fix: handle URL-encoded token responses from OAuth providers

[giulio-leone]

Summary

Some OAuth providers (e.g. GitHub) return token endpoint responses in application/x-www-form-urlencoded format instead of JSON. The SDK calls response.json() unconditionally, causing a SyntaxError when the response is URL-encoded.

Root Cause

In executeTokenRequest(), line 1246:

return OAuthTokensSchema.parse(await response.json());

While the SDK already sends Accept: application/json (which handles compliant servers like GitHub), some OAuth providers may still return URL-encoded responses regardless of the Accept header.

Fix

Added parseTokenResponse() helper that checks the response Content-Type header:

• application/x-www-form-urlencoded: Parses with URLSearchParams and converts to a plain object
• Everything else (including application/json and missing header): Falls through to response.json() (existing behavior, fully backward-compatible)

The OAuthTokensSchema uses z.coerce.number() for expires_in, so string values from URL-encoded responses are automatically coerced to numbers.

Tests

Added 3 new tests in exchangeAuthorization:

• URL-encoded response with content-type: application/x-www-form-urlencoded
• URL-encoded response with expires_in as string (coerced to number)
• JSON response with explicit content-type: application/json (regression test)

Verification

2 consecutive clean test runs: 1550/1550 tests passed, 0 failures.

Fixes #759

[changeset-bot]

🦋 Changeset detected

Latest commit: f465500

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@modelcontextprotocol/sdk@1599

commit: 1340923

[giulio-leone]

All CI checks pass. Ready for review.