fix: unwrap JSON-RPC error envelope for MCP payment challenges#160
Merged
fix: unwrap JSON-RPC error envelope for MCP payment challenges#160
Conversation
When an MCP server returns a 402 payment challenge, the challenge data (chargeAmount, x402, mpp) is nested inside a JSON-RPC error envelope at error.data, not at the top level. The ATXPAccountHandler was parsing the top level, finding no challenge fields, and calling /authorize/auto without MPP challenges — causing a 400 from accounts. Plain Express servers return challenge fields at the top level (no envelope), so dev:resource worked while MCP servers like search failed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The response rewriter only hooked res.end(), but MCP Streamable HTTP
sends JSON-RPC responses as SSE "data: {...}" events via res.write().
The rewriter never saw the payment challenge data, so x402/mpp fields
were lost — causing /authorize/auto to fail with "At least one MPP
challenge is required" for MCP servers using SSE transport.
Now hooks both res.write and res.end, and tryRewritePaymentResponse
handles both SSE data lines and plain JSON bodies.
Also unwraps JSON-RPC error envelope in ATXPAccountHandler for cases
where the challenge data arrives as { error: { data: {...} } }.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
chargeAmount,x402,mpp) inside{ error: { code: -30402, data: { ... } } }— the handler was looking at the top level and finding nothingContext
Plain Express servers (dev:resource) return challenge fields at the top level, so they worked. MCP servers (search) wrap the 402 in a JSON-RPC error envelope, so
buildAuthorizeParamsreceived{}, produced no MPP challenges, and/authorize/autorejected with 400.Test plan
🤖 Generated with Claude Code