From 86c8d54f47d8cbe73c679c796667fde01cb91d5b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A9l=20Solano?= <joelsolano@jsolano.de>
Date: Sat, 29 Nov 2025 03:45:33 +0100
Subject: [PATCH] fix(mcp): return origin url as authorization server (#6397)

---
 packages/better-auth/src/plugins/mcp/index.ts    | 5 +++--
 packages/better-auth/src/plugins/mcp/mcp.test.ts | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/packages/better-auth/src/plugins/mcp/index.ts b/packages/better-auth/src/plugins/mcp/index.ts
index dabc5a9b80..c1bc0f6349 100644
--- a/packages/better-auth/src/plugins/mcp/index.ts
+++ b/packages/better-auth/src/plugins/mcp/index.ts
@@ -93,10 +93,11 @@ export const getMCPProtectedResourceMetadata = (
 	options?: MCPOptions | undefined,
 ) => {
 	const baseURL = ctx.context.baseURL;
+	const origin = new URL(baseURL).origin;
 
 	return {
-		resource: options?.resource ?? new URL(baseURL).origin,
-		authorization_servers: [baseURL],
+		resource: options?.resource ?? origin,
+		authorization_servers: [origin],
 		jwks_uri: options?.oidcConfig?.metadata?.jwks_uri ?? `${baseURL}/mcp/jwks`,
 		scopes_supported: options?.oidcConfig?.metadata?.scopes_supported ?? [
 			"openid",
diff --git a/packages/better-auth/src/plugins/mcp/mcp.test.ts b/packages/better-auth/src/plugins/mcp/mcp.test.ts
index 43d112dfe7..2183c16c32 100644
--- a/packages/better-auth/src/plugins/mcp/mcp.test.ts
+++ b/packages/better-auth/src/plugins/mcp/mcp.test.ts
@@ -368,10 +368,11 @@ describe("mcp", async () => {
 		const metadata = await serverClient.$fetch(
 			"/.well-known/oauth-protected-resource",
 		);
+		const origin = new URL(baseURL).origin;
 
 		expect(metadata.data).toMatchObject({
-			resource: baseURL,
-			authorization_servers: [`${baseURL}/api/auth`],
+			resource: origin,
+			authorization_servers: [origin],
 			jwks_uri: `${baseURL}/api/auth/mcp/jwks`,
 			scopes_supported: ["openid", "profile", "email", "offline_access"],
 			bearer_methods_supported: ["header"],