docs: Add MCP storage adapter documentation for PR #652

This PR introduces a storage adapter architecture for the MCP client manager,
allowing custom storage backends for MCP server configurations.

Changes:
- Created advanced-client-api.mdx documenting the MCPStorageAdapter interface
- Added security section to oauth-mcp-client.mdx about callback URL clearing
- Updated mcp-client-api.mdx to link to advanced configuration guide

These docs explain the new storage adapter pattern, OAuth security improvements,
and provide examples for implementing custom storage backends.

Related: cloudflare/agents#652

Author: github-actions[bot]

src/content/docs/agents/guides/oauth-mcp-client.mdx

@@ -409,7 +409,26 @@ export default {
 
 </TypeScriptExample>
 
+## Security considerations
+
+The Agents SDK implements several security measures for OAuth flows:
+
+### Callback URL clearing
+
+After successful OAuth authentication, the SDK automatically clears both the `callback_url` and `auth_url` from storage. This prevents malicious actors from reusing callback URLs to impersonate authenticated connections.
+
+### State parameter validation
+
+The SDK validates that OAuth state parameters match the expected values during callback processing, preventing CSRF attacks.
+
+### Token storage
+
+OAuth tokens are stored securely in Durable Object storage and are never exposed to the client. The SDK handles token refresh automatically when needed.
+
+For advanced security configurations or custom storage implementations, refer to the [Advanced MCP Client Configuration](/agents/model-context-protocol/advanced-client-api/) guide.
+
 ## Related
 
 - [Connect to an MCP server](/agents/guides/connect-mcp-client) — Get started tutorial (no OAuth)
 - [McpClient — API reference](/agents/model-context-protocol/mcp-client-api/) — Complete API documentation
+- [Advanced MCP Client Configuration](/agents/model-context-protocol/advanced-client-api/) — Custom storage and security

src/content/docs/agents/model-context-protocol/advanced-client-api.mdx

@@ -0,0 +1,209 @@
+---
+title: Advanced MCP Client Configuration
+pcx_content_type: concept
+tags:
+  - MCP
+sidebar:
+  order: 8
+---
+
+import { TypeScriptExample } from "~/components";
+
+The MCP client implementation in the Agents SDK uses a modular architecture with pluggable storage adapters. This allows you to customize how MCP server connections are persisted and managed.
+
+## Storage Adapter Architecture
+
+The `MCPClientManager` uses a storage adapter pattern to decouple storage logic from the client management logic. By default, the `Agent` class provides a SQL-based storage adapter (`AgentMCPStorageAdapter`) that stores MCP server configurations in Durable Object SQL storage.
+
+### Default SQL Storage
+
+The Agent class automatically creates and manages MCP server storage using SQL:
+
+<TypeScriptExample>
+
+```ts title="src/index.ts"
+import { Agent } from "agents";
+
+export class MyAgent extends Agent<Env, never> {
+	async onRequest(request: Request): Promise<Response> {
+		// The `this.mcp` client manager is already configured with SQL storage
+		const { id, authUrl } = await this.addMcpServer(
+			"Weather API",
+			"https://weather-mcp.example.com/mcp",
+		);
+
+		return new Response(JSON.stringify({ id, authUrl }));
+	}
+}
+```
+
+</TypeScriptExample>
+
+Under the hood, this creates a table named `cf_agents_mcp_servers` with the following schema:
+
+```sql
+CREATE TABLE IF NOT EXISTS cf_agents_mcp_servers (
+  id TEXT PRIMARY KEY NOT NULL,
+  name TEXT NOT NULL,
+  server_url TEXT NOT NULL,
+  callback_url TEXT NOT NULL,
+  client_id TEXT,
+  auth_url TEXT,
+  server_options TEXT
+)
+```
+
+### Storage Adapter Interface
+
+If you need custom storage behavior (such as storing MCP configurations in KV, R2, or an external database), you can implement the `MCPStorageAdapter` interface:
+
+<TypeScriptExample>
+
+```ts title="src/custom-storage.ts"
+import type { MCPStorageAdapter, MCPServerRow } from "agents/mcp";
+
+export class CustomStorageAdapter implements MCPStorageAdapter {
+	constructor(private kv: KVNamespace) {}
+
+	async create(): Promise<void> {
+		// Initialize storage (if needed)
+	}
+
+	async destroy(): Promise<void> {
+		// Clean up storage
+		await this.kv.delete("mcp_servers");
+	}
+
+	async saveServer(server: MCPServerRow): Promise<void> {
+		const servers = await this.listServers();
+		const updated = servers.filter((s) => s.id !== server.id);
+		updated.push(server);
+		await this.kv.put("mcp_servers", JSON.stringify(updated));
+	}
+
+	async removeServer(serverId: string): Promise<void> {
+		const servers = await this.listServers();
+		const filtered = servers.filter((s) => s.id !== serverId);
+		await this.kv.put("mcp_servers", JSON.stringify(filtered));
+	}
+
+	async listServers(): Promise<MCPServerRow[]> {
+		const data = await this.kv.get("mcp_servers", "json");
+		return (data as MCPServerRow[]) || [];
+	}
+
+	async getServerByCallbackUrl(
+		callbackUrl: string,
+	): Promise<MCPServerRow | null> {
+		const servers = await this.listServers();
+		return servers.find((s) => s.callback_url === callbackUrl) || null;
+	}
+
+	async clearOAuthCredentials(serverId: string): Promise<void> {
+		const servers = await this.listServers();
+		const server = servers.find((s) => s.id === serverId);
+		if (server) {
+			server.callback_url = "";
+			server.auth_url = null;
+			await this.saveServer(server);
+		}
+	}
+}
+```
+
+</TypeScriptExample>
+
+### Using a Custom Storage Adapter
+
+To use a custom storage adapter with `MCPClientManager`, you need to instantiate the manager yourself:
+
+<TypeScriptExample>
+
+```ts title="src/index.ts"
+import { MCPClientManager } from "agents/mcp";
+import { CustomStorageAdapter } from "./custom-storage";
+
+type Env = {
+	MCP_STORAGE: KVNamespace;
+};
+
+export class MyAgent extends Agent<Env, never> {
+	mcp!: MCPClientManager;
+
+	constructor(ctx: AgentContext, env: Env) {
+		super(ctx, env);
+
+		// Override the default MCP client manager with custom storage
+		this.mcp = new MCPClientManager("MyAgent", "1.0.0", {
+			storage: new CustomStorageAdapter(env.MCP_STORAGE),
+		});
+	}
+
+	async onRequest(request: Request): Promise<Response> {
+		// Use MCP client as normal
+		const { id } = await this.addMcpServer(
+			"Weather API",
+			"https://weather-mcp.example.com/mcp",
+		);
+
+		return new Response(`Connected: ${id}`);
+	}
+}
+```
+
+</TypeScriptExample>
+
+## OAuth Security
+
+The storage adapter plays a critical role in OAuth security. After successful OAuth authentication, the adapter's `clearOAuthCredentials()` method is called to:
+
+1. Clear the `callback_url` to prevent replay attacks from malicious second callbacks
+2. Clear the `auth_url` so the Agent does not continuously prompt for OAuth on reconnection
+
+This security measure is handled automatically by the `MCPClientManager` during the OAuth callback flow.
+
+## Connection Restoration
+
+When an Agent hibernates and wakes up (for example, after receiving a request), the `MCPClientManager` automatically restores MCP server connections from storage by calling `listServers()` and recreating the connection state.
+
+The restoration process:
+
+1. Calls `listServers()` to get all persisted MCP server configurations
+2. For servers with `auth_url` (OAuth servers), creates connections in "authenticating" state
+3. For servers without `auth_url` (authenticated servers), reconnects immediately
+4. Maintains connection state across hibernation cycles
+
+## Performance Considerations
+
+### Callback URL Caching
+
+The `MCPClientManager` maintains an in-memory cache of callback URLs to optimize the `isCallbackRequest()` check. This avoids database queries for every incoming request.
+
+The cache is:
+
+- Lazily populated on the first callback check
+- Automatically invalidated when servers are added or removed
+- Refreshed from storage when needed
+
+### Storage Adapter Design
+
+When implementing a custom storage adapter, consider:
+
+- **Read performance**: `listServers()` is called during Agent initialization/restoration
+- **Write performance**: `saveServer()` is called when connecting to MCP servers
+- **Callback lookups**: `getServerByCallbackUrl()` is called during OAuth callbacks
+- **Security**: `clearOAuthCredentials()` must be atomic to prevent security issues
+
+## Migration Guide
+
+If you are upgrading from a previous version of the Agents SDK and have existing MCP server connections stored in SQL, no migration is required. The default `AgentMCPStorageAdapter` uses the same SQL table schema and will work with existing data.
+
+However, note the following behavior change:
+
+- **OAuth credentials**: After successful OAuth authentication, both `callback_url` and `auth_url` are now cleared from storage. This is a security improvement to prevent replay attacks.
+
+## Related
+
+- [MCP Client API reference](/agents/model-context-protocol/mcp-client-api/) — High-level Agent methods for MCP
+- [OAuth handling guide](/agents/guides/oauth-mcp-client/) — Complete OAuth integration guide
+- [Transport options](/agents/model-context-protocol/transport/) — Transport configuration

src/content/docs/agents/model-context-protocol/mcp-client-api.mdx

@@ -272,7 +272,12 @@ export class MyAgent extends Agent<Env, never> {
 
 </TypeScriptExample>
 
+## Advanced Configuration
+
+The MCP client implementation uses a modular storage adapter architecture. By default, the Agent class handles storage automatically using Durable Object SQL. For advanced use cases such as custom storage backends or fine-grained control over connection management, refer to the [Advanced MCP Client Configuration](/agents/model-context-protocol/advanced-client-api/) guide.
+
 ## Next Steps
 
 - [Connect your first MCP server](/agents/guides/connect-mcp-client) — Tutorial to get started
 - [Handle OAuth flows](/agents/guides/oauth-mcp-client) — Complete OAuth integration guide
+- [Advanced MCP Client Configuration](/agents/model-context-protocol/advanced-client-api/) — Custom storage adapters and internal architecture