{"openapi":"3.1.0","info":{"title":"QENEX Remote MCP Server","version":"45.0.0"},"paths":{"/health":{"get":{"summary":"Health","operationId":"health_health_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/.well-known/oauth-protected-resource/{path}":{"get":{"summary":"Oauth Protected Resource","description":"OAuth 2.0 Protected Resource Metadata (RFC 9728).\n\nReturns resource URL matching the request origin so local and remote\nclients both pass the MCP protected-resource origin check.","operationId":"oauth_protected_resource__well_known_oauth_protected_resource__path__get","parameters":[{"name":"path","in":"path","required":true,"schema":{"type":"string","title":"Path"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/.well-known/oauth-protected-resource":{"get":{"summary":"Oauth Protected Resource","description":"OAuth 2.0 Protected Resource Metadata (RFC 9728).\n\nReturns resource URL matching the request origin so local and remote\nclients both pass the MCP protected-resource origin check.","operationId":"oauth_protected_resource__well_known_oauth_protected_resource_get","parameters":[{"name":"path","in":"query","required":false,"schema":{"type":"string","default":"","title":"Path"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/.well-known/oauth-authorization-server/{path}":{"get":{"summary":"Oauth Metadata","description":"OAuth 2.0 Authorization Server Metadata (RFC 8414).\n\nLocal AS — supports client_credentials (CLI/headless) and authorization_code\nwith PKCE (claude.ai web connector, RFC 7636).","operationId":"oauth_metadata__well_known_oauth_authorization_server__path__get","parameters":[{"name":"path","in":"path","required":true,"schema":{"type":"string","title":"Path"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/.well-known/oauth-authorization-server":{"get":{"summary":"Oauth Metadata","description":"OAuth 2.0 Authorization Server Metadata (RFC 8414).\n\nLocal AS — supports client_credentials (CLI/headless) and authorization_code\nwith PKCE (claude.ai web connector, RFC 7636).","operationId":"oauth_metadata__well_known_oauth_authorization_server_get","parameters":[{"name":"path","in":"query","required":false,"schema":{"type":"string","default":"","title":"Path"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/authorize":{"get":{"summary":"Authorize","description":"OAuth 2.0 Authorization Code + PKCE endpoint (RFC 7636).\n\nIssues a one-time authorization code stored in Redis, then redirects\nthe client to the redirect_uri with ?code=...&state=... appended.\nSupports first-party public clients only (no client_secret required).","operationId":"authorize_authorize_get","parameters":[{"name":"response_type","in":"query","required":false,"schema":{"type":"string","default":"","title":"Response Type"}},{"name":"client_id","in":"query","required":false,"schema":{"type":"string","default":"","title":"Client Id"}},{"name":"redirect_uri","in":"query","required":false,"schema":{"type":"string","default":"","title":"Redirect Uri"}},{"name":"code_challenge","in":"query","required":false,"schema":{"type":"string","default":"","title":"Code Challenge"}},{"name":"code_challenge_method","in":"query","required":false,"schema":{"type":"string","default":"S256","title":"Code Challenge Method"}},{"name":"state","in":"query","required":false,"schema":{"type":"string","default":"","title":"State"}},{"name":"scope","in":"query","required":false,"schema":{"type":"string","default":"mcp","title":"Scope"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/oauth/register":{"post":{"summary":"Oauth Register","description":"Dynamic Client Registration (RFC 7591) — stateless HMAC variant.\n\nIssues client_id + HMAC-derived client_secret. No Redis writes required:\nthe secret is fully deterministic from server secret + client_id, so\nvalidation at the token endpoint doesn't need a stored record.","operationId":"oauth_register_oauth_register_post","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/oauth/token":{"post":{"summary":"Oauth Token","description":"OAuth 2.0 Token Endpoint — client_credentials grant (RFC 6749).\n\nValidates client_id + HMAC-derived secret (stateless), then issues a\n64-char SSO session token validated by _mcp_auth Option 2.","operationId":"oauth_token_oauth_token_post","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}}},"components":{"schemas":{"HTTPValidationError":{"properties":{"detail":{"items":{"$ref":"#/components/schemas/ValidationError"},"type":"array","title":"Detail"}},"type":"object","title":"HTTPValidationError"},"ValidationError":{"properties":{"loc":{"items":{"anyOf":[{"type":"string"},{"type":"integer"}]},"type":"array","title":"Location"},"msg":{"type":"string","title":"Message"},"type":{"type":"string","title":"Error Type"}},"type":"object","required":["loc","msg","type"],"title":"ValidationError"}}}}