docs: document MCP OAuth setup #684

Open: hanneskuettner wants to merge 16 commits into main from hannes/mcp-oauth-docs

@hanneskuettner (Member) commented May 26, 2026

Overview

This PR documents MCP OAuth setup for Directus and makes the registration defaults explicit.

The OAuth server is intentionally disabled by default, and enabling it is not enough to support dynamic client onboarding. Admins now need to opt into the OAuth routes with MCP_OAUTH_ENABLED=true and separately enable at least one registration mode:

  • MCP_OAUTH_DCR_ENABLED=true for Dynamic Client Registration
  • MCP_OAUTH_CIMD_ENABLED=true for Client ID Metadata Document registration

The docs also call out that both the environment variable and the matching project setting need to allow a registration mode before Directus advertises or accepts it.

Scope

  • Added an MCP OAuth guide covering authorization flow, client registration, security guidance, and troubleshooting.
  • Added MCP OAuth configuration reference entries, including DCR/CIMD defaults and the split authorize/registration rate limiters.
  • Updated MCP installation and security docs to point readers toward the OAuth setup and security model.
  • Moved the existing local MCP docs down one slot so the hosted OAuth page can sit with the core MCP setup flow.

Potential Risks / Drawbacks

  • This is documentation-only, but the OAuth guidance is security-sensitive. I grounded the defaults and behavior against the implementation before opening this PR.
  • No new screenshots are included. The relevant change is configuration and security behavior, so screenshots would be more maintenance burden than signal here.

Review Notes / Questions

Please review the OAuth security wording closely, especially the DCR/CIMD opt-in language and the CIMD SSRF hardening description.

Add an MCP OAuth guide covering enablement, authorization flow, client registration, and revocation.

Update the MCP installation, security, and AI configuration pages so OAuth and static-token setup are clearly separated.

@vercel (Bot) commented May 26, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| docs | Ready | Preview, Comment | May 27, 2026 10:46pm |

@hanneskuettner marked this pull request as ready for review May 27, 2026 22:38
@hanneskuettner requested a review from a team as a code owner May 27, 2026 22:38