Hi Dean, glad to hear that you found the report useful. We got the /api/mcp endpoint to work with the Authorization header, but not before uncovering another bug related to overly aggressive OAuth probing which deviates from the OAuth RFC. Here’s that bug: *** Cursor MCP client probes OAuth even when server signals OAuth unavailable***
Have a nice weekend!