librechat-data-provider 0.8.501 → 0.8.503

package/dist/types/mcp.d.ts

@@ -34,16 +34,16 @@ export declare const StdioOptionsSchema: z.ZodObject<{
     /**
      * OAuth configuration for SSE and Streamable HTTP transports
      * - Optional: OAuth can be auto-discovered on 401 responses
-     * - Pre-configured values will skip discovery steps
+     * - Pre-configured confidential clients must pin both OAuth endpoints
      */
-    oauth: z.ZodOptional<z.ZodObject<{
+    oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
         /** OAuth authorization endpoint (optional - can be auto-discovered) */
         authorization_url: z.ZodOptional<z.ZodString>;
         /** OAuth token endpoint (optional - can be auto-discovered) */
         token_url: z.ZodOptional<z.ZodString>;
         /** OAuth client ID (optional - can use dynamic registration) */
         client_id: z.ZodOptional<z.ZodString>;
-        /** OAuth client secret (optional - can use dynamic registration) */
+        /** OAuth client secret (requires explicit authorization and token endpoints) */
         client_secret: z.ZodOptional<z.ZodString>;
         /** OAuth scopes to request */
         scope: z.ZodOptional<z.ZodString>;
@@ -61,6 +61,43 @@ export declare const StdioOptionsSchema: z.ZodObject<{
         code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
         /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
         skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
+        /**
+         * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
+         * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
+         * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
+         * automatically from Protected Resource Metadata) is the standards-conformant
+         * route; `audience` covers the providers that ignore it.
+         *
+         * When set, the value is forwarded as-is on `/authorize` (both pre-configured
+         * and DCR-discovered paths). Whether it is also forwarded on the
+         * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
+         *
+         * The `authorization_code` exchange intentionally never receives `audience` —
+         * Auth0 binds audience from the original `/authorize` request and embeds it
+         * in the issued access token; sending it again is redundant.
+         *
+         * No canonicalization is applied — the audience identifier is provider-defined
+         * and may differ from the MCP server URL. This field is only accepted from
+         * trusted/admin MCP configuration and is rejected from user-managed servers.
+         */
+        audience: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether to also forward `audience` on the `refresh_token` grant body.
+         *
+         * Default: `true`. Required for Auth0, which strips the API audience from
+         * refreshed access tokens unless `audience` is re-supplied on every refresh
+         * — without it the next MCP call 401s once the initial access token expires.
+         *
+         * Set to `false` for providers that document refresh requests as
+         * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
+         * strict OAuth 2.0 token endpoints). Those providers maintain the original
+         * `aud` claim across refreshes when the initial token was resource-bound,
+         * so the extra parameter is redundant and may be rejected as
+         * `invalid_request`.
+         *
+         * Ignored when `audience` itself is not configured.
+         */
+        forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
         /** OAuth revocation endpoint (optional - can be auto-discovered) */
         revocation_endpoint: z.ZodOptional<z.ZodString>;
         /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
@@ -78,6 +115,8 @@ export declare const StdioOptionsSchema: z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }, {
@@ -93,6 +132,42 @@ export declare const StdioOptionsSchema: z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }>, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }>>;
@@ -183,6 +258,8 @@ export declare const StdioOptionsSchema: z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -202,6 +279,7 @@ export declare const StdioOptionsSchema: z.ZodObject<{
 }, {
     command: string;
     args: string[];
+    type?: "stdio" | undefined;
     title?: string | undefined;
     description?: string | undefined;
     startup?: boolean | undefined;
@@ -210,7 +288,6 @@ export declare const StdioOptionsSchema: z.ZodObject<{
     sseReadTimeout?: number | undefined;
     initTimeout?: number | undefined;
     chatMenu?: boolean | undefined;
-    type?: "stdio" | undefined;
     serverInstructions?: string | boolean | undefined;
     requiresOAuth?: boolean | undefined;
     oauth?: {
@@ -226,6 +303,8 @@ export declare const StdioOptionsSchema: z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -277,16 +356,16 @@ export declare const WebSocketOptionsSchema: z.ZodObject<{
     /**
      * OAuth configuration for SSE and Streamable HTTP transports
      * - Optional: OAuth can be auto-discovered on 401 responses
-     * - Pre-configured values will skip discovery steps
+     * - Pre-configured confidential clients must pin both OAuth endpoints
      */
-    oauth: z.ZodOptional<z.ZodObject<{
+    oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
         /** OAuth authorization endpoint (optional - can be auto-discovered) */
         authorization_url: z.ZodOptional<z.ZodString>;
         /** OAuth token endpoint (optional - can be auto-discovered) */
         token_url: z.ZodOptional<z.ZodString>;
         /** OAuth client ID (optional - can use dynamic registration) */
         client_id: z.ZodOptional<z.ZodString>;
-        /** OAuth client secret (optional - can use dynamic registration) */
+        /** OAuth client secret (requires explicit authorization and token endpoints) */
         client_secret: z.ZodOptional<z.ZodString>;
         /** OAuth scopes to request */
         scope: z.ZodOptional<z.ZodString>;
@@ -304,6 +383,43 @@ export declare const WebSocketOptionsSchema: z.ZodObject<{
         code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
         /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
         skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
+        /**
+         * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
+         * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
+         * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
+         * automatically from Protected Resource Metadata) is the standards-conformant
+         * route; `audience` covers the providers that ignore it.
+         *
+         * When set, the value is forwarded as-is on `/authorize` (both pre-configured
+         * and DCR-discovered paths). Whether it is also forwarded on the
+         * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
+         *
+         * The `authorization_code` exchange intentionally never receives `audience` —
+         * Auth0 binds audience from the original `/authorize` request and embeds it
+         * in the issued access token; sending it again is redundant.
+         *
+         * No canonicalization is applied — the audience identifier is provider-defined
+         * and may differ from the MCP server URL. This field is only accepted from
+         * trusted/admin MCP configuration and is rejected from user-managed servers.
+         */
+        audience: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether to also forward `audience` on the `refresh_token` grant body.
+         *
+         * Default: `true`. Required for Auth0, which strips the API audience from
+         * refreshed access tokens unless `audience` is re-supplied on every refresh
+         * — without it the next MCP call 401s once the initial access token expires.
+         *
+         * Set to `false` for providers that document refresh requests as
+         * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
+         * strict OAuth 2.0 token endpoints). Those providers maintain the original
+         * `aud` claim across refreshes when the initial token was resource-bound,
+         * so the extra parameter is redundant and may be rejected as
+         * `invalid_request`.
+         *
+         * Ignored when `audience` itself is not configured.
+         */
+        forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
         /** OAuth revocation endpoint (optional - can be auto-discovered) */
         revocation_endpoint: z.ZodOptional<z.ZodString>;
         /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
@@ -321,6 +437,42 @@ export declare const WebSocketOptionsSchema: z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }>, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }, {
@@ -336,6 +488,8 @@ export declare const WebSocketOptionsSchema: z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }>>;
@@ -405,6 +559,8 @@ export declare const WebSocketOptionsSchema: z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -421,6 +577,7 @@ export declare const WebSocketOptionsSchema: z.ZodObject<{
     }> | undefined;
 }, {
     url: string;
+    type?: "websocket" | undefined;
     title?: string | undefined;
     description?: string | undefined;
     startup?: boolean | undefined;
@@ -429,7 +586,6 @@ export declare const WebSocketOptionsSchema: z.ZodObject<{
     sseReadTimeout?: number | undefined;
     initTimeout?: number | undefined;
     chatMenu?: boolean | undefined;
-    type?: "websocket" | undefined;
     serverInstructions?: string | boolean | undefined;
     requiresOAuth?: boolean | undefined;
     oauth?: {
@@ -445,6 +601,8 @@ export declare const WebSocketOptionsSchema: z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -494,16 +652,16 @@ export declare const SSEOptionsSchema: z.ZodObject<{
     /**
      * OAuth configuration for SSE and Streamable HTTP transports
      * - Optional: OAuth can be auto-discovered on 401 responses
-     * - Pre-configured values will skip discovery steps
+     * - Pre-configured confidential clients must pin both OAuth endpoints
      */
-    oauth: z.ZodOptional<z.ZodObject<{
+    oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
         /** OAuth authorization endpoint (optional - can be auto-discovered) */
         authorization_url: z.ZodOptional<z.ZodString>;
         /** OAuth token endpoint (optional - can be auto-discovered) */
         token_url: z.ZodOptional<z.ZodString>;
         /** OAuth client ID (optional - can use dynamic registration) */
         client_id: z.ZodOptional<z.ZodString>;
-        /** OAuth client secret (optional - can use dynamic registration) */
+        /** OAuth client secret (requires explicit authorization and token endpoints) */
         client_secret: z.ZodOptional<z.ZodString>;
         /** OAuth scopes to request */
         scope: z.ZodOptional<z.ZodString>;
@@ -521,6 +679,43 @@ export declare const SSEOptionsSchema: z.ZodObject<{
         code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
         /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
         skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
+        /**
+         * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
+         * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
+         * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
+         * automatically from Protected Resource Metadata) is the standards-conformant
+         * route; `audience` covers the providers that ignore it.
+         *
+         * When set, the value is forwarded as-is on `/authorize` (both pre-configured
+         * and DCR-discovered paths). Whether it is also forwarded on the
+         * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
+         *
+         * The `authorization_code` exchange intentionally never receives `audience` —
+         * Auth0 binds audience from the original `/authorize` request and embeds it
+         * in the issued access token; sending it again is redundant.
+         *
+         * No canonicalization is applied — the audience identifier is provider-defined
+         * and may differ from the MCP server URL. This field is only accepted from
+         * trusted/admin MCP configuration and is rejected from user-managed servers.
+         */
+        audience: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether to also forward `audience` on the `refresh_token` grant body.
+         *
+         * Default: `true`. Required for Auth0, which strips the API audience from
+         * refreshed access tokens unless `audience` is re-supplied on every refresh
+         * — without it the next MCP call 401s once the initial access token expires.
+         *
+         * Set to `false` for providers that document refresh requests as
+         * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
+         * strict OAuth 2.0 token endpoints). Those providers maintain the original
+         * `aud` claim across refreshes when the initial token was resource-bound,
+         * so the extra parameter is redundant and may be rejected as
+         * `invalid_request`.
+         *
+         * Ignored when `audience` itself is not configured.
+         */
+        forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
         /** OAuth revocation endpoint (optional - can be auto-discovered) */
         revocation_endpoint: z.ZodOptional<z.ZodString>;
         /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
@@ -538,6 +733,42 @@ export declare const SSEOptionsSchema: z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }>, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }, {
@@ -553,6 +784,8 @@ export declare const SSEOptionsSchema: z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }>>;
@@ -596,6 +829,8 @@ export declare const SSEOptionsSchema: z.ZodObject<{
 } & {
     type: z.ZodDefault<z.ZodLiteral<"sse">>;
     headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    /** Optional outbound proxy URL for this remote MCP transport */
+    proxy: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
     url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
 }, "strip", z.ZodTypeAny, {
     type: "sse";
@@ -623,6 +858,8 @@ export declare const SSEOptionsSchema: z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -638,8 +875,10 @@ export declare const SSEOptionsSchema: z.ZodObject<{
         description: string;
     }> | undefined;
     headers?: Record<string, string> | undefined;
+    proxy?: string | undefined;
 }, {
     url: string;
+    type?: "sse" | undefined;
     title?: string | undefined;
     description?: string | undefined;
     startup?: boolean | undefined;
@@ -648,7 +887,6 @@ export declare const SSEOptionsSchema: z.ZodObject<{
     sseReadTimeout?: number | undefined;
     initTimeout?: number | undefined;
     chatMenu?: boolean | undefined;
-    type?: "sse" | undefined;
     serverInstructions?: string | boolean | undefined;
     requiresOAuth?: boolean | undefined;
     oauth?: {
@@ -664,6 +902,8 @@ export declare const SSEOptionsSchema: z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -679,6 +919,7 @@ export declare const SSEOptionsSchema: z.ZodObject<{
         description: string;
     }> | undefined;
     headers?: Record<string, string> | undefined;
+    proxy?: string | undefined;
 }>;
 export declare const StreamableHTTPOptionsSchema: z.ZodObject<{
     /** Display name for the MCP server - only letters, numbers, and spaces allowed */
@@ -714,16 +955,16 @@ export declare const StreamableHTTPOptionsSchema: z.ZodObject<{
     /**
      * OAuth configuration for SSE and Streamable HTTP transports
      * - Optional: OAuth can be auto-discovered on 401 responses
-     * - Pre-configured values will skip discovery steps
+     * - Pre-configured confidential clients must pin both OAuth endpoints
      */
-    oauth: z.ZodOptional<z.ZodObject<{
+    oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
         /** OAuth authorization endpoint (optional - can be auto-discovered) */
         authorization_url: z.ZodOptional<z.ZodString>;
         /** OAuth token endpoint (optional - can be auto-discovered) */
         token_url: z.ZodOptional<z.ZodString>;
         /** OAuth client ID (optional - can use dynamic registration) */
         client_id: z.ZodOptional<z.ZodString>;
-        /** OAuth client secret (optional - can use dynamic registration) */
+        /** OAuth client secret (requires explicit authorization and token endpoints) */
         client_secret: z.ZodOptional<z.ZodString>;
         /** OAuth scopes to request */
         scope: z.ZodOptional<z.ZodString>;
@@ -741,6 +982,43 @@ export declare const StreamableHTTPOptionsSchema: z.ZodObject<{
         code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
         /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
         skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
+        /**
+         * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
+         * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
+         * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
+         * automatically from Protected Resource Metadata) is the standards-conformant
+         * route; `audience` covers the providers that ignore it.
+         *
+         * When set, the value is forwarded as-is on `/authorize` (both pre-configured
+         * and DCR-discovered paths). Whether it is also forwarded on the
+         * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
+         *
+         * The `authorization_code` exchange intentionally never receives `audience` —
+         * Auth0 binds audience from the original `/authorize` request and embeds it
+         * in the issued access token; sending it again is redundant.
+         *
+         * No canonicalization is applied — the audience identifier is provider-defined
+         * and may differ from the MCP server URL. This field is only accepted from
+         * trusted/admin MCP configuration and is rejected from user-managed servers.
+         */
+        audience: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether to also forward `audience` on the `refresh_token` grant body.
+         *
+         * Default: `true`. Required for Auth0, which strips the API audience from
+         * refreshed access tokens unless `audience` is re-supplied on every refresh
+         * — without it the next MCP call 401s once the initial access token expires.
+         *
+         * Set to `false` for providers that document refresh requests as
+         * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
+         * strict OAuth 2.0 token endpoints). Those providers maintain the original
+         * `aud` claim across refreshes when the initial token was resource-bound,
+         * so the extra parameter is redundant and may be rejected as
+         * `invalid_request`.
+         *
+         * Ignored when `audience` itself is not configured.
+         */
+        forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
         /** OAuth revocation endpoint (optional - can be auto-discovered) */
         revocation_endpoint: z.ZodOptional<z.ZodString>;
         /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
@@ -758,6 +1036,42 @@ export declare const StreamableHTTPOptionsSchema: z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }>, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }, {
@@ -773,6 +1087,8 @@ export declare const StreamableHTTPOptionsSchema: z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }>>;
@@ -816,6 +1132,8 @@ export declare const StreamableHTTPOptionsSchema: z.ZodObject<{
 } & {
     type: z.ZodUnion<[z.ZodLiteral<"streamable-http">, z.ZodLiteral<"http">]>;
     headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    /** Optional outbound proxy URL for this remote MCP transport */
+    proxy: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
     url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
 }, "strip", z.ZodTypeAny, {
     type: "streamable-http" | "http";
@@ -843,6 +1161,8 @@ export declare const StreamableHTTPOptionsSchema: z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -858,6 +1178,7 @@ export declare const StreamableHTTPOptionsSchema: z.ZodObject<{
         description: string;
     }> | undefined;
     headers?: Record<string, string> | undefined;
+    proxy?: string | undefined;
 }, {
     type: "streamable-http" | "http";
     url: string;
@@ -884,6 +1205,8 @@ export declare const StreamableHTTPOptionsSchema: z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -899,6 +1222,7 @@ export declare const StreamableHTTPOptionsSchema: z.ZodObject<{
         description: string;
     }> | undefined;
     headers?: Record<string, string> | undefined;
+    proxy?: string | undefined;
 }>;
 export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
     /** Display name for the MCP server - only letters, numbers, and spaces allowed */
@@ -934,16 +1258,16 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
     /**
      * OAuth configuration for SSE and Streamable HTTP transports
      * - Optional: OAuth can be auto-discovered on 401 responses
-     * - Pre-configured values will skip discovery steps
+     * - Pre-configured confidential clients must pin both OAuth endpoints
      */
-    oauth: z.ZodOptional<z.ZodObject<{
+    oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
         /** OAuth authorization endpoint (optional - can be auto-discovered) */
         authorization_url: z.ZodOptional<z.ZodString>;
         /** OAuth token endpoint (optional - can be auto-discovered) */
         token_url: z.ZodOptional<z.ZodString>;
         /** OAuth client ID (optional - can use dynamic registration) */
         client_id: z.ZodOptional<z.ZodString>;
-        /** OAuth client secret (optional - can use dynamic registration) */
+        /** OAuth client secret (requires explicit authorization and token endpoints) */
         client_secret: z.ZodOptional<z.ZodString>;
         /** OAuth scopes to request */
         scope: z.ZodOptional<z.ZodString>;
@@ -961,6 +1285,43 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
         /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
         skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
+        /**
+         * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
+         * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
+         * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
+         * automatically from Protected Resource Metadata) is the standards-conformant
+         * route; `audience` covers the providers that ignore it.
+         *
+         * When set, the value is forwarded as-is on `/authorize` (both pre-configured
+         * and DCR-discovered paths). Whether it is also forwarded on the
+         * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
+         *
+         * The `authorization_code` exchange intentionally never receives `audience` —
+         * Auth0 binds audience from the original `/authorize` request and embeds it
+         * in the issued access token; sending it again is redundant.
+         *
+         * No canonicalization is applied — the audience identifier is provider-defined
+         * and may differ from the MCP server URL. This field is only accepted from
+         * trusted/admin MCP configuration and is rejected from user-managed servers.
+         */
+        audience: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether to also forward `audience` on the `refresh_token` grant body.
+         *
+         * Default: `true`. Required for Auth0, which strips the API audience from
+         * refreshed access tokens unless `audience` is re-supplied on every refresh
+         * — without it the next MCP call 401s once the initial access token expires.
+         *
+         * Set to `false` for providers that document refresh requests as
+         * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
+         * strict OAuth 2.0 token endpoints). Those providers maintain the original
+         * `aud` claim across refreshes when the initial token was resource-bound,
+         * so the extra parameter is redundant and may be rejected as
+         * `invalid_request`.
+         *
+         * Ignored when `audience` itself is not configured.
+         */
+        forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
         /** OAuth revocation endpoint (optional - can be auto-discovered) */
         revocation_endpoint: z.ZodOptional<z.ZodString>;
         /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
@@ -978,6 +1339,42 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }>, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }, {
@@ -993,6 +1390,8 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }>>;
@@ -1083,6 +1482,8 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -1102,6 +1503,7 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
 }, {
     command: string;
     args: string[];
+    type?: "stdio" | undefined;
     title?: string | undefined;
     description?: string | undefined;
     startup?: boolean | undefined;
@@ -1110,7 +1512,6 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
     sseReadTimeout?: number | undefined;
     initTimeout?: number | undefined;
     chatMenu?: boolean | undefined;
-    type?: "stdio" | undefined;
     serverInstructions?: string | boolean | undefined;
     requiresOAuth?: boolean | undefined;
     oauth?: {
@@ -1126,6 +1527,8 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -1176,16 +1579,16 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
     /**
      * OAuth configuration for SSE and Streamable HTTP transports
      * - Optional: OAuth can be auto-discovered on 401 responses
-     * - Pre-configured values will skip discovery steps
+     * - Pre-configured confidential clients must pin both OAuth endpoints
      */
-    oauth: z.ZodOptional<z.ZodObject<{
+    oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
         /** OAuth authorization endpoint (optional - can be auto-discovered) */
         authorization_url: z.ZodOptional<z.ZodString>;
         /** OAuth token endpoint (optional - can be auto-discovered) */
         token_url: z.ZodOptional<z.ZodString>;
         /** OAuth client ID (optional - can use dynamic registration) */
         client_id: z.ZodOptional<z.ZodString>;
-        /** OAuth client secret (optional - can use dynamic registration) */
+        /** OAuth client secret (requires explicit authorization and token endpoints) */
         client_secret: z.ZodOptional<z.ZodString>;
         /** OAuth scopes to request */
         scope: z.ZodOptional<z.ZodString>;
@@ -1203,6 +1606,43 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
         /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
         skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
+        /**
+         * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
+         * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
+         * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
+         * automatically from Protected Resource Metadata) is the standards-conformant
+         * route; `audience` covers the providers that ignore it.
+         *
+         * When set, the value is forwarded as-is on `/authorize` (both pre-configured
+         * and DCR-discovered paths). Whether it is also forwarded on the
+         * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
+         *
+         * The `authorization_code` exchange intentionally never receives `audience` —
+         * Auth0 binds audience from the original `/authorize` request and embeds it
+         * in the issued access token; sending it again is redundant.
+         *
+         * No canonicalization is applied — the audience identifier is provider-defined
+         * and may differ from the MCP server URL. This field is only accepted from
+         * trusted/admin MCP configuration and is rejected from user-managed servers.
+         */
+        audience: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether to also forward `audience` on the `refresh_token` grant body.
+         *
+         * Default: `true`. Required for Auth0, which strips the API audience from
+         * refreshed access tokens unless `audience` is re-supplied on every refresh
+         * — without it the next MCP call 401s once the initial access token expires.
+         *
+         * Set to `false` for providers that document refresh requests as
+         * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
+         * strict OAuth 2.0 token endpoints). Those providers maintain the original
+         * `aud` claim across refreshes when the initial token was resource-bound,
+         * so the extra parameter is redundant and may be rejected as
+         * `invalid_request`.
+         *
+         * Ignored when `audience` itself is not configured.
+         */
+        forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
         /** OAuth revocation endpoint (optional - can be auto-discovered) */
         revocation_endpoint: z.ZodOptional<z.ZodString>;
         /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
@@ -1220,6 +1660,42 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }>, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }, {
@@ -1235,6 +1711,8 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }>>;
@@ -1304,6 +1782,8 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -1320,6 +1800,7 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
     }> | undefined;
 }, {
     url: string;
+    type?: "websocket" | undefined;
     title?: string | undefined;
     description?: string | undefined;
     startup?: boolean | undefined;
@@ -1328,7 +1809,6 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
     sseReadTimeout?: number | undefined;
     initTimeout?: number | undefined;
     chatMenu?: boolean | undefined;
-    type?: "websocket" | undefined;
     serverInstructions?: string | boolean | undefined;
     requiresOAuth?: boolean | undefined;
     oauth?: {
@@ -1344,6 +1824,8 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -1392,16 +1874,16 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
     /**
      * OAuth configuration for SSE and Streamable HTTP transports
      * - Optional: OAuth can be auto-discovered on 401 responses
-     * - Pre-configured values will skip discovery steps
+     * - Pre-configured confidential clients must pin both OAuth endpoints
      */
-    oauth: z.ZodOptional<z.ZodObject<{
+    oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
         /** OAuth authorization endpoint (optional - can be auto-discovered) */
         authorization_url: z.ZodOptional<z.ZodString>;
         /** OAuth token endpoint (optional - can be auto-discovered) */
         token_url: z.ZodOptional<z.ZodString>;
         /** OAuth client ID (optional - can use dynamic registration) */
         client_id: z.ZodOptional<z.ZodString>;
-        /** OAuth client secret (optional - can use dynamic registration) */
+        /** OAuth client secret (requires explicit authorization and token endpoints) */
         client_secret: z.ZodOptional<z.ZodString>;
         /** OAuth scopes to request */
         scope: z.ZodOptional<z.ZodString>;
@@ -1419,6 +1901,43 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
         /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
         skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
+        /**
+         * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
+         * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
+         * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
+         * automatically from Protected Resource Metadata) is the standards-conformant
+         * route; `audience` covers the providers that ignore it.
+         *
+         * When set, the value is forwarded as-is on `/authorize` (both pre-configured
+         * and DCR-discovered paths). Whether it is also forwarded on the
+         * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
+         *
+         * The `authorization_code` exchange intentionally never receives `audience` —
+         * Auth0 binds audience from the original `/authorize` request and embeds it
+         * in the issued access token; sending it again is redundant.
+         *
+         * No canonicalization is applied — the audience identifier is provider-defined
+         * and may differ from the MCP server URL. This field is only accepted from
+         * trusted/admin MCP configuration and is rejected from user-managed servers.
+         */
+        audience: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether to also forward `audience` on the `refresh_token` grant body.
+         *
+         * Default: `true`. Required for Auth0, which strips the API audience from
+         * refreshed access tokens unless `audience` is re-supplied on every refresh
+         * — without it the next MCP call 401s once the initial access token expires.
+         *
+         * Set to `false` for providers that document refresh requests as
+         * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
+         * strict OAuth 2.0 token endpoints). Those providers maintain the original
+         * `aud` claim across refreshes when the initial token was resource-bound,
+         * so the extra parameter is redundant and may be rejected as
+         * `invalid_request`.
+         *
+         * Ignored when `audience` itself is not configured.
+         */
+        forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
         /** OAuth revocation endpoint (optional - can be auto-discovered) */
         revocation_endpoint: z.ZodOptional<z.ZodString>;
         /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
@@ -1436,6 +1955,42 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }>, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }, {
@@ -1451,6 +2006,8 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }>>;
@@ -1494,6 +2051,8 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
 } & {
     type: z.ZodDefault<z.ZodLiteral<"sse">>;
     headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    /** Optional outbound proxy URL for this remote MCP transport */
+    proxy: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
     url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
 }, "strip", z.ZodTypeAny, {
     type: "sse";
@@ -1521,6 +2080,8 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -1536,8 +2097,10 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         description: string;
     }> | undefined;
     headers?: Record<string, string> | undefined;
+    proxy?: string | undefined;
 }, {
     url: string;
+    type?: "sse" | undefined;
     title?: string | undefined;
     description?: string | undefined;
     startup?: boolean | undefined;
@@ -1546,7 +2109,6 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
     sseReadTimeout?: number | undefined;
     initTimeout?: number | undefined;
     chatMenu?: boolean | undefined;
-    type?: "sse" | undefined;
     serverInstructions?: string | boolean | undefined;
     requiresOAuth?: boolean | undefined;
     oauth?: {
@@ -1562,6 +2124,8 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -1577,6 +2141,7 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         description: string;
     }> | undefined;
     headers?: Record<string, string> | undefined;
+    proxy?: string | undefined;
 }>, z.ZodObject<{
     /** Display name for the MCP server - only letters, numbers, and spaces allowed */
     title: z.ZodOptional<z.ZodString>;
@@ -1611,16 +2176,16 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
     /**
      * OAuth configuration for SSE and Streamable HTTP transports
      * - Optional: OAuth can be auto-discovered on 401 responses
-     * - Pre-configured values will skip discovery steps
+     * - Pre-configured confidential clients must pin both OAuth endpoints
      */
-    oauth: z.ZodOptional<z.ZodObject<{
+    oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
         /** OAuth authorization endpoint (optional - can be auto-discovered) */
         authorization_url: z.ZodOptional<z.ZodString>;
         /** OAuth token endpoint (optional - can be auto-discovered) */
         token_url: z.ZodOptional<z.ZodString>;
         /** OAuth client ID (optional - can use dynamic registration) */
         client_id: z.ZodOptional<z.ZodString>;
-        /** OAuth client secret (optional - can use dynamic registration) */
+        /** OAuth client secret (requires explicit authorization and token endpoints) */
         client_secret: z.ZodOptional<z.ZodString>;
         /** OAuth scopes to request */
         scope: z.ZodOptional<z.ZodString>;
@@ -1638,6 +2203,43 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
         /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
         skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
+        /**
+         * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
+         * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
+         * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
+         * automatically from Protected Resource Metadata) is the standards-conformant
+         * route; `audience` covers the providers that ignore it.
+         *
+         * When set, the value is forwarded as-is on `/authorize` (both pre-configured
+         * and DCR-discovered paths). Whether it is also forwarded on the
+         * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
+         *
+         * The `authorization_code` exchange intentionally never receives `audience` —
+         * Auth0 binds audience from the original `/authorize` request and embeds it
+         * in the issued access token; sending it again is redundant.
+         *
+         * No canonicalization is applied — the audience identifier is provider-defined
+         * and may differ from the MCP server URL. This field is only accepted from
+         * trusted/admin MCP configuration and is rejected from user-managed servers.
+         */
+        audience: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether to also forward `audience` on the `refresh_token` grant body.
+         *
+         * Default: `true`. Required for Auth0, which strips the API audience from
+         * refreshed access tokens unless `audience` is re-supplied on every refresh
+         * — without it the next MCP call 401s once the initial access token expires.
+         *
+         * Set to `false` for providers that document refresh requests as
+         * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
+         * strict OAuth 2.0 token endpoints). Those providers maintain the original
+         * `aud` claim across refreshes when the initial token was resource-bound,
+         * so the extra parameter is redundant and may be rejected as
+         * `invalid_request`.
+         *
+         * Ignored when `audience` itself is not configured.
+         */
+        forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
         /** OAuth revocation endpoint (optional - can be auto-discovered) */
         revocation_endpoint: z.ZodOptional<z.ZodString>;
         /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
@@ -1655,6 +2257,42 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }>, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }, {
@@ -1670,6 +2308,8 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }>>;
@@ -1713,6 +2353,8 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
 } & {
     type: z.ZodUnion<[z.ZodLiteral<"streamable-http">, z.ZodLiteral<"http">]>;
     headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    /** Optional outbound proxy URL for this remote MCP transport */
+    proxy: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
     url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
 }, "strip", z.ZodTypeAny, {
     type: "streamable-http" | "http";
@@ -1740,6 +2382,8 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -1755,6 +2399,7 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         description: string;
     }> | undefined;
     headers?: Record<string, string> | undefined;
+    proxy?: string | undefined;
 }, {
     type: "streamable-http" | "http";
     url: string;
@@ -1781,6 +2426,8 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -1796,6 +2443,7 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
         description: string;
     }> | undefined;
     headers?: Record<string, string> | undefined;
+    proxy?: string | undefined;
 }>]>;
 export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.ZodObject<{
     /** Display name for the MCP server - only letters, numbers, and spaces allowed */
@@ -1831,16 +2479,16 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
     /**
      * OAuth configuration for SSE and Streamable HTTP transports
      * - Optional: OAuth can be auto-discovered on 401 responses
-     * - Pre-configured values will skip discovery steps
+     * - Pre-configured confidential clients must pin both OAuth endpoints
      */
-    oauth: z.ZodOptional<z.ZodObject<{
+    oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
         /** OAuth authorization endpoint (optional - can be auto-discovered) */
         authorization_url: z.ZodOptional<z.ZodString>;
         /** OAuth token endpoint (optional - can be auto-discovered) */
         token_url: z.ZodOptional<z.ZodString>;
         /** OAuth client ID (optional - can use dynamic registration) */
         client_id: z.ZodOptional<z.ZodString>;
-        /** OAuth client secret (optional - can use dynamic registration) */
+        /** OAuth client secret (requires explicit authorization and token endpoints) */
         client_secret: z.ZodOptional<z.ZodString>;
         /** OAuth scopes to request */
         scope: z.ZodOptional<z.ZodString>;
@@ -1858,6 +2506,43 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
         /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
         skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
+        /**
+         * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
+         * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
+         * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
+         * automatically from Protected Resource Metadata) is the standards-conformant
+         * route; `audience` covers the providers that ignore it.
+         *
+         * When set, the value is forwarded as-is on `/authorize` (both pre-configured
+         * and DCR-discovered paths). Whether it is also forwarded on the
+         * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
+         *
+         * The `authorization_code` exchange intentionally never receives `audience` —
+         * Auth0 binds audience from the original `/authorize` request and embeds it
+         * in the issued access token; sending it again is redundant.
+         *
+         * No canonicalization is applied — the audience identifier is provider-defined
+         * and may differ from the MCP server URL. This field is only accepted from
+         * trusted/admin MCP configuration and is rejected from user-managed servers.
+         */
+        audience: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether to also forward `audience` on the `refresh_token` grant body.
+         *
+         * Default: `true`. Required for Auth0, which strips the API audience from
+         * refreshed access tokens unless `audience` is re-supplied on every refresh
+         * — without it the next MCP call 401s once the initial access token expires.
+         *
+         * Set to `false` for providers that document refresh requests as
+         * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
+         * strict OAuth 2.0 token endpoints). Those providers maintain the original
+         * `aud` claim across refreshes when the initial token was resource-bound,
+         * so the extra parameter is redundant and may be rejected as
+         * `invalid_request`.
+         *
+         * Ignored when `audience` itself is not configured.
+         */
+        forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
         /** OAuth revocation endpoint (optional - can be auto-discovered) */
         revocation_endpoint: z.ZodOptional<z.ZodString>;
         /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
@@ -1875,6 +2560,8 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }, {
@@ -1890,20 +2577,56 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
-    }>>;
-    /** Custom headers to send with OAuth requests (registration, discovery, token exchange, etc.) */
-    oauth_headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
-    /**
-     * API Key authentication configuration for SSE and Streamable HTTP transports
-     * - source: 'admin' means the key is provided by admin and shared by all users
-     * - source: 'user' means each user provides their own key via customUserVars
-     */
-    apiKey: z.ZodOptional<z.ZodObject<{
-        /** API key value (only for admin-provided mode, stored encrypted) */
-        key: z.ZodOptional<z.ZodString>;
-        /** Whether key is provided by admin or each user */
+    }>, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }>>;
+    /** Custom headers to send with OAuth requests (registration, discovery, token exchange, etc.) */
+    oauth_headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    /**
+     * API Key authentication configuration for SSE and Streamable HTTP transports
+     * - source: 'admin' means the key is provided by admin and shared by all users
+     * - source: 'user' means each user provides their own key via customUserVars
+     */
+    apiKey: z.ZodOptional<z.ZodObject<{
+        /** API key value (only for admin-provided mode, stored encrypted) */
+        key: z.ZodOptional<z.ZodString>;
+        /** Whether key is provided by admin or each user */
         source: z.ZodEnum<["admin", "user"]>;
         /** How to format the authorization header */
         authorization_type: z.ZodEnum<["basic", "bearer", "custom"]>;
@@ -1980,6 +2703,8 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -1999,6 +2724,7 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
 }, {
     command: string;
     args: string[];
+    type?: "stdio" | undefined;
     title?: string | undefined;
     description?: string | undefined;
     startup?: boolean | undefined;
@@ -2007,7 +2733,6 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
     sseReadTimeout?: number | undefined;
     initTimeout?: number | undefined;
     chatMenu?: boolean | undefined;
-    type?: "stdio" | undefined;
     serverInstructions?: string | boolean | undefined;
     requiresOAuth?: boolean | undefined;
     oauth?: {
@@ -2023,6 +2748,8 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -2073,16 +2800,16 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
     /**
      * OAuth configuration for SSE and Streamable HTTP transports
      * - Optional: OAuth can be auto-discovered on 401 responses
-     * - Pre-configured values will skip discovery steps
+     * - Pre-configured confidential clients must pin both OAuth endpoints
      */
-    oauth: z.ZodOptional<z.ZodObject<{
+    oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
         /** OAuth authorization endpoint (optional - can be auto-discovered) */
         authorization_url: z.ZodOptional<z.ZodString>;
         /** OAuth token endpoint (optional - can be auto-discovered) */
         token_url: z.ZodOptional<z.ZodString>;
         /** OAuth client ID (optional - can use dynamic registration) */
         client_id: z.ZodOptional<z.ZodString>;
-        /** OAuth client secret (optional - can use dynamic registration) */
+        /** OAuth client secret (requires explicit authorization and token endpoints) */
         client_secret: z.ZodOptional<z.ZodString>;
         /** OAuth scopes to request */
         scope: z.ZodOptional<z.ZodString>;
@@ -2100,6 +2827,43 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
         /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
         skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
+        /**
+         * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
+         * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
+         * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
+         * automatically from Protected Resource Metadata) is the standards-conformant
+         * route; `audience` covers the providers that ignore it.
+         *
+         * When set, the value is forwarded as-is on `/authorize` (both pre-configured
+         * and DCR-discovered paths). Whether it is also forwarded on the
+         * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
+         *
+         * The `authorization_code` exchange intentionally never receives `audience` —
+         * Auth0 binds audience from the original `/authorize` request and embeds it
+         * in the issued access token; sending it again is redundant.
+         *
+         * No canonicalization is applied — the audience identifier is provider-defined
+         * and may differ from the MCP server URL. This field is only accepted from
+         * trusted/admin MCP configuration and is rejected from user-managed servers.
+         */
+        audience: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether to also forward `audience` on the `refresh_token` grant body.
+         *
+         * Default: `true`. Required for Auth0, which strips the API audience from
+         * refreshed access tokens unless `audience` is re-supplied on every refresh
+         * — without it the next MCP call 401s once the initial access token expires.
+         *
+         * Set to `false` for providers that document refresh requests as
+         * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
+         * strict OAuth 2.0 token endpoints). Those providers maintain the original
+         * `aud` claim across refreshes when the initial token was resource-bound,
+         * so the extra parameter is redundant and may be rejected as
+         * `invalid_request`.
+         *
+         * Ignored when `audience` itself is not configured.
+         */
+        forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
         /** OAuth revocation endpoint (optional - can be auto-discovered) */
         revocation_endpoint: z.ZodOptional<z.ZodString>;
         /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
@@ -2117,6 +2881,42 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }>, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }, {
@@ -2132,6 +2932,8 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }>>;
@@ -2201,6 +3003,8 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -2217,6 +3021,7 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
     }> | undefined;
 }, {
     url: string;
+    type?: "websocket" | undefined;
     title?: string | undefined;
     description?: string | undefined;
     startup?: boolean | undefined;
@@ -2225,7 +3030,6 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
     sseReadTimeout?: number | undefined;
     initTimeout?: number | undefined;
     chatMenu?: boolean | undefined;
-    type?: "websocket" | undefined;
     serverInstructions?: string | boolean | undefined;
     requiresOAuth?: boolean | undefined;
     oauth?: {
@@ -2241,6 +3045,8 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -2289,16 +3095,16 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
     /**
      * OAuth configuration for SSE and Streamable HTTP transports
      * - Optional: OAuth can be auto-discovered on 401 responses
-     * - Pre-configured values will skip discovery steps
+     * - Pre-configured confidential clients must pin both OAuth endpoints
      */
-    oauth: z.ZodOptional<z.ZodObject<{
+    oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
         /** OAuth authorization endpoint (optional - can be auto-discovered) */
         authorization_url: z.ZodOptional<z.ZodString>;
         /** OAuth token endpoint (optional - can be auto-discovered) */
         token_url: z.ZodOptional<z.ZodString>;
         /** OAuth client ID (optional - can use dynamic registration) */
         client_id: z.ZodOptional<z.ZodString>;
-        /** OAuth client secret (optional - can use dynamic registration) */
+        /** OAuth client secret (requires explicit authorization and token endpoints) */
         client_secret: z.ZodOptional<z.ZodString>;
         /** OAuth scopes to request */
         scope: z.ZodOptional<z.ZodString>;
@@ -2316,6 +3122,43 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
         /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
         skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
+        /**
+         * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
+         * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
+         * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
+         * automatically from Protected Resource Metadata) is the standards-conformant
+         * route; `audience` covers the providers that ignore it.
+         *
+         * When set, the value is forwarded as-is on `/authorize` (both pre-configured
+         * and DCR-discovered paths). Whether it is also forwarded on the
+         * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
+         *
+         * The `authorization_code` exchange intentionally never receives `audience` —
+         * Auth0 binds audience from the original `/authorize` request and embeds it
+         * in the issued access token; sending it again is redundant.
+         *
+         * No canonicalization is applied — the audience identifier is provider-defined
+         * and may differ from the MCP server URL. This field is only accepted from
+         * trusted/admin MCP configuration and is rejected from user-managed servers.
+         */
+        audience: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether to also forward `audience` on the `refresh_token` grant body.
+         *
+         * Default: `true`. Required for Auth0, which strips the API audience from
+         * refreshed access tokens unless `audience` is re-supplied on every refresh
+         * — without it the next MCP call 401s once the initial access token expires.
+         *
+         * Set to `false` for providers that document refresh requests as
+         * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
+         * strict OAuth 2.0 token endpoints). Those providers maintain the original
+         * `aud` claim across refreshes when the initial token was resource-bound,
+         * so the extra parameter is redundant and may be rejected as
+         * `invalid_request`.
+         *
+         * Ignored when `audience` itself is not configured.
+         */
+        forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
         /** OAuth revocation endpoint (optional - can be auto-discovered) */
         revocation_endpoint: z.ZodOptional<z.ZodString>;
         /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
@@ -2333,6 +3176,8 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }, {
@@ -2348,6 +3193,42 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }>, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }>>;
@@ -2391,6 +3272,8 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
 } & {
     type: z.ZodDefault<z.ZodLiteral<"sse">>;
     headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    /** Optional outbound proxy URL for this remote MCP transport */
+    proxy: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
     url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
 }, "strip", z.ZodTypeAny, {
     type: "sse";
@@ -2418,6 +3301,8 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -2433,8 +3318,10 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         description: string;
     }> | undefined;
     headers?: Record<string, string> | undefined;
+    proxy?: string | undefined;
 }, {
     url: string;
+    type?: "sse" | undefined;
     title?: string | undefined;
     description?: string | undefined;
     startup?: boolean | undefined;
@@ -2443,7 +3330,6 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
     sseReadTimeout?: number | undefined;
     initTimeout?: number | undefined;
     chatMenu?: boolean | undefined;
-    type?: "sse" | undefined;
     serverInstructions?: string | boolean | undefined;
     requiresOAuth?: boolean | undefined;
     oauth?: {
@@ -2459,6 +3345,8 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -2474,6 +3362,7 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         description: string;
     }> | undefined;
     headers?: Record<string, string> | undefined;
+    proxy?: string | undefined;
 }>, z.ZodObject<{
     /** Display name for the MCP server - only letters, numbers, and spaces allowed */
     title: z.ZodOptional<z.ZodString>;
@@ -2508,16 +3397,16 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
     /**
      * OAuth configuration for SSE and Streamable HTTP transports
      * - Optional: OAuth can be auto-discovered on 401 responses
-     * - Pre-configured values will skip discovery steps
+     * - Pre-configured confidential clients must pin both OAuth endpoints
      */
-    oauth: z.ZodOptional<z.ZodObject<{
+    oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
         /** OAuth authorization endpoint (optional - can be auto-discovered) */
         authorization_url: z.ZodOptional<z.ZodString>;
         /** OAuth token endpoint (optional - can be auto-discovered) */
         token_url: z.ZodOptional<z.ZodString>;
         /** OAuth client ID (optional - can use dynamic registration) */
         client_id: z.ZodOptional<z.ZodString>;
-        /** OAuth client secret (optional - can use dynamic registration) */
+        /** OAuth client secret (requires explicit authorization and token endpoints) */
         client_secret: z.ZodOptional<z.ZodString>;
         /** OAuth scopes to request */
         scope: z.ZodOptional<z.ZodString>;
@@ -2535,6 +3424,43 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
         /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
         skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
+        /**
+         * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
+         * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
+         * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
+         * automatically from Protected Resource Metadata) is the standards-conformant
+         * route; `audience` covers the providers that ignore it.
+         *
+         * When set, the value is forwarded as-is on `/authorize` (both pre-configured
+         * and DCR-discovered paths). Whether it is also forwarded on the
+         * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
+         *
+         * The `authorization_code` exchange intentionally never receives `audience` —
+         * Auth0 binds audience from the original `/authorize` request and embeds it
+         * in the issued access token; sending it again is redundant.
+         *
+         * No canonicalization is applied — the audience identifier is provider-defined
+         * and may differ from the MCP server URL. This field is only accepted from
+         * trusted/admin MCP configuration and is rejected from user-managed servers.
+         */
+        audience: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether to also forward `audience` on the `refresh_token` grant body.
+         *
+         * Default: `true`. Required for Auth0, which strips the API audience from
+         * refreshed access tokens unless `audience` is re-supplied on every refresh
+         * — without it the next MCP call 401s once the initial access token expires.
+         *
+         * Set to `false` for providers that document refresh requests as
+         * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
+         * strict OAuth 2.0 token endpoints). Those providers maintain the original
+         * `aud` claim across refreshes when the initial token was resource-bound,
+         * so the extra parameter is redundant and may be rejected as
+         * `invalid_request`.
+         *
+         * Ignored when `audience` itself is not configured.
+         */
+        forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
         /** OAuth revocation endpoint (optional - can be auto-discovered) */
         revocation_endpoint: z.ZodOptional<z.ZodString>;
         /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
@@ -2552,6 +3478,8 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }, {
@@ -2567,6 +3495,42 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }>, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     }>>;
@@ -2610,6 +3574,8 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
 } & {
     type: z.ZodUnion<[z.ZodLiteral<"streamable-http">, z.ZodLiteral<"http">]>;
     headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    /** Optional outbound proxy URL for this remote MCP transport */
+    proxy: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
     url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
 }, "strip", z.ZodTypeAny, {
     type: "streamable-http" | "http";
@@ -2637,6 +3603,8 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -2652,6 +3620,7 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         description: string;
     }> | undefined;
     headers?: Record<string, string> | undefined;
+    proxy?: string | undefined;
 }, {
     type: "streamable-http" | "http";
     url: string;
@@ -2678,6 +3647,8 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         response_types_supported?: string[] | undefined;
         code_challenge_methods_supported?: string[] | undefined;
         skip_code_challenge_check?: boolean | undefined;
+        audience?: string | undefined;
+        forward_audience_on_refresh?: boolean | undefined;
         revocation_endpoint?: string | undefined;
         revocation_endpoint_auth_methods_supported?: string[] | undefined;
     } | undefined;
@@ -2693,12 +3664,14 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
         description: string;
     }> | undefined;
     headers?: Record<string, string> | undefined;
+    proxy?: string | undefined;
 }>]>>;
 export type MCPOptions = z.infer<typeof MCPOptionsSchema>;
 /**
  * MCP Server configuration that comes from UI/API input only.
  * Omits server-managed fields like startup, timeout, customUserVars, etc.
- * Allows: title, description, url, iconPath, oauth (user credentials)
+ * Allows: title, description, url, iconPath, oauth (user credentials).
+ * Admin-only OAuth audience fields are rejected for user-managed servers.
  *
  * SECURITY: Stdio transport is intentionally excluded from user input.
  * Stdio allows arbitrary command execution and should only be configured
@@ -2714,41 +3687,314 @@ export type MCPOptions = z.infer<typeof MCPOptionsSchema>;
 export declare const MCPServerUserInputSchema: z.ZodUnion<[z.ZodObject<{
     [x: string]: z.ZodTypeAny;
     [x: number]: z.ZodTypeAny;
+    oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
+        client_id: z.ZodOptional<z.ZodString>;
+        client_secret: z.ZodOptional<z.ZodString>;
+        scope: z.ZodOptional<z.ZodString>;
+        redirect_uri: z.ZodOptional<z.ZodString>;
+        token_exchange_method: z.ZodOptional<z.ZodNativeEnum<typeof TokenExchangeMethodEnum>>;
+        grant_types_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        token_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        response_types_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
+        revocation_endpoint: z.ZodOptional<z.ZodString>;
+        revocation_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    } & {
+        authorization_url: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
+        token_url: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
+        audience: z.ZodOptional<z.ZodNever>;
+        forward_audience_on_refresh: z.ZodOptional<z.ZodNever>;
+    }, "strip", z.ZodTypeAny, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: undefined;
+        forward_audience_on_refresh?: undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: undefined;
+        forward_audience_on_refresh?: undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }>, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: undefined;
+        forward_audience_on_refresh?: undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: undefined;
+        forward_audience_on_refresh?: undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }>>;
 } & {
     url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
 }, z.UnknownKeysParam, z.ZodTypeAny, {
     [x: string]: any;
     [x: number]: any;
+    oauth?: unknown;
     url?: unknown;
 }, {
     [x: string]: any;
     [x: number]: any;
+    oauth?: unknown;
     url?: unknown;
 }>, z.ZodObject<{
     [x: string]: z.ZodTypeAny;
     [x: number]: z.ZodTypeAny;
+    oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
+        client_id: z.ZodOptional<z.ZodString>;
+        client_secret: z.ZodOptional<z.ZodString>;
+        scope: z.ZodOptional<z.ZodString>;
+        redirect_uri: z.ZodOptional<z.ZodString>;
+        token_exchange_method: z.ZodOptional<z.ZodNativeEnum<typeof TokenExchangeMethodEnum>>;
+        grant_types_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        token_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        response_types_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
+        revocation_endpoint: z.ZodOptional<z.ZodString>;
+        revocation_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    } & {
+        authorization_url: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
+        token_url: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
+        audience: z.ZodOptional<z.ZodNever>;
+        forward_audience_on_refresh: z.ZodOptional<z.ZodNever>;
+    }, "strip", z.ZodTypeAny, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: undefined;
+        forward_audience_on_refresh?: undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: undefined;
+        forward_audience_on_refresh?: undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }>, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: undefined;
+        forward_audience_on_refresh?: undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: undefined;
+        forward_audience_on_refresh?: undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }>>;
 } & {
+    proxy: z.ZodOptional<z.ZodNever>;
     url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
 }, z.UnknownKeysParam, z.ZodTypeAny, {
     [x: string]: any;
     [x: number]: any;
+    oauth?: unknown;
+    proxy?: unknown;
     url?: unknown;
 }, {
     [x: string]: any;
     [x: number]: any;
+    oauth?: unknown;
+    proxy?: unknown;
     url?: unknown;
 }>, z.ZodObject<{
     [x: string]: z.ZodTypeAny;
     [x: number]: z.ZodTypeAny;
+    oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
+        client_id: z.ZodOptional<z.ZodString>;
+        client_secret: z.ZodOptional<z.ZodString>;
+        scope: z.ZodOptional<z.ZodString>;
+        redirect_uri: z.ZodOptional<z.ZodString>;
+        token_exchange_method: z.ZodOptional<z.ZodNativeEnum<typeof TokenExchangeMethodEnum>>;
+        grant_types_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        token_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        response_types_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
+        revocation_endpoint: z.ZodOptional<z.ZodString>;
+        revocation_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    } & {
+        authorization_url: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
+        token_url: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
+        audience: z.ZodOptional<z.ZodNever>;
+        forward_audience_on_refresh: z.ZodOptional<z.ZodNever>;
+    }, "strip", z.ZodTypeAny, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: undefined;
+        forward_audience_on_refresh?: undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: undefined;
+        forward_audience_on_refresh?: undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }>, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: undefined;
+        forward_audience_on_refresh?: undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }, {
+        authorization_url?: string | undefined;
+        token_url?: string | undefined;
+        client_id?: string | undefined;
+        client_secret?: string | undefined;
+        scope?: string | undefined;
+        redirect_uri?: string | undefined;
+        token_exchange_method?: TokenExchangeMethodEnum | undefined;
+        grant_types_supported?: string[] | undefined;
+        token_endpoint_auth_methods_supported?: string[] | undefined;
+        response_types_supported?: string[] | undefined;
+        code_challenge_methods_supported?: string[] | undefined;
+        skip_code_challenge_check?: boolean | undefined;
+        audience?: undefined;
+        forward_audience_on_refresh?: undefined;
+        revocation_endpoint?: string | undefined;
+        revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    }>>;
 } & {
+    proxy: z.ZodOptional<z.ZodNever>;
     url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
 }, z.UnknownKeysParam, z.ZodTypeAny, {
     [x: string]: any;
     [x: number]: any;
+    oauth?: unknown;
+    proxy?: unknown;
     url?: unknown;
 }, {
     [x: string]: any;
     [x: number]: any;
+    oauth?: unknown;
+    proxy?: unknown;
     url?: unknown;
 }>]>;
 export type MCPServerUserInput = z.infer<typeof MCPServerUserInputSchema>;