ha-mcp-dev 6.7.2.dev257__tar.gz → 6.7.2.dev259__tar.gz

{ha_mcp_dev-6.7.2.dev257/src/ha_mcp_dev.egg-info → ha_mcp_dev-6.7.2.dev259}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ha-mcp-dev
-Version: 6.7.2.dev257
+Version: 6.7.2.dev259
 Summary: Home Assistant MCP Server - Complete control of Home Assistant through MCP
 Author-email: Julien <github@qc-h.net>
 License: MIT

{ha_mcp_dev-6.7.2.dev257 → ha_mcp_dev-6.7.2.dev259}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "ha-mcp-dev"
-version = "6.7.2.dev257"
+version = "6.7.2.dev259"
 description = "Home Assistant MCP Server - Complete control of Home Assistant through MCP"
 readme = "README.md"
 requires-python = ">=3.13,<3.14"

{ha_mcp_dev-6.7.2.dev257 → ha_mcp_dev-6.7.2.dev259}/src/ha_mcp/__main__.py

@@ -19,7 +19,6 @@ from typing import TYPE_CHECKING, Any  # noqa: E402
 if TYPE_CHECKING:
     from fastmcp import FastMCP
 
-    from ha_mcp.auth.provider import HomeAssistantOAuthProvider
     from ha_mcp.client.rest_client import HomeAssistantClient
     from ha_mcp.config import Settings
     from ha_mcp.server import HomeAssistantSmartMCPServer
@@ -32,10 +31,13 @@ class OAuthProxyClient:
 
     This class is necessary because tools capture a reference to the client at registration time.
     The proxy allows us to inject different credentials per-request based on OAuth token claims.
+
+    The Home Assistant URL is fixed server-side (HOMEASSISTANT_URL env var).
+    Only the access token varies per-user (from OAuth consent form).
     """
 
-    def __init__(self, auth_provider: "HomeAssistantOAuthProvider") -> None:
-        self._auth_provider = auth_provider
+    def __init__(self, ha_url: str) -> None:
+        self._ha_url = ha_url.rstrip("/")
         self._oauth_clients: dict[str, HomeAssistantClient] = {}
         self._lock = threading.Lock()
 
@@ -52,26 +54,25 @@ class OAuthProxyClient:
             logger.warning("No access token in context")
             raise RuntimeError("No OAuth token in request context")
 
-        # Extract HA credentials from token claims
+        # Extract HA token from claims (URL is server-side config)
         claims = token.claims
 
-        if not claims or "ha_url" not in claims or "ha_token" not in claims:
+        if not claims or "ha_token" not in claims:
             logger.error(f"OAuth token missing HA credentials. Keys present: {list(claims.keys()) if claims else []}")
             raise RuntimeError("No Home Assistant credentials in OAuth token claims")
 
-        ha_url = claims["ha_url"]
         ha_token = claims["ha_token"]
 
-        # Hash credentials for cache key to avoid raw tokens appearing in dict keys
-        client_key = hashlib.sha256(f"{ha_url}:{ha_token}".encode()).hexdigest()
+        # Hash token for cache key to avoid raw tokens appearing in dict keys
+        client_key = hashlib.sha256(ha_token.encode()).hexdigest()
 
         with self._lock:
             if client_key not in self._oauth_clients:
                 self._oauth_clients[client_key] = HomeAssistantClient(
-                    base_url=ha_url,
+                    base_url=self._ha_url,
                     token=ha_token,
                 )
-                logger.info(f"Created OAuth client for {ha_url}")
+                logger.info(f"Created OAuth client for {self._ha_url}")
 
             return self._oauth_clients[client_key]
 
@@ -610,18 +611,19 @@ def main_sse() -> None:
 def main_oauth() -> None:
     """Run server with OAuth 2.1 authentication over HTTP.
 
-    This mode enables zero-config authentication for MCP clients like Claude.ai.
-    Users authenticate via a consent form where they enter their Home Assistant
-    URL and Long-Lived Access Token.
+    This mode enables per-user authentication for MCP clients like Claude.ai.
+    Users authenticate via a consent form where they provide their
+    Long-Lived Access Token.
 
     Environment:
+    - HOMEASSISTANT_URL (required): URL of the Home Assistant instance
     - MCP_BASE_URL (required): Public URL where this server is accessible (e.g., https://your-tunnel.com)
     - MCP_PORT (optional, default: 8086)
     - MCP_SECRET_PATH (optional, default: "/mcp")
     - LOG_LEVEL (optional, default: INFO)
 
-    Note: HOMEASSISTANT_URL and HOMEASSISTANT_TOKEN are NOT required in this mode.
-    They are collected via the OAuth consent form.
+    Note: HOMEASSISTANT_TOKEN is NOT required in this mode.
+    Per-user tokens are collected via the OAuth consent form.
     """
     # Configure logging for OAuth mode
     log_level = os.getenv("LOG_LEVEL", "INFO").upper()
@@ -633,21 +635,45 @@ def main_oauth() -> None:
 
     port, path = _get_http_runtime(default_port=8086)
     base_url = os.getenv("MCP_BASE_URL")
+    ha_url = os.getenv("HOMEASSISTANT_URL")
 
+    missing = []
     if not base_url:
-        logger.error("MCP_BASE_URL environment variable is required for OAuth mode")
-        logger.error(
-            "Example: export MCP_BASE_URL=https://your-tunnel.trycloudflare.com"
+        missing.append("  - MCP_BASE_URL (e.g., https://your-tunnel.trycloudflare.com)")
+    if not ha_url:
+        missing.append("  - HOMEASSISTANT_URL (e.g., http://homeassistant.local:8123)")
+
+    if missing:
+        missing_vars = "\n".join(missing)
+        print(
+            f"""
+==============================================================================
+                    Home Assistant MCP Server - Configuration Error
+==============================================================================
+
+Missing required environment variables for OAuth mode:
+{missing_vars}
+
+For setup instructions, see:
+  https://github.com/homeassistant-ai/ha-mcp/blob/master/docs/OAUTH.md
+
+==============================================================================
+""",
+            file=sys.stderr,
         )
         sys.exit(1)
 
-    _run_entrypoint(_run_oauth_server(base_url, port, path), "OAuth server")
+    # Type narrowing: ha_url and base_url are guaranteed non-None after the check above
+    assert ha_url is not None
+    assert base_url is not None
+    _run_entrypoint(_run_oauth_server(ha_url, base_url, port, path), "OAuth server")
 
 
-async def _run_oauth_server(base_url: str, port: int, path: str) -> None:
+async def _run_oauth_server(ha_url: str, base_url: str, port: int, path: str) -> None:
     """Run the OAuth-authenticated MCP server.
 
     Args:
+        ha_url: Home Assistant instance URL (server-side config)
         base_url: Public URL where this server is accessible (required)
         port: Port to listen on
         path: MCP endpoint path
@@ -661,9 +687,9 @@ async def _run_oauth_server(base_url: str, port: int, path: str) -> None:
         service_documentation_url="https://github.com/homeassistant-ai/ha-mcp",
     )
 
-    # In OAuth mode, credentials come from the OAuth consent form per-request.
-    # The proxy client extracts them from token claims on each tool invocation.
-    proxy_client = OAuthProxyClient(auth_provider)
+    # In OAuth mode, the HA URL is fixed server-side. Per-user tokens come
+    # from the OAuth consent form and are extracted from token claims.
+    proxy_client = OAuthProxyClient(ha_url)
 
     global _server
     _server = HomeAssistantSmartMCPServer(

{ha_mcp_dev-6.7.2.dev257 → ha_mcp_dev-6.7.2.dev259}/src/ha_mcp/auth/consent_form.py

@@ -2,16 +2,27 @@
 Consent form HTML template for Home Assistant OAuth authentication.
 
 This module provides the HTML consent form where users enter their
-Home Assistant URL and Long-Lived Access Token (LLAT).
+Long-Lived Access Token (LLAT) to authorize MCP client access.
 """
 
+import html
+from urllib.parse import urlparse
+
+
+def _extract_domain(redirect_uri: str) -> str:
+    """Extract display domain from redirect URI."""
+    try:
+        parsed = urlparse(redirect_uri)
+        return parsed.netloc or redirect_uri
+    except (AttributeError, TypeError, ValueError):
+        return redirect_uri
+
 
 def create_consent_html(
     client_id: str,
-    client_name: str | None,
     redirect_uri: str,
     state: str,
-    scopes: list[str],
+    txn_id: str,
     error_message: str | None = None,
 ) -> str:
     """
@@ -19,23 +30,27 @@ def create_consent_html(
 
     Args:
         client_id: OAuth client ID
-        client_name: Human-readable client name
-        redirect_uri: OAuth redirect URI
+        redirect_uri: OAuth redirect URI (used to derive the display domain)
         state: OAuth state parameter
-        scopes: Requested OAuth scopes
+        txn_id: Transaction ID for this authorization request
         error_message: Optional error message to display
 
     Returns:
         HTML string for the consent form
     """
-    display_name = client_name or client_id
-    scopes_display = ", ".join(scopes) if scopes else "full access"
+    domain = _extract_domain(redirect_uri)
+    safe_domain = html.escape(domain)
+    safe_client_id = html.escape(client_id)
+    safe_redirect_uri = html.escape(redirect_uri)
+    safe_state = html.escape(state)
+    safe_txn_id = html.escape(txn_id)
 
     error_html = ""
     if error_message:
+        safe_error = html.escape(error_message)
         error_html = f"""
         <div class="error-message">
-            <strong>Error:</strong> {error_message}
+            <strong>Error:</strong> {safe_error}
         </div>
         """
 
@@ -52,7 +67,8 @@ def create_consent_html(
             --primary-hover: #0288d1;
             --error-color: #f44336;
             --error-bg: #ffebee;
-            --success-color: #4caf50;
+            --warning-color: #ff9800;
+            --warning-bg: #fff3e0;
             --text-color: #212121;
             --text-secondary: #757575;
             --border-color: #e0e0e0;
@@ -66,7 +82,8 @@ def create_consent_html(
                 --primary-hover: #4fc3f7;
                 --error-color: #ef5350;
                 --error-bg: #3e2723;
-                --success-color: #66bb6a;
+                --warning-color: #ffb74d;
+                --warning-bg: #2a1f0a;
                 --text-color: #e0e0e0;
                 --text-secondary: #9e9e9e;
                 --border-color: #424242;
@@ -123,28 +140,6 @@ def create_consent_html(
             font-size: 14px;
         }}
 
-        .client-info {{
-            background: var(--bg-color);
-            border-radius: 8px;
-            padding: 16px;
-            margin-bottom: 24px;
-        }}
-
-        .client-info p {{
-            font-size: 14px;
-            color: var(--text-secondary);
-        }}
-
-        .client-info strong {{
-            color: var(--text-color);
-        }}
-
-        .scopes {{
-            margin-top: 8px;
-            font-size: 13px;
-            color: var(--text-secondary);
-        }}
-
         .error-message {{
             background: var(--error-bg);
             border: 1px solid var(--error-color);
@@ -155,6 +150,21 @@ def create_consent_html(
             color: var(--error-color);
         }}
 
+        .warning-box {{
+            background: var(--warning-bg);
+            border: 1px solid var(--warning-color);
+            border-radius: 8px;
+            padding: 12px 16px;
+            margin-bottom: 20px;
+            font-size: 13px;
+            color: var(--text-color);
+            line-height: 1.5;
+        }}
+
+        .warning-box strong {{
+            color: var(--warning-color);
+        }}
+
         .form-group {{
             margin-bottom: 20px;
         }}
@@ -166,8 +176,6 @@ def create_consent_html(
             margin-bottom: 8px;
         }}
 
-        input[type="text"],
-        input[type="url"],
         input[type="password"] {{
             width: 100%;
             padding: 12px 16px;
@@ -245,23 +253,6 @@ def create_consent_html(
             background: var(--bg-color);
         }}
 
-        .security-note {{
-            margin-top: 20px;
-            padding: 12px;
-            background: var(--bg-color);
-            border-radius: 8px;
-            font-size: 12px;
-            color: var(--text-secondary);
-            text-align: center;
-        }}
-
-        .security-note svg {{
-            width: 14px;
-            height: 14px;
-            vertical-align: middle;
-            margin-right: 4px;
-        }}
-
         .loading {{
             display: none;
         }}
@@ -296,35 +287,23 @@ def create_consent_html(
                 <circle fill="#18BCF2" cx="120" cy="120" r="40"/>
             </svg>
             <h1>Connect to Home Assistant</h1>
-            <p class="subtitle">Authorize {display_name} to access your smart home</p>
-        </div>
-
-        <div class="client-info">
-            <p>Application: <strong>{display_name}</strong></p>
-            <p class="scopes">Requested access: <strong>{scopes_display}</strong></p>
+            <p class="subtitle">Authorization request from <strong>{safe_domain}</strong></p>
         </div>
 
         {error_html}
 
-        <form method="POST" id="consent-form">
-            <input type="hidden" name="client_id" value="{client_id}">
-            <input type="hidden" name="redirect_uri" value="{redirect_uri}">
-            <input type="hidden" name="state" value="{state}">
+        <div class="warning-box">
+            <strong>Important:</strong> Your access token will be shared with
+            <strong>{safe_domain}</strong> and used for ongoing access to your
+            Home Assistant instance. To revoke access, delete the token in
+            Home Assistant &rarr; Profile &rarr; Security &rarr; Long-Lived Access Tokens.
+        </div>
 
-            <div class="form-group">
-                <label for="ha_url">Home Assistant URL</label>
-                <input
-                    type="url"
-                    id="ha_url"
-                    name="ha_url"
-                    placeholder="https://homeassistant.local:8123"
-                    required
-                    autocomplete="url"
-                >
-                <p class="help-text">
-                    The URL of your Home Assistant instance (e.g., http://homeassistant.local:8123)
-                </p>
-            </div>
+        <form method="POST" id="consent-form">
+            <input type="hidden" name="txn_id" value="{safe_txn_id}">
+            <input type="hidden" name="client_id" value="{safe_client_id}">
+            <input type="hidden" name="redirect_uri" value="{safe_redirect_uri}">
+            <input type="hidden" name="state" value="{safe_state}">
 
             <div class="form-group">
                 <label for="ha_token">Long-Lived Access Token</label>
@@ -356,14 +335,6 @@ def create_consent_html(
                 </button>
             </div>
         </form>
-
-        <div class="security-note">
-            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="currentColor">
-                <path d="M12 1L3 5v6c0 5.55 3.84 10.74 9 12 5.16-1.26 9-6.45 9-12V5l-9-4zm0 10.99h7c-.53 4.12-3.28 7.79-7 8.94V12H5V6.3l7-3.11v8.8z"/>
-            </svg>
-            Your credentials are validated directly with your Home Assistant instance
-            and stored securely for this session only.
-        </div>
     </div>
 
     <script>
@@ -374,22 +345,7 @@ def create_consent_html(
 
             btn.disabled = true;
             loading.classList.add('active');
-            btnText.textContent = 'Validating...';
-        }});
-
-        // Try to detect Home Assistant URL from common patterns
-        (function() {{
-            var savedUrl = localStorage.getItem('ha_mcp_url');
-            if (savedUrl) {{
-                document.getElementById('ha_url').value = savedUrl;
-            }}
-        }})();
-
-        // Save URL on successful form navigation
-        document.getElementById('ha_url').addEventListener('change', function(e) {{
-            if (e.target.value) {{
-                localStorage.setItem('ha_mcp_url', e.target.value);
-            }}
+            btnText.textContent = 'Authorizing...';
         }});
     </script>
 </body>
@@ -408,6 +364,9 @@ def create_error_html(error: str, error_description: str) -> str:
     Returns:
         HTML string for the error page
     """
+    safe_error = html.escape(error)
+    safe_description = html.escape(error_description)
+
     return f"""
 <!DOCTYPE html>
 <html lang="en">
@@ -493,8 +452,8 @@ def create_error_html(error: str, error_description: str) -> str:
             <path d="M12 2C6.48 2 2 6.48 2 12s4.48 10 10 10 10-4.48 10-10S17.52 2 12 2zm1 15h-2v-2h2v2zm0-4h-2V7h2v6z"/>
         </svg>
         <h1>Authentication Error</h1>
-        <div class="error-code">{error}</div>
-        <p>{error_description}</p>
+        <div class="error-code">{safe_error}</div>
+        <p>{safe_description}</p>
     </div>
 </body>
 </html>

{ha_mcp_dev-6.7.2.dev257 → ha_mcp_dev-6.7.2.dev259}/src/ha_mcp/auth/provider.py

@@ -3,7 +3,7 @@ Home Assistant OAuth 2.1 Provider.
 
 This module implements OAuth 2.1 authentication with Dynamic Client Registration (DCR)
 for Home Assistant MCP Server. Users authenticate via a consent form where they
-provide their Home Assistant URL and Long-Lived Access Token (LLAT).
+provide their Long-Lived Access Token (LLAT).
 """
 
 import binascii
@@ -15,7 +15,6 @@ from base64 import urlsafe_b64decode, urlsafe_b64encode
 from typing import Any
 from urllib.parse import urlencode
 
-import httpx
 from fastmcp.server.auth.auth import (
     AccessToken,  # FastMCP version has claims field
     ClientRegistrationOptions,
@@ -49,15 +48,13 @@ REFRESH_TOKEN_EXPIRY_SECONDS = 7 * 24 * 60 * 60  # 7 days
 class HomeAssistantCredentials:
     """Stores Home Assistant credentials for a client."""
 
-    def __init__(self, ha_url: str, ha_token: str):
-        self.ha_url = ha_url.rstrip("/")
+    def __init__(self, ha_token: str):
         self.ha_token = ha_token
         self.validated_at = time.time()
 
     def to_dict(self) -> dict[str, Any]:
         """Convert to dictionary for storage."""
         return {
-            "ha_url": self.ha_url,
             "ha_token": self.ha_token,
             "validated_at": self.validated_at,
         }
@@ -73,11 +70,11 @@ class HomeAssistantOAuthProvider(OAuthProvider):
     - Custom consent form for collecting HA credentials
     - Stateless access tokens (base64-encoded JSON)
 
-    The consent form collects the user's Home Assistant URL and
-    Long-Lived Access Token, validates them, and encodes them into
-    stateless access tokens for subsequent API calls.
+    The consent form collects the user's Long-Lived Access Token,
+    which is encoded into stateless access tokens for subsequent API calls.
+    The Home Assistant URL is configured server-side via HOMEASSISTANT_URL.
 
-    Access tokens are base64-encoded JSON containing HA credentials.
+    Access tokens are base64-encoded JSON containing the HA token.
     No encryption or signing - security comes from HTTPS transport
     and the LLAT itself being the authorization boundary.
     """
@@ -140,16 +137,15 @@ class HomeAssistantOAuthProvider(OAuthProvider):
 
         logger.info(f"HomeAssistantOAuthProvider initialized with base_url={base_url}")
 
-    def _encode_credentials(self, ha_url: str, ha_token: str) -> str:
+    def _encode_credentials(self, ha_token: str) -> str:
         """
-        Encode HA credentials into a stateless access token.
+        Encode HA token into a stateless access token.
 
-        Tokens are base64-encoded JSON containing HA credentials.
+        Tokens are base64-encoded JSON containing the HA token.
         No encryption or signing - credentials are readable but transmitted over HTTPS.
         The LLAT itself provides the security boundary.
         """
         payload = {
-            "ha_url": ha_url,
             "ha_token": ha_token,
             "iat": int(time.time()),
         }
@@ -157,11 +153,11 @@ class HomeAssistantOAuthProvider(OAuthProvider):
         encoded = urlsafe_b64encode(json_str.encode()).decode().rstrip("=")
         return encoded
 
-    def _decode_credentials(self, token: str) -> tuple[str, str] | None:
+    def _decode_credentials(self, token: str) -> str | None:
         """
-        Decode access token to extract HA credentials.
+        Decode access token to extract HA token.
 
-        Returns (ha_url, ha_token) or None if invalid.
+        Returns ha_token or None if invalid.
         """
         try:
             # Add padding if needed
@@ -172,11 +168,10 @@ class HomeAssistantOAuthProvider(OAuthProvider):
             decoded = urlsafe_b64decode(token.encode()).decode()
             payload = json.loads(decoded)
 
-            ha_url = payload.get("ha_url")
             ha_token = payload.get("ha_token")
 
-            if ha_url and ha_token:
-                return ha_url, ha_token
+            if ha_token:
+                return ha_token
             return None
         except (binascii.Error, json.JSONDecodeError, UnicodeDecodeError) as e:
             logger.debug(f"Failed to decode token: {e}")
@@ -405,32 +400,34 @@ class HomeAssistantOAuthProvider(OAuthProvider):
                 status_code=400,
             )
 
-        html = create_consent_html(
+        redirect_uri = pending.get("redirect_uri", "")
+        if not redirect_uri:
+            return HTMLResponse(
+                create_error_html(
+                    "invalid_request",
+                    "No redirect URI provided. The client must specify a redirect URI.",
+                ),
+                status_code=400,
+            )
+
+        consent_html = create_consent_html(
             client_id=pending["client_id"],
-            client_name=pending.get("client_name"),
-            redirect_uri=pending["redirect_uri"],
+            redirect_uri=redirect_uri,
             state=pending.get("state", ""),
-            scopes=pending.get("scopes", []),
+            txn_id=txn_id,
             error_message=error_message,
         )
 
-        # Add txn_id as hidden field
-        html = html.replace(
-            '<input type="hidden" name="client_id"',
-            f'<input type="hidden" name="txn_id" value="{txn_id}">\n            <input type="hidden" name="client_id"',
-        )
-
-        return HTMLResponse(html)
+        return HTMLResponse(consent_html)
 
     async def _consent_post(self, request: Request) -> Response:
         """Handle POST request from consent form."""
-        logger.info("📝 === CONSENT FORM POST RECEIVED ===")
+        logger.info("=== CONSENT FORM POST RECEIVED ===")
         form = await request.form()
 
         txn_id = form.get("txn_id")
-        ha_url = form.get("ha_url")
         ha_token = form.get("ha_token")
-        logger.info(f"📝 Form data: txn_id={txn_id}, ha_url={ha_url}, has_token={ha_token is not None}")
+        logger.info(f"Form data: txn_id={txn_id}, has_token={ha_token is not None}")
 
         if not txn_id:
             return HTMLResponse(
@@ -451,30 +448,13 @@ class HomeAssistantOAuthProvider(OAuthProvider):
                 status_code=400,
             )
 
-        if not ha_url or not ha_token:
+        if not ha_token:
             # Redirect back to form with error
             base = str(self.base_url).rstrip('/')
             error_params = urlencode(
                 {
                     "txn_id": txn_id,
-                    "error": "Please provide both Home Assistant URL and access token.",
-                }
-            )
-            return RedirectResponse(
-                f"{base}/consent?{error_params}",
-                status_code=303,
-            )
-
-        # Validate HA credentials
-        validation_error = await self._validate_ha_credentials(
-            str(ha_url), str(ha_token)
-        )
-        if validation_error:
-            base = str(self.base_url).rstrip('/')
-            error_params = urlencode(
-                {
-                    "txn_id": txn_id,
-                    "error": validation_error,
+                    "error": "Please provide your Long-Lived Access Token.",
                 }
             )
             return RedirectResponse(
@@ -482,13 +462,13 @@ class HomeAssistantOAuthProvider(OAuthProvider):
                 status_code=303,
             )
 
-        # Store validated credentials
+        # Store credentials (no server-side validation - the token will be
+        # validated on first actual API call to the configured HA instance)
         client_id = pending["client_id"]
         self.ha_credentials[client_id] = HomeAssistantCredentials(
-            ha_url=str(ha_url),
             ha_token=str(ha_token),
         )
-        logger.info(f"✅ Stored HA credentials for client {client_id}: {str(ha_url)}")
+        logger.info(f"Stored HA credentials for client {client_id}")
 
         # Generate authorization code
         auth_code_value = f"ha_auth_code_{secrets.token_hex(16)}"
@@ -524,59 +504,6 @@ class HomeAssistantOAuthProvider(OAuthProvider):
         logger.info(f"Authorization successful for client {client_id}")
         return RedirectResponse(redirect_uri, status_code=303)
 
-    async def _validate_ha_credentials(self, ha_url: str, ha_token: str) -> str | None:
-        """
-        Validate Home Assistant credentials by making a test API call.
-
-        Args:
-            ha_url: Home Assistant URL
-            ha_token: Long-Lived Access Token
-
-        Returns:
-            Error message if validation failed, None if successful
-        """
-        try:
-            ha_url = ha_url.rstrip("/")
-
-            async with httpx.AsyncClient(timeout=10.0) as client:
-                response = await client.get(
-                    f"{ha_url}/api/config",
-                    headers={
-                        "Authorization": f"Bearer {ha_token}",
-                        "Content-Type": "application/json",
-                    },
-                )
-
-                if response.status_code == 401:
-                    return "Invalid access token. Please check your Long-Lived Access Token."
-
-                if response.status_code == 403:
-                    return "Access forbidden. The token may not have sufficient permissions."
-
-                if response.status_code >= 400:
-                    return f"Failed to connect to Home Assistant: HTTP {response.status_code}"
-
-                # Verify we got a valid config response
-                try:
-                    config = response.json()
-                    if "location_name" not in config and "version" not in config:
-                        return "Invalid response from Home Assistant. Please check the URL."
-                except Exception:
-                    return "Invalid response format from Home Assistant."
-
-                logger.info(
-                    f"Validated HA credentials for {config.get('location_name', 'Unknown')}"
-                )
-                return None
-
-        except httpx.ConnectError:
-            return "Could not connect to Home Assistant. Please check the URL and ensure Home Assistant is accessible."
-        except httpx.TimeoutException:
-            return "Connection to Home Assistant timed out. Please check the URL."
-        except Exception as e:
-            logger.error(f"Error validating HA credentials: {e}")
-            return f"Failed to validate credentials: {str(e)}"
-
     async def load_authorization_code(
         self, client: OAuthClientInformationFull, authorization_code: str
     ) -> AuthorizationCode | None:
@@ -607,10 +534,8 @@ class HomeAssistantOAuthProvider(OAuthProvider):
             raise TokenError("invalid_client", "Client ID is required")
 
         # Generate tokens
-        access_token_value = f"ha_access_{secrets.token_hex(32)}"
         refresh_token_value = f"ha_refresh_{secrets.token_hex(32)}"
 
-        access_token_expires_at = int(time.time() + ACCESS_TOKEN_EXPIRY_SECONDS)
         refresh_token_expires_at = int(time.time() + REFRESH_TOKEN_EXPIRY_SECONDS)
 
         # Get HA credentials for this client to encode in token
@@ -621,11 +546,9 @@ class HomeAssistantOAuthProvider(OAuthProvider):
                 f"No Home Assistant credentials found for client {client.client_id}",
             )
 
-        # STATELESS TOKEN: Encode HA credentials directly into the access token
+        # STATELESS TOKEN: Encode HA token directly into the access token
         # No server-side storage needed - token contains everything as base64-encoded JSON
-        access_token_value = self._encode_credentials(
-            ha_credentials.ha_url, ha_credentials.ha_token
-        )
+        access_token_value = self._encode_credentials(ha_credentials.ha_token)
 
         # Still use random string for refresh token (less sensitive, can be in memory)
         # Refresh tokens are less frequently used and don't need to carry credentials
@@ -738,17 +661,15 @@ class HomeAssistantOAuthProvider(OAuthProvider):
         """
         Load and validate access token.
 
-        STATELESS: Decodes token to extract HA credentials.
+        STATELESS: Decodes token to extract HA token.
         No server-side storage needed - token is self-contained base64-encoded JSON.
         """
 
-        # Decode token to get HA credentials
-        credentials = self._decode_credentials(token)
-        if not credentials:
+        # Decode token to get HA token
+        ha_token = self._decode_credentials(token)
+        if not ha_token:
             return None
 
-        ha_url, ha_token = credentials
-
         # Create AccessToken object with decoded credentials in claims
         # No expiry check - tokens don't expire (LLAT revocation handles security)
         return AccessToken(
@@ -757,7 +678,6 @@ class HomeAssistantOAuthProvider(OAuthProvider):
             scopes=["homeassistant", "mcp"],
             expires_at=None,  # Stateless tokens don't expire
             claims={
-                "ha_url": ha_url,
                 "ha_token": ha_token,
             },
         )
@@ -801,7 +721,7 @@ class HomeAssistantOAuthProvider(OAuthProvider):
         """
         Get Home Assistant credentials for a client.
 
-        This is used by the MCP server to get the HA URL and token
+        This is used by the MCP server to get the HA token
         for making API calls on behalf of the authenticated user.
 
         Args:

{ha_mcp_dev-6.7.2.dev257 → ha_mcp_dev-6.7.2.dev259/src/ha_mcp_dev.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ha-mcp-dev
-Version: 6.7.2.dev257
+Version: 6.7.2.dev259
 Summary: Home Assistant MCP Server - Complete control of Home Assistant through MCP
 Author-email: Julien <github@qc-h.net>
 License: MIT