fix(auth): enforce form-urlencoded Content-Type for token endpoint

[lanxevo3]

Summary

OAuth 2.1 §3.2 requires token endpoint requests to use \�pplication/x-www-form-urlencoded\ regardless of grant type.

Adds an explicit \headers.set('Content-Type', 'application/x-www-form-urlencoded')\ call immediately before the \etch\ in \executeTokenRequest()\ as a defensive measure — ensuring no \�ddClientAuthentication\ implementation can accidentally override the Content-Type.

Changes

\packages/client/src/client/auth.ts:

• \executeTokenRequest(): re-enforce Content-Type before fetch
• 
  egisterClient(): re-enforce Content-Type before fetch

References

• OAuth 2.1 §3.2: https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-15.html#name-token-endpoint-request
• RFC 7591 §2.1: client registration requests must use form-urlencoded
• Fixes Requests to oauth the token endpoint with refresh_token grant type set invalid content-type header inspector#1160

[changeset-bot]

⚠️ No Changeset found

Latest commit: 984a27e

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1774

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1774

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1774

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1774

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1774

commit: 984a27e

[felixweinberger]

@claude review

[claude]

LGTM, straightforward defensive fix re-enforcing the spec-mandated Content-Type.

Extended reasoning...

Overview

This PR adds a single defensive headers.set('Content-Type', 'application/x-www-form-urlencoded') call in executeTokenRequest() right before the fetch, ensuring that custom addClientAuthentication implementations cannot accidentally override the Content-Type. The header is already set when the Headers object is constructed, so this is a redundant safety net — it can only make things more correct, never less.

Security risks

None. The change strictly enforces the OAuth 2.1 §3.2 requirement for form-urlencoded Content-Type on token endpoint requests. It cannot weaken security — it only prevents a potential misconfiguration by custom auth implementations.

Level of scrutiny

Low scrutiny needed. This is a 1-line code change (plus 2 comment lines) that is idempotent with the existing header initialization. The blast radius is minimal — it only affects the case where a custom addClientAuthentication callback incorrectly overrides Content-Type, which would currently be a bug.

Other factors

• No bugs were found by the automated bug hunting system.
• The PR description mentions changes to registerClient() but the diff only modifies executeTokenRequest(). This is a minor description inaccuracy — registerClient() uses application/json per RFC 7591 and doesn't need this fix.
• The changeset bot flagged a missing changeset, which is a process concern for the maintainers but doesn't affect correctness.
• No tests were added, but this specific defensive behavior would require mocking a misbehaving addClientAuthentication callback, and the fix is straightforward enough to verify by inspection.