Scenario Catalog
The test suite ships 35 scenarios across seven capability areas.
OAuth Auth Code + PKCE (6)

| ID | Scenario | Status |
|---|---|---|
| auth.auth_code_pkce_happy_path | Full happy path: discover → register → authorize → token exchange | Draft |
| auth.missing_pkce_challenge | Missing code_challenge → 400 | Draft |
| auth.wrong_pkce_verifier | Wrong code_verifier → invalid_grant | Draft |
| auth.reused_authorization_code | Reused code fails second exchange | Draft |
| auth.invalid_redirect_uri | Invalid redirect → error | Draft |
| auth.denied_consent | Consent denied → access_denied | Draft |

OAuth DCR (4)

| ID | Scenario | Status |
|---|---|---|
| dcr.happy_path | Minimal metadata registration | Draft |
| dcr.unsupported_grant_type | Unsupported grant → 400 | Draft |
| dcr.public_client_with_secret | Public client sends secret → 400 | Draft |
| dcr.invalid_scope | Unsupported scope → 400 | Draft |

OAuth CIMD (5)

| ID | Scenario | Status |
|---|---|---|
| cimd.happy_path | CIMD URL → server fetches metadata | Draft |
| cimd.non_https_rejected | HTTP URL in production → 400 | Draft |
| cimd.mismatched_client_id | Metadata client_id ≠ URL | Draft |
| cimd.fetch_timeout | CIMD fetch timeout → graceful 400 | Draft |
| cimd.metadata_cache | Second request uses cached metadata | Draft |

MCP Protocol (5)

| ID | Scenario | Status |
|---|---|---|
| protocol.tools_list_schema | tools/list returns valid shape | Draft |
| protocol.tools_call_valid | tools/call with valid params | Draft |
| protocol.tools_call_unknown_tool | Unknown tool → JSON-RPC error | Draft |
| protocol.tools_call_missing_arg | Missing required arg → error | Draft |
| protocol.resources_list_schema | resources/list shape | Draft |

Error / Edge (5)

| ID | Scenario | Status |
|---|---|---|
| errors.unauthorized_request_returns_401 | No token → 401 | Draft |
| errors.expired_token_returns_401 | Expired token → 401 | Draft |
| errors.unknown_scope | Unknown scope → 403 | Draft |
| errors.insufficient_scope | Insufficient permissions → 403 | Draft |
| errors.wrong_audience | Wrong audience → 401 | Draft |

No-Auth MCP (5)
Test that a server exposes MCP operations without requiring any authentication.

| ID | Scenario | Status |
|---|---|---|
| no_auth.tools_list | tools/list succeeds without auth | Draft |
| no_auth.tools_call | tools/call succeeds without auth | Draft |
| no_auth.initialize | initialize handshake works with no auth | Draft |
| no_auth.resources_list | resources/list succeeds without auth | Draft |
| no_auth.prompts_list | prompts/list succeeds without auth | Draft |

Bearer Token Auth MCP (5)
Test that a server correctly validates RFC 6750 Bearer tokens on MCP requests.
Tokens can be provided inline or resolved from an environment variable via from_env.

| ID | Scenario | Status |
|---|---|---|
| bearer.valid_token | Valid Bearer token → 200 + valid response | Draft |
| bearer.missing_token | No token → 401 + WWW-Authenticate | Draft |
| bearer.invalid_token | Malformed token → 401 | Draft |
| bearer.expired_token | Expired token → 401 | Draft |
| bearer.insufficient_scope | Wrong scope → 403 | Draft |