Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.mcp-assistant.in/llms.txt

Use this file to discover all available pages before exploring further.

Bug fixes

OAuth popup callback reliability

OAuth popup handling is now more resilient when an authorization provider uses cross-origin isolation or Cross-Origin-Opener-Policy behavior that severs the popup’s window.opener relationship. The callback component no longer treats a missing opener as a hard failure when it still has a valid authorization code and state. The popup callback now sends auth codes through both direct postMessage and a same-origin BroadcastChannel, allowing the main app window to call finishAuth even when Chrome reports the opener as unavailable.

Duplicate auth code handling

Popup auth code messages are deduplicated per session/code pair. This prevents duplicate finishAuth calls when both postMessage and BroadcastChannel deliver the same callback payload.

Safer result delivery

Result delivery back to the popup now treats direct WindowProxy.postMessage as best effort. If a COOP-isolated provider leaves behind an unusable window reference, the SDK still broadcasts the result over BroadcastChannel.

Examples

The Next.js popup callback example now mirrors the SDK behavior by using the same BroadcastChannel fallback and by accepting callback state from either state or sessionId query parameters.

Tests

  • Added Playwright coverage for duplicate popup and broadcast messages.
  • Added coverage for missing sessions, finishAuth failures, successful ready-state completion, and no-opener callback broadcasts.