[Bug]: Access Token scoping not working

[shams858]

While creating an access token in the "Token Scoping" I specified a virtual server ID in "Server ID (Limit to specific server)" field. But when I list/invoke Virtual MCP Servers with that access token those restrictions doesn't apply. It executes all the Virtual MCP Servers even if they are not mentioned in the Token Scoping.

Example MCP request for List tools

curl --location 'http://localhost:4444/servers/d5bfbc608b46459992956aff678ccfb2/mcp' \ --header 'Content-Type: application/json' \ --header 'Accept: application/json, text/event-stream' \ --header 'Authorization: Bearer <access token>' \ --data '{ "jsonrpc": "2.0", "id": 1, "method": "tools/list", "params": {} }'

[shams858]

I believe the issue is that MCPPathRewriteMiddleware directly calls streamable_http_session.handle_streamable_http() instead of letting the request flow through the middleware stack to reach the mounted app.

Here's what's happening:

• Request comes to /servers/.../mcp
• MCPPathRewriteMiddleware intercepts it (before token scoping)
• It rewrites the path and directly handles the request
• Token scoping middleware never gets called