From 88411de7274deced4f018fedf4430b7cc774a318 Mon Sep 17 00:00:00 2001
From: Timmyy3000
Date: Fri, 15 May 2026 12:47:41 +0100
Subject: [PATCH] fix(oauth): advertise mcp scope in auth metadata

Co-authored-by: Codex
---
 lib/auth.ts | 1 +
 tests/mcp-oauth.test.ts | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/lib/auth.ts b/lib/auth.ts
index 501829e..676871d 100644
--- a/lib/auth.ts
+++ b/lib/auth.ts
@@ -19,6 +19,7 @@ export const auth = betterAuth({
 organization(),
 jwt(),
 oauthProvider({
+ scopes: ["openid", "profile", "email", "offline_access", "mcp"],
 validAudiences: [MCP_RESOURCE],
 // TODO: rate-limit /api/auth/oauth2/register per IP before relying on this in untrusted environments.
 allowDynamicClientRegistration: true,
diff --git a/tests/mcp-oauth.test.ts b/tests/mcp-oauth.test.ts
index dd8bd4d..62755f0 100644
--- a/tests/mcp-oauth.test.ts
+++ b/tests/mcp-oauth.test.ts
@@ -194,6 +194,9 @@ describe("MCP discovery", () => {
 `${APP_URL}/api/auth/oauth2/authorize`,
 );
 expect(body.token_endpoint).toBe(`${APP_URL}/api/auth/oauth2/token`);
+ expect(body.scopes_supported).toEqual(
+ expect.arrayContaining(["openid", "profile", "email", "offline_access", "mcp"]),
+ );
 });
 });
 describe("MCP route methods", () => {
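Review bot: The new `scopes` entry in `oauthProvider({ ... })` makes `offline_access` and `mcp` requestable on a provider that keeps `allowDynamicClientRegistration: true`, and the TODO two lines below says the register endpoint is not yet rate-limited. Nothing in this hunk shows a limit on which scopes a self-registered client may be granted, so such a client can presumably ask for refresh tokens and MCP access, with user consent as the only gate. If the plugin offers a way to restrict scopes for dynamically registered clients, set it here. Otherwise record the decision next to the list, for example `// Requestable by any client, incl. dynamically registered ones; the MCP route must still check for "mcp" on the token.` Whether the MCP route performs that check is not visible here, and the options object starts and ends outside the hunk.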
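Review bot: The added assertion on `body.scopes_supported` uses `expect.arrayContaining`, so it still passes if the metadata advertises scopes beyond the five intended ones. For a security-relevant allowlist an exact comparison catches accidental additions, e.g. `expect([...body.scopes_supported].sort()).toEqual(["email", "mcp", "offline_access", "openid", "profile"]);`, assuming the provider adds no scopes of its own. The test also covers only what discovery advertises. A companion case asserting that a token issued without `mcp` is rejected by the MCP route would pin the enforcement side, if one does not already exist elsewhere in this file.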