Dynamic Client Registration on Guided OAuth Flow sending an empty body to endpoint

[KKonstantinov]

Describe the bug
When point 2 is reached on the Guided OAuth Flow, when debugging the incoming request, it can be observed that the inspector is sending an empty body to the endpoint.

For example, what claude sends is the following:

{
  "client_name": "claudeai",
  "grant_types": [
    "authorization_code",
    "refresh_token"
  ],
  "response_types": [
    "code"
  ],
  "token_endpoint_auth_method": "none",
  "scope": "claudeai",
  "redirect_uris": [
    "https://claude.ai/api/mcp/auth_callback"
  ]
}

To Reproduce
Steps to reproduce the behavior:

1. Open up OAuth setup in Inspector
2. Pass the first step successfully (Metadata Discovery) with both oauth-authorization-endpoint and oauth-protected-resource set up and no validation errors
3. Attempt to pass the second step (Client Registration) and debug the body that is sent. If you're using a 3rd party auth server, modify the "registration_endpoint" inside the .well-known/oauth-authorization-endpoint to point to your own proxy endpoint and stop the debugger to see the request.

Expected behavior
Parameters sent as per the spec and generated as per the oauth-authorization-endpoint capabilities.

[symdeb]

Found the same issue today. Also my case passed step 2 fine.
Even responding to /register with a body, the registration fails with Error:
Failed to fetch. no details provided for the reason of the error.
Checked in wireshark and there is no body data.

BTW inspector does not call with POST, but OPTIONS in my case. it does that for other calls as well but retries with GET later on upon the server returning an error for OPTIONS.

Request Received at 2025-07-02T08:17:39+00:00

method:OPTIONS
headers:
Host:localhost
Connection:keep-alive
Accept:/
Access-Control-Request-Method:POST
Access-Control-Request-Headers:content-type
Origin:http://localhost:6274
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Sec-Fetch-Mode:cors
Sec-Fetch-Site:same-site
Sec-Fetch-Dest:empty
Referer:http://localhost:6274/
Accept-Encoding:gzip, deflate, br, zstd
Accept-Language:en-US,en;q=0.9
URL: /api/oauth/register
Query:
Query Parameters:
contents:

response:
{"client_id":"s6BhdRkqt3","client_secret":"cf136dc3c1fc93f31185e5885805d","client_id_expires_at":0,"grant_types":["authorization_code","implicit"],"client_name":"MCP_test_Client","token_endpoint_auth_method":"client_secret_basic"}