Empty string for `tos_uri` and `logo_uri` causing validation errors during DCR as of 1.17.4

Question

Empty string for `tos_uri` and `logo_uri` causing validation errors during DCR as of 1.17.4

Closed this issue a month ago · 3 comments

Describe the bug
Previously, if a client did not send a tos_uri or logo_uri in their Dynamic Client Registration request, clients using the MCP SDK accepted empty strings in the response of the registration call.

With #877 released in https://github.com/modelcontextprotocol/typescript-sdk/releases/tag/1.17.5, empty strings are treated as "unsafe" in these fields, and cause DCR to fail.

To Reproduce
This can be replicated with the newest MCP inspector and the ActiveCampaign MCP server.

Steps to reproduce the behavior:

Create a free trial ActiveCampaign account: https://www.activecampaign.com/free
Start the latest MCP inspector (or any version >= 0.16.6, when this upstream change was pulled in)
Try to connect to the ActiveCampaign MCP server
See an error instead of successful DCR

Expected behavior
The client registers a dynamic client successfully

Logs
Example error response:

 [ { "validation": "url", "code": "invalid_string", "message": "Invalid url", "path": [ "logo_uri" ] }, { "code": "custom", "message": "URL must be parseable", "fatal": true, "path": [ "logo_uri" ] }, { "validation": "url", "code": "invalid_string", "message": "Invalid url", "path": [ "tos_uri" ] }, { "code": "custom", "message": "URL must be parseable", "fatal": true, "path": [ "tos_uri" ] } ]

Additional context
I don't see any indication of why empty strings are being treated as potentially harmful in these cases - the issue and PR that initiated these changes were to make sure that authentication URLs did not try to execute javascript - #841

Answer 1 · 2025-09-17T04:32:41.000Z

We're running into the same issue with ActiveCampaign's MCP. We're not yet on 1.17.4 as a client and observing this bug.

Based on my debugging I see two possible paths:

The schema validation should permit empty strings (as they were permitted before the change)
If it is intended / a breaking change that these empty strings are no longer permitted, it should be documented somewhere that the response from client registration should leave the fields unset instead of empty. In this case, the ActiveCampaign MCP should not return empty strings for these fields in their registration response, because IIUC the ClientInformation schema will be echoed back in a subsequent request, which will fail validation on a server at 1.17.4.

Somewhat strangely, claude code also runs into this bug, but claude.ai does not; so claude.ai must be processing the registration responses specially to make this work; we're considering doing the same.

Answer 2 · 2025-09-29T14:26:07.000Z

an empty string should be considered safe by the zod validation, agree this is a bug.

Answer 3 · 2025-10-03T15:01:40.000Z

From #987 (review)

should we really be accepting an empty string? Should the endpoints just not be returning anything for this property, which is already allowed by the .optional()?