librechat-data-provider 0.8.502 → 0.8.504

Files changed (49) hide show
  1. package/dist/data-service-BFGYAHRx.mjs +6519 -0
  2. package/dist/data-service-BFGYAHRx.mjs.map +1 -0
  3. package/dist/data-service-Dk-uLruo.js +8518 -0
  4. package/dist/data-service-Dk-uLruo.js.map +1 -0
  5. package/dist/index.js +6592 -2
  6. package/dist/index.js.map +1 -1
  7. package/dist/index.mjs +6161 -0
  8. package/dist/index.mjs.map +1 -0
  9. package/dist/react-query/index.js +361 -0
  10. package/dist/react-query/index.js.map +1 -0
  11. package/dist/react-query/index.mjs +326 -0
  12. package/dist/react-query/index.mjs.map +1 -0
  13. package/dist/types/accessPermissions.d.ts +13 -10
  14. package/dist/types/actions.d.ts +2 -2
  15. package/dist/types/api-endpoints.d.ts +19 -10
  16. package/dist/types/bedrock.d.ts +258 -212
  17. package/dist/types/config.d.ts +4823 -2612
  18. package/dist/types/data-service.d.ts +28 -8
  19. package/dist/types/file-config.d.ts +12 -12
  20. package/dist/types/generate.d.ts +66 -53
  21. package/dist/types/keys.d.ts +7 -0
  22. package/dist/types/limits.d.ts +2 -0
  23. package/dist/types/mcp.d.ts +1774 -249
  24. package/dist/types/models.d.ts +347 -206
  25. package/dist/types/parameterSettings.d.ts +6 -0
  26. package/dist/types/parsers.d.ts +8 -8
  27. package/dist/types/permissions.d.ts +65 -9
  28. package/dist/types/react-query/react-query-service.d.ts +1 -31
  29. package/dist/types/request.d.ts +1 -1
  30. package/dist/types/roles.d.ts +52 -0
  31. package/dist/types/schemas.d.ts +409 -143
  32. package/dist/types/types/agents.d.ts +15 -1
  33. package/dist/types/types/files.d.ts +1 -1
  34. package/dist/types/types/mutations.d.ts +1 -0
  35. package/dist/types/types/queries.d.ts +16 -3
  36. package/dist/types/types/skills.d.ts +72 -9
  37. package/dist/types/types.d.ts +48 -5
  38. package/package.json +11 -13
  39. package/dist/index.es.js +0 -2
  40. package/dist/index.es.js.map +0 -1
  41. package/dist/react-query/index.es.js +0 -2
  42. package/dist/react-query/index.es.js.map +0 -1
  43. package/dist/types/balance.spec.d.ts +0 -1
  44. package/dist/types/cloudfront-config.spec.d.ts +0 -1
  45. package/dist/types/codeEnvRef.spec.d.ts +0 -1
  46. package/dist/types/config.spec.d.ts +0 -1
  47. package/dist/types/file-config.spec.d.ts +0 -1
  48. package/dist/types/roles.spec.d.ts +0 -1
  49. package/dist/types/schemas.spec.d.ts +0 -1
@@ -34,21 +34,21 @@ export declare const StdioOptionsSchema: z.ZodObject<{
34
34
  /**
35
35
  * OAuth configuration for SSE and Streamable HTTP transports
36
36
  * - Optional: OAuth can be auto-discovered on 401 responses
37
- * - Pre-configured values will skip discovery steps
37
+ * - Pre-configured confidential clients must pin both OAuth endpoints
38
38
  */
39
- oauth: z.ZodOptional<z.ZodObject<{
39
+ oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
40
40
  /** OAuth authorization endpoint (optional - can be auto-discovered) */
41
- authorization_url: z.ZodOptional<z.ZodString>;
41
+ authorization_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
42
42
  /** OAuth token endpoint (optional - can be auto-discovered) */
43
- token_url: z.ZodOptional<z.ZodString>;
43
+ token_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
44
44
  /** OAuth client ID (optional - can use dynamic registration) */
45
45
  client_id: z.ZodOptional<z.ZodString>;
46
- /** OAuth client secret (optional - can use dynamic registration) */
46
+ /** OAuth client secret (requires explicit authorization and token endpoints) */
47
47
  client_secret: z.ZodOptional<z.ZodString>;
48
48
  /** OAuth scopes to request */
49
49
  scope: z.ZodOptional<z.ZodString>;
50
50
  /** OAuth redirect URI (defaults to /api/mcp/{serverName}/oauth/callback) */
51
- redirect_uri: z.ZodOptional<z.ZodString>;
51
+ redirect_uri: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
52
52
  /** Token exchange method */
53
53
  token_exchange_method: z.ZodOptional<z.ZodNativeEnum<typeof TokenExchangeMethodEnum>>;
54
54
  /** Supported grant types (defaults to ['authorization_code', 'refresh_token']) */
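Review bot: The per-field comments on `authorization_url` and `token_url` still read "(optional - can be auto-discovered)", which contradicts the new `client_secret` comment and the block comment requiring confidential clients to pin both endpoints. Someone reading only the field comments would set a `client_secret` without endpoints and be rejected, presumably by the refinement behind the new `ZodEffects` wrapper, whose logic is not visible in a declaration file. I would change them to `/** OAuth authorization endpoint (auto-discoverable; required when client_secret is set) */` and the equivalent for `token_url`. The same stale comments appear in the WebSocketOptionsSchema hunk (`@@ -277,21 +369,21 @@`) and the SSEOptionsSchema hunk (`@@ -494,21 +678,21 @@`). This file is generated, so the edit belongs in the schema source; the object literal also continues outside the hunk.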
@@ -61,8 +61,45 @@ export declare const StdioOptionsSchema: z.ZodObject<{
61
61
  code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
62
62
  /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
63
63
  skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
64
+ /**
65
+ * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
66
+ * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
67
+ * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
68
+ * automatically from Protected Resource Metadata) is the standards-conformant
69
+ * route; `audience` covers the providers that ignore it.
70
+ *
71
+ * When set, the value is forwarded as-is on `/authorize` (both pre-configured
72
+ * and DCR-discovered paths). Whether it is also forwarded on the
73
+ * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
74
+ *
75
+ * The `authorization_code` exchange intentionally never receives `audience` —
76
+ * Auth0 binds audience from the original `/authorize` request and embeds it
77
+ * in the issued access token; sending it again is redundant.
78
+ *
79
+ * No canonicalization is applied — the audience identifier is provider-defined
80
+ * and may differ from the MCP server URL. This field is only accepted from
81
+ * trusted/admin MCP configuration and is rejected from user-managed servers.
82
+ */
83
+ audience: z.ZodOptional<z.ZodString>;
84
+ /**
85
+ * Whether to also forward `audience` on the `refresh_token` grant body.
86
+ *
87
+ * Default: `true`. Required for Auth0, which strips the API audience from
88
+ * refreshed access tokens unless `audience` is re-supplied on every refresh
89
+ * — without it the next MCP call 401s once the initial access token expires.
90
+ *
91
+ * Set to `false` for providers that document refresh requests as
92
+ * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
93
+ * strict OAuth 2.0 token endpoints). Those providers maintain the original
94
+ * `aud` claim across refreshes when the initial token was resource-bound,
95
+ * so the extra parameter is redundant and may be rejected as
96
+ * `invalid_request`.
97
+ *
98
+ * Ignored when `audience` itself is not configured.
99
+ */
100
+ forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
64
101
  /** OAuth revocation endpoint (optional - can be auto-discovered) */
65
- revocation_endpoint: z.ZodOptional<z.ZodString>;
102
+ revocation_endpoint: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
66
103
  /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
67
104
  revocation_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
68
105
  }, "strip", z.ZodTypeAny, {
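Review bot: `revocation_endpoint` keeps its "(optional - can be auto-discovered)" comment, while the pinning rule documented in this release names only the authorization and token endpoints. A confidential client normally authenticates to the revocation endpoint as well (RFC 7009), so if discovery can still supply that URL, the configured `client_secret` may be presented to an endpoint the operator never pinned. Whether the refinement or the runtime already prevents this cannot be seen from the declaration. At minimum the comment should state the behaviour, e.g. `/** OAuth revocation endpoint (auto-discoverable; pin it when client_secret is set) */`, and the source schema is where to confirm it. The same lines recur in the hunks at `@@ -304,8 +396,45 @@` and `@@ -521,8 +705,45 @@`.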
@@ -78,6 +115,8 @@ export declare const StdioOptionsSchema: z.ZodObject<{
78
115
  response_types_supported?: string[] | undefined;
79
116
  code_challenge_methods_supported?: string[] | undefined;
80
117
  skip_code_challenge_check?: boolean | undefined;
118
+ audience?: string | undefined;
119
+ forward_audience_on_refresh?: boolean | undefined;
81
120
  revocation_endpoint?: string | undefined;
82
121
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
83
122
  }, {
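Review bot: `audience` reaches the parsed output as a plain `string | undefined`, so nothing in this schema separates admin-supplied values from user-supplied ones, although the field's doc comment says it is rejected from user-managed servers. That rejection must therefore happen in another layer. The comment should name that layer, or at least say "enforced outside this schema", so that code validating user-submitted server configs with this schema alone does not assume the check has run. The declaration continues outside the hunk, and the same addition repeats in the inferred-type hunks of the other transport schemas.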
@@ -93,6 +132,42 @@ export declare const StdioOptionsSchema: z.ZodObject<{
93
132
  response_types_supported?: string[] | undefined;
94
133
  code_challenge_methods_supported?: string[] | undefined;
95
134
  skip_code_challenge_check?: boolean | undefined;
135
+ audience?: string | undefined;
136
+ forward_audience_on_refresh?: boolean | undefined;
137
+ revocation_endpoint?: string | undefined;
138
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
139
+ }>, {
140
+ authorization_url?: string | undefined;
141
+ token_url?: string | undefined;
142
+ client_id?: string | undefined;
143
+ client_secret?: string | undefined;
144
+ scope?: string | undefined;
145
+ redirect_uri?: string | undefined;
146
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
147
+ grant_types_supported?: string[] | undefined;
148
+ token_endpoint_auth_methods_supported?: string[] | undefined;
149
+ response_types_supported?: string[] | undefined;
150
+ code_challenge_methods_supported?: string[] | undefined;
151
+ skip_code_challenge_check?: boolean | undefined;
152
+ audience?: string | undefined;
153
+ forward_audience_on_refresh?: boolean | undefined;
154
+ revocation_endpoint?: string | undefined;
155
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
156
+ }, {
157
+ authorization_url?: string | undefined;
158
+ token_url?: string | undefined;
159
+ client_id?: string | undefined;
160
+ client_secret?: string | undefined;
161
+ scope?: string | undefined;
162
+ redirect_uri?: string | undefined;
163
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
164
+ grant_types_supported?: string[] | undefined;
165
+ token_endpoint_auth_methods_supported?: string[] | undefined;
166
+ response_types_supported?: string[] | undefined;
167
+ code_challenge_methods_supported?: string[] | undefined;
168
+ skip_code_challenge_check?: boolean | undefined;
169
+ audience?: string | undefined;
170
+ forward_audience_on_refresh?: boolean | undefined;
96
171
  revocation_endpoint?: string | undefined;
97
172
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
98
173
  }>>;
@@ -113,12 +188,12 @@ export declare const StdioOptionsSchema: z.ZodObject<{
113
188
  /** Custom header name when authorization_type is 'custom' */
114
189
  custom_header: z.ZodOptional<z.ZodString>;
115
190
  }, "strip", z.ZodTypeAny, {
116
- source: "admin" | "user";
191
+ source: "user" | "admin";
117
192
  authorization_type: "custom" | "basic" | "bearer";
118
193
  key?: string | undefined;
119
194
  custom_header?: string | undefined;
120
195
  }, {
121
- source: "admin" | "user";
196
+ source: "user" | "admin";
122
197
  authorization_type: "custom" | "basic" | "bearer";
123
198
  key?: string | undefined;
124
199
  custom_header?: string | undefined;
@@ -126,15 +201,24 @@ export declare const StdioOptionsSchema: z.ZodObject<{
126
201
  customUserVars: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
127
202
  title: z.ZodString;
128
203
  description: z.ZodString;
204
+ /**
205
+ * Whether the field holds a secret and should be masked in the UI.
206
+ * Defaults to masked when omitted; set to `false` for non-secret setup
207
+ * values (e.g. username, project key, base URL) to render as plain text.
208
+ */
209
+ sensitive: z.ZodOptional<z.ZodBoolean>;
129
210
  }, "strip", z.ZodTypeAny, {
130
- title: string;
131
211
  description: string;
132
- }, {
133
212
  title: string;
213
+ sensitive?: boolean | undefined;
214
+ }, {
134
215
  description: string;
216
+ title: string;
217
+ sensitive?: boolean | undefined;
135
218
  }>>>;
136
219
  } & {
137
220
  type: z.ZodDefault<z.ZodLiteral<"stdio">>;
221
+ obo: z.ZodOptional<z.ZodUndefined>;
138
222
  /**
139
223
  * The executable to run to start the server.
140
224
  */
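Review bot: The comment on `sensitive` promises "Defaults to masked when omitted", but the field is `z.ZodOptional<z.ZodBoolean>` rather than a `ZodDefault` (compare `type: z.ZodDefault<...>` a few lines below). The parsed value is therefore `undefined`, and the default has to be applied by each consumer. A consumer that tests truthiness (`if (field.sensitive)`) would render an unmarked secret as plain text, which is the unsafe direction. I would extend the comment with `Parsed value stays undefined when omitted; treat anything other than an explicit false as masked.` `forward_audience_on_refresh` ("Default: `true`") in the oauth hunk has the same shape, and this hunk repeats for WebSocketOptionsSchema at `@@ -369,27 +536,36 @@`.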
@@ -160,14 +244,15 @@ export declare const StdioOptionsSchema: z.ZodObject<{
160
244
  type: "stdio";
161
245
  command: string;
162
246
  args: string[];
163
- title?: string | undefined;
164
247
  description?: string | undefined;
248
+ title?: string | undefined;
249
+ chatMenu?: boolean | undefined;
250
+ env?: Record<string, string> | undefined;
165
251
  startup?: boolean | undefined;
166
252
  iconPath?: string | undefined;
167
253
  timeout?: number | undefined;
168
254
  sseReadTimeout?: number | undefined;
169
255
  initTimeout?: number | undefined;
170
- chatMenu?: boolean | undefined;
171
256
  serverInstructions?: string | boolean | undefined;
172
257
  requiresOAuth?: boolean | undefined;
173
258
  oauth?: {
@@ -183,34 +268,38 @@ export declare const StdioOptionsSchema: z.ZodObject<{
183
268
  response_types_supported?: string[] | undefined;
184
269
  code_challenge_methods_supported?: string[] | undefined;
185
270
  skip_code_challenge_check?: boolean | undefined;
271
+ audience?: string | undefined;
272
+ forward_audience_on_refresh?: boolean | undefined;
186
273
  revocation_endpoint?: string | undefined;
187
274
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
188
275
  } | undefined;
189
276
  oauth_headers?: Record<string, string> | undefined;
190
277
  apiKey?: {
191
- source: "admin" | "user";
278
+ source: "user" | "admin";
192
279
  authorization_type: "custom" | "basic" | "bearer";
193
280
  key?: string | undefined;
194
281
  custom_header?: string | undefined;
195
282
  } | undefined;
196
283
  customUserVars?: Record<string, {
197
- title: string;
198
284
  description: string;
285
+ title: string;
286
+ sensitive?: boolean | undefined;
199
287
  }> | undefined;
200
- env?: Record<string, string> | undefined;
288
+ obo?: undefined;
201
289
  stderr?: number | "pipe" | "ignore" | "inherit" | undefined;
202
290
  }, {
203
291
  command: string;
204
292
  args: string[];
205
- title?: string | undefined;
293
+ type?: "stdio" | undefined;
206
294
  description?: string | undefined;
295
+ title?: string | undefined;
296
+ chatMenu?: boolean | undefined;
297
+ env?: Record<string, string> | undefined;
207
298
  startup?: boolean | undefined;
208
299
  iconPath?: string | undefined;
209
300
  timeout?: number | undefined;
210
301
  sseReadTimeout?: number | undefined;
211
302
  initTimeout?: number | undefined;
212
- chatMenu?: boolean | undefined;
213
- type?: "stdio" | undefined;
214
303
  serverInstructions?: string | boolean | undefined;
215
304
  requiresOAuth?: boolean | undefined;
216
305
  oauth?: {
@@ -226,21 +315,24 @@ export declare const StdioOptionsSchema: z.ZodObject<{
226
315
  response_types_supported?: string[] | undefined;
227
316
  code_challenge_methods_supported?: string[] | undefined;
228
317
  skip_code_challenge_check?: boolean | undefined;
318
+ audience?: string | undefined;
319
+ forward_audience_on_refresh?: boolean | undefined;
229
320
  revocation_endpoint?: string | undefined;
230
321
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
231
322
  } | undefined;
232
323
  oauth_headers?: Record<string, string> | undefined;
233
324
  apiKey?: {
234
- source: "admin" | "user";
325
+ source: "user" | "admin";
235
326
  authorization_type: "custom" | "basic" | "bearer";
236
327
  key?: string | undefined;
237
328
  custom_header?: string | undefined;
238
329
  } | undefined;
239
330
  customUserVars?: Record<string, {
240
- title: string;
241
331
  description: string;
332
+ title: string;
333
+ sensitive?: boolean | undefined;
242
334
  }> | undefined;
243
- env?: Record<string, string> | undefined;
335
+ obo?: undefined;
244
336
  stderr?: number | "pipe" | "ignore" | "inherit" | undefined;
245
337
  }>;
246
338
  export declare const WebSocketOptionsSchema: z.ZodObject<{
@@ -277,21 +369,21 @@ export declare const WebSocketOptionsSchema: z.ZodObject<{
277
369
  /**
278
370
  * OAuth configuration for SSE and Streamable HTTP transports
279
371
  * - Optional: OAuth can be auto-discovered on 401 responses
280
- * - Pre-configured values will skip discovery steps
372
+ * - Pre-configured confidential clients must pin both OAuth endpoints
281
373
  */
282
- oauth: z.ZodOptional<z.ZodObject<{
374
+ oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
283
375
  /** OAuth authorization endpoint (optional - can be auto-discovered) */
284
- authorization_url: z.ZodOptional<z.ZodString>;
376
+ authorization_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
285
377
  /** OAuth token endpoint (optional - can be auto-discovered) */
286
- token_url: z.ZodOptional<z.ZodString>;
378
+ token_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
287
379
  /** OAuth client ID (optional - can use dynamic registration) */
288
380
  client_id: z.ZodOptional<z.ZodString>;
289
- /** OAuth client secret (optional - can use dynamic registration) */
381
+ /** OAuth client secret (requires explicit authorization and token endpoints) */
290
382
  client_secret: z.ZodOptional<z.ZodString>;
291
383
  /** OAuth scopes to request */
292
384
  scope: z.ZodOptional<z.ZodString>;
293
385
  /** OAuth redirect URI (defaults to /api/mcp/{serverName}/oauth/callback) */
294
- redirect_uri: z.ZodOptional<z.ZodString>;
386
+ redirect_uri: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
295
387
  /** Token exchange method */
296
388
  token_exchange_method: z.ZodOptional<z.ZodNativeEnum<typeof TokenExchangeMethodEnum>>;
297
389
  /** Supported grant types (defaults to ['authorization_code', 'refresh_token']) */
@@ -304,8 +396,45 @@ export declare const WebSocketOptionsSchema: z.ZodObject<{
304
396
  code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
305
397
  /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
306
398
  skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
399
+ /**
400
+ * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
401
+ * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
402
+ * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
403
+ * automatically from Protected Resource Metadata) is the standards-conformant
404
+ * route; `audience` covers the providers that ignore it.
405
+ *
406
+ * When set, the value is forwarded as-is on `/authorize` (both pre-configured
407
+ * and DCR-discovered paths). Whether it is also forwarded on the
408
+ * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
409
+ *
410
+ * The `authorization_code` exchange intentionally never receives `audience` —
411
+ * Auth0 binds audience from the original `/authorize` request and embeds it
412
+ * in the issued access token; sending it again is redundant.
413
+ *
414
+ * No canonicalization is applied — the audience identifier is provider-defined
415
+ * and may differ from the MCP server URL. This field is only accepted from
416
+ * trusted/admin MCP configuration and is rejected from user-managed servers.
417
+ */
418
+ audience: z.ZodOptional<z.ZodString>;
419
+ /**
420
+ * Whether to also forward `audience` on the `refresh_token` grant body.
421
+ *
422
+ * Default: `true`. Required for Auth0, which strips the API audience from
423
+ * refreshed access tokens unless `audience` is re-supplied on every refresh
424
+ * — without it the next MCP call 401s once the initial access token expires.
425
+ *
426
+ * Set to `false` for providers that document refresh requests as
427
+ * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
428
+ * strict OAuth 2.0 token endpoints). Those providers maintain the original
429
+ * `aud` claim across refreshes when the initial token was resource-bound,
430
+ * so the extra parameter is redundant and may be rejected as
431
+ * `invalid_request`.
432
+ *
433
+ * Ignored when `audience` itself is not configured.
434
+ */
435
+ forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
307
436
  /** OAuth revocation endpoint (optional - can be auto-discovered) */
308
- revocation_endpoint: z.ZodOptional<z.ZodString>;
437
+ revocation_endpoint: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
309
438
  /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
310
439
  revocation_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
311
440
  }, "strip", z.ZodTypeAny, {
@@ -321,6 +450,42 @@ export declare const WebSocketOptionsSchema: z.ZodObject<{
321
450
  response_types_supported?: string[] | undefined;
322
451
  code_challenge_methods_supported?: string[] | undefined;
323
452
  skip_code_challenge_check?: boolean | undefined;
453
+ audience?: string | undefined;
454
+ forward_audience_on_refresh?: boolean | undefined;
455
+ revocation_endpoint?: string | undefined;
456
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
457
+ }, {
458
+ authorization_url?: string | undefined;
459
+ token_url?: string | undefined;
460
+ client_id?: string | undefined;
461
+ client_secret?: string | undefined;
462
+ scope?: string | undefined;
463
+ redirect_uri?: string | undefined;
464
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
465
+ grant_types_supported?: string[] | undefined;
466
+ token_endpoint_auth_methods_supported?: string[] | undefined;
467
+ response_types_supported?: string[] | undefined;
468
+ code_challenge_methods_supported?: string[] | undefined;
469
+ skip_code_challenge_check?: boolean | undefined;
470
+ audience?: string | undefined;
471
+ forward_audience_on_refresh?: boolean | undefined;
472
+ revocation_endpoint?: string | undefined;
473
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
474
+ }>, {
475
+ authorization_url?: string | undefined;
476
+ token_url?: string | undefined;
477
+ client_id?: string | undefined;
478
+ client_secret?: string | undefined;
479
+ scope?: string | undefined;
480
+ redirect_uri?: string | undefined;
481
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
482
+ grant_types_supported?: string[] | undefined;
483
+ token_endpoint_auth_methods_supported?: string[] | undefined;
484
+ response_types_supported?: string[] | undefined;
485
+ code_challenge_methods_supported?: string[] | undefined;
486
+ skip_code_challenge_check?: boolean | undefined;
487
+ audience?: string | undefined;
488
+ forward_audience_on_refresh?: boolean | undefined;
324
489
  revocation_endpoint?: string | undefined;
325
490
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
326
491
  }, {
@@ -336,6 +501,8 @@ export declare const WebSocketOptionsSchema: z.ZodObject<{
336
501
  response_types_supported?: string[] | undefined;
337
502
  code_challenge_methods_supported?: string[] | undefined;
338
503
  skip_code_challenge_check?: boolean | undefined;
504
+ audience?: string | undefined;
505
+ forward_audience_on_refresh?: boolean | undefined;
339
506
  revocation_endpoint?: string | undefined;
340
507
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
341
508
  }>>;
@@ -356,12 +523,12 @@ export declare const WebSocketOptionsSchema: z.ZodObject<{
356
523
  /** Custom header name when authorization_type is 'custom' */
357
524
  custom_header: z.ZodOptional<z.ZodString>;
358
525
  }, "strip", z.ZodTypeAny, {
359
- source: "admin" | "user";
526
+ source: "user" | "admin";
360
527
  authorization_type: "custom" | "basic" | "bearer";
361
528
  key?: string | undefined;
362
529
  custom_header?: string | undefined;
363
530
  }, {
364
- source: "admin" | "user";
531
+ source: "user" | "admin";
365
532
  authorization_type: "custom" | "basic" | "bearer";
366
533
  key?: string | undefined;
367
534
  custom_header?: string | undefined;
@@ -369,27 +536,36 @@ export declare const WebSocketOptionsSchema: z.ZodObject<{
369
536
  customUserVars: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
370
537
  title: z.ZodString;
371
538
  description: z.ZodString;
539
+ /**
540
+ * Whether the field holds a secret and should be masked in the UI.
541
+ * Defaults to masked when omitted; set to `false` for non-secret setup
542
+ * values (e.g. username, project key, base URL) to render as plain text.
543
+ */
544
+ sensitive: z.ZodOptional<z.ZodBoolean>;
372
545
  }, "strip", z.ZodTypeAny, {
373
- title: string;
374
546
  description: string;
375
- }, {
376
547
  title: string;
548
+ sensitive?: boolean | undefined;
549
+ }, {
377
550
  description: string;
551
+ title: string;
552
+ sensitive?: boolean | undefined;
378
553
  }>>>;
379
554
  } & {
380
555
  type: z.ZodDefault<z.ZodLiteral<"websocket">>;
556
+ obo: z.ZodOptional<z.ZodUndefined>;
381
557
  url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
382
558
  }, "strip", z.ZodTypeAny, {
383
559
  type: "websocket";
384
560
  url: string;
385
- title?: string | undefined;
386
561
  description?: string | undefined;
562
+ title?: string | undefined;
563
+ chatMenu?: boolean | undefined;
387
564
  startup?: boolean | undefined;
388
565
  iconPath?: string | undefined;
389
566
  timeout?: number | undefined;
390
567
  sseReadTimeout?: number | undefined;
391
568
  initTimeout?: number | undefined;
392
- chatMenu?: boolean | undefined;
393
569
  serverInstructions?: string | boolean | undefined;
394
570
  requiresOAuth?: boolean | undefined;
395
571
  oauth?: {
@@ -405,31 +581,35 @@ export declare const WebSocketOptionsSchema: z.ZodObject<{
405
581
  response_types_supported?: string[] | undefined;
406
582
  code_challenge_methods_supported?: string[] | undefined;
407
583
  skip_code_challenge_check?: boolean | undefined;
584
+ audience?: string | undefined;
585
+ forward_audience_on_refresh?: boolean | undefined;
408
586
  revocation_endpoint?: string | undefined;
409
587
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
410
588
  } | undefined;
411
589
  oauth_headers?: Record<string, string> | undefined;
412
590
  apiKey?: {
413
- source: "admin" | "user";
591
+ source: "user" | "admin";
414
592
  authorization_type: "custom" | "basic" | "bearer";
415
593
  key?: string | undefined;
416
594
  custom_header?: string | undefined;
417
595
  } | undefined;
418
596
  customUserVars?: Record<string, {
419
- title: string;
420
597
  description: string;
598
+ title: string;
599
+ sensitive?: boolean | undefined;
421
600
  }> | undefined;
601
+ obo?: undefined;
422
602
  }, {
423
603
  url: string;
424
- title?: string | undefined;
604
+ type?: "websocket" | undefined;
425
605
  description?: string | undefined;
606
+ title?: string | undefined;
607
+ chatMenu?: boolean | undefined;
426
608
  startup?: boolean | undefined;
427
609
  iconPath?: string | undefined;
428
610
  timeout?: number | undefined;
429
611
  sseReadTimeout?: number | undefined;
430
612
  initTimeout?: number | undefined;
431
- chatMenu?: boolean | undefined;
432
- type?: "websocket" | undefined;
433
613
  serverInstructions?: string | boolean | undefined;
434
614
  requiresOAuth?: boolean | undefined;
435
615
  oauth?: {
@@ -445,20 +625,24 @@ export declare const WebSocketOptionsSchema: z.ZodObject<{
445
625
  response_types_supported?: string[] | undefined;
446
626
  code_challenge_methods_supported?: string[] | undefined;
447
627
  skip_code_challenge_check?: boolean | undefined;
628
+ audience?: string | undefined;
629
+ forward_audience_on_refresh?: boolean | undefined;
448
630
  revocation_endpoint?: string | undefined;
449
631
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
450
632
  } | undefined;
451
633
  oauth_headers?: Record<string, string> | undefined;
452
634
  apiKey?: {
453
- source: "admin" | "user";
635
+ source: "user" | "admin";
454
636
  authorization_type: "custom" | "basic" | "bearer";
455
637
  key?: string | undefined;
456
638
  custom_header?: string | undefined;
457
639
  } | undefined;
458
640
  customUserVars?: Record<string, {
459
- title: string;
460
641
  description: string;
642
+ title: string;
643
+ sensitive?: boolean | undefined;
461
644
  }> | undefined;
645
+ obo?: undefined;
462
646
  }>;
463
647
  export declare const SSEOptionsSchema: z.ZodObject<{
464
648
  /** Display name for the MCP server - only letters, numbers, and spaces allowed */
@@ -494,21 +678,21 @@ export declare const SSEOptionsSchema: z.ZodObject<{
494
678
  /**
495
679
  * OAuth configuration for SSE and Streamable HTTP transports
496
680
  * - Optional: OAuth can be auto-discovered on 401 responses
497
- * - Pre-configured values will skip discovery steps
681
+ * - Pre-configured confidential clients must pin both OAuth endpoints
498
682
  */
499
- oauth: z.ZodOptional<z.ZodObject<{
683
+ oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
500
684
  /** OAuth authorization endpoint (optional - can be auto-discovered) */
501
- authorization_url: z.ZodOptional<z.ZodString>;
685
+ authorization_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
502
686
  /** OAuth token endpoint (optional - can be auto-discovered) */
503
- token_url: z.ZodOptional<z.ZodString>;
687
+ token_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
504
688
  /** OAuth client ID (optional - can use dynamic registration) */
505
689
  client_id: z.ZodOptional<z.ZodString>;
506
- /** OAuth client secret (optional - can use dynamic registration) */
690
+ /** OAuth client secret (requires explicit authorization and token endpoints) */
507
691
  client_secret: z.ZodOptional<z.ZodString>;
508
692
  /** OAuth scopes to request */
509
693
  scope: z.ZodOptional<z.ZodString>;
510
694
  /** OAuth redirect URI (defaults to /api/mcp/{serverName}/oauth/callback) */
511
- redirect_uri: z.ZodOptional<z.ZodString>;
695
+ redirect_uri: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
512
696
  /** Token exchange method */
513
697
  token_exchange_method: z.ZodOptional<z.ZodNativeEnum<typeof TokenExchangeMethodEnum>>;
514
698
  /** Supported grant types (defaults to ['authorization_code', 'refresh_token']) */
@@ -521,8 +705,45 @@ export declare const SSEOptionsSchema: z.ZodObject<{
521
705
  code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
522
706
  /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
523
707
  skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
708
+ /**
709
+ * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
710
+ * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
711
+ * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
712
+ * automatically from Protected Resource Metadata) is the standards-conformant
713
+ * route; `audience` covers the providers that ignore it.
714
+ *
715
+ * When set, the value is forwarded as-is on `/authorize` (both pre-configured
716
+ * and DCR-discovered paths). Whether it is also forwarded on the
717
+ * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
718
+ *
719
+ * The `authorization_code` exchange intentionally never receives `audience` —
720
+ * Auth0 binds audience from the original `/authorize` request and embeds it
721
+ * in the issued access token; sending it again is redundant.
722
+ *
723
+ * No canonicalization is applied — the audience identifier is provider-defined
724
+ * and may differ from the MCP server URL. This field is only accepted from
725
+ * trusted/admin MCP configuration and is rejected from user-managed servers.
726
+ */
727
+ audience: z.ZodOptional<z.ZodString>;
728
+ /**
729
+ * Whether to also forward `audience` on the `refresh_token` grant body.
730
+ *
731
+ * Default: `true`. Required for Auth0, which strips the API audience from
732
+ * refreshed access tokens unless `audience` is re-supplied on every refresh
733
+ * — without it the next MCP call 401s once the initial access token expires.
734
+ *
735
+ * Set to `false` for providers that document refresh requests as
736
+ * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
737
+ * strict OAuth 2.0 token endpoints). Those providers maintain the original
738
+ * `aud` claim across refreshes when the initial token was resource-bound,
739
+ * so the extra parameter is redundant and may be rejected as
740
+ * `invalid_request`.
741
+ *
742
+ * Ignored when `audience` itself is not configured.
743
+ */
744
+ forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
524
745
  /** OAuth revocation endpoint (optional - can be auto-discovered) */
525
- revocation_endpoint: z.ZodOptional<z.ZodString>;
746
+ revocation_endpoint: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
526
747
  /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
527
748
  revocation_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
528
749
  }, "strip", z.ZodTypeAny, {
@@ -538,6 +759,42 @@ export declare const SSEOptionsSchema: z.ZodObject<{
538
759
  response_types_supported?: string[] | undefined;
539
760
  code_challenge_methods_supported?: string[] | undefined;
540
761
  skip_code_challenge_check?: boolean | undefined;
762
+ audience?: string | undefined;
763
+ forward_audience_on_refresh?: boolean | undefined;
764
+ revocation_endpoint?: string | undefined;
765
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
766
+ }, {
767
+ authorization_url?: string | undefined;
768
+ token_url?: string | undefined;
769
+ client_id?: string | undefined;
770
+ client_secret?: string | undefined;
771
+ scope?: string | undefined;
772
+ redirect_uri?: string | undefined;
773
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
774
+ grant_types_supported?: string[] | undefined;
775
+ token_endpoint_auth_methods_supported?: string[] | undefined;
776
+ response_types_supported?: string[] | undefined;
777
+ code_challenge_methods_supported?: string[] | undefined;
778
+ skip_code_challenge_check?: boolean | undefined;
779
+ audience?: string | undefined;
780
+ forward_audience_on_refresh?: boolean | undefined;
781
+ revocation_endpoint?: string | undefined;
782
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
783
+ }>, {
784
+ authorization_url?: string | undefined;
785
+ token_url?: string | undefined;
786
+ client_id?: string | undefined;
787
+ client_secret?: string | undefined;
788
+ scope?: string | undefined;
789
+ redirect_uri?: string | undefined;
790
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
791
+ grant_types_supported?: string[] | undefined;
792
+ token_endpoint_auth_methods_supported?: string[] | undefined;
793
+ response_types_supported?: string[] | undefined;
794
+ code_challenge_methods_supported?: string[] | undefined;
795
+ skip_code_challenge_check?: boolean | undefined;
796
+ audience?: string | undefined;
797
+ forward_audience_on_refresh?: boolean | undefined;
541
798
  revocation_endpoint?: string | undefined;
542
799
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
543
800
  }, {
@@ -553,6 +810,8 @@ export declare const SSEOptionsSchema: z.ZodObject<{
553
810
  response_types_supported?: string[] | undefined;
554
811
  code_challenge_methods_supported?: string[] | undefined;
555
812
  skip_code_challenge_check?: boolean | undefined;
813
+ audience?: string | undefined;
814
+ forward_audience_on_refresh?: boolean | undefined;
556
815
  revocation_endpoint?: string | undefined;
557
816
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
558
817
  }>>;
@@ -573,12 +832,12 @@ export declare const SSEOptionsSchema: z.ZodObject<{
573
832
  /** Custom header name when authorization_type is 'custom' */
574
833
  custom_header: z.ZodOptional<z.ZodString>;
575
834
  }, "strip", z.ZodTypeAny, {
576
- source: "admin" | "user";
835
+ source: "user" | "admin";
577
836
  authorization_type: "custom" | "basic" | "bearer";
578
837
  key?: string | undefined;
579
838
  custom_header?: string | undefined;
580
839
  }, {
581
- source: "admin" | "user";
840
+ source: "user" | "admin";
582
841
  authorization_type: "custom" | "basic" | "bearer";
583
842
  key?: string | undefined;
584
843
  custom_header?: string | undefined;
@@ -586,28 +845,53 @@ export declare const SSEOptionsSchema: z.ZodObject<{
586
845
  customUserVars: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
587
846
  title: z.ZodString;
588
847
  description: z.ZodString;
848
+ /**
849
+ * Whether the field holds a secret and should be masked in the UI.
850
+ * Defaults to masked when omitted; set to `false` for non-secret setup
851
+ * values (e.g. username, project key, base URL) to render as plain text.
852
+ */
853
+ sensitive: z.ZodOptional<z.ZodBoolean>;
589
854
  }, "strip", z.ZodTypeAny, {
590
- title: string;
591
855
  description: string;
592
- }, {
593
856
  title: string;
857
+ sensitive?: boolean | undefined;
858
+ }, {
594
859
  description: string;
860
+ title: string;
861
+ sensitive?: boolean | undefined;
595
862
  }>>>;
596
863
  } & {
597
864
  type: z.ZodDefault<z.ZodLiteral<"sse">>;
598
865
  headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
866
+ /**
867
+ * On-Behalf-Of (OBO) token exchange configuration.
868
+ * When configured, LibreChat exchanges the logged-in user's federated access token
869
+ * for a token scoped to this MCP server via the OAuth 2.0 OBO flow (jwt-bearer grant).
870
+ * The exchanged token is injected as a Bearer Authorization header automatically.
871
+ * Requires the user to be authenticated via OpenID Connect (e.g., Entra ID).
872
+ */
873
+ obo: z.ZodOptional<z.ZodObject<{
874
+ /** Scopes to request for the downstream MCP server (e.g., "api://<client-id>/Mcp.Tools.ReadWrite") */
875
+ scopes: z.ZodString;
876
+ }, "strip", z.ZodTypeAny, {
877
+ scopes: string;
878
+ }, {
879
+ scopes: string;
880
+ }>>;
881
+ /** Optional outbound proxy URL for this remote MCP transport */
882
+ proxy: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
599
883
  url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
600
884
  }, "strip", z.ZodTypeAny, {
601
885
  type: "sse";
602
886
  url: string;
603
- title?: string | undefined;
604
887
  description?: string | undefined;
888
+ title?: string | undefined;
889
+ chatMenu?: boolean | undefined;
605
890
  startup?: boolean | undefined;
606
891
  iconPath?: string | undefined;
607
892
  timeout?: number | undefined;
608
893
  sseReadTimeout?: number | undefined;
609
894
  initTimeout?: number | undefined;
610
- chatMenu?: boolean | undefined;
611
895
  serverInstructions?: string | boolean | undefined;
612
896
  requiresOAuth?: boolean | undefined;
613
897
  oauth?: {
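Review bot: The `sensitive` comment says the field defaults to masked when omitted, but the declared type is `z.ZodOptional<z.ZodBoolean>` and both parsed shapes carry `sensitive?: boolean | undefined`, so the schema supplies no default and every consumer has to apply it. A truthiness check such as `if (v.sensitive)` would render an unmarked secret as plain text, so the comment should pin the safe reading, for example `Stays undefined when omitted; callers must mask unless the value is exactly false (sensitive !== false).` The same gap between a documented default and a `ZodOptional` type applies to `forward_audience_on_refresh` (`Default: true`) in the hunks at +1039 and +1373, and to `sensitive` again at +1179 and +1513. The enclosing `SSEOptionsSchema` declaration starts and ends outside this hunk.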
@@ -623,32 +907,39 @@ export declare const SSEOptionsSchema: z.ZodObject<{
623
907
  response_types_supported?: string[] | undefined;
624
908
  code_challenge_methods_supported?: string[] | undefined;
625
909
  skip_code_challenge_check?: boolean | undefined;
910
+ audience?: string | undefined;
911
+ forward_audience_on_refresh?: boolean | undefined;
626
912
  revocation_endpoint?: string | undefined;
627
913
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
628
914
  } | undefined;
629
915
  oauth_headers?: Record<string, string> | undefined;
630
916
  apiKey?: {
631
- source: "admin" | "user";
917
+ source: "user" | "admin";
632
918
  authorization_type: "custom" | "basic" | "bearer";
633
919
  key?: string | undefined;
634
920
  custom_header?: string | undefined;
635
921
  } | undefined;
636
922
  customUserVars?: Record<string, {
637
- title: string;
638
923
  description: string;
924
+ title: string;
925
+ sensitive?: boolean | undefined;
639
926
  }> | undefined;
927
+ obo?: {
928
+ scopes: string;
929
+ } | undefined;
640
930
  headers?: Record<string, string> | undefined;
931
+ proxy?: string | undefined;
641
932
  }, {
642
933
  url: string;
643
- title?: string | undefined;
934
+ type?: "sse" | undefined;
644
935
  description?: string | undefined;
936
+ title?: string | undefined;
937
+ chatMenu?: boolean | undefined;
645
938
  startup?: boolean | undefined;
646
939
  iconPath?: string | undefined;
647
940
  timeout?: number | undefined;
648
941
  sseReadTimeout?: number | undefined;
649
942
  initTimeout?: number | undefined;
650
- chatMenu?: boolean | undefined;
651
- type?: "sse" | undefined;
652
943
  serverInstructions?: string | boolean | undefined;
653
944
  requiresOAuth?: boolean | undefined;
654
945
  oauth?: {
@@ -664,21 +955,28 @@ export declare const SSEOptionsSchema: z.ZodObject<{
664
955
  response_types_supported?: string[] | undefined;
665
956
  code_challenge_methods_supported?: string[] | undefined;
666
957
  skip_code_challenge_check?: boolean | undefined;
958
+ audience?: string | undefined;
959
+ forward_audience_on_refresh?: boolean | undefined;
667
960
  revocation_endpoint?: string | undefined;
668
961
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
669
962
  } | undefined;
670
963
  oauth_headers?: Record<string, string> | undefined;
671
964
  apiKey?: {
672
- source: "admin" | "user";
965
+ source: "user" | "admin";
673
966
  authorization_type: "custom" | "basic" | "bearer";
674
967
  key?: string | undefined;
675
968
  custom_header?: string | undefined;
676
969
  } | undefined;
677
970
  customUserVars?: Record<string, {
678
- title: string;
679
971
  description: string;
972
+ title: string;
973
+ sensitive?: boolean | undefined;
680
974
  }> | undefined;
975
+ obo?: {
976
+ scopes: string;
977
+ } | undefined;
681
978
  headers?: Record<string, string> | undefined;
979
+ proxy?: string | undefined;
682
980
  }>;
683
981
  export declare const StreamableHTTPOptionsSchema: z.ZodObject<{
684
982
  /** Display name for the MCP server - only letters, numbers, and spaces allowed */
@@ -714,21 +1012,21 @@ export declare const StreamableHTTPOptionsSchema: z.ZodObject<{
714
1012
  /**
715
1013
  * OAuth configuration for SSE and Streamable HTTP transports
716
1014
  * - Optional: OAuth can be auto-discovered on 401 responses
717
- * - Pre-configured values will skip discovery steps
1015
+ * - Pre-configured confidential clients must pin both OAuth endpoints
718
1016
  */
719
- oauth: z.ZodOptional<z.ZodObject<{
1017
+ oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
720
1018
  /** OAuth authorization endpoint (optional - can be auto-discovered) */
721
- authorization_url: z.ZodOptional<z.ZodString>;
1019
+ authorization_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
722
1020
  /** OAuth token endpoint (optional - can be auto-discovered) */
723
- token_url: z.ZodOptional<z.ZodString>;
1021
+ token_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
724
1022
  /** OAuth client ID (optional - can use dynamic registration) */
725
1023
  client_id: z.ZodOptional<z.ZodString>;
726
- /** OAuth client secret (optional - can use dynamic registration) */
1024
+ /** OAuth client secret (requires explicit authorization and token endpoints) */
727
1025
  client_secret: z.ZodOptional<z.ZodString>;
728
1026
  /** OAuth scopes to request */
729
1027
  scope: z.ZodOptional<z.ZodString>;
730
1028
  /** OAuth redirect URI (defaults to /api/mcp/{serverName}/oauth/callback) */
731
- redirect_uri: z.ZodOptional<z.ZodString>;
1029
+ redirect_uri: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
732
1030
  /** Token exchange method */
733
1031
  token_exchange_method: z.ZodOptional<z.ZodNativeEnum<typeof TokenExchangeMethodEnum>>;
734
1032
  /** Supported grant types (defaults to ['authorization_code', 'refresh_token']) */
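Review bot: The per-field comments on `authorization_url` and `token_url` still read `(optional - can be auto-discovered)`, which now contradicts the new summary line `Pre-configured confidential clients must pin both OAuth endpoints` and the new `client_secret` comment. Suggest rewording them along the lines of `/** OAuth token endpoint (auto-discovery applies only when no client_secret is configured) */`, and adding one sentence on the reason, presumably that a configured secret should never be sent to an endpoint advertised by the MCP server itself. `revocation_endpoint` in the next hunk is still documented as auto-discoverable; if revocation requests authenticate with the client secret, it probably belongs under the same rule, which the declaration alone cannot confirm. The rule looks to be enforced by the `ZodEffects` wrapper now around the object, but its predicate is not visible in a `.d.ts`, and the `oauth` object continues outside this hunk.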
@@ -741,8 +1039,45 @@ export declare const StreamableHTTPOptionsSchema: z.ZodObject<{
741
1039
  code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
742
1040
  /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
743
1041
  skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
1042
+ /**
1043
+ * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
1044
+ * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
1045
+ * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
1046
+ * automatically from Protected Resource Metadata) is the standards-conformant
1047
+ * route; `audience` covers the providers that ignore it.
1048
+ *
1049
+ * When set, the value is forwarded as-is on `/authorize` (both pre-configured
1050
+ * and DCR-discovered paths). Whether it is also forwarded on the
1051
+ * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
1052
+ *
1053
+ * The `authorization_code` exchange intentionally never receives `audience` —
1054
+ * Auth0 binds audience from the original `/authorize` request and embeds it
1055
+ * in the issued access token; sending it again is redundant.
1056
+ *
1057
+ * No canonicalization is applied — the audience identifier is provider-defined
1058
+ * and may differ from the MCP server URL. This field is only accepted from
1059
+ * trusted/admin MCP configuration and is rejected from user-managed servers.
1060
+ */
1061
+ audience: z.ZodOptional<z.ZodString>;
1062
+ /**
1063
+ * Whether to also forward `audience` on the `refresh_token` grant body.
1064
+ *
1065
+ * Default: `true`. Required for Auth0, which strips the API audience from
1066
+ * refreshed access tokens unless `audience` is re-supplied on every refresh
1067
+ * — without it the next MCP call 401s once the initial access token expires.
1068
+ *
1069
+ * Set to `false` for providers that document refresh requests as
1070
+ * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
1071
+ * strict OAuth 2.0 token endpoints). Those providers maintain the original
1072
+ * `aud` claim across refreshes when the initial token was resource-bound,
1073
+ * so the extra parameter is redundant and may be rejected as
1074
+ * `invalid_request`.
1075
+ *
1076
+ * Ignored when `audience` itself is not configured.
1077
+ */
1078
+ forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
744
1079
  /** OAuth revocation endpoint (optional - can be auto-discovered) */
745
- revocation_endpoint: z.ZodOptional<z.ZodString>;
1080
+ revocation_endpoint: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
746
1081
  /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
747
1082
  revocation_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
748
1083
  }, "strip", z.ZodTypeAny, {
@@ -758,6 +1093,42 @@ export declare const StreamableHTTPOptionsSchema: z.ZodObject<{
758
1093
  response_types_supported?: string[] | undefined;
759
1094
  code_challenge_methods_supported?: string[] | undefined;
760
1095
  skip_code_challenge_check?: boolean | undefined;
1096
+ audience?: string | undefined;
1097
+ forward_audience_on_refresh?: boolean | undefined;
1098
+ revocation_endpoint?: string | undefined;
1099
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
1100
+ }, {
1101
+ authorization_url?: string | undefined;
1102
+ token_url?: string | undefined;
1103
+ client_id?: string | undefined;
1104
+ client_secret?: string | undefined;
1105
+ scope?: string | undefined;
1106
+ redirect_uri?: string | undefined;
1107
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
1108
+ grant_types_supported?: string[] | undefined;
1109
+ token_endpoint_auth_methods_supported?: string[] | undefined;
1110
+ response_types_supported?: string[] | undefined;
1111
+ code_challenge_methods_supported?: string[] | undefined;
1112
+ skip_code_challenge_check?: boolean | undefined;
1113
+ audience?: string | undefined;
1114
+ forward_audience_on_refresh?: boolean | undefined;
1115
+ revocation_endpoint?: string | undefined;
1116
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
1117
+ }>, {
1118
+ authorization_url?: string | undefined;
1119
+ token_url?: string | undefined;
1120
+ client_id?: string | undefined;
1121
+ client_secret?: string | undefined;
1122
+ scope?: string | undefined;
1123
+ redirect_uri?: string | undefined;
1124
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
1125
+ grant_types_supported?: string[] | undefined;
1126
+ token_endpoint_auth_methods_supported?: string[] | undefined;
1127
+ response_types_supported?: string[] | undefined;
1128
+ code_challenge_methods_supported?: string[] | undefined;
1129
+ skip_code_challenge_check?: boolean | undefined;
1130
+ audience?: string | undefined;
1131
+ forward_audience_on_refresh?: boolean | undefined;
761
1132
  revocation_endpoint?: string | undefined;
762
1133
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
763
1134
  }, {
@@ -773,6 +1144,8 @@ export declare const StreamableHTTPOptionsSchema: z.ZodObject<{
773
1144
  response_types_supported?: string[] | undefined;
774
1145
  code_challenge_methods_supported?: string[] | undefined;
775
1146
  skip_code_challenge_check?: boolean | undefined;
1147
+ audience?: string | undefined;
1148
+ forward_audience_on_refresh?: boolean | undefined;
776
1149
  revocation_endpoint?: string | undefined;
777
1150
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
778
1151
  }>>;
@@ -793,12 +1166,12 @@ export declare const StreamableHTTPOptionsSchema: z.ZodObject<{
793
1166
  /** Custom header name when authorization_type is 'custom' */
794
1167
  custom_header: z.ZodOptional<z.ZodString>;
795
1168
  }, "strip", z.ZodTypeAny, {
796
- source: "admin" | "user";
1169
+ source: "user" | "admin";
797
1170
  authorization_type: "custom" | "basic" | "bearer";
798
1171
  key?: string | undefined;
799
1172
  custom_header?: string | undefined;
800
1173
  }, {
801
- source: "admin" | "user";
1174
+ source: "user" | "admin";
802
1175
  authorization_type: "custom" | "basic" | "bearer";
803
1176
  key?: string | undefined;
804
1177
  custom_header?: string | undefined;
@@ -806,28 +1179,53 @@ export declare const StreamableHTTPOptionsSchema: z.ZodObject<{
806
1179
  customUserVars: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
807
1180
  title: z.ZodString;
808
1181
  description: z.ZodString;
1182
+ /**
1183
+ * Whether the field holds a secret and should be masked in the UI.
1184
+ * Defaults to masked when omitted; set to `false` for non-secret setup
1185
+ * values (e.g. username, project key, base URL) to render as plain text.
1186
+ */
1187
+ sensitive: z.ZodOptional<z.ZodBoolean>;
809
1188
  }, "strip", z.ZodTypeAny, {
810
- title: string;
811
1189
  description: string;
812
- }, {
813
1190
  title: string;
1191
+ sensitive?: boolean | undefined;
1192
+ }, {
814
1193
  description: string;
1194
+ title: string;
1195
+ sensitive?: boolean | undefined;
815
1196
  }>>>;
816
1197
  } & {
817
1198
  type: z.ZodUnion<[z.ZodLiteral<"streamable-http">, z.ZodLiteral<"http">]>;
818
1199
  headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
1200
+ /**
1201
+ * On-Behalf-Of (OBO) token exchange configuration.
1202
+ * When configured, LibreChat exchanges the logged-in user's federated access token
1203
+ * for a token scoped to this MCP server via the OAuth 2.0 OBO flow (jwt-bearer grant).
1204
+ * The exchanged token is injected as a Bearer Authorization header automatically.
1205
+ * Requires the user to be authenticated via OpenID Connect (e.g., Entra ID).
1206
+ */
1207
+ obo: z.ZodOptional<z.ZodObject<{
1208
+ /** Scopes to request for the downstream MCP server (e.g., "api://<client-id>/Mcp.Tools.ReadWrite") */
1209
+ scopes: z.ZodString;
1210
+ }, "strip", z.ZodTypeAny, {
1211
+ scopes: string;
1212
+ }, {
1213
+ scopes: string;
1214
+ }>>;
1215
+ /** Optional outbound proxy URL for this remote MCP transport */
1216
+ proxy: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
819
1217
  url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
820
1218
  }, "strip", z.ZodTypeAny, {
821
1219
  type: "streamable-http" | "http";
822
1220
  url: string;
823
- title?: string | undefined;
824
1221
  description?: string | undefined;
1222
+ title?: string | undefined;
1223
+ chatMenu?: boolean | undefined;
825
1224
  startup?: boolean | undefined;
826
1225
  iconPath?: string | undefined;
827
1226
  timeout?: number | undefined;
828
1227
  sseReadTimeout?: number | undefined;
829
1228
  initTimeout?: number | undefined;
830
- chatMenu?: boolean | undefined;
831
1229
  serverInstructions?: string | boolean | undefined;
832
1230
  requiresOAuth?: boolean | undefined;
833
1231
  oauth?: {
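Review bot: The new `obo` and `proxy` comments do not say who may set these fields, whereas the `audience` comment in the same file states that it is accepted only from trusted/admin configuration and rejected from user-managed servers. `obo` sends a token exchanged from the user's federated login to whatever `url` the entry names, and `proxy` routes that transport through a further host, so the trust boundary should be stated in the doc; whether user-managed entries are rejected cannot be told from this declaration. If the same restriction applies, add a line such as `Only accepted from trusted/admin MCP configuration.` to both comments. The `obo` comment should also say which value wins when `headers` already carries an `Authorization` entry. The same fields are added to `SSEOptionsSchema` in the hunk at +845, and the enclosing declaration continues outside this hunk.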
@@ -843,32 +1241,39 @@ export declare const StreamableHTTPOptionsSchema: z.ZodObject<{
843
1241
  response_types_supported?: string[] | undefined;
844
1242
  code_challenge_methods_supported?: string[] | undefined;
845
1243
  skip_code_challenge_check?: boolean | undefined;
1244
+ audience?: string | undefined;
1245
+ forward_audience_on_refresh?: boolean | undefined;
846
1246
  revocation_endpoint?: string | undefined;
847
1247
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
848
1248
  } | undefined;
849
1249
  oauth_headers?: Record<string, string> | undefined;
850
1250
  apiKey?: {
851
- source: "admin" | "user";
1251
+ source: "user" | "admin";
852
1252
  authorization_type: "custom" | "basic" | "bearer";
853
1253
  key?: string | undefined;
854
1254
  custom_header?: string | undefined;
855
1255
  } | undefined;
856
1256
  customUserVars?: Record<string, {
857
- title: string;
858
1257
  description: string;
1258
+ title: string;
1259
+ sensitive?: boolean | undefined;
859
1260
  }> | undefined;
1261
+ obo?: {
1262
+ scopes: string;
1263
+ } | undefined;
860
1264
  headers?: Record<string, string> | undefined;
1265
+ proxy?: string | undefined;
861
1266
  }, {
862
1267
  type: "streamable-http" | "http";
863
1268
  url: string;
864
- title?: string | undefined;
865
1269
  description?: string | undefined;
1270
+ title?: string | undefined;
1271
+ chatMenu?: boolean | undefined;
866
1272
  startup?: boolean | undefined;
867
1273
  iconPath?: string | undefined;
868
1274
  timeout?: number | undefined;
869
1275
  sseReadTimeout?: number | undefined;
870
1276
  initTimeout?: number | undefined;
871
- chatMenu?: boolean | undefined;
872
1277
  serverInstructions?: string | boolean | undefined;
873
1278
  requiresOAuth?: boolean | undefined;
874
1279
  oauth?: {
@@ -884,21 +1289,28 @@ export declare const StreamableHTTPOptionsSchema: z.ZodObject<{
884
1289
  response_types_supported?: string[] | undefined;
885
1290
  code_challenge_methods_supported?: string[] | undefined;
886
1291
  skip_code_challenge_check?: boolean | undefined;
1292
+ audience?: string | undefined;
1293
+ forward_audience_on_refresh?: boolean | undefined;
887
1294
  revocation_endpoint?: string | undefined;
888
1295
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
889
1296
  } | undefined;
890
1297
  oauth_headers?: Record<string, string> | undefined;
891
1298
  apiKey?: {
892
- source: "admin" | "user";
1299
+ source: "user" | "admin";
893
1300
  authorization_type: "custom" | "basic" | "bearer";
894
1301
  key?: string | undefined;
895
1302
  custom_header?: string | undefined;
896
1303
  } | undefined;
897
1304
  customUserVars?: Record<string, {
898
- title: string;
899
1305
  description: string;
1306
+ title: string;
1307
+ sensitive?: boolean | undefined;
900
1308
  }> | undefined;
1309
+ obo?: {
1310
+ scopes: string;
1311
+ } | undefined;
901
1312
  headers?: Record<string, string> | undefined;
1313
+ proxy?: string | undefined;
902
1314
  }>;
903
1315
  export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
904
1316
  /** Display name for the MCP server - only letters, numbers, and spaces allowed */
@@ -934,21 +1346,21 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
934
1346
  /**
935
1347
  * OAuth configuration for SSE and Streamable HTTP transports
936
1348
  * - Optional: OAuth can be auto-discovered on 401 responses
937
- * - Pre-configured values will skip discovery steps
1349
+ * - Pre-configured confidential clients must pin both OAuth endpoints
938
1350
  */
939
- oauth: z.ZodOptional<z.ZodObject<{
1351
+ oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
940
1352
  /** OAuth authorization endpoint (optional - can be auto-discovered) */
941
- authorization_url: z.ZodOptional<z.ZodString>;
1353
+ authorization_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
942
1354
  /** OAuth token endpoint (optional - can be auto-discovered) */
943
- token_url: z.ZodOptional<z.ZodString>;
1355
+ token_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
944
1356
  /** OAuth client ID (optional - can use dynamic registration) */
945
1357
  client_id: z.ZodOptional<z.ZodString>;
946
- /** OAuth client secret (optional - can use dynamic registration) */
1358
+ /** OAuth client secret (requires explicit authorization and token endpoints) */
947
1359
  client_secret: z.ZodOptional<z.ZodString>;
948
1360
  /** OAuth scopes to request */
949
1361
  scope: z.ZodOptional<z.ZodString>;
950
1362
  /** OAuth redirect URI (defaults to /api/mcp/{serverName}/oauth/callback) */
951
- redirect_uri: z.ZodOptional<z.ZodString>;
1363
+ redirect_uri: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
952
1364
  /** Token exchange method */
953
1365
  token_exchange_method: z.ZodOptional<z.ZodNativeEnum<typeof TokenExchangeMethodEnum>>;
954
1366
  /** Supported grant types (defaults to ['authorization_code', 'refresh_token']) */
@@ -961,8 +1373,45 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
961
1373
  code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
962
1374
  /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
963
1375
  skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
1376
+ /**
1377
+ * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
1378
+ * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
1379
+ * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
1380
+ * automatically from Protected Resource Metadata) is the standards-conformant
1381
+ * route; `audience` covers the providers that ignore it.
1382
+ *
1383
+ * When set, the value is forwarded as-is on `/authorize` (both pre-configured
1384
+ * and DCR-discovered paths). Whether it is also forwarded on the
1385
+ * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
1386
+ *
1387
+ * The `authorization_code` exchange intentionally never receives `audience` —
1388
+ * Auth0 binds audience from the original `/authorize` request and embeds it
1389
+ * in the issued access token; sending it again is redundant.
1390
+ *
1391
+ * No canonicalization is applied — the audience identifier is provider-defined
1392
+ * and may differ from the MCP server URL. This field is only accepted from
1393
+ * trusted/admin MCP configuration and is rejected from user-managed servers.
1394
+ */
1395
+ audience: z.ZodOptional<z.ZodString>;
1396
+ /**
1397
+ * Whether to also forward `audience` on the `refresh_token` grant body.
1398
+ *
1399
+ * Default: `true`. Required for Auth0, which strips the API audience from
1400
+ * refreshed access tokens unless `audience` is re-supplied on every refresh
1401
+ * — without it the next MCP call 401s once the initial access token expires.
1402
+ *
1403
+ * Set to `false` for providers that document refresh requests as
1404
+ * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
1405
+ * strict OAuth 2.0 token endpoints). Those providers maintain the original
1406
+ * `aud` claim across refreshes when the initial token was resource-bound,
1407
+ * so the extra parameter is redundant and may be rejected as
1408
+ * `invalid_request`.
1409
+ *
1410
+ * Ignored when `audience` itself is not configured.
1411
+ */
1412
+ forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
964
1413
  /** OAuth revocation endpoint (optional - can be auto-discovered) */
965
- revocation_endpoint: z.ZodOptional<z.ZodString>;
1414
+ revocation_endpoint: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
966
1415
  /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
967
1416
  revocation_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
968
1417
  }, "strip", z.ZodTypeAny, {
@@ -978,6 +1427,42 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
978
1427
  response_types_supported?: string[] | undefined;
979
1428
  code_challenge_methods_supported?: string[] | undefined;
980
1429
  skip_code_challenge_check?: boolean | undefined;
1430
+ audience?: string | undefined;
1431
+ forward_audience_on_refresh?: boolean | undefined;
1432
+ revocation_endpoint?: string | undefined;
1433
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
1434
+ }, {
1435
+ authorization_url?: string | undefined;
1436
+ token_url?: string | undefined;
1437
+ client_id?: string | undefined;
1438
+ client_secret?: string | undefined;
1439
+ scope?: string | undefined;
1440
+ redirect_uri?: string | undefined;
1441
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
1442
+ grant_types_supported?: string[] | undefined;
1443
+ token_endpoint_auth_methods_supported?: string[] | undefined;
1444
+ response_types_supported?: string[] | undefined;
1445
+ code_challenge_methods_supported?: string[] | undefined;
1446
+ skip_code_challenge_check?: boolean | undefined;
1447
+ audience?: string | undefined;
1448
+ forward_audience_on_refresh?: boolean | undefined;
1449
+ revocation_endpoint?: string | undefined;
1450
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
1451
+ }>, {
1452
+ authorization_url?: string | undefined;
1453
+ token_url?: string | undefined;
1454
+ client_id?: string | undefined;
1455
+ client_secret?: string | undefined;
1456
+ scope?: string | undefined;
1457
+ redirect_uri?: string | undefined;
1458
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
1459
+ grant_types_supported?: string[] | undefined;
1460
+ token_endpoint_auth_methods_supported?: string[] | undefined;
1461
+ response_types_supported?: string[] | undefined;
1462
+ code_challenge_methods_supported?: string[] | undefined;
1463
+ skip_code_challenge_check?: boolean | undefined;
1464
+ audience?: string | undefined;
1465
+ forward_audience_on_refresh?: boolean | undefined;
981
1466
  revocation_endpoint?: string | undefined;
982
1467
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
983
1468
  }, {
@@ -993,6 +1478,8 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
993
1478
  response_types_supported?: string[] | undefined;
994
1479
  code_challenge_methods_supported?: string[] | undefined;
995
1480
  skip_code_challenge_check?: boolean | undefined;
1481
+ audience?: string | undefined;
1482
+ forward_audience_on_refresh?: boolean | undefined;
996
1483
  revocation_endpoint?: string | undefined;
997
1484
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
998
1485
  }>>;
@@ -1013,12 +1500,12 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1013
1500
  /** Custom header name when authorization_type is 'custom' */
1014
1501
  custom_header: z.ZodOptional<z.ZodString>;
1015
1502
  }, "strip", z.ZodTypeAny, {
1016
- source: "admin" | "user";
1503
+ source: "user" | "admin";
1017
1504
  authorization_type: "custom" | "basic" | "bearer";
1018
1505
  key?: string | undefined;
1019
1506
  custom_header?: string | undefined;
1020
1507
  }, {
1021
- source: "admin" | "user";
1508
+ source: "user" | "admin";
1022
1509
  authorization_type: "custom" | "basic" | "bearer";
1023
1510
  key?: string | undefined;
1024
1511
  custom_header?: string | undefined;
@@ -1026,15 +1513,24 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1026
1513
  customUserVars: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
1027
1514
  title: z.ZodString;
1028
1515
  description: z.ZodString;
1516
+ /**
1517
+ * Whether the field holds a secret and should be masked in the UI.
1518
+ * Defaults to masked when omitted; set to `false` for non-secret setup
1519
+ * values (e.g. username, project key, base URL) to render as plain text.
1520
+ */
1521
+ sensitive: z.ZodOptional<z.ZodBoolean>;
1029
1522
  }, "strip", z.ZodTypeAny, {
1030
- title: string;
1031
1523
  description: string;
1032
- }, {
1033
1524
  title: string;
1525
+ sensitive?: boolean | undefined;
1526
+ }, {
1034
1527
  description: string;
1528
+ title: string;
1529
+ sensitive?: boolean | undefined;
1035
1530
  }>>>;
1036
1531
  } & {
1037
1532
  type: z.ZodDefault<z.ZodLiteral<"stdio">>;
1533
+ obo: z.ZodOptional<z.ZodUndefined>;
1038
1534
  /**
1039
1535
  * The executable to run to start the server.
1040
1536
  */
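Review bot: The new `obo: z.ZodOptional<z.ZodUndefined>` entry on the stdio variant has no comment, and its purpose is not obvious from the type alone. As declared it accepts only an absent or `undefined` value, which in a `"strip"` object appears to be what turns a supplied `obo` block into a validation error rather than a silently dropped key. That is worth stating, because the SSE variant documents OBO as injecting a per-user bearer token, and a reader should see at once that it cannot be configured on a local process transport. I would add `/** OBO token exchange is not supported on stdio; the key must be absent */` above it. The same undocumented entry is added to the websocket variant in the `@@ -1268,27 +1847,36 @@` hunk, and the stdio object continues outside this hunk.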
@@ -1060,14 +1556,15 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1060
1556
  type: "stdio";
1061
1557
  command: string;
1062
1558
  args: string[];
1063
- title?: string | undefined;
1064
1559
  description?: string | undefined;
1560
+ title?: string | undefined;
1561
+ chatMenu?: boolean | undefined;
1562
+ env?: Record<string, string> | undefined;
1065
1563
  startup?: boolean | undefined;
1066
1564
  iconPath?: string | undefined;
1067
1565
  timeout?: number | undefined;
1068
1566
  sseReadTimeout?: number | undefined;
1069
1567
  initTimeout?: number | undefined;
1070
- chatMenu?: boolean | undefined;
1071
1568
  serverInstructions?: string | boolean | undefined;
1072
1569
  requiresOAuth?: boolean | undefined;
1073
1570
  oauth?: {
@@ -1083,34 +1580,38 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1083
1580
  response_types_supported?: string[] | undefined;
1084
1581
  code_challenge_methods_supported?: string[] | undefined;
1085
1582
  skip_code_challenge_check?: boolean | undefined;
1583
+ audience?: string | undefined;
1584
+ forward_audience_on_refresh?: boolean | undefined;
1086
1585
  revocation_endpoint?: string | undefined;
1087
1586
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
1088
1587
  } | undefined;
1089
1588
  oauth_headers?: Record<string, string> | undefined;
1090
1589
  apiKey?: {
1091
- source: "admin" | "user";
1590
+ source: "user" | "admin";
1092
1591
  authorization_type: "custom" | "basic" | "bearer";
1093
1592
  key?: string | undefined;
1094
1593
  custom_header?: string | undefined;
1095
1594
  } | undefined;
1096
1595
  customUserVars?: Record<string, {
1097
- title: string;
1098
1596
  description: string;
1597
+ title: string;
1598
+ sensitive?: boolean | undefined;
1099
1599
  }> | undefined;
1100
- env?: Record<string, string> | undefined;
1600
+ obo?: undefined;
1101
1601
  stderr?: number | "pipe" | "ignore" | "inherit" | undefined;
1102
1602
  }, {
1103
1603
  command: string;
1104
1604
  args: string[];
1105
- title?: string | undefined;
1605
+ type?: "stdio" | undefined;
1106
1606
  description?: string | undefined;
1607
+ title?: string | undefined;
1608
+ chatMenu?: boolean | undefined;
1609
+ env?: Record<string, string> | undefined;
1107
1610
  startup?: boolean | undefined;
1108
1611
  iconPath?: string | undefined;
1109
1612
  timeout?: number | undefined;
1110
1613
  sseReadTimeout?: number | undefined;
1111
1614
  initTimeout?: number | undefined;
1112
- chatMenu?: boolean | undefined;
1113
- type?: "stdio" | undefined;
1114
1615
  serverInstructions?: string | boolean | undefined;
1115
1616
  requiresOAuth?: boolean | undefined;
1116
1617
  oauth?: {
@@ -1126,21 +1627,24 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1126
1627
  response_types_supported?: string[] | undefined;
1127
1628
  code_challenge_methods_supported?: string[] | undefined;
1128
1629
  skip_code_challenge_check?: boolean | undefined;
1630
+ audience?: string | undefined;
1631
+ forward_audience_on_refresh?: boolean | undefined;
1129
1632
  revocation_endpoint?: string | undefined;
1130
1633
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
1131
1634
  } | undefined;
1132
1635
  oauth_headers?: Record<string, string> | undefined;
1133
1636
  apiKey?: {
1134
- source: "admin" | "user";
1637
+ source: "user" | "admin";
1135
1638
  authorization_type: "custom" | "basic" | "bearer";
1136
1639
  key?: string | undefined;
1137
1640
  custom_header?: string | undefined;
1138
1641
  } | undefined;
1139
1642
  customUserVars?: Record<string, {
1140
- title: string;
1141
1643
  description: string;
1644
+ title: string;
1645
+ sensitive?: boolean | undefined;
1142
1646
  }> | undefined;
1143
- env?: Record<string, string> | undefined;
1647
+ obo?: undefined;
1144
1648
  stderr?: number | "pipe" | "ignore" | "inherit" | undefined;
1145
1649
  }>, z.ZodObject<{
1146
1650
  /** Display name for the MCP server - only letters, numbers, and spaces allowed */
@@ -1176,21 +1680,21 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1176
1680
  /**
1177
1681
  * OAuth configuration for SSE and Streamable HTTP transports
1178
1682
  * - Optional: OAuth can be auto-discovered on 401 responses
1179
- * - Pre-configured values will skip discovery steps
1683
+ * - Pre-configured confidential clients must pin both OAuth endpoints
1180
1684
  */
1181
- oauth: z.ZodOptional<z.ZodObject<{
1685
+ oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
1182
1686
  /** OAuth authorization endpoint (optional - can be auto-discovered) */
1183
- authorization_url: z.ZodOptional<z.ZodString>;
1687
+ authorization_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
1184
1688
  /** OAuth token endpoint (optional - can be auto-discovered) */
1185
- token_url: z.ZodOptional<z.ZodString>;
1689
+ token_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
1186
1690
  /** OAuth client ID (optional - can use dynamic registration) */
1187
1691
  client_id: z.ZodOptional<z.ZodString>;
1188
- /** OAuth client secret (optional - can use dynamic registration) */
1692
+ /** OAuth client secret (requires explicit authorization and token endpoints) */
1189
1693
  client_secret: z.ZodOptional<z.ZodString>;
1190
1694
  /** OAuth scopes to request */
1191
1695
  scope: z.ZodOptional<z.ZodString>;
1192
1696
  /** OAuth redirect URI (defaults to /api/mcp/{serverName}/oauth/callback) */
1193
- redirect_uri: z.ZodOptional<z.ZodString>;
1697
+ redirect_uri: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
1194
1698
  /** Token exchange method */
1195
1699
  token_exchange_method: z.ZodOptional<z.ZodNativeEnum<typeof TokenExchangeMethodEnum>>;
1196
1700
  /** Supported grant types (defaults to ['authorization_code', 'refresh_token']) */
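Review bot: The field comments on `authorization_url` and `token_url` still read "optional - can be auto-discovered", which now contradicts the bullet added above them and the new `client_secret` comment: a pre-configured confidential client must pin both endpoints. The rule presumably lives in the refinement behind the new `z.ZodEffects` wrapper, which a declaration file cannot show, so these comments are the only place a reader of the types learns it. I would change them to e.g. `/** OAuth token endpoint (auto-discovered when omitted; required when client_secret is set) */`, with the matching line for `authorization_url`, and add one sentence on the reason, presumably that a configured secret should never be sent to an endpoint learned from discovery. The same stale comments recur in the `@@ -1392,21 +1988,21 @@` and `@@ -1611,21 +2321,21 @@` hunks; the `oauth` object continues outside this hunk.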
@@ -1203,8 +1707,45 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1203
1707
  code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
1204
1708
  /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
1205
1709
  skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
1710
+ /**
1711
+ * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
1712
+ * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
1713
+ * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
1714
+ * automatically from Protected Resource Metadata) is the standards-conformant
1715
+ * route; `audience` covers the providers that ignore it.
1716
+ *
1717
+ * When set, the value is forwarded as-is on `/authorize` (both pre-configured
1718
+ * and DCR-discovered paths). Whether it is also forwarded on the
1719
+ * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
1720
+ *
1721
+ * The `authorization_code` exchange intentionally never receives `audience` —
1722
+ * Auth0 binds audience from the original `/authorize` request and embeds it
1723
+ * in the issued access token; sending it again is redundant.
1724
+ *
1725
+ * No canonicalization is applied — the audience identifier is provider-defined
1726
+ * and may differ from the MCP server URL. This field is only accepted from
1727
+ * trusted/admin MCP configuration and is rejected from user-managed servers.
1728
+ */
1729
+ audience: z.ZodOptional<z.ZodString>;
1730
+ /**
1731
+ * Whether to also forward `audience` on the `refresh_token` grant body.
1732
+ *
1733
+ * Default: `true`. Required for Auth0, which strips the API audience from
1734
+ * refreshed access tokens unless `audience` is re-supplied on every refresh
1735
+ * — without it the next MCP call 401s once the initial access token expires.
1736
+ *
1737
+ * Set to `false` for providers that document refresh requests as
1738
+ * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
1739
+ * strict OAuth 2.0 token endpoints). Those providers maintain the original
1740
+ * `aud` claim across refreshes when the initial token was resource-bound,
1741
+ * so the extra parameter is redundant and may be rejected as
1742
+ * `invalid_request`.
1743
+ *
1744
+ * Ignored when `audience` itself is not configured.
1745
+ */
1746
+ forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
1206
1747
  /** OAuth revocation endpoint (optional - can be auto-discovered) */
1207
- revocation_endpoint: z.ZodOptional<z.ZodString>;
1748
+ revocation_endpoint: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
1208
1749
  /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
1209
1750
  revocation_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
1210
1751
  }, "strip", z.ZodTypeAny, {
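Review bot: The comment on `forward_audience_on_refresh` documents a default of `true`, but the field is declared `z.ZodOptional<z.ZodBoolean>` rather than a `ZodDefault`, so a parsed config carries `undefined` when the key is omitted and every consumer has to apply the default itself. A consumer that tests plain truthiness would silently stop sending `audience` on refresh, which is the Auth0 failure the comment describes. I would either encode the default in the schema or extend the comment with `* Default: true, applied by the caller (the parsed value is undefined when omitted).` Separately, the `audience` comment says the field is rejected from user-managed servers, yet nothing in this declaration expresses that restriction, so the check presumably lives in another schema and the comment should name it. The same text is added in the `@@ -1419,8 +2015,45 @@` hunk.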
@@ -1220,6 +1761,8 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1220
1761
  response_types_supported?: string[] | undefined;
1221
1762
  code_challenge_methods_supported?: string[] | undefined;
1222
1763
  skip_code_challenge_check?: boolean | undefined;
1764
+ audience?: string | undefined;
1765
+ forward_audience_on_refresh?: boolean | undefined;
1223
1766
  revocation_endpoint?: string | undefined;
1224
1767
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
1225
1768
  }, {
@@ -1235,9 +1778,45 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1235
1778
  response_types_supported?: string[] | undefined;
1236
1779
  code_challenge_methods_supported?: string[] | undefined;
1237
1780
  skip_code_challenge_check?: boolean | undefined;
1781
+ audience?: string | undefined;
1782
+ forward_audience_on_refresh?: boolean | undefined;
1238
1783
  revocation_endpoint?: string | undefined;
1239
1784
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
1240
- }>>;
1785
+ }>, {
1786
+ authorization_url?: string | undefined;
1787
+ token_url?: string | undefined;
1788
+ client_id?: string | undefined;
1789
+ client_secret?: string | undefined;
1790
+ scope?: string | undefined;
1791
+ redirect_uri?: string | undefined;
1792
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
1793
+ grant_types_supported?: string[] | undefined;
1794
+ token_endpoint_auth_methods_supported?: string[] | undefined;
1795
+ response_types_supported?: string[] | undefined;
1796
+ code_challenge_methods_supported?: string[] | undefined;
1797
+ skip_code_challenge_check?: boolean | undefined;
1798
+ audience?: string | undefined;
1799
+ forward_audience_on_refresh?: boolean | undefined;
1800
+ revocation_endpoint?: string | undefined;
1801
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
1802
+ }, {
1803
+ authorization_url?: string | undefined;
1804
+ token_url?: string | undefined;
1805
+ client_id?: string | undefined;
1806
+ client_secret?: string | undefined;
1807
+ scope?: string | undefined;
1808
+ redirect_uri?: string | undefined;
1809
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
1810
+ grant_types_supported?: string[] | undefined;
1811
+ token_endpoint_auth_methods_supported?: string[] | undefined;
1812
+ response_types_supported?: string[] | undefined;
1813
+ code_challenge_methods_supported?: string[] | undefined;
1814
+ skip_code_challenge_check?: boolean | undefined;
1815
+ audience?: string | undefined;
1816
+ forward_audience_on_refresh?: boolean | undefined;
1817
+ revocation_endpoint?: string | undefined;
1818
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
1819
+ }>>;
1241
1820
  /** Custom headers to send with OAuth requests (registration, discovery, token exchange, etc.) */
1242
1821
  oauth_headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
1243
1822
  /**
@@ -1255,12 +1834,12 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1255
1834
  /** Custom header name when authorization_type is 'custom' */
1256
1835
  custom_header: z.ZodOptional<z.ZodString>;
1257
1836
  }, "strip", z.ZodTypeAny, {
1258
- source: "admin" | "user";
1837
+ source: "user" | "admin";
1259
1838
  authorization_type: "custom" | "basic" | "bearer";
1260
1839
  key?: string | undefined;
1261
1840
  custom_header?: string | undefined;
1262
1841
  }, {
1263
- source: "admin" | "user";
1842
+ source: "user" | "admin";
1264
1843
  authorization_type: "custom" | "basic" | "bearer";
1265
1844
  key?: string | undefined;
1266
1845
  custom_header?: string | undefined;
@@ -1268,27 +1847,36 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1268
1847
  customUserVars: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
1269
1848
  title: z.ZodString;
1270
1849
  description: z.ZodString;
1850
+ /**
1851
+ * Whether the field holds a secret and should be masked in the UI.
1852
+ * Defaults to masked when omitted; set to `false` for non-secret setup
1853
+ * values (e.g. username, project key, base URL) to render as plain text.
1854
+ */
1855
+ sensitive: z.ZodOptional<z.ZodBoolean>;
1271
1856
  }, "strip", z.ZodTypeAny, {
1272
- title: string;
1273
1857
  description: string;
1274
- }, {
1275
1858
  title: string;
1859
+ sensitive?: boolean | undefined;
1860
+ }, {
1276
1861
  description: string;
1862
+ title: string;
1863
+ sensitive?: boolean | undefined;
1277
1864
  }>>>;
1278
1865
  } & {
1279
1866
  type: z.ZodDefault<z.ZodLiteral<"websocket">>;
1867
+ obo: z.ZodOptional<z.ZodUndefined>;
1280
1868
  url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
1281
1869
  }, "strip", z.ZodTypeAny, {
1282
1870
  type: "websocket";
1283
1871
  url: string;
1284
- title?: string | undefined;
1285
1872
  description?: string | undefined;
1873
+ title?: string | undefined;
1874
+ chatMenu?: boolean | undefined;
1286
1875
  startup?: boolean | undefined;
1287
1876
  iconPath?: string | undefined;
1288
1877
  timeout?: number | undefined;
1289
1878
  sseReadTimeout?: number | undefined;
1290
1879
  initTimeout?: number | undefined;
1291
- chatMenu?: boolean | undefined;
1292
1880
  serverInstructions?: string | boolean | undefined;
1293
1881
  requiresOAuth?: boolean | undefined;
1294
1882
  oauth?: {
@@ -1304,31 +1892,35 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1304
1892
  response_types_supported?: string[] | undefined;
1305
1893
  code_challenge_methods_supported?: string[] | undefined;
1306
1894
  skip_code_challenge_check?: boolean | undefined;
1895
+ audience?: string | undefined;
1896
+ forward_audience_on_refresh?: boolean | undefined;
1307
1897
  revocation_endpoint?: string | undefined;
1308
1898
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
1309
1899
  } | undefined;
1310
1900
  oauth_headers?: Record<string, string> | undefined;
1311
1901
  apiKey?: {
1312
- source: "admin" | "user";
1902
+ source: "user" | "admin";
1313
1903
  authorization_type: "custom" | "basic" | "bearer";
1314
1904
  key?: string | undefined;
1315
1905
  custom_header?: string | undefined;
1316
1906
  } | undefined;
1317
1907
  customUserVars?: Record<string, {
1318
- title: string;
1319
1908
  description: string;
1909
+ title: string;
1910
+ sensitive?: boolean | undefined;
1320
1911
  }> | undefined;
1912
+ obo?: undefined;
1321
1913
  }, {
1322
1914
  url: string;
1323
- title?: string | undefined;
1915
+ type?: "websocket" | undefined;
1324
1916
  description?: string | undefined;
1917
+ title?: string | undefined;
1918
+ chatMenu?: boolean | undefined;
1325
1919
  startup?: boolean | undefined;
1326
1920
  iconPath?: string | undefined;
1327
1921
  timeout?: number | undefined;
1328
1922
  sseReadTimeout?: number | undefined;
1329
1923
  initTimeout?: number | undefined;
1330
- chatMenu?: boolean | undefined;
1331
- type?: "websocket" | undefined;
1332
1924
  serverInstructions?: string | boolean | undefined;
1333
1925
  requiresOAuth?: boolean | undefined;
1334
1926
  oauth?: {
@@ -1344,20 +1936,24 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1344
1936
  response_types_supported?: string[] | undefined;
1345
1937
  code_challenge_methods_supported?: string[] | undefined;
1346
1938
  skip_code_challenge_check?: boolean | undefined;
1939
+ audience?: string | undefined;
1940
+ forward_audience_on_refresh?: boolean | undefined;
1347
1941
  revocation_endpoint?: string | undefined;
1348
1942
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
1349
1943
  } | undefined;
1350
1944
  oauth_headers?: Record<string, string> | undefined;
1351
1945
  apiKey?: {
1352
- source: "admin" | "user";
1946
+ source: "user" | "admin";
1353
1947
  authorization_type: "custom" | "basic" | "bearer";
1354
1948
  key?: string | undefined;
1355
1949
  custom_header?: string | undefined;
1356
1950
  } | undefined;
1357
1951
  customUserVars?: Record<string, {
1358
- title: string;
1359
1952
  description: string;
1953
+ title: string;
1954
+ sensitive?: boolean | undefined;
1360
1955
  }> | undefined;
1956
+ obo?: undefined;
1361
1957
  }>, z.ZodObject<{
1362
1958
  /** Display name for the MCP server - only letters, numbers, and spaces allowed */
1363
1959
  title: z.ZodOptional<z.ZodString>;
@@ -1392,21 +1988,21 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1392
1988
  /**
1393
1989
  * OAuth configuration for SSE and Streamable HTTP transports
1394
1990
  * - Optional: OAuth can be auto-discovered on 401 responses
1395
- * - Pre-configured values will skip discovery steps
1991
+ * - Pre-configured confidential clients must pin both OAuth endpoints
1396
1992
  */
1397
- oauth: z.ZodOptional<z.ZodObject<{
1993
+ oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
1398
1994
  /** OAuth authorization endpoint (optional - can be auto-discovered) */
1399
- authorization_url: z.ZodOptional<z.ZodString>;
1995
+ authorization_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
1400
1996
  /** OAuth token endpoint (optional - can be auto-discovered) */
1401
- token_url: z.ZodOptional<z.ZodString>;
1997
+ token_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
1402
1998
  /** OAuth client ID (optional - can use dynamic registration) */
1403
1999
  client_id: z.ZodOptional<z.ZodString>;
1404
- /** OAuth client secret (optional - can use dynamic registration) */
2000
+ /** OAuth client secret (requires explicit authorization and token endpoints) */
1405
2001
  client_secret: z.ZodOptional<z.ZodString>;
1406
2002
  /** OAuth scopes to request */
1407
2003
  scope: z.ZodOptional<z.ZodString>;
1408
2004
  /** OAuth redirect URI (defaults to /api/mcp/{serverName}/oauth/callback) */
1409
- redirect_uri: z.ZodOptional<z.ZodString>;
2005
+ redirect_uri: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
1410
2006
  /** Token exchange method */
1411
2007
  token_exchange_method: z.ZodOptional<z.ZodNativeEnum<typeof TokenExchangeMethodEnum>>;
1412
2008
  /** Supported grant types (defaults to ['authorization_code', 'refresh_token']) */
@@ -1419,8 +2015,45 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1419
2015
  code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
1420
2016
  /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
1421
2017
  skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
2018
+ /**
2019
+ * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
2020
+ * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
2021
+ * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
2022
+ * automatically from Protected Resource Metadata) is the standards-conformant
2023
+ * route; `audience` covers the providers that ignore it.
2024
+ *
2025
+ * When set, the value is forwarded as-is on `/authorize` (both pre-configured
2026
+ * and DCR-discovered paths). Whether it is also forwarded on the
2027
+ * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
2028
+ *
2029
+ * The `authorization_code` exchange intentionally never receives `audience` —
2030
+ * Auth0 binds audience from the original `/authorize` request and embeds it
2031
+ * in the issued access token; sending it again is redundant.
2032
+ *
2033
+ * No canonicalization is applied — the audience identifier is provider-defined
2034
+ * and may differ from the MCP server URL. This field is only accepted from
2035
+ * trusted/admin MCP configuration and is rejected from user-managed servers.
2036
+ */
2037
+ audience: z.ZodOptional<z.ZodString>;
2038
+ /**
2039
+ * Whether to also forward `audience` on the `refresh_token` grant body.
2040
+ *
2041
+ * Default: `true`. Required for Auth0, which strips the API audience from
2042
+ * refreshed access tokens unless `audience` is re-supplied on every refresh
2043
+ * — without it the next MCP call 401s once the initial access token expires.
2044
+ *
2045
+ * Set to `false` for providers that document refresh requests as
2046
+ * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
2047
+ * strict OAuth 2.0 token endpoints). Those providers maintain the original
2048
+ * `aud` claim across refreshes when the initial token was resource-bound,
2049
+ * so the extra parameter is redundant and may be rejected as
2050
+ * `invalid_request`.
2051
+ *
2052
+ * Ignored when `audience` itself is not configured.
2053
+ */
2054
+ forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
1422
2055
  /** OAuth revocation endpoint (optional - can be auto-discovered) */
1423
- revocation_endpoint: z.ZodOptional<z.ZodString>;
2056
+ revocation_endpoint: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
1424
2057
  /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
1425
2058
  revocation_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
1426
2059
  }, "strip", z.ZodTypeAny, {
@@ -1436,6 +2069,42 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1436
2069
  response_types_supported?: string[] | undefined;
1437
2070
  code_challenge_methods_supported?: string[] | undefined;
1438
2071
  skip_code_challenge_check?: boolean | undefined;
2072
+ audience?: string | undefined;
2073
+ forward_audience_on_refresh?: boolean | undefined;
2074
+ revocation_endpoint?: string | undefined;
2075
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
2076
+ }, {
2077
+ authorization_url?: string | undefined;
2078
+ token_url?: string | undefined;
2079
+ client_id?: string | undefined;
2080
+ client_secret?: string | undefined;
2081
+ scope?: string | undefined;
2082
+ redirect_uri?: string | undefined;
2083
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
2084
+ grant_types_supported?: string[] | undefined;
2085
+ token_endpoint_auth_methods_supported?: string[] | undefined;
2086
+ response_types_supported?: string[] | undefined;
2087
+ code_challenge_methods_supported?: string[] | undefined;
2088
+ skip_code_challenge_check?: boolean | undefined;
2089
+ audience?: string | undefined;
2090
+ forward_audience_on_refresh?: boolean | undefined;
2091
+ revocation_endpoint?: string | undefined;
2092
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
2093
+ }>, {
2094
+ authorization_url?: string | undefined;
2095
+ token_url?: string | undefined;
2096
+ client_id?: string | undefined;
2097
+ client_secret?: string | undefined;
2098
+ scope?: string | undefined;
2099
+ redirect_uri?: string | undefined;
2100
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
2101
+ grant_types_supported?: string[] | undefined;
2102
+ token_endpoint_auth_methods_supported?: string[] | undefined;
2103
+ response_types_supported?: string[] | undefined;
2104
+ code_challenge_methods_supported?: string[] | undefined;
2105
+ skip_code_challenge_check?: boolean | undefined;
2106
+ audience?: string | undefined;
2107
+ forward_audience_on_refresh?: boolean | undefined;
1439
2108
  revocation_endpoint?: string | undefined;
1440
2109
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
1441
2110
  }, {
@@ -1451,6 +2120,8 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1451
2120
  response_types_supported?: string[] | undefined;
1452
2121
  code_challenge_methods_supported?: string[] | undefined;
1453
2122
  skip_code_challenge_check?: boolean | undefined;
2123
+ audience?: string | undefined;
2124
+ forward_audience_on_refresh?: boolean | undefined;
1454
2125
  revocation_endpoint?: string | undefined;
1455
2126
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
1456
2127
  }>>;
@@ -1471,12 +2142,12 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1471
2142
  /** Custom header name when authorization_type is 'custom' */
1472
2143
  custom_header: z.ZodOptional<z.ZodString>;
1473
2144
  }, "strip", z.ZodTypeAny, {
1474
- source: "admin" | "user";
2145
+ source: "user" | "admin";
1475
2146
  authorization_type: "custom" | "basic" | "bearer";
1476
2147
  key?: string | undefined;
1477
2148
  custom_header?: string | undefined;
1478
2149
  }, {
1479
- source: "admin" | "user";
2150
+ source: "user" | "admin";
1480
2151
  authorization_type: "custom" | "basic" | "bearer";
1481
2152
  key?: string | undefined;
1482
2153
  custom_header?: string | undefined;
@@ -1484,28 +2155,53 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1484
2155
  customUserVars: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
1485
2156
  title: z.ZodString;
1486
2157
  description: z.ZodString;
2158
+ /**
2159
+ * Whether the field holds a secret and should be masked in the UI.
2160
+ * Defaults to masked when omitted; set to `false` for non-secret setup
2161
+ * values (e.g. username, project key, base URL) to render as plain text.
2162
+ */
2163
+ sensitive: z.ZodOptional<z.ZodBoolean>;
1487
2164
  }, "strip", z.ZodTypeAny, {
1488
- title: string;
1489
2165
  description: string;
1490
- }, {
1491
2166
  title: string;
2167
+ sensitive?: boolean | undefined;
2168
+ }, {
1492
2169
  description: string;
2170
+ title: string;
2171
+ sensitive?: boolean | undefined;
1493
2172
  }>>>;
1494
2173
  } & {
1495
2174
  type: z.ZodDefault<z.ZodLiteral<"sse">>;
1496
2175
  headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
2176
+ /**
2177
+ * On-Behalf-Of (OBO) token exchange configuration.
2178
+ * When configured, LibreChat exchanges the logged-in user's federated access token
2179
+ * for a token scoped to this MCP server via the OAuth 2.0 OBO flow (jwt-bearer grant).
2180
+ * The exchanged token is injected as a Bearer Authorization header automatically.
2181
+ * Requires the user to be authenticated via OpenID Connect (e.g., Entra ID).
2182
+ */
2183
+ obo: z.ZodOptional<z.ZodObject<{
2184
+ /** Scopes to request for the downstream MCP server (e.g., "api://<client-id>/Mcp.Tools.ReadWrite") */
2185
+ scopes: z.ZodString;
2186
+ }, "strip", z.ZodTypeAny, {
2187
+ scopes: string;
2188
+ }, {
2189
+ scopes: string;
2190
+ }>>;
2191
+ /** Optional outbound proxy URL for this remote MCP transport */
2192
+ proxy: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
1497
2193
  url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
1498
2194
  }, "strip", z.ZodTypeAny, {
1499
2195
  type: "sse";
1500
2196
  url: string;
1501
- title?: string | undefined;
1502
2197
  description?: string | undefined;
2198
+ title?: string | undefined;
2199
+ chatMenu?: boolean | undefined;
1503
2200
  startup?: boolean | undefined;
1504
2201
  iconPath?: string | undefined;
1505
2202
  timeout?: number | undefined;
1506
2203
  sseReadTimeout?: number | undefined;
1507
2204
  initTimeout?: number | undefined;
1508
- chatMenu?: boolean | undefined;
1509
2205
  serverInstructions?: string | boolean | undefined;
1510
2206
  requiresOAuth?: boolean | undefined;
1511
2207
  oauth?: {
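Review bot: The `obo` comment does not say how the exchanged token interacts with the other credential sources on the same server entry: `headers`, `apiKey` and `oauth` remain configurable alongside it, and `headers` could already carry an `Authorization` value. Since the comment states that the bearer header is injected automatically, it should also state which source wins, or that combining them is rejected. The one-line `proxy` comment likewise leaves open whether OAuth and token-exchange requests are routed through the proxy along with MCP traffic, which decides who can observe the per-user token. `scopes` is a bare `z.ZodString` in this declaration, so whether an empty string is refused cannot be seen here. This is a documentation suggestion only; the SSE object continues outside the hunk.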
@@ -1521,32 +2217,39 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1521
2217
  response_types_supported?: string[] | undefined;
1522
2218
  code_challenge_methods_supported?: string[] | undefined;
1523
2219
  skip_code_challenge_check?: boolean | undefined;
2220
+ audience?: string | undefined;
2221
+ forward_audience_on_refresh?: boolean | undefined;
1524
2222
  revocation_endpoint?: string | undefined;
1525
2223
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
1526
2224
  } | undefined;
1527
2225
  oauth_headers?: Record<string, string> | undefined;
1528
2226
  apiKey?: {
1529
- source: "admin" | "user";
2227
+ source: "user" | "admin";
1530
2228
  authorization_type: "custom" | "basic" | "bearer";
1531
2229
  key?: string | undefined;
1532
2230
  custom_header?: string | undefined;
1533
2231
  } | undefined;
1534
2232
  customUserVars?: Record<string, {
1535
- title: string;
1536
2233
  description: string;
2234
+ title: string;
2235
+ sensitive?: boolean | undefined;
1537
2236
  }> | undefined;
2237
+ obo?: {
2238
+ scopes: string;
2239
+ } | undefined;
1538
2240
  headers?: Record<string, string> | undefined;
2241
+ proxy?: string | undefined;
1539
2242
  }, {
1540
2243
  url: string;
1541
- title?: string | undefined;
2244
+ type?: "sse" | undefined;
1542
2245
  description?: string | undefined;
2246
+ title?: string | undefined;
2247
+ chatMenu?: boolean | undefined;
1543
2248
  startup?: boolean | undefined;
1544
2249
  iconPath?: string | undefined;
1545
2250
  timeout?: number | undefined;
1546
2251
  sseReadTimeout?: number | undefined;
1547
2252
  initTimeout?: number | undefined;
1548
- chatMenu?: boolean | undefined;
1549
- type?: "sse" | undefined;
1550
2253
  serverInstructions?: string | boolean | undefined;
1551
2254
  requiresOAuth?: boolean | undefined;
1552
2255
  oauth?: {
@@ -1562,21 +2265,28 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1562
2265
  response_types_supported?: string[] | undefined;
1563
2266
  code_challenge_methods_supported?: string[] | undefined;
1564
2267
  skip_code_challenge_check?: boolean | undefined;
2268
+ audience?: string | undefined;
2269
+ forward_audience_on_refresh?: boolean | undefined;
1565
2270
  revocation_endpoint?: string | undefined;
1566
2271
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
1567
2272
  } | undefined;
1568
2273
  oauth_headers?: Record<string, string> | undefined;
1569
2274
  apiKey?: {
1570
- source: "admin" | "user";
2275
+ source: "user" | "admin";
1571
2276
  authorization_type: "custom" | "basic" | "bearer";
1572
2277
  key?: string | undefined;
1573
2278
  custom_header?: string | undefined;
1574
2279
  } | undefined;
1575
2280
  customUserVars?: Record<string, {
1576
- title: string;
1577
2281
  description: string;
2282
+ title: string;
2283
+ sensitive?: boolean | undefined;
1578
2284
  }> | undefined;
2285
+ obo?: {
2286
+ scopes: string;
2287
+ } | undefined;
1579
2288
  headers?: Record<string, string> | undefined;
2289
+ proxy?: string | undefined;
1580
2290
  }>, z.ZodObject<{
1581
2291
  /** Display name for the MCP server - only letters, numbers, and spaces allowed */
1582
2292
  title: z.ZodOptional<z.ZodString>;
@@ -1611,21 +2321,21 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1611
2321
  /**
1612
2322
  * OAuth configuration for SSE and Streamable HTTP transports
1613
2323
  * - Optional: OAuth can be auto-discovered on 401 responses
1614
- * - Pre-configured values will skip discovery steps
2324
+ * - Pre-configured confidential clients must pin both OAuth endpoints
1615
2325
  */
1616
- oauth: z.ZodOptional<z.ZodObject<{
2326
+ oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
1617
2327
  /** OAuth authorization endpoint (optional - can be auto-discovered) */
1618
- authorization_url: z.ZodOptional<z.ZodString>;
2328
+ authorization_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
1619
2329
  /** OAuth token endpoint (optional - can be auto-discovered) */
1620
- token_url: z.ZodOptional<z.ZodString>;
2330
+ token_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
1621
2331
  /** OAuth client ID (optional - can use dynamic registration) */
1622
2332
  client_id: z.ZodOptional<z.ZodString>;
1623
- /** OAuth client secret (optional - can use dynamic registration) */
2333
+ /** OAuth client secret (requires explicit authorization and token endpoints) */
1624
2334
  client_secret: z.ZodOptional<z.ZodString>;
1625
2335
  /** OAuth scopes to request */
1626
2336
  scope: z.ZodOptional<z.ZodString>;
1627
2337
  /** OAuth redirect URI (defaults to /api/mcp/{serverName}/oauth/callback) */
1628
- redirect_uri: z.ZodOptional<z.ZodString>;
2338
+ redirect_uri: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
1629
2339
  /** Token exchange method */
1630
2340
  token_exchange_method: z.ZodOptional<z.ZodNativeEnum<typeof TokenExchangeMethodEnum>>;
1631
2341
  /** Supported grant types (defaults to ['authorization_code', 'refresh_token']) */
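Review bot: The per-field comments on `authorization_url` and `token_url` still say "optional - can be auto-discovered", which contradicts the new block comment and the new `client_secret` comment requiring both endpoints to be pinned for confidential clients. I would reword them, e.g. `/** OAuth token endpoint (auto-discoverable only when no client_secret is configured) */`, so an operator reading one field sees the constraint. The pinning rule names only the authorization and token endpoints, while `revocation_endpoint` in the following hunk keeps "can be auto-discovered". A revocation request from a confidential client also carries client authentication, so it is worth confirming that a discovered revocation endpoint never receives the configured secret. The `ZodEffects` wrapper on `oauth` suggests a refinement enforces the rule, but its body is not visible in this declaration file; the same wording recurs in the `MCPServersSchema` hunks at `@@ -1831,21 +2655,21 @@` and `@@ -2073,21 +2989,21 @@`, and the declaration itself starts and ends outside this hunk.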
@@ -1638,8 +2348,45 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1638
2348
  code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
1639
2349
  /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
1640
2350
  skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
2351
+ /**
2352
+ * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
2353
+ * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
2354
+ * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
2355
+ * automatically from Protected Resource Metadata) is the standards-conformant
2356
+ * route; `audience` covers the providers that ignore it.
2357
+ *
2358
+ * When set, the value is forwarded as-is on `/authorize` (both pre-configured
2359
+ * and DCR-discovered paths). Whether it is also forwarded on the
2360
+ * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
2361
+ *
2362
+ * The `authorization_code` exchange intentionally never receives `audience` —
2363
+ * Auth0 binds audience from the original `/authorize` request and embeds it
2364
+ * in the issued access token; sending it again is redundant.
2365
+ *
2366
+ * No canonicalization is applied — the audience identifier is provider-defined
2367
+ * and may differ from the MCP server URL. This field is only accepted from
2368
+ * trusted/admin MCP configuration and is rejected from user-managed servers.
2369
+ */
2370
+ audience: z.ZodOptional<z.ZodString>;
2371
+ /**
2372
+ * Whether to also forward `audience` on the `refresh_token` grant body.
2373
+ *
2374
+ * Default: `true`. Required for Auth0, which strips the API audience from
2375
+ * refreshed access tokens unless `audience` is re-supplied on every refresh
2376
+ * — without it the next MCP call 401s once the initial access token expires.
2377
+ *
2378
+ * Set to `false` for providers that document refresh requests as
2379
+ * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
2380
+ * strict OAuth 2.0 token endpoints). Those providers maintain the original
2381
+ * `aud` claim across refreshes when the initial token was resource-bound,
2382
+ * so the extra parameter is redundant and may be rejected as
2383
+ * `invalid_request`.
2384
+ *
2385
+ * Ignored when `audience` itself is not configured.
2386
+ */
2387
+ forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
1641
2388
  /** OAuth revocation endpoint (optional - can be auto-discovered) */
1642
- revocation_endpoint: z.ZodOptional<z.ZodString>;
2389
+ revocation_endpoint: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
1643
2390
  /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
1644
2391
  revocation_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
1645
2392
  }, "strip", z.ZodTypeAny, {
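Review bot: The `audience` comment promises the field "is rejected from user-managed servers", yet the type declared here is a plain `z.ZodOptional<z.ZodString>`, so this schema on its own accepts the value from any caller. The comment should say which validator performs the rejection, so that nobody parses user-supplied server config with `MCPOptionsSchema` and assumes the restriction is applied. Likewise `forward_audience_on_refresh` is documented as "Default: `true`" but typed `ZodOptional<ZodBoolean>` rather than a `ZodDefault`, so an omitted value parses to `undefined`; I would add `* The default is applied by the consumer, not by this schema: treat undefined as true.` to keep a truthiness check from inverting it. The same comments recur in the `MCPServersSchema` hunks at `@@ -1858,8 +2682,45 @@` and `@@ -2100,8 +3016,45 @@`, and the enclosing declaration starts and ends outside this hunk.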
@@ -1655,6 +2402,42 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1655
2402
  response_types_supported?: string[] | undefined;
1656
2403
  code_challenge_methods_supported?: string[] | undefined;
1657
2404
  skip_code_challenge_check?: boolean | undefined;
2405
+ audience?: string | undefined;
2406
+ forward_audience_on_refresh?: boolean | undefined;
2407
+ revocation_endpoint?: string | undefined;
2408
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
2409
+ }, {
2410
+ authorization_url?: string | undefined;
2411
+ token_url?: string | undefined;
2412
+ client_id?: string | undefined;
2413
+ client_secret?: string | undefined;
2414
+ scope?: string | undefined;
2415
+ redirect_uri?: string | undefined;
2416
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
2417
+ grant_types_supported?: string[] | undefined;
2418
+ token_endpoint_auth_methods_supported?: string[] | undefined;
2419
+ response_types_supported?: string[] | undefined;
2420
+ code_challenge_methods_supported?: string[] | undefined;
2421
+ skip_code_challenge_check?: boolean | undefined;
2422
+ audience?: string | undefined;
2423
+ forward_audience_on_refresh?: boolean | undefined;
2424
+ revocation_endpoint?: string | undefined;
2425
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
2426
+ }>, {
2427
+ authorization_url?: string | undefined;
2428
+ token_url?: string | undefined;
2429
+ client_id?: string | undefined;
2430
+ client_secret?: string | undefined;
2431
+ scope?: string | undefined;
2432
+ redirect_uri?: string | undefined;
2433
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
2434
+ grant_types_supported?: string[] | undefined;
2435
+ token_endpoint_auth_methods_supported?: string[] | undefined;
2436
+ response_types_supported?: string[] | undefined;
2437
+ code_challenge_methods_supported?: string[] | undefined;
2438
+ skip_code_challenge_check?: boolean | undefined;
2439
+ audience?: string | undefined;
2440
+ forward_audience_on_refresh?: boolean | undefined;
1658
2441
  revocation_endpoint?: string | undefined;
1659
2442
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
1660
2443
  }, {
@@ -1670,6 +2453,8 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1670
2453
  response_types_supported?: string[] | undefined;
1671
2454
  code_challenge_methods_supported?: string[] | undefined;
1672
2455
  skip_code_challenge_check?: boolean | undefined;
2456
+ audience?: string | undefined;
2457
+ forward_audience_on_refresh?: boolean | undefined;
1673
2458
  revocation_endpoint?: string | undefined;
1674
2459
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
1675
2460
  }>>;
@@ -1690,12 +2475,12 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1690
2475
  /** Custom header name when authorization_type is 'custom' */
1691
2476
  custom_header: z.ZodOptional<z.ZodString>;
1692
2477
  }, "strip", z.ZodTypeAny, {
1693
- source: "admin" | "user";
2478
+ source: "user" | "admin";
1694
2479
  authorization_type: "custom" | "basic" | "bearer";
1695
2480
  key?: string | undefined;
1696
2481
  custom_header?: string | undefined;
1697
2482
  }, {
1698
- source: "admin" | "user";
2483
+ source: "user" | "admin";
1699
2484
  authorization_type: "custom" | "basic" | "bearer";
1700
2485
  key?: string | undefined;
1701
2486
  custom_header?: string | undefined;
@@ -1703,28 +2488,53 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1703
2488
  customUserVars: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
1704
2489
  title: z.ZodString;
1705
2490
  description: z.ZodString;
2491
+ /**
2492
+ * Whether the field holds a secret and should be masked in the UI.
2493
+ * Defaults to masked when omitted; set to `false` for non-secret setup
2494
+ * values (e.g. username, project key, base URL) to render as plain text.
2495
+ */
2496
+ sensitive: z.ZodOptional<z.ZodBoolean>;
1706
2497
  }, "strip", z.ZodTypeAny, {
1707
- title: string;
1708
2498
  description: string;
1709
- }, {
1710
2499
  title: string;
2500
+ sensitive?: boolean | undefined;
2501
+ }, {
1711
2502
  description: string;
2503
+ title: string;
2504
+ sensitive?: boolean | undefined;
1712
2505
  }>>>;
1713
2506
  } & {
1714
2507
  type: z.ZodUnion<[z.ZodLiteral<"streamable-http">, z.ZodLiteral<"http">]>;
1715
2508
  headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
2509
+ /**
2510
+ * On-Behalf-Of (OBO) token exchange configuration.
2511
+ * When configured, LibreChat exchanges the logged-in user's federated access token
2512
+ * for a token scoped to this MCP server via the OAuth 2.0 OBO flow (jwt-bearer grant).
2513
+ * The exchanged token is injected as a Bearer Authorization header automatically.
2514
+ * Requires the user to be authenticated via OpenID Connect (e.g., Entra ID).
2515
+ */
2516
+ obo: z.ZodOptional<z.ZodObject<{
2517
+ /** Scopes to request for the downstream MCP server (e.g., "api://<client-id>/Mcp.Tools.ReadWrite") */
2518
+ scopes: z.ZodString;
2519
+ }, "strip", z.ZodTypeAny, {
2520
+ scopes: string;
2521
+ }, {
2522
+ scopes: string;
2523
+ }>>;
2524
+ /** Optional outbound proxy URL for this remote MCP transport */
2525
+ proxy: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
1716
2526
  url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
1717
2527
  }, "strip", z.ZodTypeAny, {
1718
2528
  type: "streamable-http" | "http";
1719
2529
  url: string;
1720
- title?: string | undefined;
1721
2530
  description?: string | undefined;
2531
+ title?: string | undefined;
2532
+ chatMenu?: boolean | undefined;
1722
2533
  startup?: boolean | undefined;
1723
2534
  iconPath?: string | undefined;
1724
2535
  timeout?: number | undefined;
1725
2536
  sseReadTimeout?: number | undefined;
1726
2537
  initTimeout?: number | undefined;
1727
- chatMenu?: boolean | undefined;
1728
2538
  serverInstructions?: string | boolean | undefined;
1729
2539
  requiresOAuth?: boolean | undefined;
1730
2540
  oauth?: {
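Review bot: The new `obo` and `proxy` comments do not state a trust boundary the way the `audience` comment does, although both fields change where credentials and traffic go. `obo` exchanges the logged-in user's federated token and injects the result as a Bearer header towards `url`, and `proxy` routes the transport through an operator-supplied host. If these are meant to be admin-only, each comment should say so, e.g. `* Only accepted from trusted/admin MCP configuration.`; whether that restriction exists cannot be told from this declaration file. Proxy URLs often carry credentials in the userinfo part, so the `proxy` comment should also note whether the value is redacted in logs and API responses. The enclosing `MCPOptionsSchema` declaration starts and ends outside this hunk.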
@@ -1740,32 +2550,39 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1740
2550
  response_types_supported?: string[] | undefined;
1741
2551
  code_challenge_methods_supported?: string[] | undefined;
1742
2552
  skip_code_challenge_check?: boolean | undefined;
2553
+ audience?: string | undefined;
2554
+ forward_audience_on_refresh?: boolean | undefined;
1743
2555
  revocation_endpoint?: string | undefined;
1744
2556
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
1745
2557
  } | undefined;
1746
2558
  oauth_headers?: Record<string, string> | undefined;
1747
2559
  apiKey?: {
1748
- source: "admin" | "user";
2560
+ source: "user" | "admin";
1749
2561
  authorization_type: "custom" | "basic" | "bearer";
1750
2562
  key?: string | undefined;
1751
2563
  custom_header?: string | undefined;
1752
2564
  } | undefined;
1753
2565
  customUserVars?: Record<string, {
1754
- title: string;
1755
2566
  description: string;
2567
+ title: string;
2568
+ sensitive?: boolean | undefined;
1756
2569
  }> | undefined;
2570
+ obo?: {
2571
+ scopes: string;
2572
+ } | undefined;
1757
2573
  headers?: Record<string, string> | undefined;
2574
+ proxy?: string | undefined;
1758
2575
  }, {
1759
2576
  type: "streamable-http" | "http";
1760
2577
  url: string;
1761
- title?: string | undefined;
1762
2578
  description?: string | undefined;
2579
+ title?: string | undefined;
2580
+ chatMenu?: boolean | undefined;
1763
2581
  startup?: boolean | undefined;
1764
2582
  iconPath?: string | undefined;
1765
2583
  timeout?: number | undefined;
1766
2584
  sseReadTimeout?: number | undefined;
1767
2585
  initTimeout?: number | undefined;
1768
- chatMenu?: boolean | undefined;
1769
2586
  serverInstructions?: string | boolean | undefined;
1770
2587
  requiresOAuth?: boolean | undefined;
1771
2588
  oauth?: {
@@ -1781,21 +2598,28 @@ export declare const MCPOptionsSchema: z.ZodUnion<[z.ZodObject<{
1781
2598
  response_types_supported?: string[] | undefined;
1782
2599
  code_challenge_methods_supported?: string[] | undefined;
1783
2600
  skip_code_challenge_check?: boolean | undefined;
2601
+ audience?: string | undefined;
2602
+ forward_audience_on_refresh?: boolean | undefined;
1784
2603
  revocation_endpoint?: string | undefined;
1785
2604
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
1786
2605
  } | undefined;
1787
2606
  oauth_headers?: Record<string, string> | undefined;
1788
2607
  apiKey?: {
1789
- source: "admin" | "user";
2608
+ source: "user" | "admin";
1790
2609
  authorization_type: "custom" | "basic" | "bearer";
1791
2610
  key?: string | undefined;
1792
2611
  custom_header?: string | undefined;
1793
2612
  } | undefined;
1794
2613
  customUserVars?: Record<string, {
1795
- title: string;
1796
2614
  description: string;
2615
+ title: string;
2616
+ sensitive?: boolean | undefined;
1797
2617
  }> | undefined;
2618
+ obo?: {
2619
+ scopes: string;
2620
+ } | undefined;
1798
2621
  headers?: Record<string, string> | undefined;
2622
+ proxy?: string | undefined;
1799
2623
  }>]>;
1800
2624
  export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.ZodObject<{
1801
2625
  /** Display name for the MCP server - only letters, numbers, and spaces allowed */
@@ -1831,21 +2655,21 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
1831
2655
  /**
1832
2656
  * OAuth configuration for SSE and Streamable HTTP transports
1833
2657
  * - Optional: OAuth can be auto-discovered on 401 responses
1834
- * - Pre-configured values will skip discovery steps
2658
+ * - Pre-configured confidential clients must pin both OAuth endpoints
1835
2659
  */
1836
- oauth: z.ZodOptional<z.ZodObject<{
2660
+ oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
1837
2661
  /** OAuth authorization endpoint (optional - can be auto-discovered) */
1838
- authorization_url: z.ZodOptional<z.ZodString>;
2662
+ authorization_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
1839
2663
  /** OAuth token endpoint (optional - can be auto-discovered) */
1840
- token_url: z.ZodOptional<z.ZodString>;
2664
+ token_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
1841
2665
  /** OAuth client ID (optional - can use dynamic registration) */
1842
2666
  client_id: z.ZodOptional<z.ZodString>;
1843
- /** OAuth client secret (optional - can use dynamic registration) */
2667
+ /** OAuth client secret (requires explicit authorization and token endpoints) */
1844
2668
  client_secret: z.ZodOptional<z.ZodString>;
1845
2669
  /** OAuth scopes to request */
1846
2670
  scope: z.ZodOptional<z.ZodString>;
1847
2671
  /** OAuth redirect URI (defaults to /api/mcp/{serverName}/oauth/callback) */
1848
- redirect_uri: z.ZodOptional<z.ZodString>;
2672
+ redirect_uri: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
1849
2673
  /** Token exchange method */
1850
2674
  token_exchange_method: z.ZodOptional<z.ZodNativeEnum<typeof TokenExchangeMethodEnum>>;
1851
2675
  /** Supported grant types (defaults to ['authorization_code', 'refresh_token']) */
@@ -1858,8 +2682,45 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
1858
2682
  code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
1859
2683
  /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
1860
2684
  skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
2685
+ /**
2686
+ * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
2687
+ * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
2688
+ * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
2689
+ * automatically from Protected Resource Metadata) is the standards-conformant
2690
+ * route; `audience` covers the providers that ignore it.
2691
+ *
2692
+ * When set, the value is forwarded as-is on `/authorize` (both pre-configured
2693
+ * and DCR-discovered paths). Whether it is also forwarded on the
2694
+ * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
2695
+ *
2696
+ * The `authorization_code` exchange intentionally never receives `audience` —
2697
+ * Auth0 binds audience from the original `/authorize` request and embeds it
2698
+ * in the issued access token; sending it again is redundant.
2699
+ *
2700
+ * No canonicalization is applied — the audience identifier is provider-defined
2701
+ * and may differ from the MCP server URL. This field is only accepted from
2702
+ * trusted/admin MCP configuration and is rejected from user-managed servers.
2703
+ */
2704
+ audience: z.ZodOptional<z.ZodString>;
2705
+ /**
2706
+ * Whether to also forward `audience` on the `refresh_token` grant body.
2707
+ *
2708
+ * Default: `true`. Required for Auth0, which strips the API audience from
2709
+ * refreshed access tokens unless `audience` is re-supplied on every refresh
2710
+ * — without it the next MCP call 401s once the initial access token expires.
2711
+ *
2712
+ * Set to `false` for providers that document refresh requests as
2713
+ * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
2714
+ * strict OAuth 2.0 token endpoints). Those providers maintain the original
2715
+ * `aud` claim across refreshes when the initial token was resource-bound,
2716
+ * so the extra parameter is redundant and may be rejected as
2717
+ * `invalid_request`.
2718
+ *
2719
+ * Ignored when `audience` itself is not configured.
2720
+ */
2721
+ forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
1861
2722
  /** OAuth revocation endpoint (optional - can be auto-discovered) */
1862
- revocation_endpoint: z.ZodOptional<z.ZodString>;
2723
+ revocation_endpoint: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
1863
2724
  /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
1864
2725
  revocation_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
1865
2726
  }, "strip", z.ZodTypeAny, {
@@ -1875,6 +2736,42 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
1875
2736
  response_types_supported?: string[] | undefined;
1876
2737
  code_challenge_methods_supported?: string[] | undefined;
1877
2738
  skip_code_challenge_check?: boolean | undefined;
2739
+ audience?: string | undefined;
2740
+ forward_audience_on_refresh?: boolean | undefined;
2741
+ revocation_endpoint?: string | undefined;
2742
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
2743
+ }, {
2744
+ authorization_url?: string | undefined;
2745
+ token_url?: string | undefined;
2746
+ client_id?: string | undefined;
2747
+ client_secret?: string | undefined;
2748
+ scope?: string | undefined;
2749
+ redirect_uri?: string | undefined;
2750
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
2751
+ grant_types_supported?: string[] | undefined;
2752
+ token_endpoint_auth_methods_supported?: string[] | undefined;
2753
+ response_types_supported?: string[] | undefined;
2754
+ code_challenge_methods_supported?: string[] | undefined;
2755
+ skip_code_challenge_check?: boolean | undefined;
2756
+ audience?: string | undefined;
2757
+ forward_audience_on_refresh?: boolean | undefined;
2758
+ revocation_endpoint?: string | undefined;
2759
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
2760
+ }>, {
2761
+ authorization_url?: string | undefined;
2762
+ token_url?: string | undefined;
2763
+ client_id?: string | undefined;
2764
+ client_secret?: string | undefined;
2765
+ scope?: string | undefined;
2766
+ redirect_uri?: string | undefined;
2767
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
2768
+ grant_types_supported?: string[] | undefined;
2769
+ token_endpoint_auth_methods_supported?: string[] | undefined;
2770
+ response_types_supported?: string[] | undefined;
2771
+ code_challenge_methods_supported?: string[] | undefined;
2772
+ skip_code_challenge_check?: boolean | undefined;
2773
+ audience?: string | undefined;
2774
+ forward_audience_on_refresh?: boolean | undefined;
1878
2775
  revocation_endpoint?: string | undefined;
1879
2776
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
1880
2777
  }, {
@@ -1890,6 +2787,8 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
1890
2787
  response_types_supported?: string[] | undefined;
1891
2788
  code_challenge_methods_supported?: string[] | undefined;
1892
2789
  skip_code_challenge_check?: boolean | undefined;
2790
+ audience?: string | undefined;
2791
+ forward_audience_on_refresh?: boolean | undefined;
1893
2792
  revocation_endpoint?: string | undefined;
1894
2793
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
1895
2794
  }>>;
@@ -1910,12 +2809,12 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
1910
2809
  /** Custom header name when authorization_type is 'custom' */
1911
2810
  custom_header: z.ZodOptional<z.ZodString>;
1912
2811
  }, "strip", z.ZodTypeAny, {
1913
- source: "admin" | "user";
2812
+ source: "user" | "admin";
1914
2813
  authorization_type: "custom" | "basic" | "bearer";
1915
2814
  key?: string | undefined;
1916
2815
  custom_header?: string | undefined;
1917
2816
  }, {
1918
- source: "admin" | "user";
2817
+ source: "user" | "admin";
1919
2818
  authorization_type: "custom" | "basic" | "bearer";
1920
2819
  key?: string | undefined;
1921
2820
  custom_header?: string | undefined;
@@ -1923,15 +2822,24 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
1923
2822
  customUserVars: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
1924
2823
  title: z.ZodString;
1925
2824
  description: z.ZodString;
2825
+ /**
2826
+ * Whether the field holds a secret and should be masked in the UI.
2827
+ * Defaults to masked when omitted; set to `false` for non-secret setup
2828
+ * values (e.g. username, project key, base URL) to render as plain text.
2829
+ */
2830
+ sensitive: z.ZodOptional<z.ZodBoolean>;
1926
2831
  }, "strip", z.ZodTypeAny, {
1927
- title: string;
1928
2832
  description: string;
1929
- }, {
1930
2833
  title: string;
2834
+ sensitive?: boolean | undefined;
2835
+ }, {
1931
2836
  description: string;
2837
+ title: string;
2838
+ sensitive?: boolean | undefined;
1932
2839
  }>>>;
1933
2840
  } & {
1934
2841
  type: z.ZodDefault<z.ZodLiteral<"stdio">>;
2842
+ obo: z.ZodOptional<z.ZodUndefined>;
1935
2843
  /**
1936
2844
  * The executable to run to start the server.
1937
2845
  */
@@ -1957,14 +2865,15 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
1957
2865
  type: "stdio";
1958
2866
  command: string;
1959
2867
  args: string[];
1960
- title?: string | undefined;
1961
2868
  description?: string | undefined;
2869
+ title?: string | undefined;
2870
+ chatMenu?: boolean | undefined;
2871
+ env?: Record<string, string> | undefined;
1962
2872
  startup?: boolean | undefined;
1963
2873
  iconPath?: string | undefined;
1964
2874
  timeout?: number | undefined;
1965
2875
  sseReadTimeout?: number | undefined;
1966
2876
  initTimeout?: number | undefined;
1967
- chatMenu?: boolean | undefined;
1968
2877
  serverInstructions?: string | boolean | undefined;
1969
2878
  requiresOAuth?: boolean | undefined;
1970
2879
  oauth?: {
@@ -1980,34 +2889,38 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
1980
2889
  response_types_supported?: string[] | undefined;
1981
2890
  code_challenge_methods_supported?: string[] | undefined;
1982
2891
  skip_code_challenge_check?: boolean | undefined;
2892
+ audience?: string | undefined;
2893
+ forward_audience_on_refresh?: boolean | undefined;
1983
2894
  revocation_endpoint?: string | undefined;
1984
2895
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
1985
2896
  } | undefined;
1986
2897
  oauth_headers?: Record<string, string> | undefined;
1987
2898
  apiKey?: {
1988
- source: "admin" | "user";
2899
+ source: "user" | "admin";
1989
2900
  authorization_type: "custom" | "basic" | "bearer";
1990
2901
  key?: string | undefined;
1991
2902
  custom_header?: string | undefined;
1992
2903
  } | undefined;
1993
2904
  customUserVars?: Record<string, {
1994
- title: string;
1995
2905
  description: string;
2906
+ title: string;
2907
+ sensitive?: boolean | undefined;
1996
2908
  }> | undefined;
1997
- env?: Record<string, string> | undefined;
2909
+ obo?: undefined;
1998
2910
  stderr?: number | "pipe" | "ignore" | "inherit" | undefined;
1999
2911
  }, {
2000
2912
  command: string;
2001
2913
  args: string[];
2002
- title?: string | undefined;
2914
+ type?: "stdio" | undefined;
2003
2915
  description?: string | undefined;
2916
+ title?: string | undefined;
2917
+ chatMenu?: boolean | undefined;
2918
+ env?: Record<string, string> | undefined;
2004
2919
  startup?: boolean | undefined;
2005
2920
  iconPath?: string | undefined;
2006
2921
  timeout?: number | undefined;
2007
2922
  sseReadTimeout?: number | undefined;
2008
2923
  initTimeout?: number | undefined;
2009
- chatMenu?: boolean | undefined;
2010
- type?: "stdio" | undefined;
2011
2924
  serverInstructions?: string | boolean | undefined;
2012
2925
  requiresOAuth?: boolean | undefined;
2013
2926
  oauth?: {
@@ -2023,21 +2936,24 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2023
2936
  response_types_supported?: string[] | undefined;
2024
2937
  code_challenge_methods_supported?: string[] | undefined;
2025
2938
  skip_code_challenge_check?: boolean | undefined;
2939
+ audience?: string | undefined;
2940
+ forward_audience_on_refresh?: boolean | undefined;
2026
2941
  revocation_endpoint?: string | undefined;
2027
2942
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
2028
2943
  } | undefined;
2029
2944
  oauth_headers?: Record<string, string> | undefined;
2030
2945
  apiKey?: {
2031
- source: "admin" | "user";
2946
+ source: "user" | "admin";
2032
2947
  authorization_type: "custom" | "basic" | "bearer";
2033
2948
  key?: string | undefined;
2034
2949
  custom_header?: string | undefined;
2035
2950
  } | undefined;
2036
2951
  customUserVars?: Record<string, {
2037
- title: string;
2038
2952
  description: string;
2953
+ title: string;
2954
+ sensitive?: boolean | undefined;
2039
2955
  }> | undefined;
2040
- env?: Record<string, string> | undefined;
2956
+ obo?: undefined;
2041
2957
  stderr?: number | "pipe" | "ignore" | "inherit" | undefined;
2042
2958
  }>, z.ZodObject<{
2043
2959
  /** Display name for the MCP server - only letters, numbers, and spaces allowed */
@@ -2073,21 +2989,21 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2073
2989
  /**
2074
2990
  * OAuth configuration for SSE and Streamable HTTP transports
2075
2991
  * - Optional: OAuth can be auto-discovered on 401 responses
2076
- * - Pre-configured values will skip discovery steps
2992
+ * - Pre-configured confidential clients must pin both OAuth endpoints
2077
2993
  */
2078
- oauth: z.ZodOptional<z.ZodObject<{
2994
+ oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
2079
2995
  /** OAuth authorization endpoint (optional - can be auto-discovered) */
2080
- authorization_url: z.ZodOptional<z.ZodString>;
2996
+ authorization_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
2081
2997
  /** OAuth token endpoint (optional - can be auto-discovered) */
2082
- token_url: z.ZodOptional<z.ZodString>;
2998
+ token_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
2083
2999
  /** OAuth client ID (optional - can use dynamic registration) */
2084
3000
  client_id: z.ZodOptional<z.ZodString>;
2085
- /** OAuth client secret (optional - can use dynamic registration) */
3001
+ /** OAuth client secret (requires explicit authorization and token endpoints) */
2086
3002
  client_secret: z.ZodOptional<z.ZodString>;
2087
3003
  /** OAuth scopes to request */
2088
3004
  scope: z.ZodOptional<z.ZodString>;
2089
3005
  /** OAuth redirect URI (defaults to /api/mcp/{serverName}/oauth/callback) */
2090
- redirect_uri: z.ZodOptional<z.ZodString>;
3006
+ redirect_uri: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
2091
3007
  /** Token exchange method */
2092
3008
  token_exchange_method: z.ZodOptional<z.ZodNativeEnum<typeof TokenExchangeMethodEnum>>;
2093
3009
  /** Supported grant types (defaults to ['authorization_code', 'refresh_token']) */
@@ -2100,8 +3016,45 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2100
3016
  code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
2101
3017
  /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
2102
3018
  skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
3019
+ /**
3020
+ * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
3021
+ * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
3022
+ * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
3023
+ * automatically from Protected Resource Metadata) is the standards-conformant
3024
+ * route; `audience` covers the providers that ignore it.
3025
+ *
3026
+ * When set, the value is forwarded as-is on `/authorize` (both pre-configured
3027
+ * and DCR-discovered paths). Whether it is also forwarded on the
3028
+ * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
3029
+ *
3030
+ * The `authorization_code` exchange intentionally never receives `audience` —
3031
+ * Auth0 binds audience from the original `/authorize` request and embeds it
3032
+ * in the issued access token; sending it again is redundant.
3033
+ *
3034
+ * No canonicalization is applied — the audience identifier is provider-defined
3035
+ * and may differ from the MCP server URL. This field is only accepted from
3036
+ * trusted/admin MCP configuration and is rejected from user-managed servers.
3037
+ */
3038
+ audience: z.ZodOptional<z.ZodString>;
3039
+ /**
3040
+ * Whether to also forward `audience` on the `refresh_token` grant body.
3041
+ *
3042
+ * Default: `true`. Required for Auth0, which strips the API audience from
3043
+ * refreshed access tokens unless `audience` is re-supplied on every refresh
3044
+ * — without it the next MCP call 401s once the initial access token expires.
3045
+ *
3046
+ * Set to `false` for providers that document refresh requests as
3047
+ * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
3048
+ * strict OAuth 2.0 token endpoints). Those providers maintain the original
3049
+ * `aud` claim across refreshes when the initial token was resource-bound,
3050
+ * so the extra parameter is redundant and may be rejected as
3051
+ * `invalid_request`.
3052
+ *
3053
+ * Ignored when `audience` itself is not configured.
3054
+ */
3055
+ forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
2103
3056
  /** OAuth revocation endpoint (optional - can be auto-discovered) */
2104
- revocation_endpoint: z.ZodOptional<z.ZodString>;
3057
+ revocation_endpoint: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
2105
3058
  /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
2106
3059
  revocation_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
2107
3060
  }, "strip", z.ZodTypeAny, {
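Review bot: `revocation_endpoint` gains the same URL validation as the other endpoints but is still documented as auto-discoverable, while the new pinning rule names only the authorization and token endpoints. If revocation requests authenticate the client, which the neighbouring `revocation_endpoint_auth_methods_supported` suggests they can, a confidential client's secret could still be sent to a discovered revocation URL; this is inferred, since the refinement body is not part of this declaration file. It is worth confirming that the refinement either requires `revocation_endpoint` when `client_secret` is set or that authenticated revocation is skipped for a discovered endpoint. Once confirmed, the comment should say so, e.g. `/** OAuth revocation endpoint (must be set explicitly when client_secret is configured) */`. The same line recurs in the hunks at `@@ -2316,8 +3324,45` and `@@ -2535,8 +3657,45`.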
@@ -2117,6 +3070,42 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2117
3070
  response_types_supported?: string[] | undefined;
2118
3071
  code_challenge_methods_supported?: string[] | undefined;
2119
3072
  skip_code_challenge_check?: boolean | undefined;
3073
+ audience?: string | undefined;
3074
+ forward_audience_on_refresh?: boolean | undefined;
3075
+ revocation_endpoint?: string | undefined;
3076
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
3077
+ }, {
3078
+ authorization_url?: string | undefined;
3079
+ token_url?: string | undefined;
3080
+ client_id?: string | undefined;
3081
+ client_secret?: string | undefined;
3082
+ scope?: string | undefined;
3083
+ redirect_uri?: string | undefined;
3084
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
3085
+ grant_types_supported?: string[] | undefined;
3086
+ token_endpoint_auth_methods_supported?: string[] | undefined;
3087
+ response_types_supported?: string[] | undefined;
3088
+ code_challenge_methods_supported?: string[] | undefined;
3089
+ skip_code_challenge_check?: boolean | undefined;
3090
+ audience?: string | undefined;
3091
+ forward_audience_on_refresh?: boolean | undefined;
3092
+ revocation_endpoint?: string | undefined;
3093
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
3094
+ }>, {
3095
+ authorization_url?: string | undefined;
3096
+ token_url?: string | undefined;
3097
+ client_id?: string | undefined;
3098
+ client_secret?: string | undefined;
3099
+ scope?: string | undefined;
3100
+ redirect_uri?: string | undefined;
3101
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
3102
+ grant_types_supported?: string[] | undefined;
3103
+ token_endpoint_auth_methods_supported?: string[] | undefined;
3104
+ response_types_supported?: string[] | undefined;
3105
+ code_challenge_methods_supported?: string[] | undefined;
3106
+ skip_code_challenge_check?: boolean | undefined;
3107
+ audience?: string | undefined;
3108
+ forward_audience_on_refresh?: boolean | undefined;
2120
3109
  revocation_endpoint?: string | undefined;
2121
3110
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
2122
3111
  }, {
@@ -2132,6 +3121,8 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2132
3121
  response_types_supported?: string[] | undefined;
2133
3122
  code_challenge_methods_supported?: string[] | undefined;
2134
3123
  skip_code_challenge_check?: boolean | undefined;
3124
+ audience?: string | undefined;
3125
+ forward_audience_on_refresh?: boolean | undefined;
2135
3126
  revocation_endpoint?: string | undefined;
2136
3127
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
2137
3128
  }>>;
@@ -2152,12 +3143,12 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2152
3143
  /** Custom header name when authorization_type is 'custom' */
2153
3144
  custom_header: z.ZodOptional<z.ZodString>;
2154
3145
  }, "strip", z.ZodTypeAny, {
2155
- source: "admin" | "user";
3146
+ source: "user" | "admin";
2156
3147
  authorization_type: "custom" | "basic" | "bearer";
2157
3148
  key?: string | undefined;
2158
3149
  custom_header?: string | undefined;
2159
3150
  }, {
2160
- source: "admin" | "user";
3151
+ source: "user" | "admin";
2161
3152
  authorization_type: "custom" | "basic" | "bearer";
2162
3153
  key?: string | undefined;
2163
3154
  custom_header?: string | undefined;
@@ -2165,27 +3156,36 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2165
3156
  customUserVars: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
2166
3157
  title: z.ZodString;
2167
3158
  description: z.ZodString;
3159
+ /**
3160
+ * Whether the field holds a secret and should be masked in the UI.
3161
+ * Defaults to masked when omitted; set to `false` for non-secret setup
3162
+ * values (e.g. username, project key, base URL) to render as plain text.
3163
+ */
3164
+ sensitive: z.ZodOptional<z.ZodBoolean>;
2168
3165
  }, "strip", z.ZodTypeAny, {
2169
- title: string;
2170
3166
  description: string;
2171
- }, {
2172
3167
  title: string;
3168
+ sensitive?: boolean | undefined;
3169
+ }, {
2173
3170
  description: string;
3171
+ title: string;
3172
+ sensitive?: boolean | undefined;
2174
3173
  }>>>;
2175
3174
  } & {
2176
3175
  type: z.ZodDefault<z.ZodLiteral<"websocket">>;
3176
+ obo: z.ZodOptional<z.ZodUndefined>;
2177
3177
  url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
2178
3178
  }, "strip", z.ZodTypeAny, {
2179
3179
  type: "websocket";
2180
3180
  url: string;
2181
- title?: string | undefined;
2182
3181
  description?: string | undefined;
3182
+ title?: string | undefined;
3183
+ chatMenu?: boolean | undefined;
2183
3184
  startup?: boolean | undefined;
2184
3185
  iconPath?: string | undefined;
2185
3186
  timeout?: number | undefined;
2186
3187
  sseReadTimeout?: number | undefined;
2187
3188
  initTimeout?: number | undefined;
2188
- chatMenu?: boolean | undefined;
2189
3189
  serverInstructions?: string | boolean | undefined;
2190
3190
  requiresOAuth?: boolean | undefined;
2191
3191
  oauth?: {
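Review bot: `sensitive` is declared as `z.ZodOptional<z.ZodBoolean>` with no `ZodDefault`, so the "defaults to masked when omitted" promise in its comment is not applied by the schema and the parsed value stays `undefined`. Every consumer therefore has to test `sensitive !== false`; a truthiness check such as `if (v.sensitive)` would render an unmarked secret as plain text. I would add a line to the comment, e.g. `* The schema applies no default: consumers must treat undefined as sensitive (sensitive !== false).`. The added `obo: z.ZodOptional<z.ZodUndefined>` on the websocket variant also has no comment; as I read it, it exists so that a configured `obo` fails validation on this transport instead of being stripped, and that deserves one sentence. The `sensitive` field recurs in the hunk at `@@ -2381,28 +3464,53`.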
@@ -2201,31 +3201,35 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2201
3201
  response_types_supported?: string[] | undefined;
2202
3202
  code_challenge_methods_supported?: string[] | undefined;
2203
3203
  skip_code_challenge_check?: boolean | undefined;
3204
+ audience?: string | undefined;
3205
+ forward_audience_on_refresh?: boolean | undefined;
2204
3206
  revocation_endpoint?: string | undefined;
2205
3207
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
2206
3208
  } | undefined;
2207
3209
  oauth_headers?: Record<string, string> | undefined;
2208
3210
  apiKey?: {
2209
- source: "admin" | "user";
3211
+ source: "user" | "admin";
2210
3212
  authorization_type: "custom" | "basic" | "bearer";
2211
3213
  key?: string | undefined;
2212
3214
  custom_header?: string | undefined;
2213
3215
  } | undefined;
2214
3216
  customUserVars?: Record<string, {
2215
- title: string;
2216
3217
  description: string;
3218
+ title: string;
3219
+ sensitive?: boolean | undefined;
2217
3220
  }> | undefined;
3221
+ obo?: undefined;
2218
3222
  }, {
2219
3223
  url: string;
2220
- title?: string | undefined;
3224
+ type?: "websocket" | undefined;
2221
3225
  description?: string | undefined;
3226
+ title?: string | undefined;
3227
+ chatMenu?: boolean | undefined;
2222
3228
  startup?: boolean | undefined;
2223
3229
  iconPath?: string | undefined;
2224
3230
  timeout?: number | undefined;
2225
3231
  sseReadTimeout?: number | undefined;
2226
3232
  initTimeout?: number | undefined;
2227
- chatMenu?: boolean | undefined;
2228
- type?: "websocket" | undefined;
2229
3233
  serverInstructions?: string | boolean | undefined;
2230
3234
  requiresOAuth?: boolean | undefined;
2231
3235
  oauth?: {
@@ -2241,20 +3245,24 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2241
3245
  response_types_supported?: string[] | undefined;
2242
3246
  code_challenge_methods_supported?: string[] | undefined;
2243
3247
  skip_code_challenge_check?: boolean | undefined;
3248
+ audience?: string | undefined;
3249
+ forward_audience_on_refresh?: boolean | undefined;
2244
3250
  revocation_endpoint?: string | undefined;
2245
3251
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
2246
3252
  } | undefined;
2247
3253
  oauth_headers?: Record<string, string> | undefined;
2248
3254
  apiKey?: {
2249
- source: "admin" | "user";
3255
+ source: "user" | "admin";
2250
3256
  authorization_type: "custom" | "basic" | "bearer";
2251
3257
  key?: string | undefined;
2252
3258
  custom_header?: string | undefined;
2253
3259
  } | undefined;
2254
3260
  customUserVars?: Record<string, {
2255
- title: string;
2256
3261
  description: string;
3262
+ title: string;
3263
+ sensitive?: boolean | undefined;
2257
3264
  }> | undefined;
3265
+ obo?: undefined;
2258
3266
  }>, z.ZodObject<{
2259
3267
  /** Display name for the MCP server - only letters, numbers, and spaces allowed */
2260
3268
  title: z.ZodOptional<z.ZodString>;
@@ -2289,21 +3297,21 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2289
3297
  /**
2290
3298
  * OAuth configuration for SSE and Streamable HTTP transports
2291
3299
  * - Optional: OAuth can be auto-discovered on 401 responses
2292
- * - Pre-configured values will skip discovery steps
3300
+ * - Pre-configured confidential clients must pin both OAuth endpoints
2293
3301
  */
2294
- oauth: z.ZodOptional<z.ZodObject<{
3302
+ oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
2295
3303
  /** OAuth authorization endpoint (optional - can be auto-discovered) */
2296
- authorization_url: z.ZodOptional<z.ZodString>;
3304
+ authorization_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
2297
3305
  /** OAuth token endpoint (optional - can be auto-discovered) */
2298
- token_url: z.ZodOptional<z.ZodString>;
3306
+ token_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
2299
3307
  /** OAuth client ID (optional - can use dynamic registration) */
2300
3308
  client_id: z.ZodOptional<z.ZodString>;
2301
- /** OAuth client secret (optional - can use dynamic registration) */
3309
+ /** OAuth client secret (requires explicit authorization and token endpoints) */
2302
3310
  client_secret: z.ZodOptional<z.ZodString>;
2303
3311
  /** OAuth scopes to request */
2304
3312
  scope: z.ZodOptional<z.ZodString>;
2305
3313
  /** OAuth redirect URI (defaults to /api/mcp/{serverName}/oauth/callback) */
2306
- redirect_uri: z.ZodOptional<z.ZodString>;
3314
+ redirect_uri: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
2307
3315
  /** Token exchange method */
2308
3316
  token_exchange_method: z.ZodOptional<z.ZodNativeEnum<typeof TokenExchangeMethodEnum>>;
2309
3317
  /** Supported grant types (defaults to ['authorization_code', 'refresh_token']) */
@@ -2316,8 +3324,45 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2316
3324
  code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
2317
3325
  /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
2318
3326
  skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
3327
+ /**
3328
+ * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
3329
+ * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
3330
+ * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
3331
+ * automatically from Protected Resource Metadata) is the standards-conformant
3332
+ * route; `audience` covers the providers that ignore it.
3333
+ *
3334
+ * When set, the value is forwarded as-is on `/authorize` (both pre-configured
3335
+ * and DCR-discovered paths). Whether it is also forwarded on the
3336
+ * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
3337
+ *
3338
+ * The `authorization_code` exchange intentionally never receives `audience` —
3339
+ * Auth0 binds audience from the original `/authorize` request and embeds it
3340
+ * in the issued access token; sending it again is redundant.
3341
+ *
3342
+ * No canonicalization is applied — the audience identifier is provider-defined
3343
+ * and may differ from the MCP server URL. This field is only accepted from
3344
+ * trusted/admin MCP configuration and is rejected from user-managed servers.
3345
+ */
3346
+ audience: z.ZodOptional<z.ZodString>;
3347
+ /**
3348
+ * Whether to also forward `audience` on the `refresh_token` grant body.
3349
+ *
3350
+ * Default: `true`. Required for Auth0, which strips the API audience from
3351
+ * refreshed access tokens unless `audience` is re-supplied on every refresh
3352
+ * — without it the next MCP call 401s once the initial access token expires.
3353
+ *
3354
+ * Set to `false` for providers that document refresh requests as
3355
+ * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
3356
+ * strict OAuth 2.0 token endpoints). Those providers maintain the original
3357
+ * `aud` claim across refreshes when the initial token was resource-bound,
3358
+ * so the extra parameter is redundant and may be rejected as
3359
+ * `invalid_request`.
3360
+ *
3361
+ * Ignored when `audience` itself is not configured.
3362
+ */
3363
+ forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
2319
3364
  /** OAuth revocation endpoint (optional - can be auto-discovered) */
2320
- revocation_endpoint: z.ZodOptional<z.ZodString>;
3365
+ revocation_endpoint: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
2321
3366
  /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
2322
3367
  revocation_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
2323
3368
  }, "strip", z.ZodTypeAny, {
@@ -2333,6 +3378,8 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2333
3378
  response_types_supported?: string[] | undefined;
2334
3379
  code_challenge_methods_supported?: string[] | undefined;
2335
3380
  skip_code_challenge_check?: boolean | undefined;
3381
+ audience?: string | undefined;
3382
+ forward_audience_on_refresh?: boolean | undefined;
2336
3383
  revocation_endpoint?: string | undefined;
2337
3384
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
2338
3385
  }, {
@@ -2348,12 +3395,48 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2348
3395
  response_types_supported?: string[] | undefined;
2349
3396
  code_challenge_methods_supported?: string[] | undefined;
2350
3397
  skip_code_challenge_check?: boolean | undefined;
3398
+ audience?: string | undefined;
3399
+ forward_audience_on_refresh?: boolean | undefined;
2351
3400
  revocation_endpoint?: string | undefined;
2352
3401
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
2353
- }>>;
2354
- /** Custom headers to send with OAuth requests (registration, discovery, token exchange, etc.) */
2355
- oauth_headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
2356
- /**
3402
+ }>, {
3403
+ authorization_url?: string | undefined;
3404
+ token_url?: string | undefined;
3405
+ client_id?: string | undefined;
3406
+ client_secret?: string | undefined;
3407
+ scope?: string | undefined;
3408
+ redirect_uri?: string | undefined;
3409
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
3410
+ grant_types_supported?: string[] | undefined;
3411
+ token_endpoint_auth_methods_supported?: string[] | undefined;
3412
+ response_types_supported?: string[] | undefined;
3413
+ code_challenge_methods_supported?: string[] | undefined;
3414
+ skip_code_challenge_check?: boolean | undefined;
3415
+ audience?: string | undefined;
3416
+ forward_audience_on_refresh?: boolean | undefined;
3417
+ revocation_endpoint?: string | undefined;
3418
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
3419
+ }, {
3420
+ authorization_url?: string | undefined;
3421
+ token_url?: string | undefined;
3422
+ client_id?: string | undefined;
3423
+ client_secret?: string | undefined;
3424
+ scope?: string | undefined;
3425
+ redirect_uri?: string | undefined;
3426
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
3427
+ grant_types_supported?: string[] | undefined;
3428
+ token_endpoint_auth_methods_supported?: string[] | undefined;
3429
+ response_types_supported?: string[] | undefined;
3430
+ code_challenge_methods_supported?: string[] | undefined;
3431
+ skip_code_challenge_check?: boolean | undefined;
3432
+ audience?: string | undefined;
3433
+ forward_audience_on_refresh?: boolean | undefined;
3434
+ revocation_endpoint?: string | undefined;
3435
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
3436
+ }>>;
3437
+ /** Custom headers to send with OAuth requests (registration, discovery, token exchange, etc.) */
3438
+ oauth_headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
3439
+ /**
2357
3440
  * API Key authentication configuration for SSE and Streamable HTTP transports
2358
3441
  * - source: 'admin' means the key is provided by admin and shared by all users
2359
3442
  * - source: 'user' means each user provides their own key via customUserVars
@@ -2368,12 +3451,12 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2368
3451
  /** Custom header name when authorization_type is 'custom' */
2369
3452
  custom_header: z.ZodOptional<z.ZodString>;
2370
3453
  }, "strip", z.ZodTypeAny, {
2371
- source: "admin" | "user";
3454
+ source: "user" | "admin";
2372
3455
  authorization_type: "custom" | "basic" | "bearer";
2373
3456
  key?: string | undefined;
2374
3457
  custom_header?: string | undefined;
2375
3458
  }, {
2376
- source: "admin" | "user";
3459
+ source: "user" | "admin";
2377
3460
  authorization_type: "custom" | "basic" | "bearer";
2378
3461
  key?: string | undefined;
2379
3462
  custom_header?: string | undefined;
@@ -2381,28 +3464,53 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2381
3464
  customUserVars: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
2382
3465
  title: z.ZodString;
2383
3466
  description: z.ZodString;
3467
+ /**
3468
+ * Whether the field holds a secret and should be masked in the UI.
3469
+ * Defaults to masked when omitted; set to `false` for non-secret setup
3470
+ * values (e.g. username, project key, base URL) to render as plain text.
3471
+ */
3472
+ sensitive: z.ZodOptional<z.ZodBoolean>;
2384
3473
  }, "strip", z.ZodTypeAny, {
2385
- title: string;
2386
3474
  description: string;
2387
- }, {
2388
3475
  title: string;
3476
+ sensitive?: boolean | undefined;
3477
+ }, {
2389
3478
  description: string;
3479
+ title: string;
3480
+ sensitive?: boolean | undefined;
2390
3481
  }>>>;
2391
3482
  } & {
2392
3483
  type: z.ZodDefault<z.ZodLiteral<"sse">>;
2393
3484
  headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
3485
+ /**
3486
+ * On-Behalf-Of (OBO) token exchange configuration.
3487
+ * When configured, LibreChat exchanges the logged-in user's federated access token
3488
+ * for a token scoped to this MCP server via the OAuth 2.0 OBO flow (jwt-bearer grant).
3489
+ * The exchanged token is injected as a Bearer Authorization header automatically.
3490
+ * Requires the user to be authenticated via OpenID Connect (e.g., Entra ID).
3491
+ */
3492
+ obo: z.ZodOptional<z.ZodObject<{
3493
+ /** Scopes to request for the downstream MCP server (e.g., "api://<client-id>/Mcp.Tools.ReadWrite") */
3494
+ scopes: z.ZodString;
3495
+ }, "strip", z.ZodTypeAny, {
3496
+ scopes: string;
3497
+ }, {
3498
+ scopes: string;
3499
+ }>>;
3500
+ /** Optional outbound proxy URL for this remote MCP transport */
3501
+ proxy: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
2394
3502
  url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
2395
3503
  }, "strip", z.ZodTypeAny, {
2396
3504
  type: "sse";
2397
3505
  url: string;
2398
- title?: string | undefined;
2399
3506
  description?: string | undefined;
3507
+ title?: string | undefined;
3508
+ chatMenu?: boolean | undefined;
2400
3509
  startup?: boolean | undefined;
2401
3510
  iconPath?: string | undefined;
2402
3511
  timeout?: number | undefined;
2403
3512
  sseReadTimeout?: number | undefined;
2404
3513
  initTimeout?: number | undefined;
2405
- chatMenu?: boolean | undefined;
2406
3514
  serverInstructions?: string | boolean | undefined;
2407
3515
  requiresOAuth?: boolean | undefined;
2408
3516
  oauth?: {
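Review bot: The new `obo` and `proxy` comments do not say who may set these fields, whereas the `audience` comment in the same schema states that it is accepted only from trusted/admin MCP configuration. Per its own comment, `obo` makes LibreChat exchange the logged-in user's federated access token and inject the result as a Bearer header towards this server's `url`, and `proxy` routes that transport through a configured host, so both matter if a user-managed server definition can carry them. If they are admin-only, say so in both comments, e.g. `* Only accepted from trusted/admin MCP configuration; rejected from user-managed servers.`. If they are not, the restriction belongs wherever user-supplied servers are validated, which is outside this declaration file.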
@@ -2418,32 +3526,39 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2418
3526
  response_types_supported?: string[] | undefined;
2419
3527
  code_challenge_methods_supported?: string[] | undefined;
2420
3528
  skip_code_challenge_check?: boolean | undefined;
3529
+ audience?: string | undefined;
3530
+ forward_audience_on_refresh?: boolean | undefined;
2421
3531
  revocation_endpoint?: string | undefined;
2422
3532
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
2423
3533
  } | undefined;
2424
3534
  oauth_headers?: Record<string, string> | undefined;
2425
3535
  apiKey?: {
2426
- source: "admin" | "user";
3536
+ source: "user" | "admin";
2427
3537
  authorization_type: "custom" | "basic" | "bearer";
2428
3538
  key?: string | undefined;
2429
3539
  custom_header?: string | undefined;
2430
3540
  } | undefined;
2431
3541
  customUserVars?: Record<string, {
2432
- title: string;
2433
3542
  description: string;
3543
+ title: string;
3544
+ sensitive?: boolean | undefined;
2434
3545
  }> | undefined;
3546
+ obo?: {
3547
+ scopes: string;
3548
+ } | undefined;
2435
3549
  headers?: Record<string, string> | undefined;
3550
+ proxy?: string | undefined;
2436
3551
  }, {
2437
3552
  url: string;
2438
- title?: string | undefined;
3553
+ type?: "sse" | undefined;
2439
3554
  description?: string | undefined;
3555
+ title?: string | undefined;
3556
+ chatMenu?: boolean | undefined;
2440
3557
  startup?: boolean | undefined;
2441
3558
  iconPath?: string | undefined;
2442
3559
  timeout?: number | undefined;
2443
3560
  sseReadTimeout?: number | undefined;
2444
3561
  initTimeout?: number | undefined;
2445
- chatMenu?: boolean | undefined;
2446
- type?: "sse" | undefined;
2447
3562
  serverInstructions?: string | boolean | undefined;
2448
3563
  requiresOAuth?: boolean | undefined;
2449
3564
  oauth?: {
@@ -2459,21 +3574,28 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2459
3574
  response_types_supported?: string[] | undefined;
2460
3575
  code_challenge_methods_supported?: string[] | undefined;
2461
3576
  skip_code_challenge_check?: boolean | undefined;
3577
+ audience?: string | undefined;
3578
+ forward_audience_on_refresh?: boolean | undefined;
2462
3579
  revocation_endpoint?: string | undefined;
2463
3580
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
2464
3581
  } | undefined;
2465
3582
  oauth_headers?: Record<string, string> | undefined;
2466
3583
  apiKey?: {
2467
- source: "admin" | "user";
3584
+ source: "user" | "admin";
2468
3585
  authorization_type: "custom" | "basic" | "bearer";
2469
3586
  key?: string | undefined;
2470
3587
  custom_header?: string | undefined;
2471
3588
  } | undefined;
2472
3589
  customUserVars?: Record<string, {
2473
- title: string;
2474
3590
  description: string;
3591
+ title: string;
3592
+ sensitive?: boolean | undefined;
2475
3593
  }> | undefined;
3594
+ obo?: {
3595
+ scopes: string;
3596
+ } | undefined;
2476
3597
  headers?: Record<string, string> | undefined;
3598
+ proxy?: string | undefined;
2477
3599
  }>, z.ZodObject<{
2478
3600
  /** Display name for the MCP server - only letters, numbers, and spaces allowed */
2479
3601
  title: z.ZodOptional<z.ZodString>;
@@ -2508,21 +3630,21 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2508
3630
  /**
2509
3631
  * OAuth configuration for SSE and Streamable HTTP transports
2510
3632
  * - Optional: OAuth can be auto-discovered on 401 responses
2511
- * - Pre-configured values will skip discovery steps
3633
+ * - Pre-configured confidential clients must pin both OAuth endpoints
2512
3634
  */
2513
- oauth: z.ZodOptional<z.ZodObject<{
3635
+ oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
2514
3636
  /** OAuth authorization endpoint (optional - can be auto-discovered) */
2515
- authorization_url: z.ZodOptional<z.ZodString>;
3637
+ authorization_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
2516
3638
  /** OAuth token endpoint (optional - can be auto-discovered) */
2517
- token_url: z.ZodOptional<z.ZodString>;
3639
+ token_url: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
2518
3640
  /** OAuth client ID (optional - can use dynamic registration) */
2519
3641
  client_id: z.ZodOptional<z.ZodString>;
2520
- /** OAuth client secret (optional - can use dynamic registration) */
3642
+ /** OAuth client secret (requires explicit authorization and token endpoints) */
2521
3643
  client_secret: z.ZodOptional<z.ZodString>;
2522
3644
  /** OAuth scopes to request */
2523
3645
  scope: z.ZodOptional<z.ZodString>;
2524
3646
  /** OAuth redirect URI (defaults to /api/mcp/{serverName}/oauth/callback) */
2525
- redirect_uri: z.ZodOptional<z.ZodString>;
3647
+ redirect_uri: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
2526
3648
  /** Token exchange method */
2527
3649
  token_exchange_method: z.ZodOptional<z.ZodNativeEnum<typeof TokenExchangeMethodEnum>>;
2528
3650
  /** Supported grant types (defaults to ['authorization_code', 'refresh_token']) */
@@ -2535,8 +3657,45 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2535
3657
  code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
2536
3658
  /** Skip code challenge validation and force S256 (useful for providers like AWS Cognito that support S256 but don't advertise it) */
2537
3659
  skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
3660
+ /**
3661
+ * Auth0/Cognito-style `audience` parameter. Authorization servers that pre-date
3662
+ * RFC 8707 — most prominently Auth0 — issue API-scoped access tokens only when
3663
+ * the `/authorize` request advertises an `audience`. RFC 8707 `resource` (set
3664
+ * automatically from Protected Resource Metadata) is the standards-conformant
3665
+ * route; `audience` covers the providers that ignore it.
3666
+ *
3667
+ * When set, the value is forwarded as-is on `/authorize` (both pre-configured
3668
+ * and DCR-discovered paths). Whether it is also forwarded on the
3669
+ * `refresh_token` grant is controlled by `forward_audience_on_refresh` below.
3670
+ *
3671
+ * The `authorization_code` exchange intentionally never receives `audience` —
3672
+ * Auth0 binds audience from the original `/authorize` request and embeds it
3673
+ * in the issued access token; sending it again is redundant.
3674
+ *
3675
+ * No canonicalization is applied — the audience identifier is provider-defined
3676
+ * and may differ from the MCP server URL. This field is only accepted from
3677
+ * trusted/admin MCP configuration and is rejected from user-managed servers.
3678
+ */
3679
+ audience: z.ZodOptional<z.ZodString>;
3680
+ /**
3681
+ * Whether to also forward `audience` on the `refresh_token` grant body.
3682
+ *
3683
+ * Default: `true`. Required for Auth0, which strips the API audience from
3684
+ * refreshed access tokens unless `audience` is re-supplied on every refresh
3685
+ * — without it the next MCP call 401s once the initial access token expires.
3686
+ *
3687
+ * Set to `false` for providers that document refresh requests as
3688
+ * `grant_type` + `client_id` + `refresh_token` only (Cognito and other
3689
+ * strict OAuth 2.0 token endpoints). Those providers maintain the original
3690
+ * `aud` claim across refreshes when the initial token was resource-bound,
3691
+ * so the extra parameter is redundant and may be rejected as
3692
+ * `invalid_request`.
3693
+ *
3694
+ * Ignored when `audience` itself is not configured.
3695
+ */
3696
+ forward_audience_on_refresh: z.ZodOptional<z.ZodBoolean>;
2538
3697
  /** OAuth revocation endpoint (optional - can be auto-discovered) */
2539
- revocation_endpoint: z.ZodOptional<z.ZodString>;
3698
+ revocation_endpoint: z.ZodOptional<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>>;
2540
3699
  /** OAuth revocation endpoint authentication methods supported (optional - can be auto-discovered) */
2541
3700
  revocation_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
2542
3701
  }, "strip", z.ZodTypeAny, {
@@ -2552,6 +3711,42 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2552
3711
  response_types_supported?: string[] | undefined;
2553
3712
  code_challenge_methods_supported?: string[] | undefined;
2554
3713
  skip_code_challenge_check?: boolean | undefined;
3714
+ audience?: string | undefined;
3715
+ forward_audience_on_refresh?: boolean | undefined;
3716
+ revocation_endpoint?: string | undefined;
3717
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
3718
+ }, {
3719
+ authorization_url?: string | undefined;
3720
+ token_url?: string | undefined;
3721
+ client_id?: string | undefined;
3722
+ client_secret?: string | undefined;
3723
+ scope?: string | undefined;
3724
+ redirect_uri?: string | undefined;
3725
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
3726
+ grant_types_supported?: string[] | undefined;
3727
+ token_endpoint_auth_methods_supported?: string[] | undefined;
3728
+ response_types_supported?: string[] | undefined;
3729
+ code_challenge_methods_supported?: string[] | undefined;
3730
+ skip_code_challenge_check?: boolean | undefined;
3731
+ audience?: string | undefined;
3732
+ forward_audience_on_refresh?: boolean | undefined;
3733
+ revocation_endpoint?: string | undefined;
3734
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
3735
+ }>, {
3736
+ authorization_url?: string | undefined;
3737
+ token_url?: string | undefined;
3738
+ client_id?: string | undefined;
3739
+ client_secret?: string | undefined;
3740
+ scope?: string | undefined;
3741
+ redirect_uri?: string | undefined;
3742
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
3743
+ grant_types_supported?: string[] | undefined;
3744
+ token_endpoint_auth_methods_supported?: string[] | undefined;
3745
+ response_types_supported?: string[] | undefined;
3746
+ code_challenge_methods_supported?: string[] | undefined;
3747
+ skip_code_challenge_check?: boolean | undefined;
3748
+ audience?: string | undefined;
3749
+ forward_audience_on_refresh?: boolean | undefined;
2555
3750
  revocation_endpoint?: string | undefined;
2556
3751
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
2557
3752
  }, {
@@ -2567,6 +3762,8 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2567
3762
  response_types_supported?: string[] | undefined;
2568
3763
  code_challenge_methods_supported?: string[] | undefined;
2569
3764
  skip_code_challenge_check?: boolean | undefined;
3765
+ audience?: string | undefined;
3766
+ forward_audience_on_refresh?: boolean | undefined;
2570
3767
  revocation_endpoint?: string | undefined;
2571
3768
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
2572
3769
  }>>;
@@ -2587,12 +3784,12 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2587
3784
  /** Custom header name when authorization_type is 'custom' */
2588
3785
  custom_header: z.ZodOptional<z.ZodString>;
2589
3786
  }, "strip", z.ZodTypeAny, {
2590
- source: "admin" | "user";
3787
+ source: "user" | "admin";
2591
3788
  authorization_type: "custom" | "basic" | "bearer";
2592
3789
  key?: string | undefined;
2593
3790
  custom_header?: string | undefined;
2594
3791
  }, {
2595
- source: "admin" | "user";
3792
+ source: "user" | "admin";
2596
3793
  authorization_type: "custom" | "basic" | "bearer";
2597
3794
  key?: string | undefined;
2598
3795
  custom_header?: string | undefined;
@@ -2600,28 +3797,53 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2600
3797
  customUserVars: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
2601
3798
  title: z.ZodString;
2602
3799
  description: z.ZodString;
3800
+ /**
3801
+ * Whether the field holds a secret and should be masked in the UI.
3802
+ * Defaults to masked when omitted; set to `false` for non-secret setup
3803
+ * values (e.g. username, project key, base URL) to render as plain text.
3804
+ */
3805
+ sensitive: z.ZodOptional<z.ZodBoolean>;
2603
3806
  }, "strip", z.ZodTypeAny, {
2604
- title: string;
2605
3807
  description: string;
2606
- }, {
2607
3808
  title: string;
3809
+ sensitive?: boolean | undefined;
3810
+ }, {
2608
3811
  description: string;
3812
+ title: string;
3813
+ sensitive?: boolean | undefined;
2609
3814
  }>>>;
2610
3815
  } & {
2611
3816
  type: z.ZodUnion<[z.ZodLiteral<"streamable-http">, z.ZodLiteral<"http">]>;
2612
3817
  headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
3818
+ /**
3819
+ * On-Behalf-Of (OBO) token exchange configuration.
3820
+ * When configured, LibreChat exchanges the logged-in user's federated access token
3821
+ * for a token scoped to this MCP server via the OAuth 2.0 OBO flow (jwt-bearer grant).
3822
+ * The exchanged token is injected as a Bearer Authorization header automatically.
3823
+ * Requires the user to be authenticated via OpenID Connect (e.g., Entra ID).
3824
+ */
3825
+ obo: z.ZodOptional<z.ZodObject<{
3826
+ /** Scopes to request for the downstream MCP server (e.g., "api://<client-id>/Mcp.Tools.ReadWrite") */
3827
+ scopes: z.ZodString;
3828
+ }, "strip", z.ZodTypeAny, {
3829
+ scopes: string;
3830
+ }, {
3831
+ scopes: string;
3832
+ }>>;
3833
+ /** Optional outbound proxy URL for this remote MCP transport */
3834
+ proxy: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
2613
3835
  url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
2614
3836
  }, "strip", z.ZodTypeAny, {
2615
3837
  type: "streamable-http" | "http";
2616
3838
  url: string;
2617
- title?: string | undefined;
2618
3839
  description?: string | undefined;
3840
+ title?: string | undefined;
3841
+ chatMenu?: boolean | undefined;
2619
3842
  startup?: boolean | undefined;
2620
3843
  iconPath?: string | undefined;
2621
3844
  timeout?: number | undefined;
2622
3845
  sseReadTimeout?: number | undefined;
2623
3846
  initTimeout?: number | undefined;
2624
- chatMenu?: boolean | undefined;
2625
3847
  serverInstructions?: string | boolean | undefined;
2626
3848
  requiresOAuth?: boolean | undefined;
2627
3849
  oauth?: {
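Review bot: The doc comment added for `obo` does not say which configuration sources may set it, even though it states that the exchanged token is injected as a Bearer header for this server. The `audience` comment earlier in this file says that field is accepted only from trusted/admin configuration; `obo` should carry the same kind of sentence, e.g. `* Only accepted from trusted/admin MCP configuration.`, if that is the intended rule. `scopes` is also declared as a plain `z.ZodString`, so an empty string appears to validate; a `.min(1)` in the schema source (not shown here, this is the generated declaration) would catch a blank scope at config load. The inferred object type that follows continues past the end of this hunk.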
@@ -2637,32 +3859,39 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2637
3859
  response_types_supported?: string[] | undefined;
2638
3860
  code_challenge_methods_supported?: string[] | undefined;
2639
3861
  skip_code_challenge_check?: boolean | undefined;
3862
+ audience?: string | undefined;
3863
+ forward_audience_on_refresh?: boolean | undefined;
2640
3864
  revocation_endpoint?: string | undefined;
2641
3865
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
2642
3866
  } | undefined;
2643
3867
  oauth_headers?: Record<string, string> | undefined;
2644
3868
  apiKey?: {
2645
- source: "admin" | "user";
3869
+ source: "user" | "admin";
2646
3870
  authorization_type: "custom" | "basic" | "bearer";
2647
3871
  key?: string | undefined;
2648
3872
  custom_header?: string | undefined;
2649
3873
  } | undefined;
2650
3874
  customUserVars?: Record<string, {
2651
- title: string;
2652
3875
  description: string;
3876
+ title: string;
3877
+ sensitive?: boolean | undefined;
2653
3878
  }> | undefined;
3879
+ obo?: {
3880
+ scopes: string;
3881
+ } | undefined;
2654
3882
  headers?: Record<string, string> | undefined;
3883
+ proxy?: string | undefined;
2655
3884
  }, {
2656
3885
  type: "streamable-http" | "http";
2657
3886
  url: string;
2658
- title?: string | undefined;
2659
3887
  description?: string | undefined;
3888
+ title?: string | undefined;
3889
+ chatMenu?: boolean | undefined;
2660
3890
  startup?: boolean | undefined;
2661
3891
  iconPath?: string | undefined;
2662
3892
  timeout?: number | undefined;
2663
3893
  sseReadTimeout?: number | undefined;
2664
3894
  initTimeout?: number | undefined;
2665
- chatMenu?: boolean | undefined;
2666
3895
  serverInstructions?: string | boolean | undefined;
2667
3896
  requiresOAuth?: boolean | undefined;
2668
3897
  oauth?: {
@@ -2678,27 +3907,35 @@ export declare const MCPServersSchema: z.ZodRecord<z.ZodString, z.ZodUnion<[z.Zo
2678
3907
  response_types_supported?: string[] | undefined;
2679
3908
  code_challenge_methods_supported?: string[] | undefined;
2680
3909
  skip_code_challenge_check?: boolean | undefined;
3910
+ audience?: string | undefined;
3911
+ forward_audience_on_refresh?: boolean | undefined;
2681
3912
  revocation_endpoint?: string | undefined;
2682
3913
  revocation_endpoint_auth_methods_supported?: string[] | undefined;
2683
3914
  } | undefined;
2684
3915
  oauth_headers?: Record<string, string> | undefined;
2685
3916
  apiKey?: {
2686
- source: "admin" | "user";
3917
+ source: "user" | "admin";
2687
3918
  authorization_type: "custom" | "basic" | "bearer";
2688
3919
  key?: string | undefined;
2689
3920
  custom_header?: string | undefined;
2690
3921
  } | undefined;
2691
3922
  customUserVars?: Record<string, {
2692
- title: string;
2693
3923
  description: string;
3924
+ title: string;
3925
+ sensitive?: boolean | undefined;
2694
3926
  }> | undefined;
3927
+ obo?: {
3928
+ scopes: string;
3929
+ } | undefined;
2695
3930
  headers?: Record<string, string> | undefined;
3931
+ proxy?: string | undefined;
2696
3932
  }>]>>;
2697
3933
  export type MCPOptions = z.infer<typeof MCPOptionsSchema>;
2698
3934
  /**
2699
3935
  * MCP Server configuration that comes from UI/API input only.
2700
3936
  * Omits server-managed fields like startup, timeout, customUserVars, etc.
2701
- * Allows: title, description, url, iconPath, oauth (user credentials)
3937
+ * Allows: title, description, url, iconPath, oauth (user credentials).
3938
+ * Admin-only OAuth audience fields are rejected for user-managed servers.
2702
3939
  *
2703
3940
  * SECURITY: Stdio transport is intentionally excluded from user input.
2704
3941
  * Stdio allows arbitrary command execution and should only be configured
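Review bot: The updated summary names only the OAuth audience fields as rejected, but the `MCPServerUserInputSchema` declaration that follows it also types `proxy` as `z.ZodOptional<z.ZodNever>` on two of its three union members. I would widen the new line to `* Admin-only fields (OAuth audience settings, proxy) are rejected for user-managed servers.` so the comment matches what the schema refuses. The comment block continues past the end of this hunk.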
@@ -2714,41 +3951,329 @@ export type MCPOptions = z.infer<typeof MCPOptionsSchema>;
2714
3951
  export declare const MCPServerUserInputSchema: z.ZodUnion<[z.ZodObject<{
2715
3952
  [x: string]: z.ZodTypeAny;
2716
3953
  [x: number]: z.ZodTypeAny;
3954
+ oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
3955
+ client_id: z.ZodOptional<z.ZodString>;
3956
+ client_secret: z.ZodOptional<z.ZodString>;
3957
+ scope: z.ZodOptional<z.ZodString>;
3958
+ token_exchange_method: z.ZodOptional<z.ZodNativeEnum<typeof TokenExchangeMethodEnum>>;
3959
+ grant_types_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
3960
+ token_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
3961
+ response_types_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
3962
+ code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
3963
+ skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
3964
+ revocation_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
3965
+ } & {
3966
+ authorization_url: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
3967
+ token_url: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
3968
+ redirect_uri: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
3969
+ revocation_endpoint: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
3970
+ audience: z.ZodOptional<z.ZodNever>;
3971
+ forward_audience_on_refresh: z.ZodOptional<z.ZodNever>;
3972
+ }, "strip", z.ZodTypeAny, {
3973
+ authorization_url?: string | undefined;
3974
+ token_url?: string | undefined;
3975
+ client_id?: string | undefined;
3976
+ client_secret?: string | undefined;
3977
+ scope?: string | undefined;
3978
+ redirect_uri?: string | undefined;
3979
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
3980
+ grant_types_supported?: string[] | undefined;
3981
+ token_endpoint_auth_methods_supported?: string[] | undefined;
3982
+ response_types_supported?: string[] | undefined;
3983
+ code_challenge_methods_supported?: string[] | undefined;
3984
+ skip_code_challenge_check?: boolean | undefined;
3985
+ audience?: undefined;
3986
+ forward_audience_on_refresh?: undefined;
3987
+ revocation_endpoint?: string | undefined;
3988
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
3989
+ }, {
3990
+ authorization_url?: string | undefined;
3991
+ token_url?: string | undefined;
3992
+ client_id?: string | undefined;
3993
+ client_secret?: string | undefined;
3994
+ scope?: string | undefined;
3995
+ redirect_uri?: string | undefined;
3996
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
3997
+ grant_types_supported?: string[] | undefined;
3998
+ token_endpoint_auth_methods_supported?: string[] | undefined;
3999
+ response_types_supported?: string[] | undefined;
4000
+ code_challenge_methods_supported?: string[] | undefined;
4001
+ skip_code_challenge_check?: boolean | undefined;
4002
+ audience?: undefined;
4003
+ forward_audience_on_refresh?: undefined;
4004
+ revocation_endpoint?: string | undefined;
4005
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
4006
+ }>, {
4007
+ authorization_url?: string | undefined;
4008
+ token_url?: string | undefined;
4009
+ client_id?: string | undefined;
4010
+ client_secret?: string | undefined;
4011
+ scope?: string | undefined;
4012
+ redirect_uri?: string | undefined;
4013
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
4014
+ grant_types_supported?: string[] | undefined;
4015
+ token_endpoint_auth_methods_supported?: string[] | undefined;
4016
+ response_types_supported?: string[] | undefined;
4017
+ code_challenge_methods_supported?: string[] | undefined;
4018
+ skip_code_challenge_check?: boolean | undefined;
4019
+ audience?: undefined;
4020
+ forward_audience_on_refresh?: undefined;
4021
+ revocation_endpoint?: string | undefined;
4022
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
4023
+ }, {
4024
+ authorization_url?: string | undefined;
4025
+ token_url?: string | undefined;
4026
+ client_id?: string | undefined;
4027
+ client_secret?: string | undefined;
4028
+ scope?: string | undefined;
4029
+ redirect_uri?: string | undefined;
4030
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
4031
+ grant_types_supported?: string[] | undefined;
4032
+ token_endpoint_auth_methods_supported?: string[] | undefined;
4033
+ response_types_supported?: string[] | undefined;
4034
+ code_challenge_methods_supported?: string[] | undefined;
4035
+ skip_code_challenge_check?: boolean | undefined;
4036
+ audience?: undefined;
4037
+ forward_audience_on_refresh?: undefined;
4038
+ revocation_endpoint?: string | undefined;
4039
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
4040
+ }>>;
2717
4041
  } & {
2718
4042
  url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
2719
4043
  }, z.UnknownKeysParam, z.ZodTypeAny, {
2720
4044
  [x: string]: any;
2721
4045
  [x: number]: any;
4046
+ oauth?: unknown;
2722
4047
  url?: unknown;
2723
4048
  }, {
2724
4049
  [x: string]: any;
2725
4050
  [x: number]: any;
4051
+ oauth?: unknown;
2726
4052
  url?: unknown;
2727
4053
  }>, z.ZodObject<{
2728
4054
  [x: string]: z.ZodTypeAny;
2729
4055
  [x: number]: z.ZodTypeAny;
4056
+ oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
4057
+ client_id: z.ZodOptional<z.ZodString>;
4058
+ client_secret: z.ZodOptional<z.ZodString>;
4059
+ scope: z.ZodOptional<z.ZodString>;
4060
+ token_exchange_method: z.ZodOptional<z.ZodNativeEnum<typeof TokenExchangeMethodEnum>>;
4061
+ grant_types_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
4062
+ token_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
4063
+ response_types_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
4064
+ code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
4065
+ skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
4066
+ revocation_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
4067
+ } & {
4068
+ authorization_url: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
4069
+ token_url: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
4070
+ redirect_uri: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
4071
+ revocation_endpoint: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
4072
+ audience: z.ZodOptional<z.ZodNever>;
4073
+ forward_audience_on_refresh: z.ZodOptional<z.ZodNever>;
4074
+ }, "strip", z.ZodTypeAny, {
4075
+ authorization_url?: string | undefined;
4076
+ token_url?: string | undefined;
4077
+ client_id?: string | undefined;
4078
+ client_secret?: string | undefined;
4079
+ scope?: string | undefined;
4080
+ redirect_uri?: string | undefined;
4081
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
4082
+ grant_types_supported?: string[] | undefined;
4083
+ token_endpoint_auth_methods_supported?: string[] | undefined;
4084
+ response_types_supported?: string[] | undefined;
4085
+ code_challenge_methods_supported?: string[] | undefined;
4086
+ skip_code_challenge_check?: boolean | undefined;
4087
+ audience?: undefined;
4088
+ forward_audience_on_refresh?: undefined;
4089
+ revocation_endpoint?: string | undefined;
4090
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
4091
+ }, {
4092
+ authorization_url?: string | undefined;
4093
+ token_url?: string | undefined;
4094
+ client_id?: string | undefined;
4095
+ client_secret?: string | undefined;
4096
+ scope?: string | undefined;
4097
+ redirect_uri?: string | undefined;
4098
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
4099
+ grant_types_supported?: string[] | undefined;
4100
+ token_endpoint_auth_methods_supported?: string[] | undefined;
4101
+ response_types_supported?: string[] | undefined;
4102
+ code_challenge_methods_supported?: string[] | undefined;
4103
+ skip_code_challenge_check?: boolean | undefined;
4104
+ audience?: undefined;
4105
+ forward_audience_on_refresh?: undefined;
4106
+ revocation_endpoint?: string | undefined;
4107
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
4108
+ }>, {
4109
+ authorization_url?: string | undefined;
4110
+ token_url?: string | undefined;
4111
+ client_id?: string | undefined;
4112
+ client_secret?: string | undefined;
4113
+ scope?: string | undefined;
4114
+ redirect_uri?: string | undefined;
4115
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
4116
+ grant_types_supported?: string[] | undefined;
4117
+ token_endpoint_auth_methods_supported?: string[] | undefined;
4118
+ response_types_supported?: string[] | undefined;
4119
+ code_challenge_methods_supported?: string[] | undefined;
4120
+ skip_code_challenge_check?: boolean | undefined;
4121
+ audience?: undefined;
4122
+ forward_audience_on_refresh?: undefined;
4123
+ revocation_endpoint?: string | undefined;
4124
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
4125
+ }, {
4126
+ authorization_url?: string | undefined;
4127
+ token_url?: string | undefined;
4128
+ client_id?: string | undefined;
4129
+ client_secret?: string | undefined;
4130
+ scope?: string | undefined;
4131
+ redirect_uri?: string | undefined;
4132
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
4133
+ grant_types_supported?: string[] | undefined;
4134
+ token_endpoint_auth_methods_supported?: string[] | undefined;
4135
+ response_types_supported?: string[] | undefined;
4136
+ code_challenge_methods_supported?: string[] | undefined;
4137
+ skip_code_challenge_check?: boolean | undefined;
4138
+ audience?: undefined;
4139
+ forward_audience_on_refresh?: undefined;
4140
+ revocation_endpoint?: string | undefined;
4141
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
4142
+ }>>;
2730
4143
  } & {
4144
+ proxy: z.ZodOptional<z.ZodNever>;
2731
4145
  url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
2732
4146
  }, z.UnknownKeysParam, z.ZodTypeAny, {
2733
4147
  [x: string]: any;
2734
4148
  [x: number]: any;
4149
+ oauth?: unknown;
4150
+ proxy?: unknown;
2735
4151
  url?: unknown;
2736
4152
  }, {
2737
4153
  [x: string]: any;
2738
4154
  [x: number]: any;
4155
+ oauth?: unknown;
4156
+ proxy?: unknown;
2739
4157
  url?: unknown;
2740
4158
  }>, z.ZodObject<{
2741
4159
  [x: string]: z.ZodTypeAny;
2742
4160
  [x: number]: z.ZodTypeAny;
4161
+ oauth: z.ZodOptional<z.ZodEffects<z.ZodObject<{
4162
+ client_id: z.ZodOptional<z.ZodString>;
4163
+ client_secret: z.ZodOptional<z.ZodString>;
4164
+ scope: z.ZodOptional<z.ZodString>;
4165
+ token_exchange_method: z.ZodOptional<z.ZodNativeEnum<typeof TokenExchangeMethodEnum>>;
4166
+ grant_types_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
4167
+ token_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
4168
+ response_types_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
4169
+ code_challenge_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
4170
+ skip_code_challenge_check: z.ZodOptional<z.ZodBoolean>;
4171
+ revocation_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
4172
+ } & {
4173
+ authorization_url: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
4174
+ token_url: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
4175
+ redirect_uri: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
4176
+ revocation_endpoint: z.ZodOptional<z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>>;
4177
+ audience: z.ZodOptional<z.ZodNever>;
4178
+ forward_audience_on_refresh: z.ZodOptional<z.ZodNever>;
4179
+ }, "strip", z.ZodTypeAny, {
4180
+ authorization_url?: string | undefined;
4181
+ token_url?: string | undefined;
4182
+ client_id?: string | undefined;
4183
+ client_secret?: string | undefined;
4184
+ scope?: string | undefined;
4185
+ redirect_uri?: string | undefined;
4186
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
4187
+ grant_types_supported?: string[] | undefined;
4188
+ token_endpoint_auth_methods_supported?: string[] | undefined;
4189
+ response_types_supported?: string[] | undefined;
4190
+ code_challenge_methods_supported?: string[] | undefined;
4191
+ skip_code_challenge_check?: boolean | undefined;
4192
+ audience?: undefined;
4193
+ forward_audience_on_refresh?: undefined;
4194
+ revocation_endpoint?: string | undefined;
4195
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
4196
+ }, {
4197
+ authorization_url?: string | undefined;
4198
+ token_url?: string | undefined;
4199
+ client_id?: string | undefined;
4200
+ client_secret?: string | undefined;
4201
+ scope?: string | undefined;
4202
+ redirect_uri?: string | undefined;
4203
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
4204
+ grant_types_supported?: string[] | undefined;
4205
+ token_endpoint_auth_methods_supported?: string[] | undefined;
4206
+ response_types_supported?: string[] | undefined;
4207
+ code_challenge_methods_supported?: string[] | undefined;
4208
+ skip_code_challenge_check?: boolean | undefined;
4209
+ audience?: undefined;
4210
+ forward_audience_on_refresh?: undefined;
4211
+ revocation_endpoint?: string | undefined;
4212
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
4213
+ }>, {
4214
+ authorization_url?: string | undefined;
4215
+ token_url?: string | undefined;
4216
+ client_id?: string | undefined;
4217
+ client_secret?: string | undefined;
4218
+ scope?: string | undefined;
4219
+ redirect_uri?: string | undefined;
4220
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
4221
+ grant_types_supported?: string[] | undefined;
4222
+ token_endpoint_auth_methods_supported?: string[] | undefined;
4223
+ response_types_supported?: string[] | undefined;
4224
+ code_challenge_methods_supported?: string[] | undefined;
4225
+ skip_code_challenge_check?: boolean | undefined;
4226
+ audience?: undefined;
4227
+ forward_audience_on_refresh?: undefined;
4228
+ revocation_endpoint?: string | undefined;
4229
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
4230
+ }, {
4231
+ authorization_url?: string | undefined;
4232
+ token_url?: string | undefined;
4233
+ client_id?: string | undefined;
4234
+ client_secret?: string | undefined;
4235
+ scope?: string | undefined;
4236
+ redirect_uri?: string | undefined;
4237
+ token_exchange_method?: TokenExchangeMethodEnum | undefined;
4238
+ grant_types_supported?: string[] | undefined;
4239
+ token_endpoint_auth_methods_supported?: string[] | undefined;
4240
+ response_types_supported?: string[] | undefined;
4241
+ code_challenge_methods_supported?: string[] | undefined;
4242
+ skip_code_challenge_check?: boolean | undefined;
4243
+ audience?: undefined;
4244
+ forward_audience_on_refresh?: undefined;
4245
+ revocation_endpoint?: string | undefined;
4246
+ revocation_endpoint_auth_methods_supported?: string[] | undefined;
4247
+ }>>;
2743
4248
  } & {
4249
+ proxy: z.ZodOptional<z.ZodNever>;
2744
4250
  url: z.ZodEffects<z.ZodPipeline<z.ZodEffects<z.ZodString, string, string>, z.ZodString>, string, string>;
2745
4251
  }, z.UnknownKeysParam, z.ZodTypeAny, {
2746
4252
  [x: string]: any;
2747
4253
  [x: number]: any;
4254
+ oauth?: unknown;
4255
+ proxy?: unknown;
2748
4256
  url?: unknown;
2749
4257
  }, {
2750
4258
  [x: string]: any;
2751
4259
  [x: number]: any;
4260
+ oauth?: unknown;
4261
+ proxy?: unknown;
2752
4262
  url?: unknown;
2753
4263
  }>]>;
2754
4264
  export type MCPServerUserInput = z.infer<typeof MCPServerUserInputSchema>;
4265
+ /**
4266
+ * Set of every field name that may appear in a user-submitted MCP server config,
4267
+ * derived from `MCPServerUserInputSchema`'s union members. Used as the comparison
4268
+ * surface for the OBO lockdown check in `updateMCPServerController` so that
4269
+ * server-managed fields on the existing config (`dbId`, `source`, `author`,
4270
+ * `requiresOAuth`, `oauthMetadata`, etc.) don't show up as differences and
4271
+ * cause spurious 403s on legitimate saves.
4272
+ *
4273
+ * Schema-derived rather than hand-maintained: when a new field is added to
4274
+ * `BaseOptionsSchema` or any transport variant, it flows into this set
4275
+ * automatically. The OBO lockdown then locks the new field by default
4276
+ * (since it won't be in the hand-curated `OBO_USER_EDITABLE_FIELDS`
4277
+ * allowlist), preventing a silent privilege regression.
4278
+ */
4279
+ export declare const MCP_USER_INPUT_FIELDS: ReadonlySet<string>;
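Review bot: The first member of the `MCPServerUserInputSchema` union does not declare `proxy`, while the second and third both add `proxy: z.ZodOptional<z.ZodNever>` next to `url`. Because the object is typed with `z.UnknownKeysParam` and an index signature, this declaration cannot show whether a user-supplied `proxy` on that first variant is stripped, passed through or rejected. Presumably that transport has no proxy option and the key is dropped, but declaring `proxy: z.never().optional()` on it in the schema source would make all three variants reject the field in the same explicit way. It would also help if the `MCP_USER_INPUT_FIELDS` comment said whether never-typed keys such as `audience` and `proxy` are part of the set, since that set is the comparison surface for the OBO lockdown check.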