diff --git a/docs/admin/access-control/index.mdx b/docs/admin/access-control/index.mdx
index 87382e8f3..ff98aecf8 100644
--- a/docs/admin/access-control/index.mdx
+++ b/docs/admin/access-control/index.mdx
@@ -14,7 +14,7 @@
same repository access on Sourcegraph as your code host.
-Sourcegraph uses [Role-Based Access Control (RBAC)](https://en.wikipedia.org/wiki/Role-based_access_control) to enable fine-grained control over different features and abilities of Sourcegraph, without having to modify permissions for each user individually. Currently, the scope of permissions control is limited to [Batch Changes](/admin/access-control/batch-changes) functionality, but it will be expanded to other areas in the future.
+Sourcegraph uses [Role-Based Access Control (RBAC)](https://en.wikipedia.org/wiki/Role-based_access_control) to enable fine-grained control over different features and abilities of Sourcegraph, without having to modify permissions for each user individually. RBAC currently covers several areas, including [Batch Changes](/admin/access-control/batch-changes), [service accounts](/admin/service-accounts), and [Sourcegraph MCP Server access](/api/mcp#availability-and-access-control), and it will expand to other areas over time.
## Managing roles and permissions
@@ -43,6 +43,7 @@ You can read about the specific permission types available for each RBAC-enabled
- [Batch Changes](/admin/access-control/batch-changes)
- [Service accounts](/admin/service-accounts)
+- [Sourcegraph MCP Server](/api/mcp#availability-and-access-control)
### Deleting a role
diff --git a/docs/admin/oauth-apps.mdx b/docs/admin/oauth-apps.mdx
index d0df6f6fc..b5cc061da 100644
--- a/docs/admin/oauth-apps.mdx
+++ b/docs/admin/oauth-apps.mdx
@@ -91,14 +91,15 @@ When creating an OAuth app, select the minimum scopes necessary for your applica
## OAuth endpoints reference
-| Endpoint | URL |
-| -------------------- | ------------------------------------------------------------- |
-| Authorization | `https://sourcegraph.example.com/.auth/idp/oauth/authorize` |
-| Token | `https://sourcegraph.example.com/.auth/idp/oauth/token` |
-| Device Authorization | `https://sourcegraph.example.com/.auth/idp/oauth/device/code` |
-| Token Revocation | `https://sourcegraph.example.com/.auth/idp/oauth/revoke` |
-| Token Introspection | `https://sourcegraph.example.com/.auth/idp/oauth/introspect` |
-| User Info | `https://sourcegraph.example.com/.auth/idp/oauth/userinfo` |
+| Endpoint | URL |
+|-----------------------------|---------------------------------------------------------------|
+| Authorization | `https://sourcegraph.example.com/.auth/idp/oauth/authorize` |
+| Dynamic Client Registration | `https://sourcegraph.example.com/.auth/idp/oauth/register` |
+| Token | `https://sourcegraph.example.com/.auth/idp/oauth/token` |
+| Device Authorization | `https://sourcegraph.example.com/.auth/idp/oauth/device/code` |
+| Token Revocation | `https://sourcegraph.example.com/.auth/idp/oauth/revoke` |
+| Token Introspection | `https://sourcegraph.example.com/.auth/idp/oauth/introspect` |
+| User Info | `https://sourcegraph.example.com/.auth/idp/oauth/userinfo` |
## OAuth Flow Examples
@@ -359,3 +360,23 @@ curl -X POST https://sourcegraph.example.com/.auth/idp/oauth/revoke \
-d "client_id=YOUR_CLIENT_ID" \
-d "client_secret=YOUR_CLIENT_SECRET" # Only for private clients
```
+
+## Dynamic Client Registration for MCP
+
+Sourcegraph also supports OAuth 2.0 Dynamic Client Registration (RFC 7591) at
+`/.auth/idp/oauth/register` for MCP clients that can self-register.
+
+This endpoint can be disabled by setting either `mcp.enabled` or
+`auth.idpDynamicClientRegistrationEnabled` to `false`.
+
+Applications created through Dynamic Client Registration are limited to the
+`mcp` scope. For general OAuth integrations that need scopes such as
+`user:all`, `openid`, or `offline_access`, create an OAuth app manually.
+
+
+ To disable self-registration, set
+ `auth.idpDynamicClientRegistrationEnabled` to `false`. If `mcp.enabled` is
+ `false`, Dynamic Client Registration is also unavailable. See
+ [MCP authentication and access control](/api/mcp#availability-and-access-control)
+ for the MCP-specific behavior.
+
diff --git a/docs/api/mcp/index.mdx b/docs/api/mcp/index.mdx
index 507b05dad..a19d7cd24 100644
--- a/docs/api/mcp/index.mdx
+++ b/docs/api/mcp/index.mdx
@@ -92,7 +92,7 @@ If your agent doesn't support Dynamic Client Registration, you can manually crea
-To disable DCR, set the following site configuration:
+To disable DCR while leaving MCP available, set the following site configuration:
```json
{
@@ -100,6 +100,9 @@ To disable DCR, set the following site configuration:
}
```
+If `mcp.enabled` is `false`, DCR is also unavailable and the registration
+endpoint returns `404`.
+
### Access Tokens
@@ -115,6 +118,66 @@ Authorization: token YOUR_ACCESS_TOKEN
only.
+## Availability and Access Control
+
+Admins can control MCP at three levels:
+
+- Site configuration: `mcp.enabled` enables or disables the MCP HTTP endpoints.
+- OAuth Dynamic Client Registration: `auth.idpDynamicClientRegistrationEnabled` controls whether OAuth clients can self-register; it is effectively disabled whenever `mcp.enabled` is `false`.
+- RBAC: users must have the `MCP#ACCESS` permission to use MCP.
+
+### Site-Level Enablement
+
+Use the `mcp.enabled` site configuration to turn the MCP server on or off for the entire instance:
+
+```json
+{
+ "mcp.enabled": true
+}
+```
+
+`mcp.enabled` defaults to `true`. When set to `false`, requests to `/.api/mcp`
+and its subpaths return `404 no route`.
+
+### OAuth Dynamic Client Registration
+
+Use `auth.idpDynamicClientRegistrationEnabled` to control whether compatible
+OAuth clients can self-register against the Sourcegraph identity provider:
+
+```json
+{
+ "auth.idpDynamicClientRegistrationEnabled": true
+}
+```
+
+`auth.idpDynamicClientRegistrationEnabled` defaults to `true`, but it is
+treated as `false` whenever `mcp.enabled` is `false`. When DCR is unavailable,
+requests to `/.auth/idp/oauth/register` return `404 not found`.
+
+### Restricting MCP with RBAC
+
+When MCP is enabled, Sourcegraph also checks the `MCP#ACCESS` permission before
+serving MCP requests. Users without that permission receive `403 forbidden`.
+
+By default, `MCP#ACCESS` is granted to the built-in `User` system role, so all
+signed-in users can access MCP unless an admin changes the default role
+permissions.
+
+To restrict MCP to a subset of users:
+
+1. Open **Site admin > Users & auth > Roles**.
+2. Edit the built-in **User** role and remove the `MCP > ACCESS` permission if you want MCP denied by default.
+3. Create a custom role that includes `MCP > ACCESS`.
+4. Assign that role to the users who should be allowed to use MCP.
+
+See [Access control](/admin/access-control) for more about managing roles and permissions.
+
+
+ MCP access control is separate from [repository permissions](/admin/permissions/).
+ Users can only read data from repositories they are already allowed to access
+ in Sourcegraph.
+
+
## Available Tools
diff --git a/docs/technical-changelog.mdx b/docs/technical-changelog.mdx
index bbb202928..9b41994ed 100644
--- a/docs/technical-changelog.mdx
+++ b/docs/technical-changelog.mdx
@@ -497,7 +497,7 @@ There were no uncategorized changes for this release
#### Auth
- add site setting auth.idpDynamicClientRegistrationEnabled `(PR #8336)`
- - Sourcegraph now supports OAuth 2.0 Dynamic Client Registration (RFC 7591). This makes it easier to authenticate against Sourcegraph from an MCP client. As an administrator you must set `auth.idpDynamicClientRegistrationEnabled` to `true` in your site settings.
+ - Sourcegraph now supports OAuth 2.0 Dynamic Client Registration (RFC 7591) for MCP clients. The feature is controlled by `auth.idpDynamicClientRegistrationEnabled` and is effectively disabled when `mcp.enabled` is `false`.
#### Code Nav