fix(mcp): persist Tools-tab MCP OAuth token to DB

[tin-berri]

Problem

• MCP OAuth "on behalf of" (OBO) mode was not persisting per-user access tokens, so tools came back empty and the connection never showed as established.
• access_token and refresh_token were not stored in the database and never refreshed if they are expired

Fix

• Stored access_token and refresh_token into the litellm_MCPUserCredentials DB Table
• Added logic for minting new access_token if access_token is expired or has 60s left to expire

After Fix: Users are able to store access_tokens with LiteLLM and can access tools list consistently via a DB lookup for the corresponding access_tokens

Linear ticket

Resolves LIT-3579
https://linear.app/litellm-ai/issue/LIT-3579/fix-obo-mcp-tool-access-and-token-persistence

Note

• Need to address the token_validation on the Create MCP Server Temporary Server Authentication since we are trying to move into simplifying the MCP Server Setup and in OBO-mode.

Pre-Submission checklist

Please complete all items before asking a LiteLLM maintainer to review your PR

• I have added meaningful tests
• My PR passes all unit tests on make test-unit
• My PR's scope is as isolated as possible; it only solves 1 specific problem
• I have requested a Greptile review by commenting @greptileai and received a Confidence Score of at least 4/5 before requesting a maintainer review

CI (LiteLLM team)

• Branch creation CI run
  Link:

• CI run for the last commit
  Link:

• Merge / cherry-pick CI run
  Links:

Screenshots / Proof of Fix

Deployed the branch to a vcluster and added a Slack MCP server in OBO mode (Transport HTTP, Auth OAuth, OAuth Flow Type Interactive, delegate_auth_to_upstream off), clicked "Authorize & Fetch", then submitted "Add MCP Server". Verified the token is written to the DB on submit and that the proxy can use it.

Prereqs: proxy reachable at localhost:8000 (port-forward), master key sk-compare-litellm, and the new server's id in SERVER_ID.

SERVER_ID=3c6789d7-8e47-4271-9343-545a485de2eb   # the server you just created

1. DB: the per-user OAuth credential row is created on submit (before the flow this is ROW_COUNT= 0)

GW=$(kubectl -n litellm get pod -o name | grep gateway | head -1 | cut -d/ -f2)
kubectl -n litellm exec -i "$GW" -- /app/.venv/bin/python - <<'PY'
import os, asyncio
from litellm.proxy.auth.rds_iam_token import generate_iam_auth_token
host=os.environ["DATABASE_HOST"]; port=os.getenv("DATABASE_PORT","5432")
user=os.getenv("DATABASE_USER") or "postgres"; name=os.getenv("DATABASE_NAME","postgres")
os.environ["DATABASE_URL"]=f"postgresql://{user}:{generate_iam_auth_token(db_host=host,db_port=port,db_user=user)}@{host}:{port}/{name}"
from prisma import Prisma
async def main():
    db=Prisma(); await db.connect()
    rows=await db.query_raw('SELECT user_id, server_id, created_at, length(credential_b64) AS cred_len FROM "LiteLLM_MCPUserCredentials" ORDER BY created_at DESC')
    print("ROW_COUNT=", len(rows))
    for r in rows: print(r)
    await db.disconnect()
asyncio.run(main())
PY

ROW_COUNT= 1
{'user_id': 'default_user_id', 'server_id': '3c6789d7-8e47-4271-9343-545a485de2eb', 'created_at': '2026-06-05T23:32:23.880+00:00', 'cred_len': 1232}

2. Proxy reads the stored credential (status endpoint)

curl -s -H "Authorization: Bearer sk-compare-litellm" \
  "http://localhost:8000/v1/mcp/server/$SERVER_ID/oauth-user-credential/status"

{"server_id":"3c6789d7-8e47-4271-9343-545a485de2eb","has_credential":true,"expires_at":"2026-06-06T11:32:23.867530+00:00","is_expired":false,"connected_at":"2026-06-05T23:32:23.867549+00:00"}

3. Tool list works with only the LiteLLM key, so the backend attaches the stored token (before the fix this returned {"tools": 0, ...} / "No tools available")

curl -s -H "Authorization: Bearer sk-compare-litellm" \
  "http://localhost:8000/mcp-rest/tools/list?server_id=$SERVER_ID" \
  | python3 -c "import sys,json;d=json.load(sys.stdin);print(json.dumps({'tools':len(d.get('tools') or []),'error':d.get('error'),'message':d.get('message')}))"

{"tools": 19, "error": null, "message": "Successfully retrieved tools"}

The DB check runs inside the gateway pod because the RDS connection uses IAM auth (no static password); it reuses the proxy's own generate_iam_auth_token so it connects exactly like the proxy. Adjust the namespace / gateway pod selector if your release differs.

Token refresh on expiry (the refresh half)

Same vcluster and the same Slack OBO server. The Tools-tab list path (/mcp-rest/tools/list) now refreshes a stored token that has expired, minting a new one from the stored refresh_token instead of returning an empty tool list.

Forcing expiry without waiting ~12h for Slack's natural token lifetime needs a DB write (the credential is encrypted, so it can't be done with curl). I rewrote the stored credential's expires_at into the past and recorded fingerprints (sha256 prefix, never the raw token), without calling any refresh code:

access_token_fp : 69e4f40e0f2b
refresh_token_fp: 846dbefb19f9
expires_at      : 2026-06-06T02:44:10Z   (in the past)

Then I opened the slack_OBO server's tools in the dashboard, which is the action that calls /mcp-rest/tools/list. The tools rendered, and the stored credential had been refreshed end to end with no manual refresh:

                  before (armed)      after opening the Tools tab
access_token_fp   69e4f40e0f2b   ->   b2d9372f0de4    rotated
refresh_token_fp  846dbefb19f9   ->   beddfed984e1    rotated (Slack rotation)
expires_at        02:44Z (past)  ->   15:46Z (~12h)   fresh

The access token changing proves a new token was minted from the stored refresh_token; the refresh token also rotating confirms Slack processed a real grant_type=refresh_token exchange rather than anything local. Before this change the same flow returned an empty tool list once the token lapsed

Type

🐛 Bug Fix

Changes

When adding an MCP server, "Authorize & Fetch" runs the OAuth code exchange and useMcpOAuthFlow holds the resulting access and refresh token. On submit, after createMCPServer returns the new server_id, the create flow only cached the token in sessionStorage (setToken) with no backend DB write. For an interactive PKCE oauth2 server with delegate_auth_to_upstream off (OBO mode) LiteLLM owns the per-user token, so skipping the DB write left has_credentials false; _get_user_oauth_extra_headers_from_db then returned None, a tools/list issued with only the LiteLLM key went upstream unauthenticated and came back empty, and the user had to re-authorize every time to see the tool list.

This change persists the token on submit for OBO servers via storeMCPOAuthUserCredential (POST /v1/mcp/server/{id}/oauth-user-credential), keyed by the calling user, so has_credentials becomes true and the proxy attaches the upstream auth header on subsequent tool lists. The mode is classified with getMcpOAuthMode, so only OBO writes to the DB; PKCE passthrough keeps its browser-held sessionStorage token (forwarded as the x-mcp-<alias>-authorization header) and M2M uses the backend service token.

Added a regression test in create_mcp_server.test.tsx asserting an OBO submit persists the access and refresh token to the DB via storeMCPOAuthUserCredential and does not fall back to the sessionStorage cache.

This PR also covers the second half of the OBO lifecycle: refreshing the stored token once it expires. The Tools-tab list endpoint (/mcp-rest/tools/list) read the stored credential and, when the access token had expired, returned None without attempting a refresh, so the tool list went empty again once the token lapsed even though a valid refresh_token was sitting in the DB. The MCP-protocol path in server.py already refreshed, so the two surfaces disagreed. The refresh decision (return the stored token while it is valid, otherwise mint a new one from the stored refresh_token) is now extracted into a shared resolve_valid_user_oauth_token helper in db.py, and both the REST and protocol paths call it, deleting server.py's duplicated inline refresh block. The helper also treats a token expiring within MCP_PER_USER_TOKEN_EXPIRY_BUFFER_SECONDS (60s) as needing refresh, so a near-expiry token is renewed before it can lapse mid-request; that buffer was previously applied only to the Redis cache TTL and not to the DB expiry check. Scope stays limited to OBO, the only mode that persists a per-user refresh_token; M2M caches its token in-memory per-server and passthrough keeps the credential browser-side, so neither has a stored credential for the helper to refresh.

Added regression tests in test_db_credentials.py covering the expiry buffer boundary (a token with 30s of life left is treated as valid under no buffer but as expired under the 60s buffer) and the refresh decision (expired-with-refresh-token mints a new token, expired-without-refresh-token returns None, a still-valid token is returned without any refresh call, and a failed refresh surfaces as None).

[greptile-apps]

Greptile Summary

This PR fixes MCP OAuth "on behalf of" mode on the Tools screen by adding a server-side credential persist step (storeMCPOAuthUserCredential) after the token exchange, matching the existing pattern in useUserMcpOAuthFlow. Previously, the token was cached only in sessionStorage, so has_credentials remained false and tool listings came back empty after a page refresh.

• useToolsOAuthFlow.tsx: Inserts await storeMCPOAuthUserCredential(...) between the token exchange and the setToken / onSuccess calls; a DB write failure now propagates as an error and suppresses the false-success path (setToken and onSuccess are only reached when the write succeeds).
• useToolsOAuthFlow.test.tsx: New unit tests verify the happy path (DB write, sessionStorage cache, and onSuccess all fire) and the failure path (status flips to error, setToken and onSuccess are not called).

Confidence Score: 4/5

Safe to merge — the change is minimal and surgical, touching only the Tools-screen OAuth hook. The core logic mirrors the already-reviewed useUserMcpOAuthFlow pattern, and both the happy path and the DB-failure path are covered by the new tests.

The implementation is clean and consistent with the established pattern. The one small gap is that the has_credential field in the successful response from storeMCPOAuthUserCredential is not checked — a 200 OK with has_credential: false would be treated as success. This is unlikely in practice (the server would return a non-OK status on actual failure) and is the same approach taken by useUserMcpOAuthFlow, so no regression is introduced. No other functional concerns were identified.

No files require special attention. useToolsOAuthFlow.tsx carries the only functional change and is straightforward to audit.

Important Files Changed

Filename	Overview
ui/litellm-dashboard/src/hooks/useToolsOAuthFlow.tsx	Adds a mandatory storeMCPOAuthUserCredential DB write after token exchange, mirroring useUserMcpOAuthFlow; setToken (sessionStorage) is only reached on successful DB write, so a failed write now surfaces as an error instead of a silent false-success.
ui/litellm-dashboard/src/hooks/useToolsOAuthFlow.test.tsx	New test file covering both the persist-on-success path (DB write called, setToken called, onSuccess called) and the no-false-success-on-DB-failure path (status flips to error, setToken and onSuccess not called); all network calls are properly mocked.

_{Reviews (1): Last reviewed commit: "fix(ui): persist Tools-tab MCP OAuth tok..." | Re-trigger Greptile}

[codecov]

Codecov Report

❌ Patch coverage is 75.00000% with 6 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
litellm/proxy/_experimental/mcp_server/db.py	88.23%	2 Missing ⚠️
...m/proxy/_experimental/mcp_server/rest_endpoints.py	0.00%	2 Missing ⚠️
litellm/proxy/_experimental/mcp_server/server.py	60.00%	2 Missing ⚠️

📢 Thoughts on this report? Let us know!

[veria-ai]

Medium: OAuth token validation bypass

This stores the token returned by the temporary OAuth session, but getTemporaryPayload() does not include token_validation, and the /oauth-user-credential store endpoint just persists the posted token. A user creating or submitting an OBO MCP server can authorize an account that does not satisfy the configured token validation rules, then have that token accepted for later tool calls. Include the validation rules in the temporary OAuth session and/or have the credential storage path re-validate the token response against the persisted server before upserting it.

[tin-berri]

Confirmed, and it is actually broader than the temporary session. token_validation is not wired through to enforcement anywhere today: a grep across litellm/ finds it only on the in-memory MCPServer type and the _validate_token_response check at discoverable_endpoints.py:476, and nothing ever assigns mcp_server.token_validation in either manager load path. There is no DB column and NewMCPServerRequest has no token_validation field, so the rules entered in the UI are dropped before they could reach the check, for persisted servers too, not just the temporary session.

Wiring it end to end means a DB migration plus the persist path, manager population on load, and carrying it into the temporary record so the create-flow exchange validates. That is a bigger change than this PR, which is scoped to persisting and refreshing the OBO token, so I am handling token_validation in a dedicated follow-up PR and tracking it separately rather than resolving here

[veria-ai]

PR overview

This PR updates the Tools-tab MCP server creation flow so OAuth tokens obtained during the temporary authorization session are persisted to the database for later MCP tool use. The touched UI code is in the MCP server creation component that handles OAuth credential submission.

There is one open security issue in the OAuth credential persistence path. The current flow can store an OAuth token without enforcing the MCP server’s configured token validation rules, allowing a user to save a token for an account that should not be accepted and use it in later tool calls. No issues have been addressed yet, so the PR still needs validation added before this flow is safe to merge.

Open issues (1)

• Medium: OAuth token validation bypass — ui/litellm-dashboard/src/components/mcp_tools/create_mcp_server.tsx:445

Fixed/addressed: 0 · PR risk: 7/10

[mateo-berri]

LGTM; thanks!