feat(client): add config toggle to opt out of OAuth revoke on Disconnect

The Inspector is a testing tool, so users may legitimately want to
exercise the inverse scenario: how does an authorization server behave
when a client disconnects without revoking? Mirror the existing pattern
used for MCP_REQUEST_TIMEOUT_RESET_ON_PROGRESS — boolean ConfigItem,
default to the spec-compliant value (`true`), expose via the Settings
panel (auto-rendered for any ConfigItem).

The local clear() still runs when revocation is disabled, so users
still get a clean slate in the Inspector even when opting out of the
remote revoke.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: jblz

client/src/lib/configurationTypes.ts

@@ -45,4 +45,12 @@ export type InspectorConfig = {
    * Default Time-to-Live (TTL) in milliseconds for newly created tasks.
    */
   MCP_TASK_TTL: ConfigItem;
+
+  /**
+   * Whether to send an RFC 7009 token revocation request to the authorization server
+   * on Disconnect (when the server advertises a `revocation_endpoint`). Default `true`
+   * (spec-compliant). Disable to test server behavior when a client disconnects
+   * without revoking, or to suppress the network call during offline testing.
+   */
+  MCP_OAUTH_REVOKE_ON_DISCONNECT: ConfigItem;
 };

client/src/lib/constants.ts

@@ -92,4 +92,11 @@ export const DEFAULT_INSPECTOR_CONFIG: InspectorConfig = {
     value: 60000,
     is_session_item: false,
   },
+  MCP_OAUTH_REVOKE_ON_DISCONNECT: {
+    label: "Revoke OAuth Tokens on Disconnect",
+    description:
+      "When disconnecting, send an RFC 7009 token revocation request to the authorization server before clearing local state. Disable to test how a server behaves when a client disconnects without revoking.",
+    value: true,
+    is_session_item: false,
+  },
 } as const;

client/src/lib/hooks/__tests__/useConnection.test.tsx

@@ -1836,5 +1836,42 @@ describe("useConnection", () => {
 
       expect(result.current.connectionStatus).toBe("disconnected");
     });
+
+    test("skips revokeTokens when MCP_OAUTH_REVOKE_ON_DISCONNECT is false", async () => {
+      const { InspectorOAuthClientProvider } = jest.requireMock("../../auth");
+      const providerCtor = InspectorOAuthClientProvider as jest.Mock;
+      providerCtor.mockClear();
+
+      const propsWithRevokeDisabled: Parameters<typeof useConnection>[0] = {
+        ...defaultProps,
+        config: {
+          ...DEFAULT_INSPECTOR_CONFIG,
+          MCP_OAUTH_REVOKE_ON_DISCONNECT: {
+            ...DEFAULT_INSPECTOR_CONFIG.MCP_OAUTH_REVOKE_ON_DISCONNECT,
+            value: false,
+          },
+        },
+      };
+
+      const { result } = renderHook(() =>
+        useConnection(propsWithRevokeDisabled),
+      );
+      await act(async () => {
+        await result.current.connect();
+      });
+
+      await act(async () => {
+        await result.current.disconnect();
+      });
+
+      expect(mockRevokeTokens).not.toHaveBeenCalled();
+      // Local clear still runs so the user gets a fresh slate even when
+      // remote revocation is opted out.
+      const disconnectInstance = providerCtor.mock.results[
+        providerCtor.mock.results.length - 1
+      ].value as { clear: jest.Mock };
+      expect(disconnectInstance.clear).toHaveBeenCalledTimes(1);
+      expect(result.current.connectionStatus).toBe("disconnected");
+    });
   });
 });

client/src/lib/hooks/useConnection.ts

@@ -71,6 +71,7 @@ import {
   getMCPServerRequestMaxTotalTimeout,
   resetRequestTimeoutOnProgress,
   getMCPProxyAuthToken,
+  revokeOAuthTokensOnDisconnect,
 } from "@/utils/configUtils";
 import { getMCPServerRequestTimeout } from "@/utils/configUtils";
 import { InspectorConfig } from "../configurationTypes";
@@ -1183,10 +1184,13 @@ export function useConnection({
       ).terminateSession();
     await mcpClient?.close();
     // RFC 7009: revoke tokens at the AS before wiping local state, so the
-    // server doesn't keep a still-valid token around as a tombstone.
-    const fetchFn =
-      connectionType === "proxy" ? createProxyFetch(config) : undefined;
-    await revokeTokens({ serverUrl: sseUrl, fetchFn });
+    // server doesn't keep a still-valid token around as a tombstone. Users
+    // testing the inverse scenario can opt out via the config toggle.
+    if (revokeOAuthTokensOnDisconnect(config)) {
+      const fetchFn =
+        connectionType === "proxy" ? createProxyFetch(config) : undefined;
+      await revokeTokens({ serverUrl: sseUrl, fetchFn });
+    }
     const authProvider = new InspectorOAuthClientProvider(sseUrl);
     authProvider.clear();
     setMcpClient(null);

client/src/utils/configUtils.ts

@@ -58,6 +58,12 @@ export const getMCPTaskTtl = (config: InspectorConfig): number => {
   return config.MCP_TASK_TTL.value as number;
 };
 
+export const revokeOAuthTokensOnDisconnect = (
+  config: InspectorConfig,
+): boolean => {
+  return config.MCP_OAUTH_REVOKE_ON_DISCONNECT.value as boolean;
+};
+
 export const getInitialTransportType = ():
   | "stdio"
   | "sse"