mcp: document RBAC and mcp.enabled

docs/admin/access-control/index.mdx

@@ -14,7 +14,7 @@
 	same repository access on Sourcegraph as your code host.
 </Callout>
 
-Sourcegraph uses [Role-Based Access Control (RBAC)](https://en.wikipedia.org/wiki/Role-based_access_control) to enable fine-grained control over different features and abilities of Sourcegraph, without having to modify permissions for each user individually. Currently, the scope of permissions control is limited to [Batch Changes](/admin/access-control/batch-changes) functionality, but it will be expanded to other areas in the future.
+Sourcegraph uses [Role-Based Access Control (RBAC)](https://en.wikipedia.org/wiki/Role-based_access_control) to enable fine-grained control over different features and abilities of Sourcegraph, without having to modify permissions for each user individually. RBAC currently covers several areas, including [Batch Changes](/admin/access-control/batch-changes), [service accounts](/admin/service-accounts), and [Sourcegraph MCP Server access](/api/mcp#availability-and-access-control), and it will expand to other areas over time.
 
 ## Managing roles and permissions
 
@@ -43,6 +43,7 @@ You can read about the specific permission types available for each RBAC-enabled
 
 -   [Batch Changes](/admin/access-control/batch-changes)
 -   [Service accounts](/admin/service-accounts)
+-   [Sourcegraph MCP Server](/api/mcp#availability-and-access-control)
 
 ### Deleting a role
 

docs/admin/oauth-apps.mdx

@@ -91,14 +91,15 @@ When creating an OAuth app, select the minimum scopes necessary for your applica
 
 ## OAuth endpoints reference
 
-| Endpoint             | URL                                                           |
-| -------------------- | ------------------------------------------------------------- |
-| Authorization        | `https://sourcegraph.example.com/.auth/idp/oauth/authorize`   |
-| Token                | `https://sourcegraph.example.com/.auth/idp/oauth/token`       |
-| Device Authorization | `https://sourcegraph.example.com/.auth/idp/oauth/device/code` |
-| Token Revocation     | `https://sourcegraph.example.com/.auth/idp/oauth/revoke`      |
-| Token Introspection  | `https://sourcegraph.example.com/.auth/idp/oauth/introspect`  |
-| User Info            | `https://sourcegraph.example.com/.auth/idp/oauth/userinfo`    |
+| Endpoint                    | URL                                                           |
+|-----------------------------|---------------------------------------------------------------|
+| Authorization               | `https://sourcegraph.example.com/.auth/idp/oauth/authorize`   |
+| Dynamic Client Registration | `https://sourcegraph.example.com/.auth/idp/oauth/register`    |
+| Token                       | `https://sourcegraph.example.com/.auth/idp/oauth/token`       |
+| Device Authorization        | `https://sourcegraph.example.com/.auth/idp/oauth/device/code` |
+| Token Revocation            | `https://sourcegraph.example.com/.auth/idp/oauth/revoke`      |
+| Token Introspection         | `https://sourcegraph.example.com/.auth/idp/oauth/introspect`  |
+| User Info                   | `https://sourcegraph.example.com/.auth/idp/oauth/userinfo`    |
 
 ## OAuth Flow Examples
 
@@ -359,3 +360,23 @@ curl -X POST https://sourcegraph.example.com/.auth/idp/oauth/revoke \
   -d "client_id=YOUR_CLIENT_ID" \
   -d "client_secret=YOUR_CLIENT_SECRET" # Only for private clients
 ```
+
+## Dynamic Client Registration for MCP
+
+Sourcegraph also supports OAuth 2.0 Dynamic Client Registration (RFC 7591) at
+`/.auth/idp/oauth/register` for MCP clients that can self-register.
+
+This endpoint can be disabled by setting either `mcp.enabled` or
+`auth.idpDynamicClientRegistrationEnabled` to `false`.
+
+Applications created through Dynamic Client Registration are limited to the
+`mcp` scope. For general OAuth integrations that need scopes such as
+`user:all`, `openid`, or `offline_access`, create an OAuth app manually.
+
+<Callout type="note">
+	To disable self-registration, set
+	`auth.idpDynamicClientRegistrationEnabled` to `false`. If `mcp.enabled` is
+	`false`, Dynamic Client Registration is also unavailable. See
+	[MCP authentication and access control](/api/mcp#availability-and-access-control)
+	for the MCP-specific behavior.
+</Callout>

docs/api/mcp/index.mdx

@@ -92,14 +92,17 @@ If your agent doesn't support Dynamic Client Registration, you can manually crea
 
 <Accordion title="Disabling Dynamic Client Registration">
 
-To disable DCR, set the following site configuration:
+To disable DCR while leaving MCP available, set the following site configuration:
 
 ```json
 {
 	"auth.idpDynamicClientRegistrationEnabled": false
 }
 ```
 
+If `mcp.enabled` is `false`, DCR is also unavailable and the registration
+endpoint returns `404`.
+
 </Accordion>
 
 ### Access Tokens
@@ -115,6 +118,66 @@ Authorization: token YOUR_ACCESS_TOKEN
 	only.
 </Callout>
 
+## Availability and Access Control
+
+Admins can control MCP at three levels:
+
+- Site configuration: `mcp.enabled` enables or disables the MCP HTTP endpoints.
+- OAuth Dynamic Client Registration: `auth.idpDynamicClientRegistrationEnabled` controls whether OAuth clients can self-register; it is effectively disabled whenever `mcp.enabled` is `false`.
+- RBAC: users must have the `MCP#ACCESS` permission to use MCP.
+
+### Site-Level Enablement
+
+Use the `mcp.enabled` site configuration to turn the MCP server on or off for the entire instance:
+
+```json
+{
+	"mcp.enabled": true
+}
+```
+
+`mcp.enabled` defaults to `true`. When set to `false`, requests to `/.api/mcp`
+and its subpaths return `404 no route`.
+
+### OAuth Dynamic Client Registration
+
+Use `auth.idpDynamicClientRegistrationEnabled` to control whether compatible
+OAuth clients can self-register against the Sourcegraph identity provider:
+
+```json
+{
+	"auth.idpDynamicClientRegistrationEnabled": true
+}
+```
+
+`auth.idpDynamicClientRegistrationEnabled` defaults to `true`, but it is
+treated as `false` whenever `mcp.enabled` is `false`. When DCR is unavailable,
+requests to `/.auth/idp/oauth/register` return `404 not found`.
+
+### Restricting MCP with RBAC
+
+When MCP is enabled, Sourcegraph also checks the `MCP#ACCESS` permission before
+serving MCP requests. Users without that permission receive `403 forbidden`.
+
+By default, `MCP#ACCESS` is granted to the built-in `User` system role, so all
+signed-in users can access MCP unless an admin changes the default role
+permissions.
+
+To restrict MCP to a subset of users:
+
+1. Open **Site admin > Users & auth > Roles**.
+2. Edit the built-in **User** role and remove the `MCP > ACCESS` permission if you want MCP denied by default.
+3. Create a custom role that includes `MCP > ACCESS`.
+4. Assign that role to the users who should be allowed to use MCP.
+
+See [Access control](/admin/access-control) for more about managing roles and permissions.
+
+<Callout type="info">
+	MCP access control is separate from [repository permissions](/admin/permissions/).
+	Users can only read data from repositories they are already allowed to access
+	in Sourcegraph.
+</Callout>
+
 ## Available Tools
 
 <Callout type="info">

docs/technical-changelog.mdx

@@ -497,7 +497,7 @@ There were no uncategorized changes for this release
 #### Auth
 
 -   add site setting auth.idpDynamicClientRegistrationEnabled `(PR #8336)`
-    -   Sourcegraph now supports OAuth 2.0 Dynamic Client Registration (RFC 7591). This makes it easier to authenticate against Sourcegraph from an MCP client. As an administrator you must set `auth.idpDynamicClientRegistrationEnabled` to `true` in your site settings.
+    -   Sourcegraph now supports OAuth 2.0 Dynamic Client Registration (RFC 7591) for MCP clients. The feature is controlled by `auth.idpDynamicClientRegistrationEnabled` and is effectively disabled when `mcp.enabled` is `false`.
 
 #### Code Nav