MCP control desk — OAuth, tiers, and links that actually work with Cursor & Claude.
Cursor’s MCP OAuth + Keycloak is fragile. Use X-Dev-Token in development to enforce free / premium / analyst tiers reliably.
Copy one block into .cursor/mcp.json under mcpServers.portfolio-watchdog (merge it with your existing url and type fields).
{ }
Sign in via the account portal (no fragile redirect_uri on port 80). Users are pre-seeded.
Test users: free_user / free123 · premium_user / premium123 · analyst_user / analyst123
If Keycloak shows "HTTPS required" or logs Trusted Hosts / CLIENT_REGISTER_ERROR (Cursor registers clients over a tunnel), the running realm is still on the old defaults.
Recreate Keycloak so realm-export.json applies:
docker compose rm -sf keycloak && docker compose up -d keycloak
Or in the Admin console: Require SSL → None; Client registration → Anonymous → Trusted Hosts → disable "Host must match" only (Keycloak requires either "Client URIs must match" or the host check to stay enabled; both cannot be off).
Use these if you wire a client that supports RFC 9728 discovery.
After logging in at Keycloak, obtain an access token (e.g. from the browser's network tab, or by calling the token endpoint with curl) and add it to Cursor:
"headers": {
"Authorization": "Bearer <paste-access-token>"
}
Token must include API scopes; audience is accepted for both mcp-client and mcp-server on this stack.
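Added example (not the project's own code) of how a server can enforce the rules above: X-Dev-Token maps to a tier only in development, and a Bearer token is accepted only when its signature, expiry, audience (mcp-client or mcp-server) and API scope check out. The HS256 secret, the dev-token values, the portfolio:read scope name and the tier claim are assumptions; Keycloak itself signs with RS256 and would be verified against its JWKS.

```python
import base64, hashlib, hmac, json, time

# Constructed for this example: an HS256 secret stands in for Keycloak's RS256
# key; the dev-token table, scope name and "tier" claim are assumptions.
DEV_SECRET = b"dev-only-shared-secret"
DEV_TOKENS = {"dev-free": "free", "dev-premium": "premium", "dev-analyst": "analyst"}
ACCEPTED_AUD = {"mcp-client", "mcp-server"}  # both audiences are accepted
REQUIRED_SCOPE = "portfolio:read"            # assumed name of the API scope

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict) -> str:
    """Mint an HS256 JWT; a test stand-in for Keycloak's token endpoint."""
    head, body = _b64(b'{"alg":"HS256"}'), _b64(json.dumps(claims).encode())
    sig = hmac.new(DEV_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify(token: str, now=None) -> dict:
    """Check signature, expiry, audience and API scope; return the claims."""
    head, body, sig = token.split(".")
    if json.loads(_unb64(head)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(DEV_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise PermissionError("token expired")
    aud = claims.get("aud", [])
    auds = set(aud) if isinstance(aud, list) else {aud}
    if not auds & ACCEPTED_AUD:
        raise PermissionError("audience not accepted")
    if REQUIRED_SCOPE not in claims.get("scope", "").split():
        raise PermissionError("missing API scope")
    return claims

def resolve_tier(headers: dict, dev_mode: bool) -> str:
    """Map a request to free / premium / analyst."""
    # X-Dev-Token is honoured only in dev_mode; in production it is ignored.
    if dev_mode and "X-Dev-Token" in headers:
        if headers["X-Dev-Token"] not in DEV_TOKENS:
            raise PermissionError("unknown dev token")
        return DEV_TOKENS[headers["X-Dev-Token"]]
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    return verify(auth[len("Bearer "):]).get("tier", "free")
```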