
@jerome3o-anthropic
Member

@jerome3o-anthropic jerome3o-anthropic commented Nov 28, 2025

Summary

  • Adds support for MCP_DANGEROUSLY_ALLOW_INSECURE_ISSUER_URL environment variable to relax the HTTPS requirement for OAuth issuer URLs
  • When set to true or 1, HTTP URLs are allowed for any hostname (not just localhost/127.0.0.1)
  • Logs a warning at server startup when enabled: "MCP_DANGEROUSLY_ALLOW_INSECURE_ISSUER_URL is enabled - HTTP issuer URLs are allowed. Do not use in production."
  • Useful for development/testing in Docker environments with custom hostnames where HTTPS is impractical

Test plan

  • Set MCP_DANGEROUSLY_ALLOW_INSECURE_ISSUER_URL=true and verify HTTP issuer URLs are accepted
  • Verify warning is logged once at startup
  • Verify HTTPS is still required when env var is not set
  • Verify localhost/127.0.0.1 still work without the flag

🤖 Generated with Claude Code

When MCP_DEV_MODE=true or MCP_DEV_MODE=1, the HTTPS requirement for
issuer URLs is relaxed. This is useful for development and testing
scenarios where HTTPS is impractical, such as Docker environments
with custom hostnames.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@jerome3o-anthropic jerome3o-anthropic requested a review from a team as a code owner November 28, 2025 15:26
@pkg-pr-new

pkg-pr-new bot commented Nov 28, 2025

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/sdk@1189

commit: c7c0eb7

@jerome3o-anthropic jerome3o-anthropic requested a review from a team as a code owner November 28, 2025 15:47
@jerome3o-anthropic jerome3o-anthropic merged commit 5e0302f into main Nov 28, 2025
10 checks passed
@jerome3o-anthropic jerome3o-anthropic deleted the jerome/allow-http-dev-mode branch November 28, 2025 15:53
@pcarleton
Member

post-hoc, this LGTM. We may want a similar option for non-https CIMD URLs
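
The decision order the PR summary describes (HTTPS always accepted, `localhost`/`127.0.0.1` exempt, any other HTTP host accepted only when the flag is `true` or `1`, one warning at startup), sketched as an added example that is not the SDK's implementation. The names `checkIssuerUrl`, `insecureIssuerAllowed` and `startupWarnings`, the rejection of non-HTTP schemes, and the sample hostnames are assumptions made for illustration.

```typescript
// Added example; not the SDK's implementation. Function and type names are hypothetical.
type Env = Record<string, string | undefined>;

const INSECURE_FLAG = "MCP_DANGEROUSLY_ALLOW_INSECURE_ISSUER_URL";
// The PR summary names these two hosts as exempt from the HTTPS requirement.
const LOOPBACK_HOSTS = ["localhost", "127.0.0.1"];

// Per the summary, only the exact values "true" and "1" enable the flag.
function insecureIssuerAllowed(env: Env): boolean {
  const value = env[INSECURE_FLAG];
  return value === "true" || value === "1";
}

interface IssuerDecision {
  allowed: boolean;
  reason: "https" | "loopback" | "insecure-flag" | "https-required" | "bad-scheme" | "invalid-url";
}

function checkIssuerUrl(raw: string, env: Env): IssuerDecision {
  let url: URL;
  try {
    url = new URL(raw);
  } catch (_err) {
    return { allowed: false, reason: "invalid-url" };
  }
  if (url.protocol === "https:") return { allowed: true, reason: "https" };
  // Assumption: the flag relaxes https -> http only; other schemes stay rejected.
  if (url.protocol !== "http:") return { allowed: false, reason: "bad-scheme" };
  if (LOOPBACK_HOSTS.indexOf(url.hostname) !== -1) return { allowed: true, reason: "loopback" };
  if (insecureIssuerAllowed(env)) return { allowed: true, reason: "insecure-flag" };
  return { allowed: false, reason: "https-required" };
}

// Call once at server startup so the warning is logged a single time.
function startupWarnings(env: Env): string[] {
  if (!insecureIssuerAllowed(env)) return [];
  return [`${INSECURE_FLAG} is enabled - HTTP issuer URLs are allowed. Do not use in production.`];
}

// Constructed sample inputs; a real server would pass process.env instead.
const samples = ["https://auth.example.com", "http://localhost:3000", "http://auth.internal:8080"];
for (const env of [{}, { [INSECURE_FLAG]: "true" }] as Env[]) {
  for (const w of startupWarnings(env)) console.warn(w);
  for (const s of samples) console.log(JSON.stringify(env), s, checkIssuerUrl(s, env).reason);
}
```

Returning the reason alongside the decision lets a deployment check or log query find issuers that were accepted only because of the flag (`insecure-flag`).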
