Home A - Z
Page Index
Properties 
category: reference
tags: [task, phase-1, mcp, auth, infra]
last_updated: 2026-03-13
confidence: high

P1-9: Fix MCP OAuth Discovery Routing

Status: COMPLETE (2026-03-13)

Problem

Claude.ai cannot connect to the dev.wikibot.io MCP server via OAuth because the /.well-known/oauth-authorization-server discovery endpoint is routed to the Otterwiki Lambda ($default catch-all) instead of the MCP Lambda. It returns an HTML wiki page instead of the OAuth JSON metadata document.

Additionally, MCP_BASE_URL was set to https://dev.wikibot.io/mcp, causing FastMCP to compute a doubled path (/mcp/mcp) for the protected resource URL.

Root Cause

  1. API Gateway only routed /mcp and /mcp/{proxy+} to the MCP Lambda. All /.well-known/* paths fell through to Otterwiki's $default route.
  2. MCP_BASE_URL included the /mcp subpath, but FastMCP uses this as the base for constructing OAuth metadata URLs, resulting in doubled paths.

Fix

Two infra changes, zero code changes:

  1. infra/__main__.py — Added API Gateway route ANY /.well-known/{proxy+} → MCP Lambda integration
  2. infra/Pulumi.dev.yaml — Changed mcp_base_url from https://dev.wikibot.io/mcp to https://dev.wikibot.io

Commit: e46ef4a on main. Deployed via pulumi up.

Verification

Endpoint Expected Result
GET /.well-known/oauth-authorization-server WorkOS OAuth metadata JSON PASS
GET /.well-known/oauth-protected-resource/mcp Protected resource JSON PASS
POST /mcp (with bearer token) MCP initialize response PASS
GET /Home Otterwiki HTML PASS (unchanged)
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9