From e976fda092c120d7bea79af8fc7c461710a24c77 Mon Sep 17 00:00:00 2001 From: Keegan Carruthers-Smith Date: Fri, 23 Jan 2026 13:42:25 +0200 Subject: [PATCH 1/4] update MCP docs for 7.0 GA release - Remove experimental callout - MCP is now generally available - DCR is now enabled by default, update docs accordingly - Add new 'mcp' scope documentation for OAuth and access tokens - Add 'Disabling DCR' section for admins who need to turn it off - Add upgrade notes for users migrating from 6.12 - Update mcp-remote example to use 'mcp' scope instead of 'user:all' --- docs/api/mcp/index.mdx | 40 +++++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/docs/api/mcp/index.mdx b/docs/api/mcp/index.mdx index b94d192a7..16c767e36 100644 --- a/docs/api/mcp/index.mdx +++ b/docs/api/mcp/index.mdx @@ -13,12 +13,6 @@ seoPriority: 1.0 Supported on [Enterprise](/pricing/plans/enterprise) plans. - - This feature is - [experimental](/admin/beta-and-experimental-features#experimental-features) - and might change or be removed in the future. - - The Sourcegraph Model Context Protocol (MCP) Server provides AI agents and applications with programmatic access to your Sourcegraph instance's code search, navigation, and analysis capabilities through a standardized interface. ## Server Endpoints @@ -42,19 +36,11 @@ The Sourcegraph MCP server supports two authentication methods: ### OAuth 2.0 with Dynamic Client Registration -Sourcegraph supports MCP spec-compliant OAuth with Dynamic Client Registration ([RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)), allowing AI agents to authenticate without pre-configured client IDs. - -#### Enabling Dynamic Client Registration - -Enable this feature by setting the following site configuration: +Sourcegraph supports MCP spec-compliant OAuth with Dynamic Client Registration ([RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)), allowing AI agents to authenticate without pre-configured client IDs. DCR is enabled by default starting in Sourcegraph 7.0. -```json -{ - "auth.idpDynamicClientRegistrationEnabled": true -} -``` +DCR-registered applications are restricted to the `mcp` scope, which limits access to MCP endpoints only. -Once enabled, MCP clients that support OAuth can authenticate automatically. For example, for [Amp](https://ampcode.com/), you can run: +MCP clients that support OAuth can authenticate automatically. For example, for [Amp](https://ampcode.com/), you can run: ```bash amp mcp add sg https://sourcegraph.example.com/.api/mcp @@ -69,11 +55,21 @@ claude mcp add --transport http sg https://sourcegraph.example.com/.api/mcp This works similarly for other MCP-compatible agents. +#### Disabling Dynamic Client Registration + +To disable DCR, set the following site configuration: + +```json +{ + "auth.idpDynamicClientRegistrationEnabled": false +} +``` + #### Manual OAuth Setup If your agent doesn't support Dynamic Client Registration, you can manually create an OAuth application: -1. Create an OAuth application in your Sourcegraph instance following the instructions [here](/admin/oauth-apps#creating-an-oauth-app). (Note: you will need the `user:all` scope) +1. Create an OAuth application in your Sourcegraph instance following the instructions [here](/admin/oauth-apps#creating-an-oauth-app). (Note: you can use the `mcp` scope for MCP-only access, or `user:all` for full access) 2. Use `mcp-remote` as a fallback with the following configuration: ```json @@ -88,7 +84,7 @@ If your agent doesn't support Dynamic Client Registration, you can manually crea "--static-oauth-client-info", "{\"client_id\":\"\"}", "--static-oauth-client-metadata", - "{\"scope\":\"user:all\"}" + "{\"scope\":\"mcp\"}" ] } } @@ -109,6 +105,12 @@ Include your token in the Authorization header: Authorization: token YOUR_ACCESS_TOKEN ``` +Access tokens can use the `mcp` scope to restrict access to MCP endpoints only. + +### Upgrading from 6.12 + +If you previously used DCR support in 6.12, some applications may fail to re-authenticate. To resolve this, remove the affected registered applications from the "Account security" tab in your Sourcegraph user settings and re-register them. + ## Client Integration The Sourcegraph MCP server can be integrated with various AI tools and IDEs that support the Model Context Protocol. From b425358ef4ab5452091a46c02fbe30d6913787fd Mon Sep 17 00:00:00 2001 From: Keegan Carruthers-Smith Date: Fri, 23 Jan 2026 13:49:55 +0200 Subject: [PATCH 2/4] Less emphasis on auth, just say how to use --- docs/api/mcp/index.mdx | 49 ++++++++++++++++++++++-------------------- 1 file changed, 26 insertions(+), 23 deletions(-) diff --git a/docs/api/mcp/index.mdx b/docs/api/mcp/index.mdx index 16c767e36..d0084f5f2 100644 --- a/docs/api/mcp/index.mdx +++ b/docs/api/mcp/index.mdx @@ -30,42 +30,31 @@ Example URL: https://your-sourcegraph-instance.com/.api/mcp ``` -## Authentication - -The Sourcegraph MCP server supports two authentication methods: - -### OAuth 2.0 with Dynamic Client Registration +## Getting Started -Sourcegraph supports MCP spec-compliant OAuth with Dynamic Client Registration ([RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)), allowing AI agents to authenticate without pre-configured client IDs. DCR is enabled by default starting in Sourcegraph 7.0. - -DCR-registered applications are restricted to the `mcp` scope, which limits access to MCP endpoints only. - -MCP clients that support OAuth can authenticate automatically. For example, for [Amp](https://ampcode.com/), you can run: +MCP clients that support OAuth can connect directly—just point them at your Sourcegraph instance and authenticate through your browser: +**[Amp](https://ampcode.com/)** ```bash amp mcp add sg https://sourcegraph.example.com/.api/mcp ``` -For [Claude Code](https://www.claude.com/product/claude-code), you can run: - +**[Claude Code](https://www.claude.com/product/claude-code)** ```bash claude mcp add --transport http sg https://sourcegraph.example.com/.api/mcp ``` +This works similarly for other MCP-compatible agents. See [Client Integration](#client-integration) for detailed setup instructions for each client. -This works similarly for other MCP-compatible agents. +## Authentication -#### Disabling Dynamic Client Registration +The MCP server supports OAuth 2.0 and access token authentication. -To disable DCR, set the following site configuration: +### OAuth 2.0 -```json -{ - "auth.idpDynamicClientRegistrationEnabled": false -} -``` +Sourcegraph implements Dynamic Client Registration ([RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)), so compatible clients can authenticate automatically without pre-configured client IDs. DCR-registered applications are restricted to the `mcp` scope, which limits access to MCP endpoints only. -#### Manual OAuth Setup + If your agent doesn't support Dynamic Client Registration, you can manually create an OAuth application: @@ -97,9 +86,23 @@ If your agent doesn't support Dynamic Client Registration, you can manually crea -### Authorization Header + + + + +To disable DCR, set the following site configuration: + +```json +{ + "auth.idpDynamicClientRegistrationEnabled": false +} +``` + + + +### Access Tokens -Include your token in the Authorization header: +Alternatively, include an access token in the Authorization header: ``` Authorization: token YOUR_ACCESS_TOKEN From f5c60a6bd18f6b590bbeb920e2e76a7e575d945b Mon Sep 17 00:00:00 2001 From: Keegan Carruthers-Smith Date: Wed, 25 Feb 2026 18:56:04 +0200 Subject: [PATCH 3/4] feat/mcp: document SRC_MCP_DISABLE_DEEPSEARCH_TOOL env var Admins may want to disable the deepsearch tool on default/v1 MCP endpoints without affecting deepsearch_read or the dedicated /deepsearch endpoint. This documents the temporary SRC_MCP_DISABLE_DEEPSEARCH_TOOL environment variable introduced in 7.0 as a stopgap until a proper tool allowlist is implemented. See sourcegraph/sourcegraph#9986. Amp-Thread-ID: https://ampcode.com/threads/T-019c95b8-93fb-7179-8aeb-c44b181a30f9 Co-authored-by: Amp --- docs/api/mcp/index.mdx | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/api/mcp/index.mdx b/docs/api/mcp/index.mdx index d0084f5f2..324df6914 100644 --- a/docs/api/mcp/index.mdx +++ b/docs/api/mcp/index.mdx @@ -534,6 +534,10 @@ Find repositories where a contributor has made commits. ### Deep Search + + Admins can disable the `deepsearch` tool on the default and v1 MCP endpoints by setting the environment variable `SRC_MCP_DISABLE_DEEPSEARCH_TOOL=true` on the Sourcegraph instance. This does not affect `deepsearch_read` or the dedicated `/deepsearch` endpoint. This is a temporary measure available in 7.0 and will be replaced by a proper tool allowlist in a future release. + + ### `deepsearch` Create a new Deep Search conversation to answer complex questions about your codebase. From 8e1a79d732c5ec4d4f46062883941e6a1abf6734 Mon Sep 17 00:00:00 2001 From: Keegan Carruthers-Smith Date: Wed, 25 Feb 2026 19:07:04 +0200 Subject: [PATCH 4/4] chore/mcp: remove upgrading from 6.12 section The backend migration (83fc1a37594) automatically adds the mcp scope to old DCR clients, so users no longer need to manually re-register their applications when upgrading from 6.12. Amp-Thread-ID: https://ampcode.com/threads/T-019c95c3-9ec8-73d7-9703-1b95bca44c64 Co-authored-by: Amp --- docs/api/mcp/index.mdx | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/api/mcp/index.mdx b/docs/api/mcp/index.mdx index 324df6914..3b801c3c2 100644 --- a/docs/api/mcp/index.mdx +++ b/docs/api/mcp/index.mdx @@ -110,10 +110,6 @@ Authorization: token YOUR_ACCESS_TOKEN Access tokens can use the `mcp` scope to restrict access to MCP endpoints only. -### Upgrading from 6.12 - -If you previously used DCR support in 6.12, some applications may fail to re-authenticate. To resolve this, remove the affected registered applications from the "Account security" tab in your Sourcegraph user settings and re-register them. - ## Client Integration The Sourcegraph MCP server can be integrated with various AI tools and IDEs that support the Model Context Protocol.