
MCP Servers: regenerate-token + client config snippets at disclosure #75

Open: lezama wants to merge 1 commit into main from feat/mcp-token-recovery



@lezama lezama commented May 19, 2026

Summary

Fixes the MCP Server token-recovery footgun found during the UX review (finding #5):

  • Regenerate token action on the list view — rotate without delete + recreate.
  • 15-minute recovery window — refreshing the post-create / post-regenerate page re-shows the token via a transient until the user acknowledges. After the transient expires (or the user acknowledges), the token is purged and the page bounces to the list.
  • Client config snippets — at token disclosure, the page now shows ready-to-paste config for Claude Code, Cursor, and VS Code (Continue / Cline). Each snippet has a Copy button.
  • Subtitle updated to reflect the recoverable-for-15-minutes contract.

Why

Previously, a user who closed the disclosure page lost access and had to delete + recreate the server. The named clients in the subtitle (Claude Code / Cursor / VS Code) also got no help formatting the config — every user paid the same lookup cost.

Test plan

  • Create a server → token + 3 client snippets render.
  • Refresh within 15 minutes → token still visible.
  • Click "I've saved this" → bounces to list, token no longer visible on refresh.
  • Click "Regenerate token" on a row → new token + snippets render with the new value.
  • Wait > 15 minutes after create without acknowledging → token no longer recoverable; "Regenerate" is the path.

🤖 Generated with Claude Code

Fixes the token-recovery footgun found in UX review #5:

- Add `OpenclaWP_Mcp_Server_Store::regenerate_token( $slug )` and an
  `admin-post.php` handler so each row in the list view exposes a
  Regenerate token link.
- Bump the flash transient TTL from 60 s to 15 min and switch the
  disclosure render to a non-destructive `peek_flashed_token()`. An
  explicit acknowledge handler (or transient expiry) is now what
  purges the plaintext, so an accidental refresh isn't terminal.
- Render Claude Code / Cursor / VS Code config snippets (stacked
  cards, inline `navigator.clipboard.writeText` Copy buttons) below
  the disclosed token so admins can paste straight into their config.
- Update the page subtitle to describe the recoverable-for-15-minutes
  contract.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
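
The recovery-window contract described in this PR, sketched as an added example (not code from this pull request or the plugin): the plaintext lives only in a per-user transient for 15 minutes, the disclosure page reads it non-destructively, and an acknowledge handler purges it early. Assumptions: it runs inside WordPress admin, only a SHA-256 hash is kept at rest, the `manage_options` capability gates the page, and every `example_*` name, option key and page slug is hypothetical.

```php
<?php
// Added sketch. All example_* names, option keys and the page slug are hypothetical.
define( 'EXAMPLE_FLASH_TTL', 15 * MINUTE_IN_SECONDS ); // recovery window from the PR

// Key the transient by slug AND user so another admin's session cannot peek it.
function example_flash_key( string $slug ): string {
    return 'example_mcp_flash_' . md5( $slug . '|' . get_current_user_id() );
}

// Rotate: persist only a hash; the plaintext exists solely in the expiring transient.
function example_regenerate_token( string $slug ): string {
    $token = wp_generate_password( 48, false );
    update_option( 'example_mcp_hash_' . $slug, hash( 'sha256', $token ), false );
    set_transient( example_flash_key( $slug ), $token, EXAMPLE_FLASH_TTL );
    return $token;
}

// Non-destructive read for the disclosure page: a refresh does not purge the token.
function example_peek_flashed_token( string $slug ): ?string {
    $token = get_transient( example_flash_key( $slug ) );
    return is_string( $token ) ? $token : null; // null once expired or acknowledged
}

// Request-path check: compare hashes in constant time, never the stored plaintext.
function example_verify_token( string $slug, string $presented ): bool {
    $stored = get_option( 'example_mcp_hash_' . $slug, '' );
    return is_string( $stored ) && '' !== $stored
        && hash_equals( $stored, hash( 'sha256', $presented ) );
}

// "I've saved this": purge the plaintext before the TTL does, then go to the list.
add_action( 'admin_post_example_mcp_ack', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_mcp_ack' ); // nonce sent by the acknowledge form
    $slug = sanitize_key( wp_unslash( $_POST['slug'] ?? '' ) );
    delete_transient( example_flash_key( $slug ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-mcp-servers' ) );
    exit;
} );
```

Transients are stored in the options table or the object cache, so for the length of the window the plaintext is readable by anything with database or cache access; the early purge on acknowledge is what keeps that exposure short in the common case.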