Merge branch 'main' into add-systemprompt-client

Ejb503 · web-flow · commit c23ca1aab53a · 2025-06-17T21:31:29.000+02:00
diff --git a/docs/clients.mdx b/docs/clients.mdx
@@ -545,11 +545,13 @@ Programmatically assemble prompts for LLMs using [GenAIScript](https://microsoft
 - [MindPal MCP Documentation](https://docs.mindpal.io/agent/mcp)
 
 ### MooPoint
+
 [MooPoint](https://moopoint.io)
 
 MooPoint is a web-based AI chat platform built for developers and advanced users, letting you interact with multiple large language models (LLMs) through a single, unified interface. Connect your own API keys (OpenAI, Anthropic, and more) and securely manage custom MCP server integrations.
 
 **Key features:**
+
 - Accessible from any PC or smartphone—no installation required
 - Choose your preferred LLM provider
 - Supports `SSE`, `Streamable HTTP`, `npx`, and `uvx` MCP servers
diff --git a/docs/specification/draft/basic/authorization.mdx b/docs/specification/draft/basic/authorization.mdx
@@ -354,7 +354,7 @@ MCP servers **MUST** validate access tokens before processing the request, ensur
 
 A MCP server **MUST** follow the guidelines in [OAuth 2.1 - Section 5.2](https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-12.html#section-5.2) to validate inbound tokens.
 
-MCP servers **MUST** only accept tokens specifically intended for themselves and **MUST** reject tokens that do not include them in the audience claim or otherwise verify that they are the intended recipient of the token. See [Security Best Practices Section 2.2](/specification/draft/basic/security_best_practices#token-passthrough) for details.
+MCP servers **MUST** only accept tokens specifically intended for themselves and **MUST** reject tokens that do not include them in the audience claim or otherwise verify that they are the intended recipient of the token. See the [Security Best Practices Token Passthrough section](/specification/draft/basic/security_best_practices#token-passthrough) for details.
 
 If the MCP server makes requests to upstream APIs, it may act as an OAuth client to them. The access token used at the upstream API is a seperate token, issued by the upstream authorization server. The MCP server **MUST NOT** pass through the token it received from the MCP client.
 
