I got some authorization failure when using CIMD (Client ID Metadata Document) as the client ID. The login worked ok. But after that, 404 is received:
POST /sdk/v1/b2b/oauth/authorize/start
Request Body:
{
“client_id”: “https://tough-luckily-goldfish.ngrok-free.app/connectors/api/v1/apps/rEhhYQKqSeSHUWUKbQ6p6A/mcp-client-metadata22”,
“redirect_uri”: “https://tough-luckily-goldfish.ngrok-free.app/connectors/oauth/callback/authorized”,
“response_type”: “code”,
“scope”: “openid email profile admin:projects manage:api_keys:test manage:project_settings”
}
Response Body:
{
“status_code”: 404,
“request_id”: “request-id-live-40be8c99-fd47-4aa1-9d11-cc9d2e2d7730”,
“error_type”: “connected_app_not_found”,
“error_message”: “The Connected App requested could not be found.”,
“error_url”: “404 - Stytch Docs”
}
Hey @Xin_Huang ,
Thanks for reaching out!
Taking a look at our internal logs, it looks like there are 2 B2BOAuthAuthorizeStart calls made in quick succession, with the second request resulting in the 404 error.
We don’t expect MCP clients to be making a duplicate request in this scenario, since for CIMD there should only be 1 active Connected App corresponding to the metadata URL in that moment.
Could you please let us know a bit more about your setup? It looks like these requests were being made by the Stytch JS SDK - are you using the prebuilt B2BIdentityProvider UI component for example, or calling it headlessly in your frontend logic? Any details you could kindly share there will help us look into this further. Thank you!
Something else I’ll also note - we’re noticing that the client_uri doesn’t have the same origin as the CIMD URL, due to what looks like could be a typo:
{"client_id":"https://tough-luckily-goldfish.ngrok-free.app/connectors/api/v1/apps/rEhhYQKqSeSHUWUKbQ6p6A/mcp-client-metadata22","client_uri":"https://tough-luckily-goldfish.ngrok-freeze.app/api/v1/apps/rEhhYQKqSeSHUWUKbQ6p6A", ...
note the ngrok-free.app vs. ngrok-freeze.app. Could you please double-check the metadata JSON is correct?