modelcontextprotocol
diff --git a/‎README.md
Lines changed: 19 additions & 8 deletions b/‎README.md
Lines changed: 19 additions & 8 deletions
diff --git a/‎package-lock.json
Lines changed: 15 additions & 9 deletions b/‎package-lock.json
Lines changed: 15 additions & 9 deletions
diff --git a/‎package.json
Lines changed: 3 additions & 1 deletion b/‎package.json
Lines changed: 3 additions & 1 deletion
diff --git a/‎src/client/auth.test.ts
Lines changed: 11 additions & 7 deletions b/‎src/client/auth.test.ts
Lines changed: 11 additions & 7 deletions
diff --git a/‎src/client/auth.ts
Lines changed: 4 additions & 0 deletions b/‎src/client/auth.ts
Lines changed: 4 additions & 0 deletions
@@ -211,7 +211,7 @@ await server.connect(transport);
 For remote servers, start a web server with a Server-Sent Events (SSE) endpoint, and a separate endpoint for the client to send its messages to:
 
 ```typescript
-import express from "express";
+import express, { Request, Response } from "express";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
 
@@ -224,16 +224,27 @@ const server = new McpServer({
 
 const app = express();
 
-app.get("/sse", async (req, res) => {
-  const transport = new SSEServerTransport("/messages", res);
+// to support multiple simultaneous connections we have a lookup object from
+// sessionId to transport
+const transports: {[sessionId: string]: SSEServerTransport} = {};
+
+app.get("/sse", async (_: Request, res: Response) => {
+  const transport = new SSEServerTransport('/messages', res);
+  transports[transport.sessionId] = transport;
+  res.on("close", () => {
+    delete transports[transport.sessionId];
+  });
   await server.connect(transport);
 });
 
-app.post("/messages", async (req, res) => {
-  // Note: to support multiple simultaneous connections, these messages will
-  // need to be routed to a specific matching transport. (This logic isn't
-  // implemented here, for simplicity.)
-  await transport.handlePostMessage(req, res);
+app.post("/messages", async (req: Request, res: Response) => {
+  const sessionId = req.query.sessionId as string;
+  const transport = transports[sessionId];
+  if (transport) {
+    await transport.handlePostMessage(req, res);
+  } else {
+    res.status(400).send('No transport found for sessionId');
+  }
 });
 
 app.listen(3001);
 
@@ -1,6 +1,6 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.6.1",
+  "version": "1.8.0",
   "description": "Model Context Protocol implementation for TypeScript",
   "license": "MIT",
   "author": "Anthropic, PBC (https://anthropic.com)",
@@ -48,6 +48,7 @@
   "dependencies": {
     "content-type": "^1.0.5",
     "cors": "^2.8.5",
+    "cross-spawn": "^7.0.3",
     "eventsource": "^3.0.2",
     "express": "^5.0.1",
     "express-rate-limit": "^7.5.0",
@@ -61,6 +62,7 @@
     "@jest-mock/express": "^3.0.0",
     "@types/content-type": "^1.1.8",
     "@types/cors": "^2.8.17",
+    "@types/cross-spawn": "^6.0.6",
     "@types/eslint__js": "^8.42.3",
     "@types/eventsource": "^1.1.15",
     "@types/express": "^5.0.0",
 
@@ -46,11 +46,11 @@ describe("OAuth Authorization", () => {
     it("returns metadata when first fetch fails but second without MCP header succeeds", async () => {
       // Set up a counter to control behavior
       let callCount = 0;
-      
+
       // Mock implementation that changes behavior based on call count
       mockFetch.mockImplementation((_url, _options) => {
         callCount++;
-        
+
         if (callCount === 1) {
           // First call with MCP header - fail with TypeError (simulating CORS error)
           // We need to use TypeError specifically because that's what the implementation checks for
@@ -68,22 +68,22 @@ describe("OAuth Authorization", () => {
       // Should succeed with the second call
       const metadata = await discoverOAuthMetadata("https://auth.example.com");
       expect(metadata).toEqual(validMetadata);
-      
+
       // Verify both calls were made
       expect(mockFetch).toHaveBeenCalledTimes(2);
-      
+
       // Verify first call had MCP header
       expect(mockFetch.mock.calls[0][1]?.headers).toHaveProperty("MCP-Protocol-Version");
     });
 
     it("throws an error when all fetch attempts fail", async () => {
       // Set up a counter to control behavior
       let callCount = 0;
-      
+
       // Mock implementation that changes behavior based on call count
       mockFetch.mockImplementation((_url, _options) => {
         callCount++;
-        
+
         if (callCount === 1) {
           // First call - fail with TypeError
           return Promise.reject(new TypeError("First failure"));
@@ -96,7 +96,7 @@ describe("OAuth Authorization", () => {
       // Should fail with the second error
       await expect(discoverOAuthMetadata("https://auth.example.com"))
         .rejects.toThrow("Second failure");
-        
+
       // Verify both calls were made
       expect(mockFetch).toHaveBeenCalledTimes(2);
     });
@@ -250,6 +250,7 @@ describe("OAuth Authorization", () => {
         clientInformation: validClientInfo,
         authorizationCode: "code123",
         codeVerifier: "verifier123",
+        redirectUri: "http://localhost:3000/callback",
       });
 
       expect(tokens).toEqual(validTokens);
@@ -271,6 +272,7 @@ describe("OAuth Authorization", () => {
       expect(body.get("code_verifier")).toBe("verifier123");
       expect(body.get("client_id")).toBe("client123");
       expect(body.get("client_secret")).toBe("secret123");
+      expect(body.get("redirect_uri")).toBe("http://localhost:3000/callback");
     });
 
     it("validates token response schema", async () => {
@@ -288,6 +290,7 @@ describe("OAuth Authorization", () => {
           clientInformation: validClientInfo,
           authorizationCode: "code123",
           codeVerifier: "verifier123",
+          redirectUri: "http://localhost:3000/callback",
         })
       ).rejects.toThrow();
     });
@@ -303,6 +306,7 @@ describe("OAuth Authorization", () => {
           clientInformation: validClientInfo,
           authorizationCode: "code123",
           codeVerifier: "verifier123",
+          redirectUri: "http://localhost:3000/callback",
         })
       ).rejects.toThrow("Token exchange failed");
     });
 
@@ -115,6 +115,7 @@ export async function auth(
       clientInformation,
       authorizationCode,
       codeVerifier,
+      redirectUri: provider.redirectUrl,
     });
 
     await provider.saveTokens(tokens);
@@ -259,11 +260,13 @@ export async function exchangeAuthorization(
     clientInformation,
     authorizationCode,
     codeVerifier,
+    redirectUri,
   }: {
     metadata?: OAuthMetadata;
     clientInformation: OAuthClientInformation;
     authorizationCode: string;
     codeVerifier: string;
+    redirectUri: string | URL;
   },
 ): Promise<OAuthTokens> {
   const grantType = "authorization_code";
@@ -290,6 +293,7 @@ export async function exchangeAuthorization(
     client_id: clientInformation.client_id,
     code: authorizationCode,
     code_verifier: codeVerifier,
+    redirect_uri: String(redirectUri),
   });
 
   if (clientInformation.client_secret) {