MCP OAuth token endpoint proxy (authorization_code + refresh_token)
JavaScript:

```javascript
const url = 'https://example.com/api/oauth/token';
const options = {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  // OAuth 2.1 form-encoded body; resource is the optional RFC 8707 indicator
  body: new URLSearchParams({
    grant_type: 'refresh_token',
    refresh_token: 'example',
    client_id: '2489E9AD-2EE2-8E00-8EC9-32D5F69181C0',
    resource: 'https://example.com',
  }),
};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}
```

cURL:

```sh
curl --request POST \
  --url https://example.com/api/oauth/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data grant_type=refresh_token \
  --data refresh_token=example \
  --data client_id=2489E9AD-2EE2-8E00-8EC9-32D5F69181C0 \
  --data resource=https://example.com
```

Forwards authorization_code and refresh_token grants to Supabase
/auth/v1/oauth/token. Discovered as token_endpoint from
/.well-known/oauth-authorization-server for MCP clients.
Accepts both application/x-www-form-urlencoded (OAuth 2.1 standard) and
application/json request bodies.
RFC 8707 (Resource Indicators): clients MAY include an optional
resource parameter. When present, the value must equal the canonical
API base URL (case-insensitive scheme/host; trailing slash tolerated);
mismatches return invalid_target (HTTP 400). The value is forwarded
upstream so future Supabase versions that honor RFC 8707 populate the
JWT aud claim.
Request Body (required)

The same body schema applies to application/x-www-form-urlencoded and application/json requests.

refresh_token grant (object):
- resource: RFC 8707 resource indicator. Optional; when provided, must equal the canonical API base URL (case-insensitive scheme/host; trailing slash tolerated). Mismatch returns invalid_target.

authorization_code grant (object):
- redirect_uri: Must be https://, http://localhost/127.0.0.1/[::1], or a registered custom app scheme. javascript:, data:, file:, vbscript: are denylisted.
- code_verifier: PKCE verifier; the AS metadata advertises S256-only.
- resource: RFC 8707 resource indicator (see refresh_token grant).
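The resource-indicator rule described above and the redirect_uri rules in the request body, as an added example written here rather than taken from the proxy's own code. CANONICAL_API_URL, the registered custom app-scheme set and the returned result shape (ok/status/error/code) are assumptions; the error codes are the ones this page lists.

```javascript
// Added example, not the proxy's own code: the resource and redirect_uri checks
// this page documents, as plain functions. CANONICAL_API_URL, the registered
// app-scheme set and the returned error shape are assumptions.
const CANONICAL_API_URL = 'https://example.com'; // assumed canonical API base URL
const REGISTERED_APP_SCHEMES = new Set(['com.example.app:']); // assumed registry
const DENYLISTED_SCHEMES = new Set(['javascript:', 'data:', 'file:', 'vbscript:']);
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Comparison form: WHATWG URL already lower-cases scheme and host; trailing
// slashes are dropped so "https://example.com/" equals "https://example.com".
// Path case, query and fragment are kept, so any difference there is a mismatch.
function canonicalForm(u) {
  return `${u.protocol}//${u.host}${u.pathname.replace(/\/+$/, '')}${u.search}${u.hash}`;
}

// RFC 8707 resource indicator: optional, but when present it must equal the
// canonical API base URL; otherwise the request fails with invalid_target (400).
function checkResource(resource, canonical = CANONICAL_API_URL) {
  if (resource === undefined || resource === null || resource === '') {
    return { ok: true }; // omitted: nothing to compare, nothing forwarded
  }
  const mismatch = { ok: false, status: 400, error: 'invalid_target', code: 'INVALID_RESOURCE' };
  let got;
  try {
    got = new URL(String(resource));
  } catch {
    return mismatch; // not even a URL
  }
  if (canonicalForm(got) !== canonicalForm(new URL(canonical))) return mismatch;
  return { ok: true, resource: String(resource) }; // forwarded upstream as sent
}

// redirect_uri: https, http only on loopback hosts, or a registered custom app
// scheme. Script-capable schemes are refused before anything else is considered.
function checkRedirectUri(redirectUri, registered = REGISTERED_APP_SCHEMES) {
  const reject = { ok: false, status: 400, error: 'invalid_request', code: 'INVALID_BODY' };
  let u;
  try {
    u = new URL(String(redirectUri));
  } catch {
    return reject;
  }
  if (DENYLISTED_SCHEMES.has(u.protocol)) return reject;
  if (u.protocol === 'https:') return { ok: true };
  if (u.protocol === 'http:') return LOOPBACK_HOSTS.has(u.hostname) ? { ok: true } : reject;
  return registered.has(u.protocol) ? { ok: true } : reject;
}
```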
Responses

Success: token payload from Supabase (object).

Invalid request (HTTP 400): error object. Error codes:
- INVALID_BODY: schema validation failure
- INVALID_RESOURCE: resource parameter does not match canonical API URL

Rate limited (HTTP 429): error object.
Headers: seconds until the rate limit resets.

Server error: error object.

Upstream Supabase token exchange error: error object.

Error object (shared by all error responses):
- Human-readable error message
- Stable machine-readable error code for client branching
- First validation message per field path (object)
- Structured validation issues (Zod) (object)
- Seconds until rate limit resets (429 responses)