P1-9 MCP OAuth Routing

---
category: reference
tags: [task, phase-1, mcp, auth, infra]
last_updated: 2026-03-13
confidence: high
---

# P1-9: Fix MCP OAuth Discovery Routing

**Status: COMPLETE** (2026-03-13)

## Problem

Claude.ai cannot connect to the dev.wikibot.io MCP server via OAuth because the `/.well-known/oauth-authorization-server` discovery endpoint is routed to the Otterwiki Lambda (`$default` catch-all) instead of the MCP Lambda. It returns an HTML wiki page instead of the OAuth JSON metadata document.

Additionally, `MCP_BASE_URL` was set to `https://dev.wikibot.io/mcp`, causing FastMCP to compute a doubled path (`/mcp/mcp`) for the protected resource URL.

## Root Cause

1. API Gateway only routed `/mcp` and `/mcp/{proxy+}` to the MCP Lambda. All `/.well-known/*` paths fell through to Otterwiki's `$default` route.
2. `MCP_BASE_URL` included the `/mcp` subpath, but FastMCP uses this as the base for constructing OAuth metadata URLs, resulting in doubled paths.

## Fix

Two infra changes, zero code changes:

1. **`infra/__main__.py`** — Added API Gateway route `ANY /.well-known/{proxy+}` → MCP Lambda integration
2. **`infra/Pulumi.dev.yaml`** — Changed `mcp_base_url` from `https://dev.wikibot.io/mcp` to `https://dev.wikibot.io`

Commit: `e46ef4a` on `main`. Deployed via `pulumi up`.

## Verification

| Endpoint | Expected | Result |
|----------|----------|--------|
| `GET /.well-known/oauth-authorization-server` | WorkOS OAuth metadata JSON | PASS |
| `GET /.well-known/oauth-protected-resource/mcp` | Protected resource JSON | PASS |
| `POST /mcp` (with bearer token) | MCP initialize response | PASS |
| `GET /Home` | Otterwiki HTML | PASS (unchanged) |