From 7bf7b0a1e1d4e7a37ce3397e8eb806c9e0d942ef Mon Sep 17 00:00:00 2001 From: Eleftheria Stein-Kousathana Date: Mon, 10 Nov 2025 09:51:45 +0100 Subject: [PATCH 1/2] Add docs for resource indicator --- docs/toolhive/guides-cli/run-mcp-servers.mdx | 24 ++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/docs/toolhive/guides-cli/run-mcp-servers.mdx b/docs/toolhive/guides-cli/run-mcp-servers.mdx index 0f1875a..5d323a9 100644 --- a/docs/toolhive/guides-cli/run-mcp-servers.mdx +++ b/docs/toolhive/guides-cli/run-mcp-servers.mdx @@ -728,6 +728,30 @@ thv run https://api.example.com/mcp \ --remote-auth-scopes read,write,admin ``` +#### Resource indicator (RFC 8707) + +When authenticating to remote MCP servers, you can specify a resource indicator +as defined by [RFC 8707](https://www.rfc-editor.org/rfc/rfc8707.html). This +allows the authorization server to return an access token with a scoped +audience, which will then be passed to and validated by the remote MCP server. + +By default, ToolHive automatically uses the remote server URL as the resource +indicator when authenticating. The URL is validated, normalized (lowercase +scheme and host, fragments stripped), and included in the OAuth token request. + +To explicitly set a different resource indicator, use the +`--remote-auth-resource` flag: + +```bash +thv run https://api.example.com/mcp \ + ... \ + --remote-auth-resource https://api.example.com +``` + +The resource parameter must include a scheme and host, and cannot contain +fragments. If you provide an invalid resource parameter, ToolHive will return an +error. + #### Custom authentication timeout Adjust the authentication timeout for slow networks: From 4d0ca3420c2e73c9af81d12dd6765edad144848b Mon Sep 17 00:00:00 2001 From: Eleftheria Stein-Kousathana Date: Mon, 10 Nov 2025 09:58:46 +0100 Subject: [PATCH 2/2] Update docs/toolhive/guides-cli/run-mcp-servers.mdx Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docs/toolhive/guides-cli/run-mcp-servers.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/toolhive/guides-cli/run-mcp-servers.mdx b/docs/toolhive/guides-cli/run-mcp-servers.mdx index 5d323a9..4e2bce9 100644 --- a/docs/toolhive/guides-cli/run-mcp-servers.mdx +++ b/docs/toolhive/guides-cli/run-mcp-servers.mdx @@ -731,7 +731,7 @@ thv run https://api.example.com/mcp \ #### Resource indicator (RFC 8707) When authenticating to remote MCP servers, you can specify a resource indicator -as defined by [RFC 8707](https://www.rfc-editor.org/rfc/rfc8707.html). This +as defined by [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707). This allows the authorization server to return an access token with a scoped audience, which will then be passed to and validated by the remote MCP server.