-
Notifications
You must be signed in to change notification settings - Fork 184
docs(agent-tools): fix Cursor MCP setup to use API key auth #1221
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
+116
−130
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🌐 Web query:
Does Cursor support OAuth for remote MCP servers as of mid-2026, and does it work with static/pre-shared Client ID flows for third-party MCP providers?💡 Result:
As of July 2026, Cursor provides native support for OAuth for remote Model Context Protocol (MCP) servers [1][2]. For MCP servers requiring OAuth, you can configure them in your mcp.json file [1][3]. Cursor supports the use of static OAuth client credentials to bypass or supplement dynamic flows [1][3]. Key details regarding this support include: Static/Pre-shared Client ID Flows: Cursor allows you to provide a static CLIENT_ID and optional CLIENT_SECRET directly within the auth object of an MCP server entry in mcp.json [1][3]. This is intended for providers that supply fixed credentials, require specific redirect URL whitelisting, or do not support OAuth 2.0 Dynamic Client Registration (DCR) [1][3]. Technical Considerations and Known Limitations: 1. Authorization Code Flow Enforcement: Cursor's MCP client is primarily designed to use the authorization code (redirect-based) flow [4][5]. Even when a CLIENT_SECRET is provided in the configuration, the client may still initiate a redirect-based flow rather than utilizing a client credentials grant (RFC 6749 §4.4) to obtain tokens server-to-server [4][5]. 2. Callback Handling: Cursor utilizes fixed redirect URLs, specifically cursor://anysphere.cursor-mcp/oauth/callback [1][3]. You must register this URL with your OAuth provider [1][3]. Some users have reported issues where the internal callback handler may occasionally fail to respond correctly (e.g., ERR_EMPTY_RESPONSE) or where the "Connect" button fails to trigger the browser flow [6][2]. 3. Fixed Redirection: Because Cursor uses fixed, random-port based redirection for OAuth callbacks, it may experience difficulties with strict Identity Providers (IdPs) like Okta, Entra, or Cognito that require exact, pre-registered redirect URIs, whereas it typically works seamlessly with providers like Keycloak that allow wildcard redirects [7]. For configuration, you can add an auth block to your mcp.json as follows: { "mcpServers": { "your-server-name": { "url": "https://api.example.com/mcp", "auth": { "CLIENT_ID": "your-oauth-client-id", "CLIENT_SECRET": "your-client-secret", "scopes": ["read", "write"] } } } } [1][3]
Citations:
🏁 Script executed:
Repository: Comfy-Org/docs
Length of output: 38197
Update the Cursor setup copy to match current MCP OAuth support. Cursor now supports OAuth for remote MCP servers, including static client ID/secret flows, so this section should only fall back to an API key if Comfy Cloud has a specific incompatibility. If the API-key example stays, avoid
${env:COMFY_API_KEY}inheadersunless Cursor expands that field for remote HTTP configs.🤖 Prompt for AI Agents