Skip to content

Commit 939da93

Browse files
changeset: state the challenge-header sanitization instead of claiming unchanged behavior
1 parent 5d2aac3 commit 939da93

1 file changed

Lines changed: 4 additions & 2 deletions

File tree

.changeset/web-standard-bearer-auth.md

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,5 +9,7 @@ Add runtime-neutral Bearer authentication to `@modelcontextprotocol/server`:
99
Workers, Deno, Bun, Hono), built on the exported `verifyBearerToken` and
1010
`bearerAuthChallengeResponse` pieces, with `OAuthTokenVerifier` now defined
1111
here. The Express middleware adapts the same core and is unchanged in
12-
behavior; `@modelcontextprotocol/express` re-exports `OAuthTokenVerifier` as
13-
before.
12+
behavior, except that `WWW-Authenticate` challenge values are now RFC 7235
13+
quoted-string sanitized (quotes and backslashes escaped, control and
14+
non-ASCII characters replaced); `@modelcontextprotocol/express` re-exports
15+
`OAuthTokenVerifier` as before.

0 commit comments

Comments
 (0)