feat: add mcpOAuthTokenStorage support across all SDKs

dotnet/src/Client.cs

@@ -637,6 +637,7 @@ private void ApplyConfigDefaultsForMode(SessionConfigBase config)
         if (_options.Mode == CopilotClientMode.Empty)
         {
             config.EnableSessionTelemetry ??= false;
+            config.McpOAuthTokenStorage ??= McpOAuthTokenStorageMode.InMemory;
         }
     }
 
@@ -868,6 +869,7 @@ public async Task<CopilotSession> CreateSessionAsync(SessionConfig config, Cance
                 config.Streaming is true ? true : null,
                 config.IncludeSubAgentStreamingEvents,
                 config.McpServers,
+                config.McpOAuthTokenStorage,
                 "direct",
                 config.CustomAgents,
                 config.DefaultAgent,
@@ -1055,6 +1057,7 @@ public async Task<CopilotSession> ResumeSessionAsync(string sessionId, ResumeSes
                 config.Streaming is true ? true : null,
                 config.IncludeSubAgentStreamingEvents,
                 config.McpServers,
+                config.McpOAuthTokenStorage,
                 "direct",
                 config.CustomAgents,
                 config.DefaultAgent,
@@ -2169,6 +2172,7 @@ internal record CreateSessionRequest(
         bool? Streaming,
         bool? IncludeSubAgentStreamingEvents,
         IDictionary<string, McpServerConfig>? McpServers,
+        McpOAuthTokenStorageMode? McpOAuthTokenStorage,
         string? EnvValueMode,
         IList<CustomAgentConfig>? CustomAgents,
         DefaultAgentConfig? DefaultAgent,
@@ -2247,6 +2251,7 @@ internal record ResumeSessionRequest(
         bool? Streaming,
         bool? IncludeSubAgentStreamingEvents,
         IDictionary<string, McpServerConfig>? McpServers,
+        McpOAuthTokenStorageMode? McpOAuthTokenStorage,
         string? EnvValueMode,
         IList<CustomAgentConfig>? CustomAgents,
         DefaultAgentConfig? DefaultAgent,
@@ -2343,6 +2348,7 @@ internal record HooksInvokeResponse(
     [JsonSerializable(typeof(ListSessionsResponse))]
     [JsonSerializable(typeof(GetSessionMetadataRequest))]
     [JsonSerializable(typeof(GetSessionMetadataResponse))]
+    [JsonSerializable(typeof(McpOAuthTokenStorageMode))]
     [JsonSerializable(typeof(ModelCapabilitiesOverride))]
     [JsonSerializable(typeof(ProviderConfig))]
     [JsonSerializable(typeof(ResumeSessionRequest))]

dotnet/src/Types.cs

@@ -2081,6 +2081,21 @@ public enum McpHttpServerConfigOauthGrantType
     ClientCredentials
 }
 
+/// <summary>
+/// Controls how MCP OAuth tokens are stored for a session.
+/// </summary>
+[JsonConverter(typeof(JsonStringEnumConverter<McpOAuthTokenStorageMode>))]
+public enum McpOAuthTokenStorageMode
+{
+    /// <summary>Tokens are stored in the OS keychain, shared across sessions.</summary>
+    [JsonStringEnumMemberName("persistent")]
+    Persistent,
+
+    /// <summary>Tokens are stored in memory and discarded when the session ends.</summary>
+    [JsonStringEnumMemberName("in-memory")]
+    InMemory
+}
+
 /// <summary>
 /// Abstract base class for MCP server configurations.
 /// </summary>
@@ -2397,6 +2412,7 @@ protected SessionConfigBase(SessionConfigBase? other)
                 ? new Dictionary<string, McpServerConfig>(dict, dict.Comparer)
                 : new Dictionary<string, McpServerConfig>(other.McpServers))
             : null;
+        McpOAuthTokenStorage = other.McpOAuthTokenStorage;
         Model = other.Model;
         ModelCapabilities = other.ModelCapabilities;
         OnAutoModeSwitchRequest = other.OnAutoModeSwitchRequest;
@@ -2616,6 +2632,12 @@ protected SessionConfigBase(SessionConfigBase? other)
     /// </summary>
     public IDictionary<string, McpServerConfig>? McpServers { get; set; }
 
+    /// <summary>
+    /// Controls how MCP OAuth tokens are stored for this session.
+    /// Default: <see cref="McpOAuthTokenStorageMode.InMemory"/> for safe multitenant behavior.
+    /// </summary>
+    public McpOAuthTokenStorageMode? McpOAuthTokenStorage { get; set; }
+
     /// <summary>Custom agent configurations for the session.</summary>
     public IList<CustomAgentConfig>? CustomAgents { get; set; }
 

dotnet/test/Unit/CloneTests.cs

@@ -77,6 +77,7 @@ public void SessionConfig_Clone_CopiesAllProperties()
             EnableSessionTelemetry = false,
             IncludeSubAgentStreamingEvents = false,
             McpServers = new Dictionary<string, McpServerConfig> { ["server1"] = new McpStdioServerConfig { Command = "echo" } },
+            McpOAuthTokenStorage = McpOAuthTokenStorageMode.Persistent,
             CustomAgents = [new CustomAgentConfig { Name = "agent1", Model = "claude-haiku-4.5" }],
             Agent = "agent1",
             Cloud = new CloudSessionOptions
@@ -113,6 +114,7 @@ public void SessionConfig_Clone_CopiesAllProperties()
         Assert.Equal(original.EnableSessionTelemetry, clone.EnableSessionTelemetry);
         Assert.Equal(original.IncludeSubAgentStreamingEvents, clone.IncludeSubAgentStreamingEvents);
         Assert.Equal(original.McpServers.Count, clone.McpServers!.Count);
+        Assert.Equal(original.McpOAuthTokenStorage, clone.McpOAuthTokenStorage);
         Assert.Equal(original.CustomAgents.Count, clone.CustomAgents!.Count);
         Assert.Equal(original.CustomAgents[0].Model, clone.CustomAgents[0].Model);
         Assert.Equal(original.Agent, clone.Agent);
@@ -420,4 +422,30 @@ public void ResumeSessionConfig_Clone_PreservesEnableSessionTelemetryDefault()
 
         Assert.Null(clone.EnableSessionTelemetry);
     }
+
+    [Fact]
+    public void SessionConfig_Clone_CopiesMcpOAuthTokenStorage()
+    {
+        var original = new SessionConfig
+        {
+            McpOAuthTokenStorage = McpOAuthTokenStorageMode.Persistent,
+        };
+
+        var clone = original.Clone();
+
+        Assert.Equal(McpOAuthTokenStorageMode.Persistent, clone.McpOAuthTokenStorage);
+    }
+
+    [Fact]
+    public void ResumeSessionConfig_Clone_CopiesMcpOAuthTokenStorage()
+    {
+        var original = new ResumeSessionConfig
+        {
+            McpOAuthTokenStorage = McpOAuthTokenStorageMode.Persistent,
+        };
+
+        var clone = original.Clone();
+
+        Assert.Equal(McpOAuthTokenStorageMode.Persistent, clone.McpOAuthTokenStorage);
+    }
 }

go/client.go

@@ -629,6 +629,7 @@ func (c *Client) CreateSession(ctx context.Context, config *SessionConfig) (*Ses
 	req.ModelCapabilities = config.ModelCapabilities
 	req.WorkingDirectory = config.WorkingDirectory
 	req.MCPServers = config.MCPServers
+	req.MCPOAuthTokenStorage = config.MCPOAuthTokenStorage
 	req.EnvValueMode = "direct"
 	req.CustomAgents = config.CustomAgents
 	req.DefaultAgent = config.DefaultAgent
@@ -958,6 +959,7 @@ func (c *Client) ResumeSessionWithOptions(ctx context.Context, sessionID string,
 		req.ContinuePendingWork = Bool(true)
 	}
 	req.MCPServers = config.MCPServers
+	req.MCPOAuthTokenStorage = config.MCPOAuthTokenStorage
 	req.EnvValueMode = "direct"
 	req.CustomAgents = config.CustomAgents
 	req.DefaultAgent = config.DefaultAgent

go/client_test.go

@@ -619,6 +619,70 @@ func TestResumeSessionRequest_InstructionDirectories(t *testing.T) {
 	})
 }
 
+func TestCreateSessionRequest_MCPOAuthTokenStorage(t *testing.T) {
+	t.Run("includes mcpOAuthTokenStorage in JSON when set", func(t *testing.T) {
+		req := createSessionRequest{MCPOAuthTokenStorage: "in-memory"}
+		data, err := json.Marshal(req)
+		if err != nil {
+			t.Fatalf("Failed to marshal: %v", err)
+		}
+		var m map[string]any
+		if err := json.Unmarshal(data, &m); err != nil {
+			t.Fatalf("Failed to unmarshal: %v", err)
+		}
+		if m["mcpOAuthTokenStorage"] != "in-memory" {
+			t.Errorf("Expected mcpOAuthTokenStorage to be 'in-memory', got %v", m["mcpOAuthTokenStorage"])
+		}
+	})
+
+	t.Run("omits mcpOAuthTokenStorage from JSON when empty", func(t *testing.T) {
+		req := createSessionRequest{}
+		data, err := json.Marshal(req)
+		if err != nil {
+			t.Fatalf("Failed to marshal: %v", err)
+		}
+		var m map[string]any
+		if err := json.Unmarshal(data, &m); err != nil {
+			t.Fatalf("Failed to unmarshal: %v", err)
+		}
+		if _, ok := m["mcpOAuthTokenStorage"]; ok {
+			t.Error("Expected mcpOAuthTokenStorage to be omitted when empty")
+		}
+	})
+}
+
+func TestResumeSessionRequest_MCPOAuthTokenStorage(t *testing.T) {
+	t.Run("includes mcpOAuthTokenStorage in JSON when set", func(t *testing.T) {
+		req := resumeSessionRequest{SessionID: "s1", MCPOAuthTokenStorage: "persistent"}
+		data, err := json.Marshal(req)
+		if err != nil {
+			t.Fatalf("Failed to marshal: %v", err)
+		}
+		var m map[string]any
+		if err := json.Unmarshal(data, &m); err != nil {
+			t.Fatalf("Failed to unmarshal: %v", err)
+		}
+		if m["mcpOAuthTokenStorage"] != "persistent" {
+			t.Errorf("Expected mcpOAuthTokenStorage to be 'persistent', got %v", m["mcpOAuthTokenStorage"])
+		}
+	})
+
+	t.Run("omits mcpOAuthTokenStorage from JSON when empty", func(t *testing.T) {
+		req := resumeSessionRequest{SessionID: "s1"}
+		data, err := json.Marshal(req)
+		if err != nil {
+			t.Fatalf("Failed to marshal: %v", err)
+		}
+		var m map[string]any
+		if err := json.Unmarshal(data, &m); err != nil {
+			t.Fatalf("Failed to unmarshal: %v", err)
+		}
+		if _, ok := m["mcpOAuthTokenStorage"]; ok {
+			t.Error("Expected mcpOAuthTokenStorage to be omitted when empty")
+		}
+	})
+}
+
 func TestOverridesBuiltInTool(t *testing.T) {
 	t.Run("OverridesBuiltInTool is serialized in tool definition", func(t *testing.T) {
 		tool := Tool{

go/mode_empty.go

@@ -126,6 +126,9 @@ func (c *Client) applyConfigDefaultsForMode(config *SessionConfig) {
 		f := false
 		config.EnableSessionTelemetry = &f
 	}
+	if config.MCPOAuthTokenStorage == "" {
+		config.MCPOAuthTokenStorage = "in-memory"
+	}
 }
 
 func (c *Client) applyResumeDefaultsForMode(config *ResumeSessionConfig) {
@@ -136,6 +139,9 @@ func (c *Client) applyResumeDefaultsForMode(config *ResumeSessionConfig) {
 		f := false
 		config.EnableSessionTelemetry = &f
 	}
+	if config.MCPOAuthTokenStorage == "" {
+		config.MCPOAuthTokenStorage = "in-memory"
+	}
 }
 
 // updateSessionOptionsForMode applies the per-mode safe-defaults patch via

go/toolset_test.go

@@ -247,3 +247,30 @@ func TestApplyConfigDefaultsForMode_copilotCliLeavesNil(t *testing.T) {
 		t.Errorf("non-empty mode must not default telemetry")
 	}
 }
+
+func TestApplyConfigDefaultsForMode_emptyDefaultsMCPOAuthTokenStorage(t *testing.T) {
+	c := NewClient(&ClientOptions{Mode: ModeEmpty, BaseDirectory: t.TempDir()})
+	cfg := &SessionConfig{}
+	c.applyConfigDefaultsForMode(cfg)
+	if cfg.MCPOAuthTokenStorage != "in-memory" {
+		t.Errorf("expected MCPOAuthTokenStorage 'in-memory' in empty mode, got %q", cfg.MCPOAuthTokenStorage)
+	}
+}
+
+func TestApplyConfigDefaultsForMode_emptyHonorsCallerMCPOAuthTokenStorage(t *testing.T) {
+	c := NewClient(&ClientOptions{Mode: ModeEmpty, BaseDirectory: t.TempDir()})
+	cfg := &SessionConfig{MCPOAuthTokenStorage: "persistent"}
+	c.applyConfigDefaultsForMode(cfg)
+	if cfg.MCPOAuthTokenStorage != "persistent" {
+		t.Errorf("caller-supplied MCPOAuthTokenStorage must win, got %q", cfg.MCPOAuthTokenStorage)
+	}
+}
+
+func TestApplyConfigDefaultsForMode_copilotCliLeavesMCPOAuthTokenStorageEmpty(t *testing.T) {
+	c := NewClient(&ClientOptions{Mode: ModeCopilotCli})
+	cfg := &SessionConfig{}
+	c.applyConfigDefaultsForMode(cfg)
+	if cfg.MCPOAuthTokenStorage != "" {
+		t.Errorf("non-empty mode must not default MCPOAuthTokenStorage, got %q", cfg.MCPOAuthTokenStorage)
+	}
+}

go/types.go

@@ -965,6 +965,11 @@ type SessionConfig struct {
 	ModelCapabilities *rpc.ModelCapabilitiesOverride
 	// MCPServers configures MCP servers for the session
 	MCPServers map[string]MCPServerConfig
+	// MCPOAuthTokenStorage controls how MCP OAuth tokens are stored for this session.
+	// "persistent" stores tokens in the OS keychain (shared across sessions).
+	// "in-memory" stores tokens in memory and discards them when the session ends.
+	// Defaults to "in-memory" for safe multitenant behavior.
+	MCPOAuthTokenStorage string
 	// CustomAgents configures custom agents for the session
 	CustomAgents []CustomAgentConfig
 	// DefaultAgent configures the default agent (the built-in agent that handles turns when no custom agent is selected).
@@ -1287,6 +1292,11 @@ type ResumeSessionConfig struct {
 	IncludeSubAgentStreamingEvents *bool
 	// MCPServers configures MCP servers for the session
 	MCPServers map[string]MCPServerConfig
+	// MCPOAuthTokenStorage controls how MCP OAuth tokens are stored for this session.
+	// "persistent" stores tokens in the OS keychain (shared across sessions).
+	// "in-memory" stores tokens in memory and discards them when the session ends.
+	// Defaults to "in-memory" for safe multitenant behavior.
+	MCPOAuthTokenStorage string
 	// CustomAgents configures custom agents for the session
 	CustomAgents []CustomAgentConfig
 	// DefaultAgent configures the default agent (the built-in agent that handles turns when no custom agent is selected).
@@ -1602,6 +1612,7 @@ type createSessionRequest struct {
 	Streaming                      *bool                                  `json:"streaming,omitempty"`
 	IncludeSubAgentStreamingEvents *bool                                  `json:"includeSubAgentStreamingEvents,omitempty"`
 	MCPServers                     map[string]MCPServerConfig             `json:"mcpServers,omitempty"`
+	MCPOAuthTokenStorage           string                                 `json:"mcpOAuthTokenStorage,omitempty"`
 	EnvValueMode                   string                                 `json:"envValueMode,omitempty"`
 	CustomAgents                   []CustomAgentConfig                    `json:"customAgents,omitempty"`
 	DefaultAgent                   *DefaultAgentConfig                    `json:"defaultAgent,omitempty"`
@@ -1673,6 +1684,7 @@ type resumeSessionRequest struct {
 	Streaming                      *bool                                  `json:"streaming,omitempty"`
 	IncludeSubAgentStreamingEvents *bool                                  `json:"includeSubAgentStreamingEvents,omitempty"`
 	MCPServers                     map[string]MCPServerConfig             `json:"mcpServers,omitempty"`
+	MCPOAuthTokenStorage           string                                 `json:"mcpOAuthTokenStorage,omitempty"`
 	EnvValueMode                   string                                 `json:"envValueMode,omitempty"`
 	CustomAgents                   []CustomAgentConfig                    `json:"customAgents,omitempty"`
 	DefaultAgent                   *DefaultAgentConfig                    `json:"defaultAgent,omitempty"`

java/src/main/java/com/github/copilot/CopilotClient.java

@@ -512,6 +512,9 @@ public CompletableFuture<CopilotSession> createSession(SessionConfig config) {
                                     + "the tools it wants — e.g. setAvailableTools(new ToolSet().addBuiltIn(BuiltInTools.ISOLATED)).");
                 }
                 request.setToolFilterPrecedence("excluded");
+                if (request.getMcpOAuthTokenStorage() == null) {
+                    request.setMcpOAuthTokenStorage("in-memory");
+                }
             }
 
             long rpcNanos = System.nanoTime();
@@ -626,6 +629,9 @@ public CompletableFuture<CopilotSession> resumeSession(String sessionId, ResumeS
                                     + "the tools it wants — e.g. setAvailableTools(new ToolSet().addBuiltIn(BuiltInTools.ISOLATED)).");
                 }
                 request.setToolFilterPrecedence("excluded");
+                if (request.getMcpOAuthTokenStorage() == null) {
+                    request.setMcpOAuthTokenStorage("in-memory");
+                }
             }
 
             long rpcNanos = System.nanoTime();

java/src/main/java/com/github/copilot/SessionRequestBuilder.java

@@ -125,6 +125,7 @@ static CreateSessionRequest buildCreateRequest(SessionConfig config, String sess
         }
         config.getIncludeSubAgentStreamingEvents().ifPresent(request::setIncludeSubAgentStreamingEvents);
         request.setMcpServers(config.getMcpServers());
+        request.setMcpOAuthTokenStorage(config.getMcpOAuthTokenStorage());
         request.setCustomAgents(config.getCustomAgents());
         request.setDefaultAgent(config.getDefaultAgent());
         request.setAgent(config.getAgent());
@@ -227,6 +228,7 @@ static ResumeSessionRequest buildResumeRequest(String sessionId, ResumeSessionCo
         }
         config.getIncludeSubAgentStreamingEvents().ifPresent(request::setIncludeSubAgentStreamingEvents);
         request.setMcpServers(config.getMcpServers());
+        request.setMcpOAuthTokenStorage(config.getMcpOAuthTokenStorage());
         request.setCustomAgents(config.getCustomAgents());
         request.setDefaultAgent(config.getDefaultAgent());
         request.setAgent(config.getAgent());

java/src/main/java/com/github/copilot/rpc/CreateSessionRequest.java

@@ -81,6 +81,9 @@ public final class CreateSessionRequest {
     @JsonProperty("mcpServers")
     private Map<String, McpServerConfig> mcpServers;
 
+    @JsonProperty("mcpOAuthTokenStorage")
+    private String mcpOAuthTokenStorage;
+
     @JsonProperty("envValueMode")
     private String envValueMode;
 
@@ -369,6 +372,19 @@ public void setMcpServers(Map<String, McpServerConfig> mcpServers) {
         this.mcpServers = mcpServers;
     }
 
+    /** Gets MCP OAuth token storage mode. @return the storage mode */
+    public String getMcpOAuthTokenStorage() {
+        return mcpOAuthTokenStorage;
+    }
+
+    /**
+     * Sets MCP OAuth token storage mode. @param mcpOAuthTokenStorage the storage
+     * mode
+     */
+    public void setMcpOAuthTokenStorage(String mcpOAuthTokenStorage) {
+        this.mcpOAuthTokenStorage = mcpOAuthTokenStorage;
+    }
+
     /** Gets MCP environment variable value mode. @return the mode */
     public String getEnvValueMode() {
         return envValueMode;