Checks on baseURL and every outbound request host:
--allow-fileOptional runtime gate (--dns-rebind-protect): rejects requests whose Host header or remote address fall outside the allowlist (default includes bound host, localhost, loopback). Extend with --allow-host.
--protected enables:
WWW-Authenticate: Bearer challenges for unauthenticated endpoints--token-audience) & issuer (--auth-issuer) validation if supplied--jwks-uri, RS256) unless --insecure-unsigned-tokens.When combined with --auth-server and flags:
POST /register (--proxy-register) proxies dynamic client registrationPOST /oauth/token (--proxy-oauth) proxies token grants (client_credentials, authorization_code, refresh_token) and stores resulting tokens automatically when server id provided in payload.Disabled unless --allow-file; guarded by path containment check to prevent directory traversal.
Credentials listed via metrics/auth tools with masked values. File store optionally AES-GCM encrypted (MCP_CRED_KEY). Environment auto-import (prefix OAS_MCP_) ingests credentials per security scheme on first instantiation.
Access tokens (client credentials / refresh flows) are refreshed ~30s before expiry when possible; failures are non-fatal (tool call may later surface 401).
Resource registry emits debounced hash-based resources/list_changed notifications including changed names for efficient client cache invalidation.
MCP_CRED_KEY regularly (re-encrypt store)--insecure-unsigned-tokens outside test environments--allow-host * patterns; enumerate explicit hosts