popupWindow: WindowProxy | null,
@@ -51,13 +64,23 @@ function postPopupResult(
     error?: string;
   }
 ): void {
-  popupWindow?.postMessage(
-    {
-      type: AUTH_RESULT_MESSAGE,
-      ...result,
-    },
-    window.location.origin
-  );
+  const payload = {
+    type: AUTH_RESULT_MESSAGE,
+    ...result,
+  };
+
+  try {
+    popupWindow?.postMessage(payload, window.location.origin);
+  } catch {
+    // COOP can leave a WindowProxy reference that is no longer usable.
+    // The BroadcastChannel path below is the reliable fallback.
+  }
+
+  const channel = createAuthBroadcastChannel();
+  if (channel) {
+    channel.postMessage(payload);
+    channel.close();
+  }
 }
 
 /**
@@ -130,14 +153,16 @@ export function useMcpOAuthPopup<TConnection extends OAuthPopupConnectionLike>(
   finishAuth: (sessionId: string, code: string) => Promise<unknown>
 ): void {
   const pendingPopupsRef = useRef<Map<string, WindowProxy>>(new Map());
+  const processingCodesRef = useRef<Set<string>>(new Set());
 
   useEffect(() => {
     const handleMessage = async (event: MessageEvent) => {
-      if (event.origin !== window.location.origin) {
+      if (event.origin && event.origin !== window.location.origin) {
         return;
       }
 
-      if (event.data?.type !== AUTH_CODE_MESSAGE || !event.data.code) {
+      const code = typeof event.data?.code === 'string' ? event.data.code : '';
+      if (event.data?.type !== AUTH_CODE_MESSAGE || !code) {
         return;
       }
 
@@ -146,56 +171,84 @@ export function useMcpOAuthPopup<TConnection extends OAuthPopupConnectionLike>(
         : null;
       const targetSessionId = typeof event.data.sessionId === 'string' ? event.data.sessionId : '';
 
+      if (popupWindow && targetSessionId) {
+        pendingPopupsRef.current.set(targetSessionId, popupWindow);
+      }
+
       if (!targetSessionId) {
-        postPopupResult(popupWindow, {
-          success: false,
-          error: 'Missing OAuth session identifier',
-        });
+        if (popupWindow) {
+          postPopupResult(popupWindow, {
+            success: false,
+            error: 'Missing OAuth session identifier',
+          });
+        }
         return;
       }
 
       const targetSession = connections.find((connection) => connection.sessionId === targetSessionId);
       if (!targetSession) {
-        postPopupResult(popupWindow, {
-          sessionId: targetSessionId,
-          success: false,
-          error: 'OAuth session not found in the current client state',
-        });
+        if (popupWindow) {
+          postPopupResult(popupWindow, {
+            sessionId: targetSessionId,
+            success: false,
+            error: 'OAuth session not found in the current client state',
+          });
+        }
         return;
       }
 
-      if (popupWindow) {
-        pendingPopupsRef.current.set(targetSession.sessionId, popupWindow);
+      const codeKey = `${targetSession.sessionId}:${code}`;
+      if (processingCodesRef.current.has(codeKey)) {
+        return;
       }
+      processingCodesRef.current.add(codeKey);
 
       try {
-        await finishAuth(targetSession.sessionId, event.data.code);
+        await finishAuth(targetSession.sessionId, code);
       } catch (error) {
+        processingCodesRef.current.delete(codeKey);
         pendingPopupsRef.current.delete(targetSession.sessionId);
-        postPopupResult(popupWindow, {
-          sessionId: targetSession.sessionId,
-          success: false,
-          error: error instanceof Error ? error.message : 'Failed to finish auth',
-        });
+        if (popupWindow) {
+          postPopupResult(popupWindow, {
+            sessionId: targetSession.sessionId,
+            success: false,
+            error: error instanceof Error ? error.message : 'Failed to finish auth',
+          });
+        }
+      }
+    };
+
+    const channel = createAuthBroadcastChannel();
+    const handleChannelMessage = (event: MessageEvent) => {
+      if (event.data?.type === AUTH_CODE_MESSAGE) {
+        void handleMessage(event);
       }
     };
 
     window.addEventListener('message', handleMessage);
-    return () => window.removeEventListener('message', handleMessage);
+    channel?.addEventListener('message', handleChannelMessage);
+    
+    return () => {
+      window.removeEventListener('message', handleMessage);
+      channel?.removeEventListener('message', handleChannelMessage);
+      channel?.close();
+    };
   }, [connections, finishAuth]);
 
   useEffect(() => {
     for (const connection of connections) {
-      const popupWindow = pendingPopupsRef.current.get(connection.sessionId);
-      if (!popupWindow) {
-        continue;
-      }
+      const popupWindow = pendingPopupsRef.current.get(connection.sessionId) || null;
 
-      if (connection.state === 'AUTHENTICATED') {
+      if (connection.state === 'AUTHENTICATED' || connection.state === 'READY' || connection.state === 'CONNECTED') {
         postPopupResult(popupWindow, {
           sessionId: connection.sessionId,
           success: true,
         });
+        for (const codeKey of processingCodesRef.current) {
+          if (codeKey.startsWith(`${connection.sessionId}:`)) {
+            processingCodesRef.current.delete(codeKey);
+          }
+        }
         pendingPopupsRef.current.delete(connection.sessionId);
         continue;
       }
@@ -206,6 +259,11 @@ export function useMcpOAuthPopup<TConnection extends OAuthPopupConnectionLike>(
           success: false,
           error: connection.error || 'Failed to complete authorization',
         });
+        for (const codeKey of processingCodesRef.current) {
+          if (codeKey.startsWith(`${connection.sessionId}:`)) {
+            processingCodesRef.current.delete(codeKey);
+          }
+        }
         pendingPopupsRef.current.delete(connection.sessionId);
       }
     }
@@ -238,16 +296,13 @@ export function McpOAuthCallbackContent({
   const [phase, setPhase] = useState<'loading' | 'success' | 'error'>(debugPhase || 'loading');
   const [errorMessage, setErrorMessage] = useState('');
 
-  const openerMissing = typeof window !== 'undefined' ? !window.opener : false;
   const missingCode = !code;
   const missingSessionId = !sessionId;
-  const blockingError = openerMissing
-    ? 'Error: No opener window found. This window should be opened from the app.'
-    : missingCode
-      ? 'Error: No authorization code received.'
-      : missingSessionId
-        ? 'Error: No OAuth state received.'
-        : null;
+  const blockingError = missingCode
+    ? 'Error: No authorization code received.'
+    : missingSessionId
+      ? 'Error: No OAuth state received.'
+      : null;
 
   useEffect(() => {
     if (debugPhase) {
@@ -263,9 +318,9 @@ export function McpOAuthCallbackContent({
     }
 
     let closed = false;
-
+    const channel = createAuthBroadcastChannel();
     const handleResult = (event: MessageEvent) => {
-      if (event.origin !== window.location.origin) {
+      if (event.origin && event.origin !== window.location.origin) {
         return;
       }
 
@@ -280,6 +335,7 @@ export function McpOAuthCallbackContent({
       if (event.data.success) {
         setPhase('success');
         window.removeEventListener('message', handleResult);
+        channel?.close();
         closed = true;
         window.setTimeout(() => window.close(), 1200);
         return;
@@ -294,23 +350,27 @@ export function McpOAuthCallbackContent({
     };
 
     window.addEventListener('message', handleResult);
+    channel?.addEventListener('message', handleResult);
+
+    const payload = { type: AUTH_CODE_MESSAGE, code, sessionId };
 
-    try {
-      window.opener.postMessage(
-        { type: AUTH_CODE_MESSAGE, code, sessionId },
-        window.location.origin
-      );
-    } catch (error) {
-      console.error('Failed to communicate with opener:', error);
-      window.setTimeout(() => {
+    if (window.opener) {
+      try {
+        window.opener.postMessage(payload, window.location.origin);
+      } catch {
         setPhase('error');
         setErrorMessage('Error: Could not communicate with main window.');
-      }, 0);
+      }
+    }
+
+    if (channel) {
+      channel.postMessage(payload);
     }
 
     return () => {
       if (!closed) {
         window.removeEventListener('message', handleResult);
+        channel?.close();
       }
     };
   }, [blockingError, code, sessionId, debugPhase]);

package/src/server/handlers/sse-handler.ts

@@ -73,6 +73,16 @@ export interface SSEHandlerOptions {
 
 const DEFAULT_HEARTBEAT_INTERVAL = 30000;
 
+function normalizeHeaders(headers?: Record<string, string>): Record<string, string> | undefined {
+  if (!headers || typeof headers !== 'object') return undefined;
+
+  const entries = Object.entries(headers)
+    .map(([key, value]) => [key.trim(), String(value).trim()] as const)
+    .filter(([key, value]) => key.length > 0 && value.length > 0);
+
+  return entries.length > 0 ? Object.fromEntries(entries) : undefined;
+}
+
 // ============================================
 // SSEConnectionManager Class
 // ============================================
@@ -238,6 +248,7 @@ export class SSEConnectionManager {
    */
   private async connect(params: ConnectParams): Promise<ConnectResult> {
     const { serverName, serverUrl, callbackUrl, transportType } = params;
+    const headers = normalizeHeaders(params.headers);
 
     // Normalize serverId to max 12 chars to keep tool names under 64 chars (DeepSeek/OpenAI limits)
     // Tool name format: tool_<serverId>_<toolName> - with 12 char serverId leaves 46 chars for tool name
@@ -280,6 +291,7 @@ export class SSEConnectionManager {
         serverUrl,
         callbackUrl,
         transportType,
+        headers,
         ...clientMetadata, // Spread client metadata (clientName, clientUri, logoUri, policyUri)
       });
 

package/src/server/mcp/oauth-client.ts

@@ -238,9 +238,11 @@ export class MCPClient {
     }
 
     const baseUrl = new URL(this.serverUrl);
+    const hasAuthorizationHeader = Object.keys(this.headers || {})
+      .some((key) => key.toLowerCase() === 'authorization');
     const transportOptions = {
-      authProvider: this.oauthProvider!,
-      ...(this.headers && { headers: this.headers }),
+      ...(!hasAuthorizationHeader && { authProvider: this.oauthProvider! }),
+      ...(this.headers && { requestInit: { headers: this.headers } }),
       /**
        * Custom fetch implementation to handle connection timeouts.
        * Observation: SDK 1.24.0+ connections may hang indefinitely in some environments.
@@ -359,6 +361,7 @@ export class MCPClient {
         serverUrl: this.serverUrl,
         callbackUrl: this.callbackUrl,
         transportType: this.transportType || 'streamable_http',
+        headers: this.headers,
         createdAt: this.createdAt,
         active: false,
       }, Math.floor(STATE_EXPIRATION_MS / 1000)); // Short TTL until connection succeeds
@@ -388,6 +391,7 @@ export class MCPClient {
       serverUrl: this.serverUrl,
       callbackUrl: this.callbackUrl,
       transportType: (this.transportType || 'streamable_http') as TransportType,
+      headers: this.headers,
       createdAt: this.createdAt || Date.now(),
       active,
     };

package/src/shared/types.ts

@@ -204,6 +204,7 @@ export interface ConnectParams {
   serverUrl: string;
   callbackUrl: string;
   transportType?: TransportType;
+  headers?: Record<string, string>;
 }
 
 export interface DisconnectParams {