mcp-server

Paused

App Files Files Community

NiWaRe commited on Sep 17, 2025

Commit

d097b9a

verified ·

1 Parent(s): 7d190a0

Update AUTH_README.md

Browse files

Files changed (1) hide show

AUTH_README.md +17 -42

AUTH_README.md CHANGED Viewed

@@ -33,8 +33,8 @@ Authorization: Bearer YOUR_WANDB_API_KEY
 In Mistral LeChat, add a Custom MCP Connector:
-1. **Server URL**: `https://your-space.hf.space/mcp`
-2. **Authentication**: Choose "HTTP Bearer Token"
 3. **Token**: Enter your W&B API key
 ### Claude Desktop / Cursor
@@ -46,7 +46,7 @@ Configure in your MCP settings:
   "mcpServers": {
     "wandb": {
       "transport": "http",
-      "url": "http://localhost:8080/mcp",
       "headers": {
         "Authorization": "Bearer YOUR_WANDB_API_KEY",
         "Accept": "application/json, text/event-stream"
@@ -67,7 +67,7 @@ import requests
 # Initialize MCP session
 response = requests.post(
-    "http://localhost:8080/mcp",
     headers={
         "Authorization": "Bearer YOUR_WANDB_API_KEY",
         "Accept": "application/json, text/event-stream",
@@ -82,41 +82,28 @@ response = requests.post(
 )
 ```
-## Security Considerations
-### Non-Expiring API Keys
-W&B API keys don't expire by default, similar to GitHub Personal Access Tokens or OpenAI API keys. This is a design choice by W&B for developer convenience.
-**Best Practices:**
-- Rotate keys regularly (quarterly recommended)
-- Use separate keys for different services
-- Monitor usage at [wandb.ai/settings](https://wandb.ai/settings)
-- Revoke compromised keys immediately
-- Never commit keys to version control
-### Multi-User Deployment
-For HuggingFace Spaces or shared deployments:
-- Server requires no API key configuration
-- Each user provides their own key
-- Keys are used transiently per request
-- No keys are stored or logged
-## OAuth: Why We Can't Support Full OAuth 2.0
-### What We Tried
-We attempted to implement OAuth 2.0 support to provide a seamless authentication experience, especially for clients like Mistral LeChat that expect OAuth for custom connectors. This included:
 1. **OAuth Discovery Endpoints**: `/.well-known/oauth-authorization-server`
 2. **Authorization Flow**: Redirect to W&B's Auth0 login
 3. **Token Exchange**: Accept W&B API keys as "access tokens"
 4. **Device Flow**: Guide users to get their API key
-### Why It Doesn't Work
-**Fundamental Limitations:**
 1. **W&B Doesn't Provide OAuth for Third Parties**
    - W&B uses Auth0 internally but doesn't allow third-party OAuth client registration
@@ -133,8 +120,6 @@ We attempted to implement OAuth 2.0 support to provide a seamless authentication
    - W&B's Auth0 instance (`wandb.auth0.com`) doesn't know about our server
    - Can't validate tokens or handle callbacks
-### What Would Be Needed for Full OAuth
 For proper OAuth 2.0 support, W&B would need to:
 1. **Allow OAuth Client Registration**
@@ -152,16 +137,6 @@ For proper OAuth 2.0 support, W&B would need to:
    - Revocation endpoint for invalidating tokens
    - JWKS endpoint for JWT validation
-### Current Solution
-Given these limitations, we use W&B API keys directly as Bearer tokens. This approach:
-- ✅ Works with all W&B functionality
-- ✅ Compatible with MCP specification
-- ✅ Simple and reliable
-- ✅ Follows industry patterns (GitHub, OpenAI)
-- ❌ Requires manual key management
-- ❌ No automatic token refresh
 ## Troubleshooting
 ### Common Issues

 In Mistral LeChat, add a Custom MCP Connector:
+1. **Server URL**: `https://niware-wandb-mcp-server.hf.space/mcp`
+2. **Authentication**: Choose "API Key Authentication"
 3. **Token**: Enter your W&B API key
 ### Claude Desktop / Cursor
   "mcpServers": {
     "wandb": {
       "transport": "http",
+      "url": "https://niware-wandb-mcp-server.hf.space/mcp",
       "headers": {
         "Authorization": "Bearer YOUR_WANDB_API_KEY",
         "Accept": "application/json, text/event-stream"
 # Initialize MCP session
 response = requests.post(
+    "https://niware-wandb-mcp-server.hf.space/mcp",
     headers={
         "Authorization": "Bearer YOUR_WANDB_API_KEY",
         "Accept": "application/json, text/event-stream",
 )
 ```
+## OAuth: WIP
+### Current Solution
+We currently use W&B API keys directly as Bearer tokens. This approach:
+- ✅ Works with all W&B functionality
+- ✅ Compatible with MCP specification
+- ✅ Simple and reliable
+- ✅ Follows industry patterns (GitHub, OpenAI)
+- ❌ Requires manual key management
+- ❌ No automatic token refresh
+### Tests
+We attempted to implement a OAuth-assisted authentication flow (clients like ChatGPT would forward to login in the beginning):
 1. **OAuth Discovery Endpoints**: `/.well-known/oauth-authorization-server`
 2. **Authorization Flow**: Redirect to W&B's Auth0 login
 3. **Token Exchange**: Accept W&B API keys as "access tokens"
 4. **Device Flow**: Guide users to get their API key
+### Still WIP
+We're running into some issues with the OAuth-assisted approach we tried out (forward clients to wandb.ai/protect and return OAuth style metdata) - with some issus:
 1. **W&B Doesn't Provide OAuth for Third Parties**
    - W&B uses Auth0 internally but doesn't allow third-party OAuth client registration
    - W&B's Auth0 instance (`wandb.auth0.com`) doesn't know about our server
    - Can't validate tokens or handle callbacks
 For proper OAuth 2.0 support, W&B would need to:
 1. **Allow OAuth Client Registration**
    - Revocation endpoint for invalidating tokens
    - JWKS endpoint for JWT validation
 ## Troubleshooting
 ### Common Issues