fix: reset _authRetryInFlight in send() catch; add migration-SKILL entry

felixweinberger · felixweinberger · commit 7384f73b77bf · 2026-03-19T15:14:00.000Z
Addresses both review comments on the breaking-change commit:

1. _authRetryInFlight was never reset when onUnauthorized() throws in
   send() — if the refresh failed transiently, subsequent 401s would
   skip the retry path permanently. The connect paths already had
   try/finally; send() paths now reset in the outer catch block.
   (Resetting in a try/finally around just onUnauthorized would break
   the circuit breaker — the finally would fire before the recursive
   not-awaited send() resolves.)

   Added regression test: onUnauthorized throws once, succeeds on
   second send() call.

2. migration-SKILL.md now has the AuthProvider mapping table per
   CLAUDE.md's both-files requirement.
diff --git a/docs/migration-SKILL.md b/docs/migration-SKILL.md
@@ -47,15 +47,15 @@ Replace all `@modelcontextprotocol/sdk/...` imports using this table.
 
 ### Server imports
 
-| v1 import path                                       | v2 package                                                                                                                                                                                                          |
-| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `@modelcontextprotocol/sdk/server/mcp.js`            | `@modelcontextprotocol/server`                                                                                                                                                                                      |
-| `@modelcontextprotocol/sdk/server/index.js`          | `@modelcontextprotocol/server`                                                                                                                                                                                      |
-| `@modelcontextprotocol/sdk/server/stdio.js`          | `@modelcontextprotocol/server`                                                                                                                                                                                      |
+| v1 import path                                       | v2 package                                                                                                                                                                                                         |
+| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `@modelcontextprotocol/sdk/server/mcp.js`            | `@modelcontextprotocol/server`                                                                                                                                                                                     |
+| `@modelcontextprotocol/sdk/server/index.js`          | `@modelcontextprotocol/server`                                                                                                                                                                                     |
+| `@modelcontextprotocol/sdk/server/stdio.js`          | `@modelcontextprotocol/server`                                                                                                                                                                                     |
 | `@modelcontextprotocol/sdk/server/streamableHttp.js` | `@modelcontextprotocol/node` (class renamed to `NodeStreamableHTTPServerTransport`) OR `@modelcontextprotocol/server` (web-standard `WebStandardStreamableHTTPServerTransport` for Cloudflare Workers, Deno, etc.) |
-| `@modelcontextprotocol/sdk/server/sse.js`            | REMOVED (migrate to Streamable HTTP)                                                                                                                                                                                |
-| `@modelcontextprotocol/sdk/server/auth/*`            | REMOVED (use external auth library)                                                                                                                                                                                 |
-| `@modelcontextprotocol/sdk/server/middleware.js`     | `@modelcontextprotocol/express` (signature changed, see section 8)                                                                                                                                                  |
+| `@modelcontextprotocol/sdk/server/sse.js`            | REMOVED (migrate to Streamable HTTP)                                                                                                                                                                               |
+| `@modelcontextprotocol/sdk/server/auth/*`            | REMOVED (use external auth library)                                                                                                                                                                                |
+| `@modelcontextprotocol/sdk/server/middleware.js`     | `@modelcontextprotocol/express` (signature changed, see section 8)                                                                                                                                                 |
 
 ### Types / shared imports
 
@@ -203,7 +203,41 @@ import { OAuthError, OAuthErrorCode } from '@modelcontextprotocol/core';
 if (error instanceof OAuthError && error.code === OAuthErrorCode.InvalidClient) { ... }
 ```
 
-**Unchanged APIs** (only import paths changed): `Client` constructor and most methods, `McpServer` constructor, `server.connect()`, `server.close()`, all client transports (`StreamableHTTPClientTransport`, `SSEClientTransport`, `StdioClientTransport`), `StdioServerTransport`, all Zod schemas, all callback return types. Note: `callTool()` and `request()` signatures changed (schema parameter removed, see section 11).
+### Client `OAuthClientProvider` now extends `AuthProvider`
+
+Transport `authProvider` options now accept the minimal `AuthProvider` interface. `OAuthClientProvider` extends it, so built-in providers work unchanged — custom implementations must add `token()`.
+
+| v1 pattern                                            | v2 equivalent                                                               |
+| ----------------------------------------------------- | --------------------------------------------------------------------------- |
+| `authProvider?: OAuthClientProvider` (option type)    | `authProvider?: AuthProvider` (accepts `OAuthClientProvider` via extension) |
+| Transport reads `authProvider.tokens()?.access_token` | Transport calls `authProvider.token()`                                      |
+| Transport inlines `auth()` on 401                     | Transport calls `authProvider.onUnauthorized()` then retries once           |
+| `_hasCompletedAuthFlow` circuit breaker               | `_authRetryInFlight` circuit breaker                                        |
+| N/A                                                   | `handleOAuthUnauthorized(provider, ctx)` — standard `onUnauthorized` impl   |
+| N/A                                                   | `isOAuthClientProvider(provider)` — type guard                              |
+| N/A                                                   | `UnauthorizedContext` — `{ response, serverUrl, fetchFn }`                  |
+
+**For custom `OAuthClientProvider` implementations**, add:
+
+```typescript
+async token(): Promise<string | undefined> {
+    return (await this.tokens())?.access_token;
+}
+
+async onUnauthorized(ctx: UnauthorizedContext): Promise<void> {
+    await handleOAuthUnauthorized(this, ctx);
+}
+```
+
+**For simple bearer tokens** (previously required stubbing 8 `OAuthClientProvider` members):
+
+```typescript
+// v2: one-liner
+const authProvider: AuthProvider = { token: async () => process.env.API_KEY };
+```
+
+**Unchanged APIs** (only import paths changed): `Client` constructor and most methods, `McpServer` constructor, `server.connect()`, `server.close()`, all client transports (`StreamableHTTPClientTransport`, `SSEClientTransport`, `StdioClientTransport`), `StdioServerTransport`, all
+Zod schemas, all callback return types. Note: `callTool()` and `request()` signatures changed (schema parameter removed, see section 11).
 
 ## 6. McpServer API Changes
 
@@ -279,12 +313,12 @@ Note: the third argument (`metadata`) is required — pass `{}` if no metadata.
 
 ### Schema Migration Quick Reference
 
-| v1 (raw shape) | v2 (Zod schema) |
-|----------------|-----------------|
-| `{ name: z.string() }` | `z.object({ name: z.string() })` |
+| v1 (raw shape)                     | v2 (Zod schema)                              |
+| ---------------------------------- | -------------------------------------------- |
+| `{ name: z.string() }`             | `z.object({ name: z.string() })`             |
 | `{ count: z.number().optional() }` | `z.object({ count: z.number().optional() })` |
-| `{}` (empty) | `z.object({})` |
-| `undefined` (no schema) | `undefined` or omit the field |
+| `{}` (empty)                       | `z.object({})`                               |
+| `undefined` (no schema)            | `undefined` or omit the field                |
 
 ## 7. Headers API
 
@@ -370,31 +404,31 @@ Request/notification params remain fully typed. Remove unused schema imports aft
 
 `RequestHandlerExtra` → structured context types with nested groups. Rename `extra` → `ctx` in all handler callbacks.
 
-| v1 | v2 |
-|----|-----|
-| `RequestHandlerExtra` | `ServerContext` (server) / `ClientContext` (client) / `BaseContext` (base) |
-| `extra` (param name) | `ctx` |
-| `extra.signal` | `ctx.mcpReq.signal` |
-| `extra.requestId` | `ctx.mcpReq.id` |
-| `extra._meta` | `ctx.mcpReq._meta` |
-| `extra.sendRequest(...)` | `ctx.mcpReq.send(...)` |
-| `extra.sendNotification(...)` | `ctx.mcpReq.notify(...)` |
-| `extra.authInfo` | `ctx.http?.authInfo` |
-| `extra.sessionId` | `ctx.sessionId` |
-| `extra.requestInfo` | `ctx.http?.req` (only `ServerContext`) |
-| `extra.closeSSEStream` | `ctx.http?.closeSSE` (only `ServerContext`) |
-| `extra.closeStandaloneSSEStream` | `ctx.http?.closeStandaloneSSE` (only `ServerContext`) |
-| `extra.taskStore` | `ctx.task?.store` |
-| `extra.taskId` | `ctx.task?.id` |
-| `extra.taskRequestedTtl` | `ctx.task?.requestedTtl` |
+| v1                               | v2                                                                         |
+| -------------------------------- | -------------------------------------------------------------------------- |
+| `RequestHandlerExtra`            | `ServerContext` (server) / `ClientContext` (client) / `BaseContext` (base) |
+| `extra` (param name)             | `ctx`                                                                      |
+| `extra.signal`                   | `ctx.mcpReq.signal`                                                        |
+| `extra.requestId`                | `ctx.mcpReq.id`                                                            |
+| `extra._meta`                    | `ctx.mcpReq._meta`                                                         |
+| `extra.sendRequest(...)`         | `ctx.mcpReq.send(...)`                                                     |
+| `extra.sendNotification(...)`    | `ctx.mcpReq.notify(...)`                                                   |
+| `extra.authInfo`                 | `ctx.http?.authInfo`                                                       |
+| `extra.sessionId`                | `ctx.sessionId`                                                            |
+| `extra.requestInfo`              | `ctx.http?.req` (only `ServerContext`)                                     |
+| `extra.closeSSEStream`           | `ctx.http?.closeSSE` (only `ServerContext`)                                |
+| `extra.closeStandaloneSSEStream` | `ctx.http?.closeStandaloneSSE` (only `ServerContext`)                      |
+| `extra.taskStore`                | `ctx.task?.store`                                                          |
+| `extra.taskId`                   | `ctx.task?.id`                                                             |
+| `extra.taskRequestedTtl`         | `ctx.task?.requestedTtl`                                                   |
 
 `ServerContext` convenience methods (new in v2, no v1 equivalent):
 
-| Method | Description | Replaces |
-|--------|-------------|----------|
-| `ctx.mcpReq.log(level, data, logger?)` | Send log notification (respects client's level filter) | `server.sendLoggingMessage(...)` from within handler |
-| `ctx.mcpReq.elicitInput(params, options?)` | Elicit user input (form or URL) | `server.elicitInput(...)` from within handler |
-| `ctx.mcpReq.requestSampling(params, options?)` | Request LLM sampling from client | `server.createMessage(...)` from within handler |
+| Method                                         | Description                                            | Replaces                                             |
+| ---------------------------------------------- | ------------------------------------------------------ | ---------------------------------------------------- |
+| `ctx.mcpReq.log(level, data, logger?)`         | Send log notification (respects client's level filter) | `server.sendLoggingMessage(...)` from within handler |
+| `ctx.mcpReq.elicitInput(params, options?)`     | Elicit user input (form or URL)                        | `server.elicitInput(...)` from within handler        |
+| `ctx.mcpReq.requestSampling(params, options?)` | Request LLM sampling from client                       | `server.createMessage(...)` from within handler      |
 
 ## 11. Schema parameter removed from `request()`, `send()`, and `callTool()`
 
@@ -413,14 +447,14 @@ const elicit = await ctx.mcpReq.send({ method: 'elicitation/create', params: { .
 const tool = await client.callTool({ name: 'my-tool', arguments: {} });
 ```
 
-| v1 call | v2 call |
-|---------|---------|
-| `client.request(req, ResultSchema)` | `client.request(req)` |
-| `client.request(req, ResultSchema, options)` | `client.request(req, options)` |
-| `ctx.mcpReq.send(req, ResultSchema)` | `ctx.mcpReq.send(req)` |
-| `ctx.mcpReq.send(req, ResultSchema, options)` | `ctx.mcpReq.send(req, options)` |
-| `client.callTool(params, CompatibilityCallToolResultSchema)` | `client.callTool(params)` |
-| `client.callTool(params, schema, options)` | `client.callTool(params, options)` |
+| v1 call                                                      | v2 call                            |
+| ------------------------------------------------------------ | ---------------------------------- |
+| `client.request(req, ResultSchema)`                          | `client.request(req)`              |
+| `client.request(req, ResultSchema, options)`                 | `client.request(req, options)`     |
+| `ctx.mcpReq.send(req, ResultSchema)`                         | `ctx.mcpReq.send(req)`             |
+| `ctx.mcpReq.send(req, ResultSchema, options)`                | `ctx.mcpReq.send(req, options)`    |
+| `client.callTool(params, CompatibilityCallToolResultSchema)` | `client.callTool(params)`          |
+| `client.callTool(params, schema, options)`                   | `client.callTool(params, options)` |
 
 Remove unused schema imports: `CallToolResultSchema`, `CompatibilityCallToolResultSchema`, `ElicitResultSchema`, `CreateMessageResultSchema`, etc., when they were only used in `request()`/`send()`/`callTool()` calls.
 
@@ -431,16 +465,20 @@ Remove unused schema imports: `CallToolResultSchema`, `CompatibilityCallToolResu
 ## 13. Runtime-Specific JSON Schema Validators (Enhancement)
 
 The SDK now auto-selects the appropriate JSON Schema validator based on runtime:
+
 - Node.js → `AjvJsonSchemaValidator` (no change from v1)
 - Cloudflare Workers (workerd) → `CfWorkerJsonSchemaValidator` (previously required manual config)
 
 **No action required** for most users. Cloudflare Workers users can remove explicit `jsonSchemaValidator` configuration:
 
 ```typescript
 // v1 (Cloudflare Workers): Required explicit validator
-new McpServer({ name: 'server', version: '1.0.0' }, {
-  jsonSchemaValidator: new CfWorkerJsonSchemaValidator()
-});
+new McpServer(
+    { name: 'server', version: '1.0.0' },
+    {
+        jsonSchemaValidator: new CfWorkerJsonSchemaValidator()
+    }
+);
 
 // v2 (Cloudflare Workers): Auto-selected, explicit config optional
 new McpServer({ name: 'server', version: '1.0.0' }, {});
diff --git a/packages/client/src/client/sse.ts b/packages/client/src/client/sse.ts
@@ -285,6 +285,7 @@ export class SSEClientTransport implements Transport {
             // Release connection - POST responses don't have content we need
             await response.text?.().catch(() => {});
         } catch (error) {
+            this._authRetryInFlight = false;
             this.onerror?.(error as Error);
             throw error;
         }
diff --git a/packages/client/src/client/streamableHttp.ts b/packages/client/src/client/streamableHttp.ts
@@ -600,6 +600,7 @@ export class StreamableHTTPClientTransport implements Transport {
                 await response.text?.().catch(() => {});
             }
         } catch (error) {
+            this._authRetryInFlight = false;
             this.onerror?.(error as Error);
             throw error;
         }
diff --git a/packages/client/test/client/tokenProvider.test.ts b/packages/client/test/client/tokenProvider.test.ts
@@ -97,6 +97,28 @@ describe('StreamableHTTPClientTransport with AuthProvider', () => {
         expect(authProvider.onUnauthorized).toHaveBeenCalledTimes(1);
     });
 
+    it('should reset retry guard when onUnauthorized throws, allowing retry on next send', async () => {
+        const authProvider: AuthProvider = {
+            token: vi.fn(async () => 'token'),
+            onUnauthorized: vi.fn().mockRejectedValueOnce(new Error('transient network error')).mockResolvedValueOnce(undefined)
+        };
+        transport = new StreamableHTTPClientTransport(new URL('http://localhost:1234/mcp'), { authProvider });
+        vi.spyOn(globalThis, 'fetch');
+
+        (globalThis.fetch as Mock)
+            .mockResolvedValueOnce({ ok: false, status: 401, headers: new Headers(), text: async () => 'unauthorized' })
+            .mockResolvedValueOnce({ ok: false, status: 401, headers: new Headers(), text: async () => 'unauthorized' })
+            .mockResolvedValueOnce({ ok: true, status: 202, headers: new Headers() });
+
+        // First send: onUnauthorized throws transient error
+        await expect(transport.send(message)).rejects.toThrow('transient network error');
+        expect(authProvider.onUnauthorized).toHaveBeenCalledTimes(1);
+
+        // Second send: flag should be reset, so onUnauthorized gets a second chance
+        await transport.send(message);
+        expect(authProvider.onUnauthorized).toHaveBeenCalledTimes(2);
+    });
+
     it('should work with no authProvider at all', async () => {
         transport = new StreamableHTTPClientTransport(new URL('http://localhost:1234/mcp'));
         vi.spyOn(globalThis, 'fetch');

Original file line number	Diff line number	Diff line change
`@@ -285,6 +285,7 @@ export class SSEClientTransport implements Transport {`
`285`	`285`	`// Release connection - POST responses don't have content we need`
`286`	`286`	`await response.text?.().catch(() => {});`
`287`	`287`	`} catch (error) {`
	`288`	`+ this._authRetryInFlight = false;`
`288`	`289`	`this.onerror?.(error as Error);`
`289`	`290`	`throw error;`
`290`	`291`	`}`
Original file line number	Diff line number	Diff line change
`@@ -600,6 +600,7 @@ export class StreamableHTTPClientTransport implements Transport {`
`600`	`600`	`await response.text?.().catch(() => {});`
`601`	`601`	`}`
`602`	`602`	`} catch (error) {`
	`603`	`+ this._authRetryInFlight = false;`
`603`	`604`	`this.onerror?.(error as Error);`
`604`	`605`	`throw error;`
`605`	`606`	`}`