Add mcp scope for use with MCP server

What does this MR do and why?

  • Add mcp scope for use with MCP server.
    • All dynamically generated OAuth applications can only create access tokens with this scope.
  • This new scope currently has no ability to do anything, and is only creatable by creating a dynamic OAuth token, which is currently behind a default-off feature flag.

How to set up and validate locally

📺 Watch the demo here on Unfiltered (private to GitLab team members) 📺

  1. Enable the feature flag to create OAuth applications: Feature.enable(:oauth_dynamic_client_registration)
  2. Enable the feature flag to enable the MCP server: Feature.enable(:mcp_server)
  3. Create a new OAuth application - I've defined the scope in the request, but it'll always use mcp regardless of input. (Auth not required.)

     POST /oauth/register

     {
       "client_name": "my example application",
       "scope": [
         "mcp"
       ],
       "redirect_uris": [
         "https://something.test"
       ]
     }

  4. Use the returned client_id to authorize the application as a logged-in GitLab user. Use a tool like Postman to make this easier.
  5. When doing so, try to authorize using a scope other than mcp, like api, and check that it fails.
  6. Try to use the returned access token to do anything, and check that it is unauthorized.

Also try a full end-to-end flow:

  1. Install mcp-remote from npm.
  2. Run it! mcp-remote https://gdk.test:4334/api/v4/mcp
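The local validation steps above as a small script (an added example, not code from this MR or from GitLab): it registers a dynamic client while deliberately requesting the api scope, checks that the response grants only mcp, and probes an issued token against GET /api/v4/user expecting 401/403. It assumes an RFC 7591-style registration response (a client_id field and a space-separated scope string) and that /api/v4/user rejects a token with no usable scope; the base URL, client name and redirect URI are placeholders.

```python
import json
import urllib.request
from urllib.error import HTTPError

EXPECTED_SCOPES = {"mcp"}  # the only scope a dynamically registered client may hold

def registration_request(client_name, requested_scopes, redirect_uri):
    """Body for POST /oauth/register; ask for a broad scope like api on purpose."""
    return {"client_name": client_name, "scope": list(requested_scopes),
            "redirect_uris": [redirect_uri]}

def granted_scopes(response_json):
    """Scopes actually issued (assumes an RFC 7591 space-separated 'scope' string)."""
    return set(response_json.get("scope", "").split())

def scope_is_restricted(response_json):
    """True only if the client was issued exactly the mcp scope, nothing more."""
    return granted_scopes(response_json) == EXPECTED_SCOPES

def http_status(url, headers=None, data=None, opener=urllib.request.urlopen):
    """Return (status, body); 4xx/5xx responses are results here, not exceptions."""
    req = urllib.request.Request(url, data=data, headers=headers or {},
                                 method="POST" if data else "GET")
    try:
        with opener(req) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()

def register_client(base_url, opener=urllib.request.urlopen):
    """Step 3 of the MR: register a client and fail if it got more than mcp."""
    body = json.dumps(registration_request("scope probe", ["api"],
                                           "https://something.test")).encode()
    status, raw = http_status(f"{base_url}/oauth/register",
                              {"Content-Type": "application/json"}, body, opener)
    if status not in (200, 201):
        raise RuntimeError(f"registration failed with HTTP {status}")
    parsed = json.loads(raw)
    if not scope_is_restricted(parsed):
        raise AssertionError(f"client got scopes {sorted(granted_scopes(parsed))}")
    return parsed["client_id"]

def token_is_inert(base_url, access_token, opener=urllib.request.urlopen):
    """Step 6 of the MR: GET /api/v4/user with the mcp token must be 401/403."""
    status, _ = http_status(f"{base_url}/api/v4/user",
                            {"Authorization": f"Bearer {access_token}"}, opener=opener)
    return status in (401, 403)
```

Obtain the access token through the browser authorization in steps 4 and 5 and pass it to token_is_inert; the opener parameter exists so the checks can be driven with canned responses when no GDK is running.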

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #554826 (closed)

Edited by Max Woolf
