fix

Author: brendan-kellam

docs/docs/features/mcp-server.mdx

@@ -28,6 +28,10 @@ Sourcebot MCP uses a [Streamable HTTP](https://modelcontextprotocol.io/specifica
 
 You can read more about the options in the [authorization](#authorization) section.
 
+<Note>
+    If [anonymous access](https://docs.sourcebot.dev/docs/configuration/auth/access-settings#anonymous-access) is enabled on your Sourcebot instance, no OAuth token or API key is required. You can connect directly to the MCP endpoint without any authorization.
+</Note>
+
 <AccordionGroup>
 <Accordion title="Claude Code">
         [Claude Code MCP docs](https://code.claude.com/docs/en/mcp#connect-claude-code-to-tools-via-mcp)
@@ -273,7 +277,7 @@ You can read more about the options in the [authorization](#authorization) secti
 
 ## Authorization
 
-The Sourcebot MCP server supports two authorization methods, OAuth and API keys.
+The Sourcebot MCP server supports two authorization methods, OAuth and API keys. If [anonymous access](/docs/configuration/auth/access-settings#anonymous-access) is enabled on your instance, no authorization is required.
 
 Regardless of which method you use, all MCP requests are scoped to the associated Sourcebot user and inherit the [user's role and permissions](/docs/configuration/auth/roles-and-permissions). When [permission syncing](/docs/features/permission-syncing) is configured, this includes repository permissions - the MCP server will only surface results from repositories the user has access to.
 

packages/web/next.config.mjs

@@ -37,6 +37,18 @@ const nextConfig = {
                 source: "/.well-known/oauth-protected-resource/:path*",
                 destination: "/api/ee/.well-known/oauth-protected-resource/:path*",
             },
+            // Non-spec fallback: some MCP clients (observed in Claude Code and Cursor) guess
+            // /register as the Dynamic Client Registration endpoint (RFC 7591) when OAuth
+            // Authorization Server Metadata discovery fails entirely. This happens when the
+            // instance does not hold an enterprise license, causing all well-known endpoints
+            // to return 404. Per the MCP spec, clients should only attempt Dynamic Client
+            // Registration if the authorization server advertises a registration_endpoint in
+            // its metadata — guessing the URL is not spec-compliant behavior. This rewrite
+            // ensures those requests reach the actual endpoint rather than hitting a 404.
+            {
+                source: "/register",
+                destination: "/api/ee/oauth/register",
+            }
         ];
     },
     // This is required to support PostHog trailing slash API requests

packages/web/src/app/api/(server)/[...slug]/route.ts

@@ -0,0 +1,16 @@
+import { ErrorCode } from "@/lib/errorCodes"
+import { ServiceError } from "@/lib/serviceError"
+import { StatusCodes } from "http-status-codes"
+import { NextResponse } from "next/server"
+
+// Repeat for other methods or use a handler:
+const handler = () => NextResponse.json(
+    {
+        statusCode: StatusCodes.NOT_FOUND,
+        errorCode: ErrorCode.NOT_FOUND,
+        message: "This API endpoint does not exist",
+    } satisfies ServiceError,
+    { status: 404 }
+  )
+  
+  export { handler as GET, handler as POST, handler as PUT, handler as PATCH, handler as DELETE }

packages/web/src/app/api/(server)/ee/.well-known/oauth-authorization-server/route.ts

@@ -1,12 +1,13 @@
 import { apiHandler } from '@/lib/apiHandler';
 import { env, hasEntitlement } from '@sourcebot/shared';
+import { OAUTH_NOT_SUPPORTED_ERROR_MESSAGE } from '@/ee/features/oauth/constants';
 
 // RFC 8414: OAuth 2.0 Authorization Server Metadata
 // @see: https://datatracker.ietf.org/doc/html/rfc8414
 export const GET = apiHandler(async () => {
     if (!hasEntitlement('oauth')) {
         return Response.json(
-            { error: 'not_found', error_description: 'OAuth authorization server metadata is not available on this plan.' },
+            { error: 'not_found', error_description: OAUTH_NOT_SUPPORTED_ERROR_MESSAGE },
             { status: 404 }
         );
     }

packages/web/src/app/api/(server)/ee/.well-known/oauth-protected-resource/[...path]/route.ts

@@ -1,6 +1,7 @@
 import { apiHandler } from '@/lib/apiHandler';
 import { env, hasEntitlement } from '@sourcebot/shared';
 import { NextRequest } from 'next/server';
+import { OAUTH_NOT_SUPPORTED_ERROR_MESSAGE } from '@/ee/features/oauth/constants';
 
 // RFC 9728: OAuth 2.0 Protected Resource Metadata (path-specific form)
 // For a resource at /api/mcp, the well-known URI is /.well-known/oauth-protected-resource/api/mcp.
@@ -12,7 +13,7 @@ const PROTECTED_RESOURCES = new Set([
 export const GET = apiHandler(async (_request: NextRequest, { params }: { params: Promise<{ path: string[] }> }) => {
     if (!hasEntitlement('oauth')) {
         return Response.json(
-            { error: 'not_found', error_description: 'OAuth protected resource metadata is not available on this plan.' },
+            { error: 'not_found', error_description: OAUTH_NOT_SUPPORTED_ERROR_MESSAGE },
             { status: 404 }
         );
     }

packages/web/src/app/api/(server)/ee/.well-known/oauth-protected-resource/route.ts

@@ -4,6 +4,7 @@ import { prisma } from '@/prisma';
 import { hasEntitlement } from '@sourcebot/shared';
 import { NextRequest } from 'next/server';
 import { z } from 'zod';
+import { OAUTH_NOT_SUPPORTED_ERROR_MESSAGE } from '@/ee/features/oauth/constants';
 
 // RFC 7591: OAuth 2.0 Dynamic Client Registration
 // @see: https://datatracker.ietf.org/doc/html/rfc7591
@@ -16,7 +17,7 @@ const registerRequestSchema = z.object({
 export const POST = apiHandler(async (request: NextRequest) => {
     if (!hasEntitlement('oauth')) {
         return Response.json(
-            { error: 'access_denied', error_description: 'OAuth is not available on this plan. Please see https://sourcebot.dev/pricing' },
+            { error: 'access_denied', error_description: OAUTH_NOT_SUPPORTED_ERROR_MESSAGE },
             { status: 403 }
         );
     }

packages/web/src/app/api/(server)/ee/oauth/register/route.ts

@@ -2,14 +2,15 @@ import { revokeToken } from '@/ee/features/oauth/server';
 import { apiHandler } from '@/lib/apiHandler';
 import { hasEntitlement } from '@sourcebot/shared';
 import { NextRequest } from 'next/server';
+import { OAUTH_NOT_SUPPORTED_ERROR_MESSAGE } from '@/ee/features/oauth/constants';
 
 // RFC 7009: OAuth 2.0 Token Revocation
 // Always returns 200 regardless of whether the token existed.
 // @see: https://datatracker.ietf.org/doc/html/rfc7009
 export const POST = apiHandler(async (request: NextRequest) => {
     if (!hasEntitlement('oauth')) {
         return Response.json(
-            { error: 'access_denied', error_description: 'OAuth is not available on this plan. Please see https://sourcebot.dev/pricing' },
+            { error: 'access_denied', error_description: OAUTH_NOT_SUPPORTED_ERROR_MESSAGE },
             { status: 403 }
         );
     }

packages/web/src/app/api/(server)/ee/oauth/revoke/route.ts

@@ -2,14 +2,15 @@ import { verifyAndExchangeCode, verifyAndRotateRefreshToken, ACCESS_TOKEN_TTL_SE
 import { apiHandler } from '@/lib/apiHandler';
 import { hasEntitlement } from '@sourcebot/shared';
 import { NextRequest } from 'next/server';
+import { OAUTH_NOT_SUPPORTED_ERROR_MESSAGE } from '@/ee/features/oauth/constants';
 
 // OAuth 2.0 Token Endpoint
 // Supports grant_type=authorization_code with PKCE (RFC 7636).
 // @see: https://datatracker.ietf.org/doc/html/rfc6749#section-3.2
 export const POST = apiHandler(async (request: NextRequest) => {
     if (!hasEntitlement('oauth')) {
         return Response.json(
-            { error: 'access_denied', error_description: 'OAuth is not available on this plan. Please see https://sourcebot.dev/pricing' },
+            { error: 'access_denied', error_description: OAUTH_NOT_SUPPORTED_ERROR_MESSAGE },
             { status: 403 }
         );
     }

packages/web/src/app/api/(server)/ee/oauth/token/route.ts

@@ -0,0 +1,2 @@
+
+export const OAUTH_NOT_SUPPORTED_ERROR_MESSAGE = 'OAuth is not supported on this instance. Please authenticate using a Sourcebot API key instead. See https://docs.sourcebot.dev/docs/features/mcp-server for more information.';