Oauth in STDIO server

[SamMorrowDrums]

Hello from the GitHub MCP Server Maintainers 👋,

Shipping in v1.5.0: the local (stdio) server now supports OAuth 2.1 login, so you no longer need to create, store, and rotate a Personal Access Token. Log in through your browser on first use — the token is kept in memory only and is never written to disk.

📖 Full guide: Local Server OAuth Login

How it works

• The server prefers the authorization code flow with PKCE. It starts a loopback callback server on your machine, opens GitHub's authorization page, and exchanges the returned code for a token.
• On github.com, the official image and release binaries already include the GitHub App credentials, so there's nothing to configure — start the server and log in.
• On GitHub Enterprise (GHES / ghe.com), you bring your own OAuth App or GitHub App (--oauth-client-id + --gh-host). Both OAuth Apps and GitHub Apps are fully supported.

Headless or no browser?

There's a device-code fallback for SSH sessions, containers, and other headless environments — you'll get a code to enter on another device. If your client doesn't support URL elicitation, the server detects it, tells you, and falls back automatically.

Running in Docker

Docker needs a fixed callback port published to loopback so the container's login callback is reachable:

docker run -i --rm -p 127.0.0.1:8085:8085 -e GITHUB_OAUTH_CALLBACK_PORT=8085 ghcr.io/github/github-mcp-server

The native binary doesn't need this — it uses a random loopback port. Every install guide now leads with an OAuth config block in its client's own syntax.

Security

• PKCE binds the authorization code to the login attempt that started it.
• The token lives in memory only for the life of the process — nothing is persisted to disk.
• The callback server binds to loopback only.

We want your feedback! 💬

Auth is sensitive and this is new, so we want to hear what breaks:

• Did login work in your client / IDE / CLI? Tell us which one, your OS, and native vs Docker.
• Did the device-code fallback kick in when you expected it?
• Anything confusing or missing in the docs?

Drop a comment below — we're listening! 🙏

[ifabrish]

Yes