Why enterprise login blocked a self-hosted MCP server
A self-hosted MCP server for fetching many websites needed to be reachable from Claude.ai and ChatGPT. It could not be left open to everyone because it contained OpenRouter keys.
Protecting it with caused the connection to fail before any login page appeared. An MCP client first looks for OAuth details at `/.well-known/oauth-protected-resource`, then tries to register itself automatically with the server.
is not an server that supports this dynamic client registration, so the process stops. The same problem appeared at work when an API-key-only MCP server needed to connect to a production AI agent and other developers, because company security rules prohibited that type of API key connection.
Key points
- Do not expose an MCP server publicly when it contains OpenRouter keys.
- first discover OAuth settings at a standard web address.
- The server must support dynamic client registration for this flow.
- alone did not meet that MCP requirement.
- Workplace security rules may reject API-key-only connections to s.