feat(web): [EE] OAuth2 authorization server with MCP support (#977)

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: brendan-kellam

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 - Added support a MCP streamable http transport hosted at `/api/mcp`. [#976](https://github.com/sourcebot-dev/sourcebot/pull/976)
+- [EE] Added support for Oauth 2.1 to the remote MCP server hosted at `/api/mcp`. [#977](https://github.com/sourcebot-dev/sourcebot/pull/977)
 
 ## [4.13.2] - 2026-03-02
 

CLAUDE.md

@@ -237,3 +237,4 @@ After the PR is created:
 - Update CHANGELOG.md with an entry under `[Unreleased]` linking to the new PR. New entries should be placed at the bottom of their section.
 - If the change touches `packages/mcp`, update `packages/mcp/CHANGELOG.md` instead
 - Do NOT add a CHANGELOG entry for documentation-only changes (e.g., changes only in `docs/`)
+- Enterprise-only features (gated by an entitlement) should be prefixed with `[EE]` in the CHANGELOG entry (e.g., `- [EE] Added support for ...`)

packages/db/prisma/migrations/20260304051539_add_oauth_tables/migration.sql

@@ -0,0 +1,47 @@
+-- CreateTable
+CREATE TABLE "OAuthClient" (
+    "id" TEXT NOT NULL,
+    "name" TEXT NOT NULL,
+    "redirectUris" TEXT[],
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "OAuthClient_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "OAuthAuthorizationCode" (
+    "codeHash" TEXT NOT NULL,
+    "clientId" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "redirectUri" TEXT NOT NULL,
+    "codeChallenge" TEXT NOT NULL,
+    "expiresAt" TIMESTAMP(3) NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "OAuthAuthorizationCode_pkey" PRIMARY KEY ("codeHash")
+);
+
+-- CreateTable
+CREATE TABLE "OAuthToken" (
+    "hash" TEXT NOT NULL,
+    "clientId" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "scope" TEXT NOT NULL DEFAULT '',
+    "expiresAt" TIMESTAMP(3) NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "lastUsedAt" TIMESTAMP(3),
+
+    CONSTRAINT "OAuthToken_pkey" PRIMARY KEY ("hash")
+);
+
+-- AddForeignKey
+ALTER TABLE "OAuthAuthorizationCode" ADD CONSTRAINT "OAuthAuthorizationCode_clientId_fkey" FOREIGN KEY ("clientId") REFERENCES "OAuthClient"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "OAuthAuthorizationCode" ADD CONSTRAINT "OAuthAuthorizationCode_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "OAuthToken" ADD CONSTRAINT "OAuthToken_clientId_fkey" FOREIGN KEY ("clientId") REFERENCES "OAuthClient"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "OAuthToken" ADD CONSTRAINT "OAuthToken_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;

packages/db/prisma/migrations/20260304212808_add_oauth_client_logo_uri/migration.sql

@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "OAuthClient" ADD COLUMN     "logoUri" TEXT;

packages/db/prisma/migrations/20260304230353_add_oauth_resource_parameter/migration.sql

@@ -0,0 +1,5 @@
+-- AlterTable
+ALTER TABLE "OAuthAuthorizationCode" ADD COLUMN     "resource" TEXT;
+
+-- AlterTable
+ALTER TABLE "OAuthToken" ADD COLUMN     "resource" TEXT;

packages/db/prisma/migrations/20260304233124_add_oauth_refresh_tokens/migration.sql

@@ -0,0 +1,21 @@
+-- CreateTable
+CREATE TABLE "OAuthRefreshToken" (
+    "hash" TEXT NOT NULL,
+    "clientId" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "scope" TEXT NOT NULL DEFAULT '',
+    "resource" TEXT,
+    "expiresAt" TIMESTAMP(3) NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "OAuthRefreshToken_pkey" PRIMARY KEY ("hash")
+);
+
+-- CreateIndex
+CREATE INDEX "OAuthRefreshToken_clientId_userId_idx" ON "OAuthRefreshToken"("clientId", "userId");
+
+-- AddForeignKey
+ALTER TABLE "OAuthRefreshToken" ADD CONSTRAINT "OAuthRefreshToken_clientId_fkey" FOREIGN KEY ("clientId") REFERENCES "OAuthClient"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "OAuthRefreshToken" ADD CONSTRAINT "OAuthRefreshToken_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;

packages/db/prisma/schema.prisma

@@ -365,6 +365,10 @@ model User {
   chats Chat[]
   sharedChats ChatAccess[]
 
+  oauthTokens        OAuthToken[]
+  oauthAuthCodes     OAuthAuthorizationCode[]
+  oauthRefreshTokens OAuthRefreshToken[]
+
   createdAt DateTime @default(now())
   updatedAt DateTime @updatedAt
 
@@ -485,3 +489,64 @@ model ChatAccess {
 
   @@unique([chatId, userId])
 }
+
+// OAuth2 Authorization Server models
+// @see: https://datatracker.ietf.org/doc/html/rfc6749
+
+/// A registered OAuth2 client application (e.g. Claude Desktop, Cursor).
+/// Created via dynamic client registration (RFC 7591) at POST /api/ee/oauth/register.
+model OAuthClient {
+  id           String   @id @default(cuid())
+  name         String
+  logoUri      String?
+  redirectUris String[]
+  createdAt    DateTime @default(now())
+
+  authCodes     OAuthAuthorizationCode[]
+  tokens        OAuthToken[]
+  refreshTokens OAuthRefreshToken[]
+}
+
+/// A short-lived authorization code issued during the OAuth2 authorization code flow.
+/// Single-use and expires after 10 minutes. Stores the PKCE code challenge.
+model OAuthAuthorizationCode {
+  codeHash      String   @id // hashSecret(rawCode)
+  clientId      String
+  client        OAuthClient @relation(fields: [clientId], references: [id], onDelete: Cascade)
+  userId        String
+  user          User        @relation(fields: [userId], references: [id], onDelete: Cascade)
+  redirectUri   String
+  codeChallenge String // BASE64URL(SHA-256(codeVerifier))
+  resource      String? // RFC 8707: canonical URI of the target resource server
+  expiresAt     DateTime
+  createdAt     DateTime    @default(now())
+}
+
+/// An opaque OAuth2 refresh token. Single-use with rotation (RFC 6749 Section 10.4, OAuth 2.1 Section 4.3.1).
+model OAuthRefreshToken {
+  hash      String   @id // hashSecret(rawToken secret portion)
+  clientId  String
+  client    OAuthClient @relation(fields: [clientId], references: [id], onDelete: Cascade)
+  userId    String
+  user      User        @relation(fields: [userId], references: [id], onDelete: Cascade)
+  scope     String      @default("")
+  resource  String? // RFC 8707
+  expiresAt DateTime
+  createdAt DateTime    @default(now())
+
+  @@index([clientId, userId])
+}
+
+/// An opaque OAuth2 access token. The raw token is never stored — only its HMAC-SHA256 hash.
+model OAuthToken {
+  hash       String   @id // hashSecret(rawToken secret portion)
+  clientId   String
+  client     OAuthClient @relation(fields: [clientId], references: [id], onDelete: Cascade)
+  userId     String
+  user       User        @relation(fields: [userId], references: [id], onDelete: Cascade)
+  scope      String      @default("")
+  resource   String? // RFC 8707: canonical URI of the target resource server
+  expiresAt  DateTime
+  createdAt  DateTime    @default(now())
+  lastUsedAt DateTime?
+}

packages/shared/src/constants.ts

@@ -3,6 +3,15 @@ import { ConfigSettings, IdentityProviderType } from "./types.js";
 
 export const SOURCEBOT_SUPPORT_EMAIL = 'team@sourcebot.dev';
 
+/**
+ * @deprecated Use API_KEY_PREFIX instead.
+ */
+export const LEGACY_API_KEY_PREFIX = 'sourcebot-';
+
+export const API_KEY_PREFIX = 'sbk_';
+export const OAUTH_ACCESS_TOKEN_PREFIX = 'sboa_';
+export const OAUTH_REFRESH_TOKEN_PREFIX = 'sbor_';
+
 export const SOURCEBOT_UNLIMITED_SEATS = -1;
 
 /**

packages/shared/src/crypto.ts

@@ -4,6 +4,7 @@ import { z } from 'zod';
 import { env } from './env.server.js';
 import { Token } from '@sourcebot/schemas/v3/shared.type';
 import { SecretManagerServiceClient } from "@google-cloud/secret-manager";
+import { API_KEY_PREFIX, OAUTH_ACCESS_TOKEN_PREFIX, OAUTH_REFRESH_TOKEN_PREFIX } from './constants.js';
 
 const algorithm = 'aes-256-cbc';
 const ivLength = 16; // 16 bytes for CBC
@@ -35,7 +36,27 @@ export function generateApiKey(): { key: string; hash: string } {
     const hash = hashSecret(secret);
 
     return {
-        key: `sourcebot-${secret}`,
+        key: `${API_KEY_PREFIX}${secret}`,
+        hash,
+    };
+}
+
+export function generateOAuthToken(): { token: string; hash: string } {
+    const secret = crypto.randomBytes(32).toString('hex');
+    const hash = hashSecret(secret);
+
+    return {
+        token: `${OAUTH_ACCESS_TOKEN_PREFIX}${secret}`,
+        hash,
+    };
+}
+
+export function generateOAuthRefreshToken(): { token: string; hash: string } {
+    const secret = crypto.randomBytes(32).toString('hex');
+    const hash = hashSecret(secret);
+
+    return {
+        token: `${OAUTH_REFRESH_TOKEN_PREFIX}${secret}`,
         hash,
     };
 }

packages/shared/src/entitlements.ts

@@ -40,7 +40,8 @@ const entitlements = [
     "permission-syncing",
     "github-app",
     "chat-sharing",
-    "org-management"
+    "org-management",
+    "oauth",
 ] as const;
 export type Entitlement = (typeof entitlements)[number];
 
@@ -58,6 +59,7 @@ const entitlementsByPlan: Record<Plan, Entitlement[]> = {
         "github-app",
         "chat-sharing",
         "org-management",
+        "oauth",
     ],
     "self-hosted:enterprise-unlimited": [
         "anonymous-access",
@@ -70,6 +72,7 @@ const entitlementsByPlan: Record<Plan, Entitlement[]> = {
         "github-app",
         "chat-sharing",
         "org-management",
+        "oauth",
     ],
 } as const;