
MCP inspector OAuth token exchange proxy

POST /oauth/mcp-inspector/token
curl --request POST \
--url https://example.com/api/oauth/mcp-inspector/token \
--header 'Content-Type: application/json' \
--data '{ "grant_type": "authorization_code", "code": "example", "redirect_uri": "example", "code_verifier": "example", "refresh_token": "example", "client_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0" }'

Exchanges authorization codes or refresh tokens for the local MCP inspector. The endpoint proxies to the Supabase OAuth token exchange, so the anon key is used only server-side.

Media type application/json
object
grant_type (required, string): Allowed values: authorization_code, refresh_token
code (string): Required when grant_type is authorization_code
redirect_uri (string): Must be localhost/127.0.0.1 HTTP or https://local.apphandoff.com
code_verifier (string): PKCE code verifier (43-128 chars) for authorization_code flow
refresh_token (string): Required when grant_type is refresh_token
client_id (required, string, format: uuid)
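
The request constraints listed above, written as a server-side check. This is an added example, not the service's own code: the function names, error messages, and the handling of ports and paths are assumptions, and the code_verifier character set is taken from RFC 7636 rather than from this page.

```javascript
// Added example: hypothetical validator, not the service's own code.
const HTTPS_ORIGIN = "https://local.apphandoff.com";
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1"]);
const UUID_RE = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;
// Length from the page; character set from RFC 7636 (assumption for this API).
const VERIFIER_RE = /^[A-Za-z0-9._~-]{43,128}$/;

// Parse first, then compare components. A prefix or substring match would
// accept hosts that merely start with "localhost".
function isAllowedRedirectUri(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return false;
  }
  if (url.username || url.password) return false; // no userinfo section
  if (url.protocol === "http:") return LOOPBACK_HOSTS.has(url.hostname);
  return url.origin === HTTPS_ORIGIN; // assumption: default port, any path
}

// Returns the first message per field path, like the documented fieldErrors.
function validateTokenRequest(body) {
  const fieldErrors = {};
  const fail = (path, message) => {
    if (!(path in fieldErrors)) fieldErrors[path] = message;
  };
  const isStr = (v) => typeof v === "string" && v.length > 0;

  if (!["authorization_code", "refresh_token"].includes(body.grant_type)) {
    fail("grant_type", "must be authorization_code or refresh_token");
  }
  if (!isStr(body.client_id) || !UUID_RE.test(body.client_id)) {
    fail("client_id", "must be a UUID");
  }
  if (body.grant_type === "authorization_code" && !isStr(body.code)) {
    fail("code", "required when grant_type is authorization_code");
  }
  if (body.grant_type === "refresh_token" && !isStr(body.refresh_token)) {
    fail("refresh_token", "required when grant_type is refresh_token");
  }
  if (body.redirect_uri !== undefined && !isAllowedRedirectUri(body.redirect_uri)) {
    fail("redirect_uri", "must be loopback HTTP or https://local.apphandoff.com");
  }
  if (body.code_verifier !== undefined && !VERIFIER_RE.test(body.code_verifier)) {
    fail("code_verifier", "must be 43-128 unreserved characters");
  }
  return fieldErrors;
}
```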

Token exchange payload from Supabase

Media type application/json
object

Invalid request

Media type application/json
object
error (required, string): Human-readable error message
code (string): Stable machine-readable error code for client branching
fieldErrors (object): First validation message per field path
  key (additional properties): string
issues (Array<object>): Structured validation issues (Zod)
  path (required, string)
  message (required, string)
retryAfter (number): Seconds until rate limit resets (429 responses)

Rate limited

Media type application/json
object
error (required, string): Human-readable error message
code (string): Stable machine-readable error code for client branching
fieldErrors (object): First validation message per field path
  key (additional properties): string
issues (Array<object>): Structured validation issues (Zod)
  path (required, string)
  message (required, string)
retryAfter (number): Seconds until rate limit resets (429 responses)
retryAfter (number): Seconds until the rate limit resets
Retry-After (string)

Server error

Media type application/json
object
error (required, string): Human-readable error message
code (string): Stable machine-readable error code for client branching
fieldErrors (object): First validation message per field path
  key (additional properties): string
issues (Array<object>): Structured validation issues (Zod)
  path (required, string)
  message (required, string)
retryAfter (number): Seconds until rate limit resets (429 responses)