Warn when V2 server falls back to shared BEARER_TOKEN in dev mode

biswapm · biswapm · commit d5a2c42d2a00 · 2026-04-16T18:50:13.000+05:30
In dev, createDevTokenAcquirer previously ignored the resolved scope and
silently fell back to BEARER_TOKEN for all servers. V2 servers (distinct
audience) would receive a token scoped to the shared ATG audience and get
a 401 from the MCP server with no indication of why.

Now emits a console.warn identifying the server, the required scope, and
the exact env var to set (BEARER_TOKEN_&lt;SERVERNAME_UPPER&gt;) so the
misconfiguration is visible before hitting the 401.
diff --git a/packages/agents-a365-tooling/src/McpToolServerConfigurationService.ts b/packages/agents-a365-tooling/src/McpToolServerConfigurationService.ts
@@ -188,10 +188,23 @@ export class McpToolServerConfigurationService {
    *   1. BEARER_TOKEN_<MCPSERVERNAME_UPPER>  — per-server token (effective for V2 unique audiences)
    *   2. BEARER_TOKEN                         — shared fallback (V1 servers share one token)
    * Returns null when neither variable is set; no Authorization header is attached.
+   * Emits a warning when a V2 server (distinct audience) falls back to the shared BEARER_TOKEN,
+   * because that token is scoped to the shared ATG audience and will cause a 401 at the server.
    */
   private createDevTokenAcquirer(): TokenAcquirer {
-    return (server, _scope) => {
-      const token = this.configProvider.getConfiguration().getBearerTokenForServer(server.mcpServerName ?? '');
+    const sharedScope = this.configProvider.getConfiguration().mcpPlatformAuthenticationScope;
+    return (server, scope) => {
+      const serverName = server.mcpServerName ?? '';
+      const perServerEnvKey = `BEARER_TOKEN_${serverName.toUpperCase()}`;
+      const hasPerServerToken = !!process.env[perServerEnvKey];
+      const token = this.configProvider.getConfiguration().getBearerTokenForServer(serverName);
+      if (token && !hasPerServerToken && scope !== sharedScope) {
+        this.logger.warn(
+          `Dev: MCP server '${serverName}' requires scope '${scope}' but only BEARER_TOKEN is set. ` +
+          `The shared token is scoped to a different audience and will likely cause a 401. ` +
+          `Set ${perServerEnvKey} to a token acquired for the correct audience.`
+        );
+      }
       return Promise.resolve(token ?? null);
     };
   }
