MCP configuration when migrating production deployment to v0.8.0-rc2

[knightjdr]

I have a deployment on Railway set up with the one-click install described in the docs. Monday I upgraded to v0.8.0-rc2 and have run into an issue. An MCP server that does not require OAuth is now displaying that it does. It is displaying with an amber key icon. This is described in the documentation as:

OAuth Required (amber key): Server requires OAuth authentication

Our librechat.yaml file has no OAuth configuration. I've tried explicitly declaring OAuth is not required with no effect. librechat.yaml

version: 1.2.8
mcpServers:
  myserver:
    type: "streamable-http"
    url: https://example.com/mcp/
    timeout: 240000
    headers:
      Authorization: "Bearer ${MCP_API_TOKEN}"
    oauth:
      requiresOAuth: false
    startup: true

This is problematic because an Agent that uses this MCP server and is shared with other users now requires those users to connect this server manually (via the right side panel under MCP settings). They have to push the "Authenticate" button, but that is all.

This affects agents created before the migration and after. Agents from before were migrated with npm run migrate:agent-permissions

This is not seen in a fresh development instance. It suggest there is some previous configuration that needs to be updated, but it's unclear what that is. This is also seen in development.

[danny-avila]

Remove these fields:

    oauth:
      requiresOAuth: false
    startup: true

So should be just:

version: 1.2.8
mcpServers:
  myserver:
    type: "streamable-http"
    url: https://example.com/mcp/
    timeout: 240000
    headers:
      Authorization: "Bearer ${MCP_API_TOKEN}"

MCP Servers need to be initialized by the user from the chat menu or the MCP Panel:

[knightjdr]

Thanks for the quick response.

This was only added during my troubleshooting attempts. I've removed and redeployed, but still have the same issue.

    oauth:
      requiresOAuth: false
    startup: true

Sorry, I need to clarify that I am seeing this in development as well. In my ticket description (updated) I had pulled the latest from main but didn't update the docker images before testing.

Current status in development:

• an MCP server that does not require OAuth (using the librechat.yaml configuration from your post), will display the amber key icon.
• I am unable to create a new Agent with the MCP server without first connecting to the server
• Another user trying to use the Agent needs to manually connect the MCP server as well.

[danny-avila]

I will try to improve automatic re-initialization when the agent is being used with previously configured mcp tools.

[knightjdr]

@danny-avila Some more details. If I set my server definition as below, it is still showing as requiring OAuth in the logs

version: 1.2.8
mcpServers:
  myserver:
    type: "streamable-http"
    url: http://host.docker.internal:8000/mcp/
    timeout: 300000
    headers:
      Authorization: "Bearer ${MCP_API_TOKEN}"

Logs:

LibreChat         | 2025-08-21 13:10:43 info: Server listening on all interfaces at port 3080. Use http://localhost:3080 to access it
LibreChat         | 2025-08-21 13:10:43 info: [MCP][myserver] -------------------------------------------------┐
LibreChat         | 2025-08-21 13:10:43 info: [MCP][myserver] URL: http://host.docker.internal:8000/mcp/
LibreChat         | 2025-08-21 13:10:43 info: [MCP][myserver] OAuth Required: true
LibreChat         | 2025-08-21 13:10:43 info: [MCP][myserver] Capabilities: undefined
LibreChat         | 2025-08-21 13:10:43 info: [MCP][myserver] Tools: undefined
LibreChat         | 2025-08-21 13:10:43 info: [MCP][myserver] Server Instructions: undefined
LibreChat         | 2025-08-21 13:10:43 info: [MCP][myserver] -------------------------------------------------┘

I can see here that useOAuth is hardcoded to true and is as well in the type definition.

On my server I can see requests to /.well-known/oauth-protected-resource/mcp. This endpoint isn't implemented.

Setting these useOAuth values to false will show the correct OAuth Required status, but connecting to the server during startup fails with Transport error: fetch failed and no request hitting my server. Trying to track this down further at the moment but posting in case you can point me in the right direction.

[danny-avila]

It seems to me everything is working as expected but there is some confusion here as to what the configurations are meant for.

If users are able to connect manually to your MCP server, the connection is working fine.

See this comment for more info: #9131 (comment)

tl;dr, the startup field is for determining whether a connection should be shared by all users and therefore initialized at startup, so that should be set to true (and we are thinking of renaming this).

And requiresOAuth is for allowing the system to determine right away whether oauth is needed or not, because it will attempt an oauth connection by default according to MCP spec.

Let me know what happens when you try this config, if you intend to share the connection to all users:

version: 1.2.8
mcpServers:
  myserver:
    type: "streamable-http"
    url: http://host.docker.internal:8000/mcp/
    requiresOAuth: false
    startup: true
    timeout: 300000
    headers:
      Authorization: "Bearer ${MCP_API_TOKEN}"

[knightjdr]

This is the configuration I was after and is working locally and in production. Thank you and sorry for the confusion.