Fix MCP OAuth credentials cache not invalidating when the server URL changes

ericdallo · ericdallo · commit 9e4d45e78fee · 2026-03-11T10:18:19.000-03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,8 @@
 
 ## Unreleased
 
+- Fix MCP OAuth credentials cache not invalidating when the server URL changes.
+
 ## 0.112.0
 
 - Add `plugins` config for loading external configuration from git repos or local paths. #349
diff --git a/src/eca/features/tools/mcp.clj b/src/eca/features/tools/mcp.clj
@@ -259,6 +259,7 @@
     :on-success (fn [{:keys [code]}]
                   (let [{:keys [access-token refresh-token expires-at]} (oauth/authorize-token! oauth-info code)]
                     (swap! db* assoc-in [:mcp-auth server-name] {:type :auth/oauth
+                                                                 :url (:url server-config)
                                                                  :refresh-token refresh-token
                                                                  :access-token access-token
                                                                  :expires-at expires-at}))
@@ -321,6 +322,8 @@
             ;; Skip OAuth entirely if Authorization header is configured
             has-static-auth? (some-> server-config :headers :Authorization some?)
             mcp-auth (get-in @db* [:mcp-auth name])
+            ;; Invalidate cached credentials when URL changed
+            mcp-auth (when (= url (:url mcp-auth)) mcp-auth)
             has-token? (some? (:access-token mcp-auth))
             token-expired? (token-expired? (:expires-at mcp-auth))
             ;; Try to refresh if token exists but is expired
