Commit a66f8f3

Update authorization.mdx
1 parent 6f4714c commit a66f8f3

1 file changed

+30
-0
lines changed

docs/specification/draft/basic/authorization.mdx

Lines changed: 30 additions & 0 deletions
@@ -200,6 +200,36 @@ to explicitly specify the target resource for which the token is being requested
200200
2. **MUST** identify the MCP server that the client intends to use the token with.
201201
3. **MUST** use the canonical URI of the MCP server as defined in [RFC 8707 Section 2](https://www.rfc-editor.org/rfc/rfc8707.html#name-access-token-request).
202202

203+
##### Canonical Server URI
204+
205+
For the purposes of this specification, the canonical URI of an MCP server is defined as the resource identifier as specified in
206+
[RFC 8707 Section 2](https://www.rfc-editor.org/rfc/rfc8707.html#section-2) and aligns with the `resource` parameter in
207+
[RFC 9728](https://datatracker.ietf.org/doc/html/rfc9728). This URI:
208+
209+
1. **MUST** be an absolute URI, as specified by [Section 4.3 of RFC 3986](https://www.rfc-editor.org/rfc/rfc3986#section-4.3).
210+
2. **MUST** include the protocol scheme (e.g., `https://`).
211+
3. **MUST** include the fully qualified domain name (FQDN) of the server.
212+
4. **MUST** include any non-default port if applicable (e.g., `https://mcp.example.com:8443`).
213+
5. **MUST NOT** include a fragment component.
214+
6. **SHOULD NOT** include a query component unless necessary for MCP server identification.
215+
7. **SHOULD NOT** include path components beyond what is necessary to uniquely identify the MCP server.
216+
8. **MUST** use lowercase for the scheme and host components.
217+
218+
MCP clients **SHOULD** provide the most specific URI that they can for the MCP server they intend to access.
219+
220+
Examples of valid canonical URIs:
221+
222+
- `https://mcp.example.com`
223+
- `https://mcp.example.com:8443`
224+
- `https://mcp.example.com/server` (when path component is necessary to identify individual MCP server)
225+
226+
Examples of invalid canonical URIs:
227+
228+
- `https://mcp.example.com/` (contains trailing slash)
229+
- `mcp.example.com` (missing scheme)
230+
- `HTTPS://MCP.EXAMPLE.COM` (non-lowercase components)
231+
- `https://mcp.example.com#fragment` (contains fragment)
232+
203233
For example, if accessing an MCP server at `https://mcp.example.com`, the authorization request would include:
204234

205235
```
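
Review bot: The invalid example `https://mcp.example.com/` (contains trailing slash) in the "Examples of invalid canonical URIs" list is not backed by any of the eight numbered requirements: none of them mentions a trailing slash, and the closest one, item 7, is only a SHOULD NOT on extra path components. Because this value is what the client sends as the `resource` identifier, the list and the rules should agree: either add an explicit requirement covering a trailing slash on an otherwise empty path, or move this example out of the invalid list and describe it as discouraged. Item 3 (MUST include the FQDN) also leaves it unstated whether an IP literal or `localhost` can ever be a canonical URI; a sentence on that would help. Minor: the new paragraph links RFC 8707 Section 2 with `#section-2` while the unchanged item 3 just above the heading links the same section with `#name-access-token-request`, and the RFC 9728 link points at datatracker.ietf.org while the other RFC links use rfc-editor.org; use one form throughout.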
