Fix token audience validation in separate auth mode

The auth server's /introspect endpoint now correctly sets the 'aud' field to the resource server URL (BASE_URI) instead of the client ID. This ensures proper audience validation when the MCP server verifies tokens in separate mode. - Import BASE_URI in auth server - Set aud to BASE_URI in introspection response - Fixes "Token was not issued for this resource server" error 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>

Author: bhosmer-ant

auth-server/index.ts

@@ -6,7 +6,7 @@ import { EverythingAuthProvider } from '../src/auth/provider.js';
 import { handleFakeAuthorize, handleFakeAuthorizeRedirect } from '../src/handlers/fakeauth.js';
 import { redisClient } from '../src/redis.js';
 import { logger } from '../src/utils/logger.js';
-import { AUTH_SERVER_PORT, AUTH_SERVER_URL } from '../src/config.js';
+import { AUTH_SERVER_PORT, AUTH_SERVER_URL, BASE_URI } from '../src/config.js';
 
 const app = express();
 
@@ -101,7 +101,7 @@ app.post('/introspect', introspectRateLimit, express.urlencoded({ extended: fals
  userId: authInfo.extra?.userId, // Custom field for our implementation
  username: authInfo.extra?.username,
  iss: AUTH_SERVER_URL,
- aud: authInfo.clientId,
+ aud: BASE_URI, // The resource server URL this token is intended for
  token_type: 'Bearer'
  });
 

package.json

@@ -15,7 +15,7 @@
  "dev:with-separate-auth": "concurrently -n \"AUTH,MCP\" -c \"yellow,cyan\" \"npm run dev:auth-server\" \"npm run dev:separate\"",
  "build": "tsc && npm run copy-static",
  "copy-static": "mkdir -p dist/src/static && cp -r src/static/* dist/src/static/",
- "lint": "eslint src/ auth-server/",
+ "lint": "eslint src/ auth-server/ shared/",
  "test": "NODE_OPTIONS=--experimental-vm-modules jest",
  "test:integrated": "AUTH_MODE=integrated npm test",
  "test:separate": "AUTH_MODE=separate npm test",