Skip OAuth1 browser flow when access tokens are pre-provided #1
Merged
`build_oauth1_client` always called `run_oauth1_flow()`, which opens a
browser via `webbrowser.open` and binds a localhost listener on
127.0.0.1:8976 to receive the OAuth1 callback. This is a desktop flow
and cannot run in non-interactive environments — CI builds, hosted MCP
runtimes (e.g. FastMCP Cloud / Horizon), or anything without a display
and an in-process browser on the same machine.

When both `X_OAUTH_ACCESS_TOKEN` and `X_OAUTH_ACCESS_TOKEN_SECRET` are
set in the environment, use them directly and skip the browser flow.
Local behaviour is unchanged when either env var is unset — the
interactive flow still runs.

This also fixes a documentation/runtime mismatch: the README already
mentioned `X_OAUTH_ACCESS_TOKEN` as a way to supply a pre-generated
token, but the runtime never actually consumed it (it was only read by
`get_auth_headers`, which the request signing path doesn't use).

Workflow:

1. Run locally once with `X_OAUTH_PRINT_TOKENS=1 python server.py`
   to complete the interactive flow and capture both values.
2. Set the two env vars in your hosted environment.
3. Subsequent startups skip the browser entirely.
Summary

Lets us deploy this fork to FastMCP Cloud / Horizon.

`build_oauth1_client` always called `run_oauth1_flow()`, which opens a browser and binds a localhost listener on 127.0.0.1:8976 — a desktop flow that cannot run in a hosted build container.

When both `X_OAUTH_ACCESS_TOKEN` and `X_OAUTH_ACCESS_TOKEN_SECRET` are set, skip the browser flow and use them directly. Local behaviour is unchanged when either is unset.

Mirrors upstream PR: xdevplatform#14

Test plan

- `python -m py_compile server.py` passes
- fastmcp inspect) succeeds and `/mcp` serves over HTTPS

🤖 Generated with Claude Code
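
An added example, not code from this PR or the project: a sketch of the token selection the description outlines, using the two environment variable names from the PR. The names `resolve_oauth1_tokens`, `OAuth1Tokens` and `interactive_flow`, the whitespace handling, and the fail-fast behaviour when no interactive callback is supplied are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Mapping, Optional, Tuple

TOKEN_VAR = "X_OAUTH_ACCESS_TOKEN"            # variable names as given in the PR text
SECRET_VAR = "X_OAUTH_ACCESS_TOKEN_SECRET"


@dataclass(frozen=True)
class OAuth1Tokens:                            # hypothetical container, not the project's type
    access_token: str
    access_token_secret: str = field(repr=False)  # keeps the secret out of repr() and logs
    source: str = "env"


def resolve_oauth1_tokens(
    env: Mapping[str, str],
    interactive_flow: Optional[Callable[[], Tuple[str, str]]] = None,
) -> OAuth1Tokens:
    """Use pre-provided tokens only when BOTH are set; otherwise fall back.

    interactive_flow stands in for the browser flow. Passing None (assumed
    here to mean a hosted or CI runtime) makes a missing pair a hard error
    instead of a wait on a localhost callback that can never arrive.
    """
    token = env.get(TOKEN_VAR, "").strip()     # whitespace-only counts as unset
    secret = env.get(SECRET_VAR, "").strip()
    if token and secret:
        return OAuth1Tokens(token, secret, source="env")

    if token or secret:
        # Half a pair is almost always a deployment mistake: name the missing
        # variable, but never echo either value into the message.
        missing = SECRET_VAR if token else TOKEN_VAR
        hint = f"{missing} is unset or empty"
    else:
        hint = "neither token variable is set"

    if interactive_flow is None:
        raise RuntimeError(f"OAuth1 tokens not usable from environment: {hint}")
    new_token, new_secret = interactive_flow()
    return OAuth1Tokens(new_token, new_secret, source="interactive")
```
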