fix: include "none" in token_endpoint_auth_methods_supported metadata

The `build_metadata()` function hardcoded `token_endpoint_auth_methods_supported`
to `["client_secret_post", "client_secret_basic"]`, but the registration handler
already supports `token_endpoint_auth_method: "none"` for public clients.

MCP clients like Claude Code follow the metadata to determine supported auth
methods. Without "none" advertised, public client flows break: the client
registers successfully (no client_secret), but then cannot complete the token
exchange because the metadata implies a secret is required.

Also includes "none" in `revocation_endpoint_auth_methods_supported` for
consistency.

Fixes #2260

Author: namabile

src/mcp/server/auth/routes.py

@@ -165,7 +165,7 @@ def build_metadata(
         response_types_supported=["code"],
         response_modes_supported=None,
         grant_types_supported=["authorization_code", "refresh_token"],
-        token_endpoint_auth_methods_supported=["client_secret_post", "client_secret_basic"],
+        token_endpoint_auth_methods_supported=["client_secret_post", "client_secret_basic", "none"],
         token_endpoint_auth_signing_alg_values_supported=None,
         service_documentation=service_documentation_url,
         ui_locales_supported=None,
@@ -182,7 +182,7 @@ def build_metadata(
     # Add revocation endpoint if supported
     if revocation_options.enabled:  # pragma: no branch
         metadata.revocation_endpoint = AnyHttpUrl(str(issuer_url).rstrip("/") + REVOCATION_PATH)
-        metadata.revocation_endpoint_auth_methods_supported = ["client_secret_post", "client_secret_basic"]
+        metadata.revocation_endpoint_auth_methods_supported = ["client_secret_post", "client_secret_basic", "none"]
 
     return metadata
 

tests/client/test_auth.py

@@ -1245,10 +1245,10 @@ def test_build_metadata(
             "registration_endpoint": Is(registration_endpoint),
             "scopes_supported": ["read", "write", "admin"],
             "grant_types_supported": ["authorization_code", "refresh_token"],
-            "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
+            "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic", "none"],
             "service_documentation": Is(service_documentation_url),
             "revocation_endpoint": Is(revocation_endpoint),
-            "revocation_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
+            "revocation_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic", "none"],
             "code_challenge_methods_supported": ["S256"],
         }
     )

tests/server/fastmcp/auth/test_auth_integration.py

@@ -320,7 +320,7 @@ async def test_metadata_endpoint(self, test_client: httpx.AsyncClient):
         assert metadata["revocation_endpoint"] == "https://auth.example.com/revoke"
         assert metadata["response_types_supported"] == ["code"]
         assert metadata["code_challenge_methods_supported"] == ["S256"]
-        assert metadata["token_endpoint_auth_methods_supported"] == ["client_secret_post", "client_secret_basic"]
+        assert metadata["token_endpoint_auth_methods_supported"] == ["client_secret_post", "client_secret_basic", "none"]
         assert metadata["grant_types_supported"] == [
             "authorization_code",
             "refresh_token",