OAuth redirect target that completes an MCP connection
The OAuth redirect URI. The external authorization server sends the user’s browser here
after they consent, so the request carries no Narrative bearer token — it is authenticated
instead by the unguessable one-time state (bound to a stored PKCE code_verifier) that
POST /mcp-connections issued.
On a valid state, the platform exchanges the code at the server’s token endpoint (with the
PKCE verifier and resource indicator), validates the new token with a tools/list call, stores
the encrypted tokens, and flips the connection to connected. The one-time state is then
consumed.
You normally never call this directly — it’s the redirect_uri the browser is sent to. It
returns a short plain-text page telling the user they can close the window.
Authentication
Public (no bearer). The state parameter is the credential; it is single-use and short-lived.
Query Parameters
The one-time authorization code issued by the external authorization server.
The one-time state issued by POST /mcp-connections; binds this callback to its PKCE flow.
Response
Connection established. Returns a short plain-text confirmation for the browser.
The response is of type string.
"MCP connection established. You can close this window."

