docs: add consent-skip allowlist section to gateway dashboard guide #982

Open
wdawson wants to merge 10 commits into wils/gro-93-docs-configuring-user-sources-guide from wils/gro-99-docs-client-id-reference-for-consent-skip-allowlist

@wdawson wdawson commented May 22, 2026

Summary

Adds an inline Skip consent for trusted MCP clients section to app/en/guides/mcp-gateways/create-via-dashboard/page.mdx, with a starter table of confirmed MCP client IDs and guidance on finding client IDs for unlisted clients. Cross-link added from the User Sources overview.

Closes GRO-99. Part of the GRO-75 umbrella.

Targeting

Targets wils/gro-93-docs-configuring-user-sources-guide (the GRO-75 integration branch), not main. The umbrella PR (#978) is the one that eventually merges to main.

Rescope vs. original GRO-99

Originally scoped as a standalone reference page. After investigating actual CIMD adoption across the documented MCP clients, the only stable, publicly verifiable client IDs are:

  • Claude (Claude Desktop + Claude.ai): https://claude.ai/oauth/mcp-oauth-client-metadata (also referenced in the dashboard form's tooltip)
  • Visual Studio Code: https://vscode.dev/oauth/client-metadata.json

Cursor, GitHub Copilot, Codex, and Claude Code all currently rely on Dynamic Client Registration with ephemeral client IDs — no stable value to allowlist. A separate reference page would be too thin to justify. Inline keeps it adjacent to the form field, and the table is easy to extend when more clients adopt CIMD.

Decisions worth flagging

  • Section heading matches the form's label-style wording ("Skip consent for trusted MCP clients") for discoverability.
  • Field applicability documented as Arcade Auth or User Source (not Arcade Headers), matching the actual if (!byoaEnabled || authType === "arcade_header") return null; visibility check in consent-skip-client-ids-field.tsx.
  • Cross-linked CIMD and DCR RFC drafts for readers who want to dig in.
  • User Sources overview gets a one-line pointer rather than a re-explanation.

Test plan

  • pnpm build: /en/guides/mcp-gateways/create-via-dashboard and /en/guides/user-sources render in route table
  • Vale clean on the User Sources page; the pre-existing <YOUR-GATEWAY-SLUG> MDX parser issue on create-via-dashboard/page.mdx blocks Vale but is out of scope for this PR
  • Reviewer to spot-check the section copy and the two CIMD URLs
  • Reviewer to confirm the field visibility statement (Arcade Auth or User Source, not Arcade Headers) matches the dashboard behavior

🤖 Generated with Claude Code


Note

Low Risk
Docs-only changes that add guidance for an OAuth consent-skip allowlist and adjust example URL formatting; no runtime behavior is modified.

Overview
Adds documentation for the “Skip consent for trusted MCP clients” gateway setting, explaining when it applies (Arcade Auth/User Source only), how client IDs are determined (CIMD vs Dynamic Client Registration), and providing a starter table of known client_id values.

Updates the dashboard creation guide to link to this new section and standardizes gateway URL examples to use {YOUR-GATEWAY-SLUG} formatting.

Reviewed by Cursor Bugbot for commit 5fab043. Bugbot is set up for automated code reviews on this repo. Configure here.
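
An added example, not code from this PR or from Arcade: one way an allowlist like the one described above could be validated and applied, showing why a DCR-issued ID gives nothing stable to allowlist and why matching is on the literal client_id string. The auth-type names other than "arcade_header", the URL-shape rules, and the "dcr-7f3a9c" entry are assumptions or constructed values; only the two client ID URLs come from the PR description.

```typescript
// Added example with hypothetical names; only "arcade_header" is from the page.
type AuthType = "arcade_auth" | "user_source" | "arcade_header";
interface AllowlistReport {
  accepted: string[];
  rejected: { value: string; reason: string }[];
}
function parseUrl(value: string): URL | null {
  try { return new URL(value); } catch { return null; }
}

// Assumed rules: a CIMD client_id is an https URL with a path and no
// credentials or fragment. Anything else cannot be a stable allowlist entry.
function rejectReason(value: string): string | null {
  const url = parseUrl(value);
  if (url === null) return "not a URL; DCR-issued IDs are ephemeral";
  if (url.protocol !== "https:") return "must use https";
  if (url.username !== "" || url.password !== "") return "must not embed credentials";
  if (url.hash !== "") return "must not carry a fragment";
  if (url.pathname === "/") return "must include a path";
  return null;
}

// Validate what an admin typed into the allowlist field, dropping duplicates.
function buildAllowlist(entries: string[]): AllowlistReport {
  const report: AllowlistReport = { accepted: [], rejected: [] };
  for (const raw of entries) {
    const value = raw.trim();
    if (value === "" || report.accepted.indexOf(value) !== -1) continue;
    const reason = rejectReason(value);
    if (reason === null) report.accepted.push(value);
    else report.rejected.push({ value, reason });
  }
  return report;
}

// Skip consent only on an exact, case-sensitive match, never for Arcade Headers.
function shouldSkipConsent(authType: AuthType, clientId: string, allowlist: string[]): boolean {
  if (authType === "arcade_header") return false;
  return allowlist.indexOf(clientId) !== -1;
}

// Constructed input: two IDs from the PR description plus two bad entries.
const SAMPLE = buildAllowlist([
  "https://claude.ai/oauth/mcp-oauth-client-metadata",
  "https://vscode.dev/oauth/client-metadata.json",
  "dcr-7f3a9c",
  "http://vscode.dev/oauth/client-metadata.json",
]);
console.log(SAMPLE.rejected);
```
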

…GRO-99)

Inline section explaining the "Skip consent for trusted clients" field
on the gateway form, with a starter table of confirmed MCP client IDs
(Claude, Visual Studio Code) and guidance on finding client IDs for
unlisted clients. Cross-link from the User Sources overview.

Rescoped from a standalone reference page after investigation — the
CIMD ecosystem is too early (May 2026) to justify a separate page, but
the table can grow as more clients adopt CIMD.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

vercel Bot commented May 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
docs | Ready | Preview, Comment | May 22, 2026 8:16pm

@github-actions github-actions Bot left a comment

Style Review

Found 3 style suggestion(s).

Powered by Vale + Claude

Comment thread app/en/guides/mcp-gateways/create-via-dashboard/page.mdx Outdated
Comment thread app/en/guides/mcp-gateways/create-via-dashboard/page.mdx Outdated
Comment thread app/en/guides/mcp-gateways/create-via-dashboard/page.mdx Outdated

Claude Code publishes its own CIMD at
https://claude.ai/oauth/claude-code-client-metadata (verified, distinct
client_name 'Claude Code'), separate from the Claude Desktop / Claude.ai
metadata document.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

wdawson and others added 2 commits May 22, 2026 12:20

- Add Goose row (https://goose-docs.ai/oauth/client-metadata.json),
  verified against Arcade infrastructure-observed traffic
- Add one-liner above the table making it explicit the values are the
  literal client_id strings sent in OAuth authorize requests

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Arcade has observed only 2-3 token fetches with the Goose client_id in
the last 3 months — not enough signal to call it a client admins will
want to allowlist. Easy to add back if traffic picks up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- Move "Skip consent for trusted MCP clients" from
  create-via-dashboard/page.mdx to mcp-gateways/page.mdx where it lives
  as a core concept alongside the Authentication section
- Drop the "intentionally short / CIMD is early" paragraph after the
  table — CIMD has been recommended long enough that the framing was
  off
- Address style review on PR #982:
  - Drop em-dashes around clauses (Google.EmDash) in two spots
  - Replace "We expect" with direct phrasing (Google.We)
  - Reword "can be allowlisted" / "is generated" passive voice and
    drop the weasel "usually"
- Drop the YOUR-GATEWAY-SLUG placeholder that was causing Vale's MDX
  parser to abort on these files
- Update the User Sources overview cross-link to the new section anchor

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

wdawson and others added 2 commits May 22, 2026 12:49

Replace the long "The Skip consent for trusted clients (optional) field on
the gateway form lets you allowlist..." phrasing with "This feature lets
you allowlist..." since the section heading already establishes which
field this is about.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Reframe to describe what DCR-using clients lack (a stable client_id)
rather than make a distributional claim about MCP clients we can't back
up. Same fact, more honest framing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…yntax

your-gateway-slug -> {your-gateway-slug} in both the Connect to an MCP
Gateway example and the create-via-dashboard After Creating a Gateway
example. Standard URL-template / OpenAPI placeholder syntax — visually
distinct without re-introducing the <YOUR-GATEWAY-SLUG> Vale parser
crash.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Uppercase plus curly braces — visually loud like the original
<YOUR-GATEWAY-SLUG> form, but braces protect from the MDX parser
crash that the angle-bracket form caused.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The link wasn't pulling its weight — readers landing on the User
Sources page aren't reaching for consent-skip details. Keep that
material localized to the gateway page.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@wdawson wdawson marked this pull request as ready for review May 22, 2026 20:15
@wdawson wdawson requested a review from vfanelle May 22, 2026 20:15