| jsonschema = "0.33.0" | ||
| jsonwebtoken = "9" | ||
| jwks = "0.4.0" | ||
| jwks = { git = "https://github.com/chenhunghan/jwks", tag = "v0.5.1" } |
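Review bot: The `jwks` Git dependency on the added line is pinned only by `tag = "v0.5.1"`, and a Git tag can be moved after the fact. Consider pinning the exact commit with `rev = "<commit sha>"`, and add a comment above the line saying why the crates.io release is not used, so the Git pin is dropped once a published release is available.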
We pinned the jwks crate to v0.5.1 directly from Git because this version includes chenhunghan/jwks#19, which adds support for using a custom reqwest::Client. This is necessary for our TLS configuration feature. Without it, we wouldn't be able to use a client set up with custom CA certificates. This version hasn't been published to crates.io yet.
Thank you for the clarification @DaleSeo ! Is there an existing issue upstream asking for a crates.io publish, or should we open one?
There's an existing issue: chenhunghan/jwks#27. Looks like the publish to crates.io failed in https://github.com/chenhunghan/jwks/actions/runs/17892875856/job/50875615384. Once that's resolved, we can switch back from the Git dependency.
Really appreciate your thorough review, @gocamille! You caught some great issues. I've refactored the code to build the HTTP client once at startup instead of on every request. This way, any invalid TLS configuration will fail immediately when the server starts, and we won't have to read the certificate file for every authenticated request.
The tradeoff is that we lose hot certificate rotation. If you update the CA cert file, you'll need to restart the server to pick up the change. I think this is the right default since cert rotation is rare and the performance and fail-fast benefits outweigh it. If hot rotation becomes a requirement down the road, we can add it later with a file watcher or periodic reload.
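The startup-time validation described in the comment above, as an added example that is not code from this PR or the project: `TlsConfig`, `Trust`, `pem_certs` and `resolve_trust` are hypothetical names, and the PEM check covers framing only (a real TLS library parses the certificate itself). The settings are resolved once, so a bad `tls.ca_cert` stops startup and a later change to the file is not picked up.

```rust
use std::{fs, path::PathBuf};

// Hypothetical mirror of the documented `tls.*` options (not the project's types).
pub struct TlsConfig { pub ca_cert: Option<PathBuf>, pub danger_accept_invalid_certs: bool }

// Resolved once at startup and held for the life of the process.
#[derive(Debug, PartialEq)]
pub enum Trust { SystemRoots, CustomCa(Vec<String>), Insecure }

// Split a PEM bundle into CERTIFICATE blocks. Framing check only (assumption:
// the TLS library does the real parsing when the HTTP client is built).
fn pem_certs(text: &str) -> Result<Vec<String>, String> {
    const BEGIN: &str = "-----BEGIN CERTIFICATE-----";
    const END: &str = "-----END CERTIFICATE-----";
    let (mut out, mut rest) = (Vec::new(), text);
    while let Some(start) = rest.find(BEGIN) {
        let tail = &rest[start..];
        let end = tail.find(END).ok_or("BEGIN CERTIFICATE without END")? + END.len();
        out.push(tail[..end].to_string());
        rest = &tail[end..];
    }
    if out.is_empty() { return Err("no CERTIFICATE block found".into()); }
    Ok(out)
}

// Any Err returned here should abort startup instead of surfacing per request.
pub fn resolve_trust(cfg: &TlsConfig) -> Result<Trust, String> {
    if cfg.danger_accept_invalid_certs {
        eprintln!("WARNING: TLS certificate validation is disabled for OAuth/JWKS requests");
        return Ok(Trust::Insecure);
    }
    match &cfg.ca_cert {
        None => Ok(Trust::SystemRoots),
        Some(path) => {
            let text = fs::read_to_string(path)
                .map_err(|e| format!("tls.ca_cert {}: {e}", path.display()))?;
            pem_certs(&text).map(Trust::CustomCa) // file is read exactly once
        }
    }
}

fn main() {
    // Constructed config: no custom CA, validation left on.
    let cfg = TlsConfig { ca_cert: None, danger_accept_invalid_certs: false };
    match resolve_trust(&cfg) {
        Ok(trust) => println!("startup ok: {trust:?}"),
        Err(e) => { eprintln!("startup failed: {e}"); std::process::exit(1); }
    }
}
```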
mabuyo left a comment
Minor language consistency edits!
| | `scopes` | `List<string>` | | List of queryable OAuth scopes from the upstream OAuth servers | | ||
| | `disable_auth_token_passthrough` | `bool` | `false` | Optional flag to disable passing validated Authorization header to downstream API | | ||
| | `tls.ca_cert` | `string` | | Path to a CA certificate to trust (PEM format). | | ||
| | `tls.danger_accept_invalid_certs`| `bool` | `false` | Accept invalid TLS certificates. Warning: Insecure. Use only for development or testing. | |
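Review bot: The `tls.danger_accept_invalid_certs` row says "Insecure" without saying what is at stake. These settings apply to the connection used to fetch JWKS keys for token validation, so the description should state that with the flag enabled the server cannot verify that the signing keys came from the real OAuth server, and it should point readers to `tls.ca_cert` as the option for a private CA. The `tls.ca_cert` row could also say whether the certificate is trusted in addition to the system CA bundle or instead of it.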
| | `tls.danger_accept_invalid_certs`| `bool` | `false` | Accept invalid TLS certificates. Warning: Insecure. Use only for development or testing. | | |
| | `tls.danger_accept_invalid_certs`| `bool` | `false` | Accepts invalid TLS certificates. Set this to `true for development or testing purposes only. | |
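Review bot: In the suggested replacement row the code span around true is never closed, so the rest of the cell will render as code; it should read `true`. The rewording also drops the explicit "Warning: Insecure" text from the original row, and a flag that disables certificate validation should keep a clearly worded warning in its description.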
(This might need spacing fixes)
Thanks @mabuyo for reviewing the doc updates! I applied your suggestions and had the file reformatted.
Co-authored-by: Michelle Mabuyo <michelle@apollographql.com>
Fixes #534
This PR adds TLS configuration options for connecting to OAuth servers during token validation.
When the MCP server validates OAuth tokens, it connects to upstream OAuth servers to fetch JWKS keys. Previously, this required those servers to have certificates trusted by the system's default CA bundle. This change allows users to trust custom CA certificates or disable validation for development environments.