From 5ea13cd0470c4fad97c8456f4060487545b52764 Mon Sep 17 00:00:00 2001
From: sea-snake <104725312+sea-snake@users.noreply.github.com>
Date: Wed, 17 Jun 2026 12:44:29 +0000
Subject: [PATCH 1/5] feat(fe): add /mcp delegation authorization flow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a /mcp page that lets a deploy-configured MCP server obtain an
Internet Identity delegation acting as the user's default account at a
given application, plus an MCP access device-gate in Settings.

- New mcp_server_origin frontend deploy arg, appended to the form-action
  CSP and exposed to the frontend; /mcp delivers the delegation to that
  origin only (rejects any other callback origin).
- /mcp route: GET-in/redirect-back flow mirroring /cli — McpHero, the
  combined 'Allow MCP access' authorize screen, success/invalid/error and
  the MCP-access-not-enabled gate; default account resolved via
  get_default_account so MCP acts as the same principal /authorize gives.
- Settings: new MCP access card + confirm dialog (CLI card untouched).
- mcpAuthorizeFunnel analytics; e2e fixture + spec; CSP unit test.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 scripts/frontend-arg-helpers.bash             |   3 +-
 .../src/lib/components/ui/McpLogo.svelte      |  21 ++
 .../src/lib/constants/store.constants.ts      |   1 +
 .../internet_identity_frontend_idl.js         |   2 +
 .../internet_identity_frontend_types.d.ts     |   7 +
 src/frontend/src/lib/globals.ts               |   5 +
 .../src/lib/stores/mcp-access.store.ts        |  48 ++++
 .../lib/utils/analytics/mcpAuthorizeFunnel.ts |  32 +++
 .../(authenticated)/settings/+page.svelte     |   2 +
 .../components/McpAccessSection.svelte        |  90 +++++++
 .../components/McpConfirmDialog.svelte        |  59 ++++
 .../routes/(new-styling)/mcp/+layout.svelte   | 179 ++++++++++++
 .../src/routes/(new-styling)/mcp/+page.svelte | 254 ++++++++++++++++++
 .../src/routes/(new-styling)/mcp/+page.ts     | 149 ++++++++++
 .../mcp/components/McpHero.svelte             |  76 ++++++
 .../(new-styling)/mcp/mcp-switcher.store.ts   |  12 +
 .../src/routes/(new-styling)/mcp/utils.ts     | 129 +++++++++
 .../mcp/views/McpAuthorizeView.svelte         |  62 +++++
 .../mcp/views/McpCloseWindowView.svelte       |  22 ++
 .../mcp/views/McpDisabledView.svelte          |  43 +++
 .../mcp/views/McpErrorView.svelte             |  27 ++
 .../mcp/views/McpInvalidView.svelte           |  30 +++
 .../tests/e2e-playwright/fixtures/index.ts    |   2 +
 .../tests/e2e-playwright/fixtures/mcp.ts      | 135 ++++++++++
 .../tests/e2e-playwright/routes/mcp.spec.ts   | 253 +++++++++++++++++
 .../internet_identity_frontend.did            |   5 +
 .../local_test_arg.did.template               |   1 +
 src/internet_identity_frontend/src/main.rs    |  61 ++++-
 .../tests/integration/http.rs                 |   1 +
 .../src/internet_identity/types.rs            |   6 +
 30 files changed, 1711 insertions(+), 6 deletions(-)
 create mode 100644 src/frontend/src/lib/components/ui/McpLogo.svelte
 create mode 100644 src/frontend/src/lib/stores/mcp-access.store.ts
 create mode 100644 src/frontend/src/lib/utils/analytics/mcpAuthorizeFunnel.ts
 create mode 100644 src/frontend/src/routes/(new-styling)/manage/(authenticated)/settings/components/McpAccessSection.svelte
 create mode 100644 src/frontend/src/routes/(new-styling)/manage/(authenticated)/settings/components/McpConfirmDialog.svelte
 create mode 100644 src/frontend/src/routes/(new-styling)/mcp/+layout.svelte
 create mode 100644 src/frontend/src/routes/(new-styling)/mcp/+page.svelte
 create mode 100644 src/frontend/src/routes/(new-styling)/mcp/+page.ts
 create mode 100644 src/frontend/src/routes/(new-styling)/mcp/components/McpHero.svelte
 create mode 100644 src/frontend/src/routes/(new-styling)/mcp/mcp-switcher.store.ts
 create mode 100644 src/frontend/src/routes/(new-styling)/mcp/utils.ts
 create mode 100644 src/frontend/src/routes/(new-styling)/mcp/views/McpAuthorizeView.svelte
 create mode 100644 src/frontend/src/routes/(new-styling)/mcp/views/McpCloseWindowView.svelte
 create mode 100644 src/frontend/src/routes/(new-styling)/mcp/views/McpDisabledView.svelte
 create mode 100644 src/frontend/src/routes/(new-styling)/mcp/views/McpErrorView.svelte
 create mode 100644 src/frontend/src/routes/(new-styling)/mcp/views/McpInvalidView.svelte
 create mode 100644 src/frontend/tests/e2e-playwright/fixtures/mcp.ts
 create mode 100644 src/frontend/tests/e2e-playwright/routes/mcp.spec.ts

diff --git a/scripts/frontend-arg-helpers.bash b/scripts/frontend-arg-helpers.bash
index 453bc71689..42329f4328 100644
--- a/scripts/frontend-arg-helpers.bash
+++ b/scripts/frontend-arg-helpers.bash
@@ -72,7 +72,7 @@ build_frontend_install_arg() {
     }
 
     # All known fields with their defaults (null for missing/new canisters)
-    local -a field_names=(backend_canister_id backend_origin related_origins fetch_root_key analytics_config dummy_auth dev_csp featured_dashboard_apps)
+    local -a field_names=(backend_canister_id backend_origin related_origins fetch_root_key analytics_config dummy_auth dev_csp featured_dashboard_apps mcp_server_origin)
     local -A current_values=(
         [backend_canister_id]="null"
         [backend_origin]="null"
@@ -82,6 +82,7 @@ build_frontend_install_arg() {
         [dummy_auth]="null"
         [dev_csp]="null"
         [featured_dashboard_apps]="null"
+        [mcp_server_origin]="null"
     )
 
     if [ -z "$raw_config" ]; then
diff --git a/src/frontend/src/lib/components/ui/McpLogo.svelte b/src/frontend/src/lib/components/ui/McpLogo.svelte
new file mode 100644
index 0000000000..e9bcc3d3e8
--- /dev/null
+++ b/src/frontend/src/lib/components/ui/McpLogo.svelte
@@ -0,0 +1,21 @@
+<script lang="ts">
+  import type { ClassValue } from "svelte/elements";
+
+  interface Props {
+    class?: ClassValue;
+  }
+
+  const { class: className }: Props = $props();
+</script>
+
+<!-- The Model Context Protocol logo, rendered in currentColor. -->
+<svg
+  viewBox="0 0 24 24"
+  fill="currentColor"
+  class={className}
+  aria-hidden="true"
+>
+  <path
+    d="M13.85 0a4.16 4.16 0 0 0-2.95 1.217L1.456 10.66a.835.835 0 0 0 0 1.18.835.835 0 0 0 1.18 0l9.442-9.442a2.49 2.49 0 0 1 3.541 0 2.49 2.49 0 0 1 0 3.541L8.59 12.97l-.1.1a.835.835 0 0 0 0 1.18.835.835 0 0 0 1.18 0l.1-.098 7.03-7.034a2.49 2.49 0 0 1 3.542 0l.049.05a2.49 2.49 0 0 1 0 3.54l-8.54 8.54a1.96 1.96 0 0 0 0 2.755l1.753 1.753a.835.835 0 0 0 1.18 0 .835.835 0 0 0 0-1.18l-1.753-1.753a.266.266 0 0 1 0-.394l8.54-8.54a4.185 4.185 0 0 0 0-5.9l-.05-.05a4.16 4.16 0 0 0-2.95-1.218c-.2 0-.401.02-.6.048a4.17 4.17 0 0 0-1.17-3.552A4.16 4.16 0 0 0 13.85 0m0 3.333a.84.84 0 0 0-.59.245L6.275 10.56a4.186 4.186 0 0 0 0 5.902 4.186 4.186 0 0 0 5.902 0L19.16 9.48a.835.835 0 0 0 0-1.18.835.835 0 0 0-1.18 0l-6.985 6.984a2.49 2.49 0 0 1-3.54 0 2.49 2.49 0 0 1 0-3.54l6.983-6.985a.835.835 0 0 0 0-1.18.84.84 0 0 0-.59-.245"
+  />
+</svg>
diff --git a/src/frontend/src/lib/constants/store.constants.ts b/src/frontend/src/lib/constants/store.constants.ts
index 71500d16db..db5b7d1a42 100644
--- a/src/frontend/src/lib/constants/store.constants.ts
+++ b/src/frontend/src/lib/constants/store.constants.ts
@@ -2,6 +2,7 @@ export const storeLocalStorageKey = {
   LastUsedIdentities: "ii-last-used-identities",
   Locale: "ii-locale",
   CliAccess: "ii-cli-access",
+  McpAccess: "ii-mcp-access",
 } as const;
 
 export type StoreLocalStorageKey =
diff --git a/src/frontend/src/lib/generated/internet_identity_frontend_idl.js b/src/frontend/src/lib/generated/internet_identity_frontend_idl.js
index e281588b9d..bb07822114 100644
--- a/src/frontend/src/lib/generated/internet_identity_frontend_idl.js
+++ b/src/frontend/src/lib/generated/internet_identity_frontend_idl.js
@@ -17,6 +17,7 @@ export const idlFactory = ({ IDL }) => {
     'backend_origin' : IDL.Text,
     'dev_csp' : IDL.Opt(IDL.Bool),
     'dummy_auth' : IDL.Opt(IDL.Opt(DummyAuthConfig)),
+    'mcp_server_origin' : IDL.Opt(IDL.Text),
     'feature_flags' : IDL.Opt(IDL.Vec(IDL.Tuple(IDL.Text, IDL.Bool))),
   });
   const HeaderField = IDL.Tuple(IDL.Text, IDL.Text);
@@ -56,6 +57,7 @@ export const init = ({ IDL }) => {
     'backend_origin' : IDL.Text,
     'dev_csp' : IDL.Opt(IDL.Bool),
     'dummy_auth' : IDL.Opt(IDL.Opt(DummyAuthConfig)),
+    'mcp_server_origin' : IDL.Opt(IDL.Text),
     'feature_flags' : IDL.Opt(IDL.Vec(IDL.Tuple(IDL.Text, IDL.Bool))),
   });
   return [InternetIdentityFrontendInit];
diff --git a/src/frontend/src/lib/generated/internet_identity_frontend_types.d.ts b/src/frontend/src/lib/generated/internet_identity_frontend_types.d.ts
index d0640df8a2..cc50cc8bb3 100644
--- a/src/frontend/src/lib/generated/internet_identity_frontend_types.d.ts
+++ b/src/frontend/src/lib/generated/internet_identity_frontend_types.d.ts
@@ -44,6 +44,13 @@ export interface InternetIdentityFrontendInit {
   'backend_origin' : string,
   'dev_csp' : [] | [boolean],
   'dummy_auth' : [] | [[] | [DummyAuthConfig]],
+  /**
+   * Origin of the trusted MCP server, e.g. "https://mcp.id.ai" (no trailing
+   * slash). The /mcp delegation flow delivers the delegation to this origin
+   * only (it's added to the form-action CSP and /mcp rejects callbacks on any
+   * other origin). When unset, the /mcp flow is disabled.
+   */
+  'mcp_server_origin' : [] | [string],
   /**
    * Frontend feature flag overrides keyed by flag name, e.g.
    * record { "EMAIL_RECOVERY"; true }. Sets the deployment-level baseline for
diff --git a/src/frontend/src/lib/globals.ts b/src/frontend/src/lib/globals.ts
index d885e2fbf3..d78c570bde 100644
--- a/src/frontend/src/lib/globals.ts
+++ b/src/frontend/src/lib/globals.ts
@@ -119,3 +119,8 @@ export const getPrimaryOrigin = () =>
 // `undefined` when the operator didn't configure this flag.
 export const getConfiguredFeatureFlag = (name: string): boolean | undefined =>
   frontendCanisterConfig.feature_flags[0]?.find(([key]) => key === name)?.[1];
+
+// Origin of the trusted MCP server configured via the canister deploy args, or
+// `undefined` when unset (in which case the `/mcp` delegation flow is disabled).
+export const getMcpServerOrigin = (): string | undefined =>
+  frontendCanisterConfig.mcp_server_origin[0];
diff --git a/src/frontend/src/lib/stores/mcp-access.store.ts b/src/frontend/src/lib/stores/mcp-access.store.ts
new file mode 100644
index 0000000000..35d7b77503
--- /dev/null
+++ b/src/frontend/src/lib/stores/mcp-access.store.ts
@@ -0,0 +1,48 @@
+import { derived, get, type Readable } from "svelte/store";
+import { storeLocalStorageKey } from "$lib/constants/store.constants";
+import { writableStored } from "./writable.store";
+
+type McpAccessState = {
+  [identityNumber: string]: boolean;
+};
+
+type McpAccessStore = Readable<McpAccessState> & {
+  isEnabled: (identityNumber: bigint) => boolean;
+  enable: (identityNumber: bigint) => void;
+  disable: (identityNumber: bigint) => void;
+};
+
+export const initMcpAccessStore = (): McpAccessStore => {
+  const store = writableStored<McpAccessState>({
+    key: storeLocalStorageKey.McpAccess,
+    defaultValue: {},
+    version: 1,
+  });
+
+  return {
+    subscribe: store.subscribe,
+    isEnabled: (identityNumber) =>
+      get(store)[identityNumber.toString()] === true,
+    enable: (identityNumber) => {
+      store.update((state) => ({
+        ...state,
+        [identityNumber.toString()]: true,
+      }));
+    },
+    disable: (identityNumber) => {
+      store.update((state) => {
+        const next = { ...state };
+        delete next[identityNumber.toString()];
+        return next;
+      });
+    },
+  };
+};
+
+export const mcpAccessStore = initMcpAccessStore();
+
+/** Reactive boolean for a specific identity. */
+export const isMcpAccessEnabledStore = (
+  identityNumber: bigint,
+): Readable<boolean> =>
+  derived(mcpAccessStore, (state) => state[identityNumber.toString()] === true);
diff --git a/src/frontend/src/lib/utils/analytics/mcpAuthorizeFunnel.ts b/src/frontend/src/lib/utils/analytics/mcpAuthorizeFunnel.ts
new file mode 100644
index 0000000000..2a380bfded
--- /dev/null
+++ b/src/frontend/src/lib/utils/analytics/mcpAuthorizeFunnel.ts
@@ -0,0 +1,32 @@
+import { Funnel } from "./Funnel";
+
+/**
+ * /mcp authorize flow events (the funnel prefixes each with `mcp-authorize--`):
+ *
+ * start-mcp-authorize (INIT)
+ *   mcp-authorize--request-invalid   (fragment missing/malformed, or callback
+ *                                      origin ≠ configured MCP server origin)
+ *   mcp-authorize--request-received  (valid request, authorize screen shown)
+ *     mcp-authorize--confirmed       (user clicked Allow access)
+ *       mcp-authorize--access-disabled (MCP access not enabled on this device)
+ *       mcp-authorize--success       (MCP server redirected back status=success)
+ *       mcp-authorize--error         (MCP server redirected back status=error)
+ * end-mcp-authorize
+ *
+ * The flow navigates away to the MCP server and back, so the success and error
+ * events fire on a fresh page load — Plausible correlates them with the start
+ * by visitor session, not by JS lifetime.
+ */
+export const McpAuthorizeEvents = {
+  RequestInvalid: "request-invalid",
+  RequestReceived: "request-received",
+  Confirmed: "confirmed",
+  AccessDisabled: "access-disabled",
+  Success: "success",
+  Error: "error",
+} as const;
+
+export const mcpAuthorizeFunnel = new Funnel<typeof McpAuthorizeEvents>(
+  "mcp-authorize",
+  true,
+);
diff --git a/src/frontend/src/routes/(new-styling)/manage/(authenticated)/settings/+page.svelte b/src/frontend/src/routes/(new-styling)/manage/(authenticated)/settings/+page.svelte
index cc7ffd1fde..e4d19d83b3 100644
--- a/src/frontend/src/routes/(new-styling)/manage/(authenticated)/settings/+page.svelte
+++ b/src/frontend/src/routes/(new-styling)/manage/(authenticated)/settings/+page.svelte
@@ -3,6 +3,7 @@
   import { Trans } from "$lib/components/locale";
   import { t } from "$lib/stores/locale.store";
   import CliAccessSection from "./components/CliAccessSection.svelte";
+  import McpAccessSection from "./components/McpAccessSection.svelte";
 </script>
 
 <header class="flex flex-col gap-3">
@@ -16,4 +17,5 @@
 
 <div class="mt-10 flex max-w-3xl flex-col gap-5">
   <CliAccessSection identityNumber={$authenticatedStore.identityNumber} />
+  <McpAccessSection identityNumber={$authenticatedStore.identityNumber} />
 </div>
diff --git a/src/frontend/src/routes/(new-styling)/manage/(authenticated)/settings/components/McpAccessSection.svelte b/src/frontend/src/routes/(new-styling)/manage/(authenticated)/settings/components/McpAccessSection.svelte
new file mode 100644
index 0000000000..e7033ffdff
--- /dev/null
+++ b/src/frontend/src/routes/(new-styling)/manage/(authenticated)/settings/components/McpAccessSection.svelte
@@ -0,0 +1,90 @@
+<script lang="ts">
+  import Badge from "$lib/components/ui/Badge.svelte";
+  import Toggle from "$lib/components/ui/Toggle.svelte";
+  import McpLogo from "$lib/components/ui/McpLogo.svelte";
+  import { Trans } from "$lib/components/locale";
+  import { t } from "$lib/stores/locale.store";
+  import {
+    mcpAccessStore,
+    isMcpAccessEnabledStore,
+  } from "$lib/stores/mcp-access.store";
+  import McpConfirmDialog from "./McpConfirmDialog.svelte";
+
+  interface Props {
+    identityNumber: bigint;
+  }
+
+  const { identityNumber }: Props = $props();
+  const titleId = $props.id();
+
+  const enabledStore = $derived(isMcpAccessEnabledStore(identityNumber));
+  const enabled = $derived($enabledStore);
+
+  let showConfirm = $state(false);
+
+  const handleToggle = (event: Event) => {
+    if (!(event.currentTarget instanceof HTMLInputElement)) {
+      return;
+    }
+    if (event.currentTarget.checked) {
+      showConfirm = true;
+    } else {
+      mcpAccessStore.disable(identityNumber);
+    }
+  };
+
+  const handleConfirm = () => {
+    mcpAccessStore.enable(identityNumber);
+    showConfirm = false;
+  };
+</script>
+
+<section
+  class="border-border-secondary bg-bg-secondary flex flex-row items-start gap-4 rounded-xl border p-5"
+>
+  <span
+    class="border-border-tertiary text-fg-secondary bg-bg-primary flex size-10 shrink-0 items-center justify-center rounded-lg border"
+    aria-hidden="true"
+  >
+    <McpLogo class="size-5" />
+  </span>
+
+  <div class="flex flex-1 flex-col gap-1">
+    <div class="flex min-h-[1.5rem] flex-row items-center gap-2">
+      <h3 id={titleId} class="text-text-primary text-base font-semibold">
+        {$t`MCP access`}
+      </h3>
+      {#if enabled}
+        <Badge color="success" size="sm" dot>
+          {$t`Enabled`}
+        </Badge>
+      {/if}
+    </div>
+    <p class="text-text-tertiary text-sm">
+      {#if enabled}
+        <Trans>
+          AI assistants on this device can ask to sign you in to apps.
+        </Trans>
+      {:else}
+        <Trans>
+          Let AI assistants on this device sign in to apps using your identity.
+        </Trans>
+      {/if}
+    </p>
+  </div>
+
+  <div class="shrink-0">
+    <Toggle
+      checked={enabled}
+      onchange={handleToggle}
+      aria-labelledby={titleId}
+    />
+  </div>
+</section>
+
+{#if showConfirm}
+  <McpConfirmDialog
+    onConfirm={handleConfirm}
+    onClose={() => (showConfirm = false)}
+  />
+{/if}
diff --git a/src/frontend/src/routes/(new-styling)/manage/(authenticated)/settings/components/McpConfirmDialog.svelte b/src/frontend/src/routes/(new-styling)/manage/(authenticated)/settings/components/McpConfirmDialog.svelte
new file mode 100644
index 0000000000..b0d34ff6ee
--- /dev/null
+++ b/src/frontend/src/routes/(new-styling)/manage/(authenticated)/settings/components/McpConfirmDialog.svelte
@@ -0,0 +1,59 @@
+<script lang="ts">
+  import { TriangleAlertIcon } from "@lucide/svelte";
+  import Dialog from "$lib/components/ui/Dialog.svelte";
+  import FeaturedIcon from "$lib/components/ui/FeaturedIcon.svelte";
+  import Checkbox from "$lib/components/ui/Checkbox.svelte";
+  import { Trans } from "$lib/components/locale";
+  import { t } from "$lib/stores/locale.store";
+
+  interface Props {
+    onConfirm: () => void;
+    onClose: () => void;
+  }
+
+  const { onConfirm, onClose }: Props = $props();
+
+  let acknowledged = $state(false);
+</script>
+
+<Dialog {onClose} width="wider">
+  <div class="flex flex-col gap-5 p-1">
+    <FeaturedIcon size="lg" variant="warning" class="self-start">
+      <TriangleAlertIcon class="size-6" />
+    </FeaturedIcon>
+
+    <h2 class="text-text-primary text-2xl font-medium">
+      {$t`Are you sure?`}
+    </h2>
+
+    <p class="text-text-tertiary text-base text-pretty">
+      <Trans>
+        Enabling this lets AI assistants on this device ask to sign you in to
+        apps using your identity.
+      </Trans>
+    </p>
+
+    <ul class="text-text-tertiary flex list-disc flex-col gap-2 ps-5 text-sm">
+      <li>
+        <Trans>It can send messages or move funds on your behalf.</Trans>
+      </li>
+      <li>
+        <Trans>Like any AI, it can hallucinate and make mistakes.</Trans>
+      </li>
+    </ul>
+
+    <Checkbox
+      bind:checked={acknowledged}
+      label={$t`I understand the risks.`}
+      labelClass="text-sm"
+    />
+
+    <button
+      class="btn btn-primary btn-lg w-full"
+      onclick={onConfirm}
+      disabled={!acknowledged}
+    >
+      {$t`Enable MCP access`}
+    </button>
+  </div>
+</Dialog>
diff --git a/src/frontend/src/routes/(new-styling)/mcp/+layout.svelte b/src/frontend/src/routes/(new-styling)/mcp/+layout.svelte
new file mode 100644
index 0000000000..72ea27e05b
--- /dev/null
+++ b/src/frontend/src/routes/(new-styling)/mcp/+layout.svelte
@@ -0,0 +1,179 @@
+<script lang="ts">
+  import type { LayoutProps } from "./$types";
+  import { ChevronDownIcon, UserIcon } from "@lucide/svelte";
+  import { lastUsedIdentitiesStore } from "$lib/stores/last-used-identities.store";
+  import { t } from "$lib/stores/locale.store";
+  import { AuthWizard } from "$lib/components/wizards/auth";
+  import Header from "$lib/components/layout/Header.svelte";
+  import Footer from "$lib/components/layout/Footer.svelte";
+  import Dialog from "$lib/components/ui/Dialog.svelte";
+  import Popover from "$lib/components/ui/Popover.svelte";
+  import IdentitySwitcher from "$lib/components/ui/IdentitySwitcher.svelte";
+  import ManageIdentities from "$lib/components/ui/ManageIdentities.svelte";
+  import Avatar from "$lib/components/ui/Avatar.svelte";
+  import { handleError } from "$lib/components/utils/error";
+  import { toaster } from "$lib/components/utils/toaster";
+  import { showIdentitySwitcher } from "./mcp-switcher.store";
+
+  const { children }: LayoutProps = $props();
+
+  // --- Identity switcher state ---
+  const lastUsedIdentities = $derived(
+    Object.values($lastUsedIdentitiesStore.identities).sort(
+      (a, b) => b.lastUsedTimestampMillis - a.lastUsedTimestampMillis,
+    ),
+  );
+  const selectedIdentity = $derived($lastUsedIdentitiesStore.selected);
+
+  let identityButtonRef = $state<HTMLElement>();
+  let isIdentityPopoverOpen = $state(false);
+  let isAuthDialogOpen = $state(false);
+  let isManageIdentitiesDialogOpen = $state(false);
+
+  // Switching identity only *selects* here — unlike the authorize route, it
+  // doesn't sign in. The page's Allow access button performs the authentication
+  // for the selected identity, so the user always makes that explicit choice.
+  const handleSelectIdentity = (identityNumber: bigint): Promise<void> => {
+    lastUsedIdentitiesStore.selectIdentity(identityNumber);
+    isIdentityPopoverOpen = false;
+    isAuthDialogOpen = false;
+    return Promise.resolve();
+  };
+  // The "use another identity" dialog signs in through its own AuthWizard;
+  // these run once it has authenticated, so they only select and notify.
+  const handleSignUp = async (identityNumber: bigint): Promise<void> => {
+    await handleSelectIdentity(identityNumber);
+    toaster.success({
+      title: $t`You're all set. Your identity has been created.`,
+      duration: 4000,
+    });
+  };
+  const handleRemoveIdentity = (identityNumber: bigint) => {
+    const isCurrent = selectedIdentity?.identityNumber === identityNumber;
+    if (isCurrent) {
+      const nextIdentity = lastUsedIdentities.find(
+        (identity) => identity.identityNumber !== identityNumber,
+      );
+      if (nextIdentity !== undefined) {
+        lastUsedIdentitiesStore.selectIdentity(nextIdentity.identityNumber);
+      }
+    }
+
+    const removedIdentity =
+      $lastUsedIdentitiesStore.identities[`${identityNumber}`];
+    lastUsedIdentitiesStore.removeIdentity(identityNumber);
+
+    isManageIdentitiesDialogOpen = false;
+    if (removedIdentity !== undefined) {
+      const identityName =
+        removedIdentity.name ?? `${removedIdentity.identityNumber}`;
+      toaster.create({
+        title: $t`Identity removed`,
+        description: $t`${identityName} has been removed from this device.`,
+        closable: true,
+        duration: 5000,
+        action: {
+          label: $t`Undo`,
+          onClick: () => {
+            lastUsedIdentitiesStore.restoreIdentity(removedIdentity);
+            if (isCurrent) {
+              lastUsedIdentitiesStore.selectIdentity(
+                removedIdentity.identityNumber,
+              );
+            }
+          },
+        },
+      });
+    }
+  };
+</script>
+
+<div class="flex min-h-[100dvh] flex-col" data-page="mcp-authorize-view">
+  <div class="h-[env(safe-area-inset-top)]"></div>
+  <Header>
+    {#if selectedIdentity !== undefined && $showIdentitySwitcher}
+      <button
+        bind:this={identityButtonRef}
+        class="btn btn-tertiary ms-auto gap-2.5 pe-3 md:-me-3"
+        onclick={() => (isIdentityPopoverOpen = true)}
+        aria-label="Switch identity"
+      >
+        <Avatar size="xs">
+          <UserIcon class="size-4" />
+        </Avatar>
+        <span>{selectedIdentity.name ?? selectedIdentity.identityNumber}</span>
+        <ChevronDownIcon class="size-4" />
+      </button>
+      {#if isIdentityPopoverOpen}
+        <Popover
+          anchor={identityButtonRef}
+          onClose={() => (isIdentityPopoverOpen = false)}
+          direction="down"
+          align="end"
+          distance="0.75rem"
+          class="!bg-bg-primary"
+        >
+          <IdentitySwitcher
+            selected={selectedIdentity.identityNumber}
+            identities={lastUsedIdentities}
+            onSwitchIdentity={(identityNumber) =>
+              handleSelectIdentity(identityNumber)}
+            onUseAnotherIdentity={() => {
+              isIdentityPopoverOpen = false;
+              isAuthDialogOpen = true;
+            }}
+            onManageIdentity={(): Promise<void> => {
+              isIdentityPopoverOpen = false;
+              window.open("/manage", "_blank");
+              return Promise.resolve();
+            }}
+            onManageIdentities={() => {
+              isIdentityPopoverOpen = false;
+              isManageIdentitiesDialogOpen = true;
+            }}
+            onError={(error) => {
+              isIdentityPopoverOpen = false;
+              handleError(error);
+            }}
+            onClose={() => (isIdentityPopoverOpen = false)}
+          />
+        </Popover>
+      {/if}
+      {#if isAuthDialogOpen}
+        <Dialog onClose={() => (isAuthDialogOpen = false)}>
+          <AuthWizard
+            onSignIn={handleSelectIdentity}
+            onSignUp={handleSignUp}
+            onError={(error) => {
+              isAuthDialogOpen = false;
+              handleError(error);
+            }}
+          >
+            <h1 class="text-text-primary my-2 self-start text-2xl font-medium">
+              {$t`Sign in`}
+            </h1>
+            <p class="text-text-secondary mb-6 self-start text-sm">
+              {$t`Choose method to continue`}
+            </p>
+          </AuthWizard>
+        </Dialog>
+      {/if}
+    {/if}
+  </Header>
+
+  <div class="flex flex-1 flex-col items-center justify-center">
+    {@render children()}
+  </div>
+
+  <Footer />
+  <div class="h-[env(safe-area-inset-bottom)]"></div>
+</div>
+
+{#if isManageIdentitiesDialogOpen}
+  <Dialog onClose={() => (isManageIdentitiesDialogOpen = false)}>
+    <ManageIdentities
+      identities={lastUsedIdentities}
+      onRemoveIdentity={handleRemoveIdentity}
+    />
+  </Dialog>
+{/if}
diff --git a/src/frontend/src/routes/(new-styling)/mcp/+page.svelte b/src/frontend/src/routes/(new-styling)/mcp/+page.svelte
new file mode 100644
index 0000000000..e1ed1c135d
--- /dev/null
+++ b/src/frontend/src/routes/(new-styling)/mcp/+page.svelte
@@ -0,0 +1,254 @@
+<script lang="ts">
+  import type { PageProps } from "./$types";
+  import {
+    isAuthenticatedStore,
+    authenticationStore,
+  } from "$lib/stores/authentication.store";
+  import { lastUsedIdentitiesStore } from "$lib/stores/last-used-identities.store";
+  import { sessionStore } from "$lib/stores/session.store";
+  import { mcpAccessStore } from "$lib/stores/mcp-access.store";
+  import { AuthLastUsedFlow } from "$lib/flows/authLastUsedFlow.svelte";
+  import { AuthWizard } from "$lib/components/wizards/auth";
+  import AuthPanel from "$lib/components/layout/AuthPanel.svelte";
+  import { t } from "$lib/stores/locale.store";
+  import { handleError } from "$lib/components/utils/error";
+  import { toaster } from "$lib/components/utils/toaster";
+  import { getMcpServerOrigin } from "$lib/globals";
+  import { get } from "svelte/store";
+  import { onMount } from "svelte";
+  import McpHero from "./components/McpHero.svelte";
+  import McpAuthorizeView from "./views/McpAuthorizeView.svelte";
+  import McpCloseWindowView from "./views/McpCloseWindowView.svelte";
+  import McpDisabledView from "./views/McpDisabledView.svelte";
+  import McpErrorView from "./views/McpErrorView.svelte";
+  import McpInvalidView from "./views/McpInvalidView.svelte";
+  import { mcpAuthorize } from "./utils";
+  import { showIdentitySwitcher } from "./mcp-switcher.store";
+  import {
+    mcpAuthorizeFunnel,
+    McpAuthorizeEvents,
+  } from "$lib/utils/analytics/mcpAuthorizeFunnel";
+
+  const { data }: PageProps = $props();
+  const params = $derived(data.params);
+  const status = $derived(data.status);
+
+  // The MCP server is configured as a deploy arg; when unset the flow is
+  // disabled. The delegation is delivered to this origin only.
+  const mcpServerOrigin = getMcpServerOrigin();
+  const mcpServerHost =
+    mcpServerOrigin !== undefined ? new URL(mcpServerOrigin).host : undefined;
+
+  // The request's callback must point at the configured MCP server origin. This
+  // mirrors the `form-action` CSP, which only allows that origin — checking it
+  // here lets us show a clean invalid screen instead of a silent CSP block.
+  const originMatches = (
+    callback: string,
+    configuredOrigin: string,
+  ): boolean => {
+    try {
+      return new URL(callback).origin === new URL(configuredOrigin).origin;
+    } catch {
+      return false;
+    }
+  };
+  const requestValid = $derived(
+    params.kind === "valid" &&
+      mcpServerOrigin !== undefined &&
+      originMatches(params.callback, mcpServerOrigin),
+  );
+
+  const authFlow = new AuthLastUsedFlow();
+  $effect(() =>
+    authFlow.init(
+      Object.values($lastUsedIdentitiesStore.identities).map(
+        ({ identityNumber }) => identityNumber,
+      ),
+    ),
+  );
+
+  // MCP is always app-scoped, so the chosen identity must have MCP access
+  // enabled on this device.
+  const isMcpAccessGated = (identityNumber: bigint | undefined): boolean =>
+    identityNumber !== undefined && !mcpAccessStore.isEnabled(identityNumber);
+
+  onMount(() => {
+    // A redirect back from the MCP server carries an outcome `status`; a fresh
+    // entry carries the request itself.
+    if (status === "success") {
+      mcpAuthorizeFunnel.trigger(McpAuthorizeEvents.Success);
+    } else if (status === "error") {
+      mcpAuthorizeFunnel.trigger(McpAuthorizeEvents.Error);
+    } else {
+      mcpAuthorizeFunnel.init();
+      if (!requestValid) {
+        mcpAuthorizeFunnel.trigger(McpAuthorizeEvents.RequestInvalid);
+        mcpAuthorizeFunnel.close();
+      } else {
+        mcpAuthorizeFunnel.trigger(McpAuthorizeEvents.RequestReceived);
+        // A returning user without device MCP access opens straight on the
+        // gated screen, so record that terminal outcome here.
+        if (phase.kind === "mcp-disabled") {
+          mcpAuthorizeFunnel.trigger(McpAuthorizeEvents.AccessDisabled);
+          mcpAuthorizeFunnel.close();
+        }
+      }
+    }
+
+    // Drop the URL fragment once parsed so the public_key, callback, and status
+    // don't sit in the address bar after the user lands here.
+    if (window.location.hash !== "") {
+      window.history.replaceState(
+        null,
+        "",
+        window.location.pathname + window.location.search,
+      );
+    }
+  });
+
+  type Phase =
+    | { kind: "wizard" }
+    | { kind: "authorize" }
+    | { kind: "close" }
+    | { kind: "mcp-disabled" }
+    | { kind: "invalid" }
+    | { kind: "error" };
+
+  // The phase the page opens on. Outcomes the MCP server redirects back with
+  // take priority; otherwise a returning user with a previously-used identity
+  // opens on the authorize screen, and a user with no last-used identity starts
+  // in the sign-in method wizard.
+  const initialPhase = (): Phase => {
+    if (status === "success") {
+      return { kind: "close" };
+    }
+    if (status === "error") {
+      return { kind: "error" };
+    }
+    if (!requestValid) {
+      return { kind: "invalid" };
+    }
+    const selected = get(lastUsedIdentitiesStore).selected;
+    if (selected !== undefined) {
+      // MCP access is a device-local flag we can read up front, so when it's
+      // off for this identity show the gated screen immediately rather than the
+      // Allow access button followed by a gate after sign-in.
+      return isMcpAccessGated(selected.identityNumber)
+        ? { kind: "mcp-disabled" }
+        : { kind: "authorize" };
+    }
+    return { kind: "wizard" };
+  };
+
+  let phase = $state<Phase>(initialPhase());
+
+  // The switcher is only meaningful while the user is choosing how to sign in.
+  $effect(() => {
+    showIdentitySwitcher.set(
+      phase.kind === "wizard" || phase.kind === "authorize",
+    );
+  });
+
+  // Once an identity has actually signed in (via the wizard here or the "use
+  // another identity" dialog in the layout), advance from the wizard to the
+  // authorize step. Switching identity only *selects* and never authenticates,
+  // so it never triggers this.
+  $effect(() => {
+    if (phase.kind === "wizard" && $isAuthenticatedStore) {
+      phase = isMcpAccessGated($authenticationStore?.identityNumber)
+        ? { kind: "mcp-disabled" }
+        : { kind: "authorize" };
+    }
+  });
+
+  const handleAuthorize = async (): Promise<void> => {
+    if (params.kind !== "valid" || mcpServerOrigin === undefined) {
+      return;
+    }
+    const selected = $lastUsedIdentitiesStore.selected;
+    if (selected === undefined) {
+      return;
+    }
+    mcpAuthorizeFunnel.trigger(McpAuthorizeEvents.Confirmed);
+    try {
+      // The Allow access button is the single sign-in point: switching identity
+      // only selects, so authenticate the selected identity now if it isn't
+      // already the active session.
+      if ($authenticationStore?.identityNumber !== selected.identityNumber) {
+        sessionStore.reset();
+        await authFlow.authenticate(
+          $lastUsedIdentitiesStore.identities[`${selected.identityNumber}`],
+        );
+      }
+      const authenticated = get(authenticationStore);
+      if (authenticated === undefined) {
+        return;
+      }
+      if (isMcpAccessGated(authenticated.identityNumber)) {
+        mcpAuthorizeFunnel.trigger(McpAuthorizeEvents.AccessDisabled);
+        mcpAuthorizeFunnel.close();
+        phase = { kind: "mcp-disabled" };
+        return;
+      }
+      // On success `mcpAuthorize` navigates the browser to the MCP server,
+      // which redirects back here with a status — so a resolved promise means
+      // the chain was built and submitted, not that we stay on this page.
+      await mcpAuthorize({
+        authenticated,
+        publicKey: params.publicKey,
+        app: params.app,
+        ttlMinutes: params.ttlMinutes,
+        callback: params.callback,
+        state: params.state,
+      });
+    } catch (error) {
+      handleError(error);
+    }
+  };
+
+  const wizardSignInHandlers = {
+    onSignIn: (identityNumber: bigint): Promise<void> => {
+      lastUsedIdentitiesStore.selectIdentity(identityNumber);
+      return Promise.resolve();
+    },
+    onSignUp: (identityNumber: bigint): Promise<void> => {
+      lastUsedIdentitiesStore.selectIdentity(identityNumber);
+      toaster.success({
+        title: $t`You're all set. Your identity has been created.`,
+        duration: 4000,
+      });
+      return Promise.resolve();
+    },
+    onError: handleError,
+  };
+</script>
+
+{#if phase.kind === "invalid"}
+  <McpInvalidView />
+{:else if phase.kind === "error"}
+  <McpErrorView />
+{:else if phase.kind === "wizard" && params.kind === "valid" && mcpServerHost !== undefined}
+  <div class="flex w-full justify-center max-sm:flex-1 sm:max-w-110">
+    <AuthPanel>
+      <McpHero app={params.app} mcpServer={mcpServerHost} />
+      <AuthWizard {...wizardSignInHandlers}>
+        <h1 class="text-text-primary my-2 self-start text-2xl font-medium">
+          {$t`Choose method`}
+        </h1>
+        <p class="text-text-secondary mb-6 self-start text-sm">
+          {$t`to allow MCP access to ${params.app}`}
+        </p>
+      </AuthWizard>
+    </AuthPanel>
+  </div>
+{:else if phase.kind === "authorize" && params.kind === "valid" && mcpServerHost !== undefined}
+  <McpAuthorizeView
+    app={params.app}
+    mcpServer={mcpServerHost}
+    onAuthorize={handleAuthorize}
+  />
+{:else if phase.kind === "mcp-disabled"}
+  <McpDisabledView />
+{:else if phase.kind === "close"}
+  <McpCloseWindowView />
+{/if}
diff --git a/src/frontend/src/routes/(new-styling)/mcp/+page.ts b/src/frontend/src/routes/(new-styling)/mcp/+page.ts
new file mode 100644
index 0000000000..0654efa950
--- /dev/null
+++ b/src/frontend/src/routes/(new-styling)/mcp/+page.ts
@@ -0,0 +1,149 @@
+import type { PageLoad } from "./$types";
+import { fromBase64URL } from "$lib/utils/utils";
+
+/** Default delegation lifetime in minutes when the request omits `ttl`. */
+const DEFAULT_TTL_MINUTES = 60;
+
+/**
+ * The `/mcp` request, parsed from the URL fragment the MCP server redirects the
+ * browser to. `valid` carries the validated request — the session public key to
+ * delegate to, the callback to post the delegation back to, the single-use
+ * `state` echoed back to the MCP server, the delegation TTL, and the app whose
+ * account the delegation acts as. `invalid` means the fragment was missing or
+ * malformed.
+ *
+ * The callback's origin is checked against the configured MCP server origin in
+ * the page component (where the canister config is available), not here.
+ */
+export type McpParams =
+  | {
+      kind: "valid";
+      /** base64url-encoded DER session pubkey supplied by the MCP server. */
+      publicKey: string;
+      callback: string;
+      /** Opaque value echoed back to the MCP server so it can tie the delivered
+       *  delegation to the request it started (CSRF protection). */
+      state: string;
+      ttlMinutes: number;
+      /** Hostname of the app whose account the delegation acts as. */
+      app: string;
+    }
+  | { kind: "invalid" };
+
+/**
+ * Outcome the MCP server redirects back with after receiving the delegation.
+ * `success` and `error` arrive on their own on a fresh page load.
+ */
+export type McpStatus = "success" | "error";
+
+const parseStatus = (raw: string | null): McpStatus | undefined => {
+  if (raw === "success" || raw === "error") {
+    return raw;
+  }
+  return undefined;
+};
+
+const parseBase64Url = (raw: string | null): string | undefined => {
+  if (raw === null || raw === "") {
+    return undefined;
+  }
+  try {
+    fromBase64URL(raw);
+    return raw;
+  } catch {
+    return undefined;
+  }
+};
+
+/**
+ * Structural callback check: must be an absolute http(s) URL. The exact origin
+ * match against the configured MCP server origin happens in the component — the
+ * canister config isn't available here (this `load` also runs at prerender).
+ */
+const parseCallback = (raw: string | null): string | undefined => {
+  if (raw === null || raw === "") {
+    return undefined;
+  }
+  let url: URL;
+  try {
+    url = new URL(raw);
+  } catch {
+    return undefined;
+  }
+  if (url.protocol !== "https:" && url.protocol !== "http:") {
+    return undefined;
+  }
+  return raw;
+};
+
+/**
+ * Returns the normalised hostname if `raw` is a bare hostname (optionally with
+ * mixed case), or undefined if it's not. Rejects port, path, query, fragment,
+ * scheme prefix, and userinfo by requiring the round-trip through `new URL` to
+ * leave only the hostname behind.
+ */
+const parseApp = (raw: string | null): string | undefined => {
+  if (raw === null || raw === "") {
+    return undefined;
+  }
+  let url: URL;
+  try {
+    url = new URL(`https://${raw}`);
+  } catch {
+    return undefined;
+  }
+  if (url.hostname.toLowerCase() !== raw.toLowerCase()) {
+    return undefined;
+  }
+  return url.hostname;
+};
+
+const parseState = (raw: string | null): string | undefined => {
+  if (raw === null || raw === "") {
+    return undefined;
+  }
+  return raw;
+};
+
+const parseTtl = (raw: string | null): number | undefined => {
+  if (raw === null) {
+    return DEFAULT_TTL_MINUTES;
+  }
+  const parsed = Number(raw);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    return undefined;
+  }
+  return Math.floor(parsed);
+};
+
+export const load: PageLoad = ({
+  url,
+}): { params: McpParams; status: McpStatus | undefined } => {
+  // The MCP server redirects the browser here with the request in the URL
+  // fragment (never sent to the server, so the session key and callback stay
+  // out of II's request logs; the address-bar copy is cleared in `+page.svelte`
+  // via `replaceState`). Reading `url.hash` relies on this universal `load`
+  // re-running client-side; with `adapter-static` it's empty during prerender.
+  const params = new URLSearchParams(url.hash.slice(1));
+
+  const status = parseStatus(params.get("status"));
+  const publicKey = parseBase64Url(params.get("public_key"));
+  const callback = parseCallback(params.get("callback"));
+  const state = parseState(params.get("state"));
+  const app = parseApp(params.get("app"));
+  const ttlMinutes = parseTtl(params.get("ttl"));
+
+  if (
+    publicKey === undefined ||
+    callback === undefined ||
+    state === undefined ||
+    app === undefined ||
+    ttlMinutes === undefined
+  ) {
+    return { params: { kind: "invalid" }, status };
+  }
+  return {
+    params: { kind: "valid", publicKey, callback, state, ttlMinutes, app },
+    status,
+  };
+};
diff --git a/src/frontend/src/routes/(new-styling)/mcp/components/McpHero.svelte b/src/frontend/src/routes/(new-styling)/mcp/components/McpHero.svelte
new file mode 100644
index 0000000000..c15589c20b
--- /dev/null
+++ b/src/frontend/src/routes/(new-styling)/mcp/components/McpHero.svelte
@@ -0,0 +1,76 @@
+<script lang="ts">
+  import { GlobeIcon, LockIcon } from "@lucide/svelte";
+  import Badge from "$lib/components/ui/Badge.svelte";
+  import McpLogo from "$lib/components/ui/McpLogo.svelte";
+  import Ellipsis from "$lib/components/utils/Ellipsis.svelte";
+  import { getDapps } from "$lib/legacy/flows/dappsExplorer/dapps";
+
+  interface Props {
+    /** Hostname of the app the delegation acts as. */
+    app: string;
+    /** Hostname of the configured MCP server (e.g. mcp.id.ai). */
+    mcpServer: string;
+  }
+
+  const { app, mcpServer }: Props = $props();
+
+  const apps = getDapps();
+  const dapp = $derived(apps.find((a) => a.hasOrigin(`https://${app}`)));
+</script>
+
+<!--
+  The app and the MCP server as two nodes bridged by a dashed link with a
+  centered lock chip (the link is secured by your Internet Identity) — conveys
+  "your identity lets this app be acted on by the MCP server" before any copy.
+-->
+<div class="flex items-start justify-center gap-0 py-5">
+  <div class="flex w-24 flex-col items-center gap-2.5">
+    <div
+      class={[
+        "flex size-15 shrink-0 items-center justify-center overflow-hidden rounded-2xl",
+        dapp?.logoSrc === undefined &&
+          "border-border-secondary text-fg-primary bg-bg-primary border",
+      ]}
+    >
+      {#if dapp?.logoSrc !== undefined}
+        <img
+          src={dapp.logoSrc}
+          alt={`${dapp.name} logo`}
+          class="size-15 object-cover"
+        />
+      {:else}
+        <GlobeIcon class="size-6" />
+      {/if}
+    </div>
+    <Badge size="sm" class="max-w-24">
+      <Ellipsis text={app} position="middle" />
+    </Badge>
+  </div>
+
+  <div
+    class="relative flex h-15 flex-[0_0_2.75rem] items-center justify-center"
+  >
+    <div
+      class="border-border-secondary absolute inset-x-[-0.5rem] top-1/2 -translate-y-1/2 border-t-2 border-dashed"
+      aria-hidden="true"
+    ></div>
+    <span
+      class="border-border-tertiary bg-bg-secondary text-fg-tertiary relative z-[1] flex size-6.5 items-center justify-center rounded-full border"
+      aria-hidden="true"
+    >
+      <LockIcon class="size-3.5" />
+    </span>
+  </div>
+
+  <div class="flex w-24 flex-col items-center gap-2.5">
+    <div
+      class="border-border-secondary text-fg-primary bg-bg-primary flex size-15 shrink-0 items-center justify-center rounded-2xl border"
+      aria-hidden="true"
+    >
+      <McpLogo class="size-6.5" />
+    </div>
+    <Badge size="sm" class="max-w-24">
+      <Ellipsis text={mcpServer} position="middle" />
+    </Badge>
+  </div>
+</div>
diff --git a/src/frontend/src/routes/(new-styling)/mcp/mcp-switcher.store.ts b/src/frontend/src/routes/(new-styling)/mcp/mcp-switcher.store.ts
new file mode 100644
index 0000000000..eebc9ba3bc
--- /dev/null
+++ b/src/frontend/src/routes/(new-styling)/mcp/mcp-switcher.store.ts
@@ -0,0 +1,12 @@
+import { writable } from "svelte/store";
+
+/**
+ * Whether the identity switcher in the /mcp layout header should be shown.
+ *
+ * The page sets this to `true` only during the sign-in phases (wizard,
+ * authorize) and `false` on the terminal screens (close, error, invalid,
+ * mcp-disabled), where switching identity is meaningless. It lives in a shared
+ * store because the switcher is rendered by the layout but its relevance is
+ * owned by the page's phase.
+ */
+export const showIdentitySwitcher = writable(false);
diff --git a/src/frontend/src/routes/(new-styling)/mcp/utils.ts b/src/frontend/src/routes/(new-styling)/mcp/utils.ts
new file mode 100644
index 0000000000..73086303ed
--- /dev/null
+++ b/src/frontend/src/routes/(new-styling)/mcp/utils.ts
@@ -0,0 +1,129 @@
+import type { Authenticated } from "$lib/stores/authentication.store";
+import { DelegationChain, ECDSAKeyIdentity } from "@icp-sdk/core/identity";
+import { remapToLegacyDomain } from "$lib/utils/iiConnection";
+import {
+  fromBase64URL,
+  retryFor,
+  throwCanisterError,
+  transformSignedDelegation,
+} from "$lib/utils/utils";
+
+interface McpAuthorizeInput {
+  authenticated: Authenticated;
+  /** base64url-encoded DER session pubkey supplied by the MCP server. */
+  publicKey: string;
+  /** Hostname of the app whose account the delegation acts as. */
+  app: string;
+  /** Lifetime in minutes. */
+  ttlMinutes: number;
+  /** Callback URL (on the configured MCP server origin) the delegation chain is
+   *  form-POSTed to. */
+  callback: string;
+  /** Opaque value from the request, echoed back so the MCP server can tie the
+   *  delivered delegation to the request it started. */
+  state: string;
+}
+
+/**
+ * Builds a two-hop delegation chain rooted at the user's identity and ending at
+ * the MCP server's public key, then delivers it to the MCP server's callback
+ * via a top-level form-POST navigation. The MCP server reads the post and
+ * redirects the browser back to `/mcp` with a `status` so this page keeps
+ * owning the UI.
+ *
+ * The chain is derived for the app's account: `get_default_account` resolves
+ * the user's default account for the app origin, and that account number (which
+ * may be the unreserved default or a specific one the user set) is what the
+ * delegation is bound to — so the MCP server acts as the same account a normal
+ * `/authorize` sign-in to the app would use, not the legacy anchor-seed
+ * principal a blind `null` produces.
+ *
+ * The canister only ever signs a delegation to a freshly-generated,
+ * non-extractable browser key — never to the public_key from the URL fragment
+ * (which is attacker-controllable). The MCP server's public key only enters the
+ * chain via a sub-delegation signed by the ephemeral key.
+ */
+export const mcpAuthorize = async ({
+  authenticated,
+  publicKey,
+  app,
+  ttlMinutes,
+  callback,
+  state,
+}: McpAuthorizeInput): Promise<void> => {
+  const { identityNumber, actor } = authenticated;
+  // Remap an app domain on a gateway (*.icp0.io / *.icp.net) to *.ic0.app so
+  // the principal matches the one /authorize derives for the same app.
+  const effectiveOrigin = remapToLegacyDomain(`https://${app}`);
+  const maxTimeToLiveNanos = BigInt(ttlMinutes) * BigInt(60) * BigInt(1e9);
+
+  const { account_number } = await actor
+    .get_default_account(identityNumber, effectiveOrigin)
+    .then(throwCanisterError);
+
+  const ephemeralIdentity = await ECDSAKeyIdentity.generate({
+    extractable: false,
+  });
+  const ephemeralPublicKey = new Uint8Array(
+    ephemeralIdentity.getPublicKey().toDer(),
+  );
+
+  const { user_key, expiration } = await actor
+    .prepare_account_delegation(
+      identityNumber,
+      effectiveOrigin,
+      account_number,
+      ephemeralPublicKey,
+      [maxTimeToLiveNanos],
+    )
+    .then(throwCanisterError);
+
+  const canisterChain = await retryFor(5, () =>
+    actor
+      .get_account_delegation(
+        identityNumber,
+        effectiveOrigin,
+        account_number,
+        ephemeralPublicKey,
+        expiration,
+      )
+      .then(throwCanisterError)
+      .then(transformSignedDelegation)
+      .then((delegation) =>
+        DelegationChain.fromDelegations([delegation], new Uint8Array(user_key)),
+      ),
+  );
+
+  // Sub-delegate from the ephemeral key to the MCP server's public key. The
+  // expiration matches the canister-signed delegation so the chain expires as a
+  // whole.
+  const mcpPubKey = fromBase64URL(publicKey);
+  const expirationDate = new Date(Number(expiration / BigInt(1_000_000)));
+  const chain = await DelegationChain.create(
+    ephemeralIdentity,
+    { toDer: () => mcpPubKey },
+    expirationDate,
+    { previous: canisterChain },
+  );
+
+  // Submit as a top-level navigation to the configured MCP server origin (the
+  // only origin allowed by the `form-action` CSP). The MCP server redirects
+  // back to /mcp with a status param.
+  const form = document.createElement("form");
+  form.method = "POST";
+  form.action = callback;
+  const delegationInput = document.createElement("input");
+  delegationInput.type = "hidden";
+  delegationInput.name = "delegation";
+  delegationInput.value = JSON.stringify(chain.toJSON());
+  form.appendChild(delegationInput);
+  // Echo the state so the MCP server can match this delivery to the request it
+  // started.
+  const stateInput = document.createElement("input");
+  stateInput.type = "hidden";
+  stateInput.name = "state";
+  stateInput.value = state;
+  form.appendChild(stateInput);
+  document.body.appendChild(form);
+  form.submit();
+};
diff --git a/src/frontend/src/routes/(new-styling)/mcp/views/McpAuthorizeView.svelte b/src/frontend/src/routes/(new-styling)/mcp/views/McpAuthorizeView.svelte
new file mode 100644
index 0000000000..b879ebf40a
--- /dev/null
+++ b/src/frontend/src/routes/(new-styling)/mcp/views/McpAuthorizeView.svelte
@@ -0,0 +1,62 @@
+<script lang="ts">
+  import AuthPanel from "$lib/components/layout/AuthPanel.svelte";
+  import ProgressRing from "$lib/components/ui/ProgressRing.svelte";
+  import McpHero from "../components/McpHero.svelte";
+  import { t } from "$lib/stores/locale.store";
+  import { getDapps } from "$lib/legacy/flows/dappsExplorer/dapps";
+
+  interface Props {
+    /** Hostname of the app the delegation acts as. */
+    app: string;
+    /** Hostname of the configured MCP server. */
+    mcpServer: string;
+    onAuthorize: () => Promise<void>;
+  }
+
+  const { app, mcpServer, onAuthorize }: Props = $props();
+
+  let busy = $state(false);
+
+  const handleClick = async () => {
+    busy = true;
+    try {
+      await onAuthorize();
+    } finally {
+      busy = false;
+    }
+  };
+
+  // Name the app by its catalogue name when known, otherwise by hostname.
+  const dapp = $derived(getDapps().find((a) => a.hasOrigin(`https://${app}`)));
+  const accountScope = $derived(
+    dapp?.name !== undefined
+      ? $t`your ${dapp.name} account`
+      : $t`your account on ${app}`,
+  );
+</script>
+
+<div class="flex w-full justify-center max-sm:flex-1 sm:max-w-110">
+  <AuthPanel>
+    <McpHero {app} {mcpServer} />
+
+    <h1 class="text-text-primary mt-2 text-2xl font-medium">
+      {$t`Allow MCP access`}
+    </h1>
+    <p class="text-text-tertiary mt-1 text-base text-pretty">
+      {$t`Let ${mcpServer} act as ${accountScope}`}
+    </p>
+
+    <button
+      class="btn btn-primary btn-xl mt-8 w-full"
+      onclick={handleClick}
+      disabled={busy}
+    >
+      {#if busy}
+        <ProgressRing class="size-5" />
+        <span>{$t`Allowing access`}</span>
+      {:else}
+        <span>{$t`Allow access`}</span>
+      {/if}
+    </button>
+  </AuthPanel>
+</div>
diff --git a/src/frontend/src/routes/(new-styling)/mcp/views/McpCloseWindowView.svelte b/src/frontend/src/routes/(new-styling)/mcp/views/McpCloseWindowView.svelte
new file mode 100644
index 0000000000..77642ced29
--- /dev/null
+++ b/src/frontend/src/routes/(new-styling)/mcp/views/McpCloseWindowView.svelte
@@ -0,0 +1,22 @@
+<script lang="ts">
+  import { CheckIcon } from "@lucide/svelte";
+  import FeaturedIcon from "$lib/components/ui/FeaturedIcon.svelte";
+  import { t } from "$lib/stores/locale.store";
+</script>
+
+<!--
+  Centered, card-less "you're done" page. Once the MCP server has accepted the
+  delegation there's nothing actionable here; the user just closes the tab and
+  returns to their MCP client.
+-->
+<div class="flex flex-col items-center gap-5 px-6 text-center">
+  <FeaturedIcon size="lg" variant="success">
+    <CheckIcon class="size-6" strokeWidth={2.4} />
+  </FeaturedIcon>
+  <h1 class="text-text-primary text-2xl font-medium">
+    {$t`You're signed in`}
+  </h1>
+  <p class="text-text-tertiary text-base">
+    {$t`You can close this window.`}
+  </p>
+</div>
diff --git a/src/frontend/src/routes/(new-styling)/mcp/views/McpDisabledView.svelte b/src/frontend/src/routes/(new-styling)/mcp/views/McpDisabledView.svelte
new file mode 100644
index 0000000000..ace15d728e
--- /dev/null
+++ b/src/frontend/src/routes/(new-styling)/mcp/views/McpDisabledView.svelte
@@ -0,0 +1,43 @@
+<script lang="ts">
+  import { ExternalLinkIcon, LockIcon } from "@lucide/svelte";
+  import AuthPanel from "$lib/components/layout/AuthPanel.svelte";
+  import FeaturedIcon from "$lib/components/ui/FeaturedIcon.svelte";
+  import { Trans } from "$lib/components/locale";
+  import { t } from "$lib/stores/locale.store";
+</script>
+
+<!--
+  Shown when the chosen identity has MCP access disabled on this device. The
+  toggle is purely client-side (localStorage), so we know about the gate before
+  issuing any backend call — the user lands here immediately on page load.
+-->
+<div class="flex w-full justify-center max-sm:flex-1 sm:max-w-110">
+  <AuthPanel>
+    <FeaturedIcon size="lg" variant="error" class="mb-5 self-start">
+      <LockIcon class="size-6" />
+    </FeaturedIcon>
+
+    <h1 class="text-text-primary text-2xl font-medium">
+      {$t`MCP access not enabled`}
+    </h1>
+    <p class="text-text-tertiary mt-4 text-base text-pretty">
+      <Trans>
+        For security, Internet Identity blocks MCP clients from signing in to
+        apps using your identity.
+      </Trans>
+    </p>
+    <p class="text-text-tertiary mt-4 text-base text-pretty">
+      <Trans>Enable MCP access for this device, then try again.</Trans>
+    </p>
+
+    <a
+      href="/manage/settings"
+      target="_blank"
+      rel="noopener noreferrer"
+      class="btn btn-secondary btn-xl mt-8 w-full"
+    >
+      <ExternalLinkIcon class="size-5" />
+      <span>{$t`Manage your identity`}</span>
+    </a>
+  </AuthPanel>
+</div>
diff --git a/src/frontend/src/routes/(new-styling)/mcp/views/McpErrorView.svelte b/src/frontend/src/routes/(new-styling)/mcp/views/McpErrorView.svelte
new file mode 100644
index 0000000000..2f78fa1a50
--- /dev/null
+++ b/src/frontend/src/routes/(new-styling)/mcp/views/McpErrorView.svelte
@@ -0,0 +1,27 @@
+<script lang="ts">
+  import { CircleAlertIcon } from "@lucide/svelte";
+  import AuthPanel from "$lib/components/layout/AuthPanel.svelte";
+  import FeaturedIcon from "$lib/components/ui/FeaturedIcon.svelte";
+  import { Trans } from "$lib/components/locale";
+  import { t } from "$lib/stores/locale.store";
+</script>
+
+<!-- Terminal screen for an MCP-reported failure (status=error redirect-back). -->
+<div class="flex w-full justify-center max-sm:flex-1 sm:max-w-110">
+  <AuthPanel>
+    <FeaturedIcon size="lg" variant="error" class="mb-4 self-start">
+      <CircleAlertIcon class="size-6" />
+    </FeaturedIcon>
+    <h1 class="text-text-primary mb-3 text-2xl font-medium">
+      {$t`Something went wrong`}
+    </h1>
+    <p class="text-text-tertiary mb-2 text-base text-pretty">
+      <Trans>The MCP client couldn't finish connecting.</Trans>
+    </p>
+    <p class="text-text-tertiary text-base text-pretty">
+      <Trans>
+        Return to your MCP client and try again. You can close this window.
+      </Trans>
+    </p>
+  </AuthPanel>
+</div>
diff --git a/src/frontend/src/routes/(new-styling)/mcp/views/McpInvalidView.svelte b/src/frontend/src/routes/(new-styling)/mcp/views/McpInvalidView.svelte
new file mode 100644
index 0000000000..7c7bf465aa
--- /dev/null
+++ b/src/frontend/src/routes/(new-styling)/mcp/views/McpInvalidView.svelte
@@ -0,0 +1,30 @@
+<script lang="ts">
+  import { CircleAlertIcon } from "@lucide/svelte";
+  import AuthPanel from "$lib/components/layout/AuthPanel.svelte";
+  import FeaturedIcon from "$lib/components/ui/FeaturedIcon.svelte";
+  import { Trans } from "$lib/components/locale";
+  import { t } from "$lib/stores/locale.store";
+</script>
+
+<!-- Terminal screen for a missing or malformed /mcp request. -->
+<div class="flex w-full justify-center max-sm:flex-1 sm:max-w-110">
+  <AuthPanel>
+    <FeaturedIcon size="lg" variant="error" class="mb-4 self-start">
+      <CircleAlertIcon class="size-6" />
+    </FeaturedIcon>
+    <h1 class="text-text-primary mb-3 text-2xl font-medium">
+      {$t`Invalid request`}
+    </h1>
+    <p class="text-text-tertiary mb-2 text-base text-pretty">
+      <Trans
+        >This connection link is missing information or has been changed.</Trans
+      >
+    </p>
+    <p class="text-text-tertiary text-base text-pretty">
+      <Trans>
+        Start the connection again from your MCP client. You can close this
+        window.
+      </Trans>
+    </p>
+  </AuthPanel>
+</div>
diff --git a/src/frontend/tests/e2e-playwright/fixtures/index.ts b/src/frontend/tests/e2e-playwright/fixtures/index.ts
index b7263d6a74..09b9aaf916 100644
--- a/src/frontend/tests/e2e-playwright/fixtures/index.ts
+++ b/src/frontend/tests/e2e-playwright/fixtures/index.ts
@@ -11,6 +11,7 @@ import { test as manageAccessPageTest } from "./manageAccessPage";
 import { test as manageRecoveryPageTest } from "./manageRecoveryPage";
 import { test as emailRecoveryTest } from "./emailRecovery";
 import { test as cliTest } from "./cli";
+import { test as mcpTest } from "./mcp";
 
 export const test = mergeTests(
   inertWorkaroundTest,
@@ -25,4 +26,5 @@ export const test = mergeTests(
   manageRecoveryPageTest,
   emailRecoveryTest,
   cliTest,
+  mcpTest,
 );
diff --git a/src/frontend/tests/e2e-playwright/fixtures/mcp.ts b/src/frontend/tests/e2e-playwright/fixtures/mcp.ts
new file mode 100644
index 0000000000..ab7b2f454b
--- /dev/null
+++ b/src/frontend/tests/e2e-playwright/fixtures/mcp.ts
@@ -0,0 +1,135 @@
+import { Ed25519KeyIdentity } from "@icp-sdk/core/identity";
+import { test as base, type Page } from "@playwright/test";
+import { toBase64URL } from "../../../src/lib/utils/utils";
+import { II_URL } from "../utils";
+
+/** What the MCP server stand-in does on its next form POST. */
+type McpOutcome = "success" | "error";
+
+/**
+ * The origin the e2e canister is deployed with as `mcp_server_origin` (see
+ * `local_test_arg.did.template`). The `/mcp` page only accepts a callback on
+ * this origin and the `form-action` CSP only allows posting to it.
+ */
+const MCP_SERVER_ORIGIN = "https://mcp.id.ai";
+
+/**
+ * Stands in for a remote MCP server. Unlike the CLI loopback fixture there's no
+ * real HTTP server: the configured MCP origin is a public https origin, so the
+ * delegation arrives as a top-level form-POST navigation to it. We intercept
+ * that navigation with `page.route` (which catches it before the network, so no
+ * server or DNS for `mcp.id.ai` is needed), read the posted delegation, and
+ * fulfill a 303 redirect back to `/mcp` with a `status` — exactly what a real
+ * MCP server would do.
+ *
+ * `receivedDelegation` resolves with the delegation chain JSON once the flow
+ * successfully posts it.
+ */
+export type McpFixture = {
+  publicKey: string;
+  state: string;
+  mcpOrigin: string;
+  callbackUrl: string;
+  receivedDelegation: Promise<unknown>;
+  /** Every delegation received so far, in order (for multi-post tests). */
+  receivedDelegations: unknown[];
+  /** Sets what the MCP server stand-in does on its next form POST. */
+  setNextOutcome: (outcome: McpOutcome) => void;
+  /**
+   * Installs the form-POST interceptor on `page`. Must be called before the
+   * flow submits the delegation. Reads the posted `delegation`/`state` and
+   * redirects the browser back to `/mcp` with the configured outcome status.
+   */
+  installInterceptor: (page: Page) => Promise<void>;
+  /** Builds the `/mcp` authorize URL with the request params in the fragment. */
+  buildAuthorizeUrl: (opts: {
+    app: string;
+    ttlMinutes?: number;
+    callbackUrl?: string;
+  }) => string;
+};
+
+export const test = base.extend<{ mcp: McpFixture }>({
+  // eslint-disable-next-line no-empty-pattern -- playwright fixtures require the destructure
+  mcp: async ({}, use) => {
+    const identity = Ed25519KeyIdentity.generate();
+    const publicKey = toBase64URL(
+      new Uint8Array(identity.getPublicKey().toDer()),
+    );
+    // Opaque value the MCP server puts in the request and the frontend echoes
+    // back in its POST so the server can tie the delivery to the request.
+    const state = toBase64URL(crypto.getRandomValues(new Uint8Array(32)));
+    const callbackUrl = `${MCP_SERVER_ORIGIN}/callback`;
+
+    let resolveDelegation: (body: unknown) => void = () => undefined;
+    const receivedDelegation = new Promise<unknown>((resolve) => {
+      resolveDelegation = resolve;
+    });
+    const receivedDelegations: unknown[] = [];
+
+    let nextOutcome: McpOutcome = "success";
+    const setNextOutcome = (outcome: McpOutcome): void => {
+      nextOutcome = outcome;
+    };
+
+    const installInterceptor = async (page: Page): Promise<void> => {
+      const redirectTo = (status: McpOutcome): string => {
+        const url = new URL("/mcp", II_URL);
+        url.hash = new URLSearchParams({ status }).toString();
+        return url.toString();
+      };
+
+      await page.route(`${MCP_SERVER_ORIGIN}/**`, async (route) => {
+        let location: string;
+        const posted = new URLSearchParams(route.request().postData() ?? "");
+        if (nextOutcome === "error" || posted.get("state") !== state) {
+          // On an "error" outcome, or if the frontend didn't echo the request
+          // state (a real MCP server would reject this), redirect back with an
+          // error so the test fails loudly instead of `receivedDelegation`
+          // hanging forever.
+          location = redirectTo("error");
+        } else {
+          const delegation = posted.get("delegation");
+          let parsed: unknown;
+          try {
+            parsed = delegation === null ? null : JSON.parse(delegation);
+          } catch {
+            parsed = delegation;
+          }
+          receivedDelegations.push(parsed);
+          resolveDelegation(parsed);
+          location = redirectTo("success");
+        }
+        await route.fulfill({ status: 303, headers: { location } });
+      });
+    };
+
+    const buildAuthorizeUrl = (opts: {
+      app: string;
+      ttlMinutes?: number;
+      callbackUrl?: string;
+    }): string => {
+      const fragment = new URLSearchParams();
+      fragment.set("public_key", publicKey);
+      fragment.set("callback", opts.callbackUrl ?? callbackUrl);
+      fragment.set("state", state);
+      fragment.set("app", opts.app);
+      if (opts.ttlMinutes !== undefined) {
+        fragment.set("ttl", String(opts.ttlMinutes));
+      }
+      return `${II_URL}/mcp#${fragment.toString()}`;
+    };
+
+    await use({
+      publicKey,
+      state,
+      mcpOrigin: MCP_SERVER_ORIGIN,
+      callbackUrl,
+      receivedDelegation,
+      receivedDelegations,
+      setNextOutcome,
+      installInterceptor,
+      buildAuthorizeUrl,
+    });
+  },
+});
diff --git a/src/frontend/tests/e2e-playwright/routes/mcp.spec.ts b/src/frontend/tests/e2e-playwright/routes/mcp.spec.ts
new file mode 100644
index 0000000000..b08c837ed6
--- /dev/null
+++ b/src/frontend/tests/e2e-playwright/routes/mcp.spec.ts
@@ -0,0 +1,253 @@
+import { expect, type Page } from "@playwright/test";
+import { Principal } from "@icp-sdk/core/principal";
+import { test } from "../fixtures";
+import { addVirtualAuthenticator, authorize, II_URL } from "../utils";
+
+/** The app the MCP delegation acts as, used across the tests. */
+const APP = "nice-name.com";
+
+/** Decodes a hex string (as delegation chains encode public keys) to bytes. */
+const hexToBytes = (hex: string): Uint8Array =>
+  Uint8Array.from(hex.match(/.{1,2}/g) ?? [], (byte) => parseInt(byte, 16));
+
+const signUp = async (page: Page): Promise<void> => {
+  const continueWithPasskey = page.getByRole("button", {
+    name: "Continue with passkey",
+  });
+  const signUpToggle = page.getByRole("button", {
+    name: "Sign up",
+    exact: true,
+  });
+  await continueWithPasskey.or(signUpToggle).first().waitFor();
+  if (await continueWithPasskey.isVisible()) {
+    await continueWithPasskey.click();
+    await page.getByRole("button", { name: "Create new identity" }).click();
+  } else {
+    await signUpToggle.click();
+    await page.getByRole("button", { name: "Sign up with passkey" }).click();
+  }
+  await page.getByLabel("Identity name").fill("Test User");
+  await page.getByRole("button", { name: "Create identity" }).click();
+};
+
+/** Returns the chain's first-delegation expiration in milliseconds since epoch. */
+const expirationMillis = (body: unknown): number => {
+  if (
+    typeof body !== "object" ||
+    body === null ||
+    !("delegations" in body) ||
+    !Array.isArray(body.delegations) ||
+    body.delegations.length === 0
+  ) {
+    throw new Error("delegation chain missing or empty");
+  }
+  const expiration: unknown = body.delegations[0]?.delegation?.expiration;
+  if (typeof expiration !== "string") {
+    throw new Error("delegation expiration missing");
+  }
+  return Number(BigInt(`0x${expiration}`) / BigInt(1_000_000));
+};
+
+/** The hex root public key of a delegation chain (the per-account key). */
+const rootPublicKey = (body: unknown): string => {
+  if (
+    typeof body === "object" &&
+    body !== null &&
+    "publicKey" in body &&
+    typeof body.publicKey === "string"
+  ) {
+    return body.publicKey;
+  }
+  throw new Error("delegation chain missing publicKey");
+};
+
+/**
+ * Enables device-local MCP access for the signed-in identity via Settings.
+ * Assumes the page is already on `/manage`.
+ */
+const enableMcpAccessInSettings = async (
+  page: Page,
+  isMobile: boolean,
+): Promise<void> => {
+  if (isMobile) {
+    await page.getByRole("button", { name: "Open menu" }).click();
+  }
+  await page.getByRole("link", { name: "Settings" }).click();
+  await page.waitForURL(II_URL + "/manage/settings");
+  await page.getByRole("switch", { name: "MCP access" }).check();
+  await page.getByLabel("I understand the risks.").check();
+  await page.getByRole("button", { name: "Enable MCP access" }).click();
+  await expect(page.getByText("Enabled", { exact: true })).toBeVisible();
+};
+
+test("Invalid params show the error screen", async ({ page }) => {
+  await page.goto(II_URL + "/mcp");
+  await expect(
+    page.getByRole("heading", { name: "Invalid request" }),
+  ).toBeVisible();
+});
+
+test("A callback off the configured MCP origin is rejected", async ({
+  page,
+  mcp,
+}) => {
+  await page.goto(
+    mcp.buildAuthorizeUrl({
+      app: APP,
+      callbackUrl: "https://attacker.example.com/cb",
+    }),
+  );
+  await expect(
+    page.getByRole("heading", { name: "Invalid request" }),
+  ).toBeVisible();
+});
+
+test("Without MCP access enabled the gated screen shows", async ({
+  page,
+  mcp,
+}) => {
+  await addVirtualAuthenticator(page);
+  await page.goto(mcp.buildAuthorizeUrl({ app: APP }));
+  await signUp(page);
+  await expect(
+    page.getByRole("heading", { name: "MCP access not enabled" }),
+  ).toBeVisible();
+});
+
+test("Returning user without MCP access lands on the gated screen immediately", async ({
+  page,
+  mcp,
+}) => {
+  await addVirtualAuthenticator(page);
+  await page.goto(II_URL);
+  await signUp(page);
+  await page.waitForURL(II_URL + "/manage");
+
+  await page.goto(mcp.buildAuthorizeUrl({ app: APP }));
+  await expect(
+    page.getByRole("heading", { name: "MCP access not enabled" }),
+  ).toBeVisible();
+  await expect(page.getByRole("button", { name: "Allow access" })).toBeHidden();
+});
+
+test("Once MCP access is enabled, Allow access posts a two-hop delegation chain", async ({
+  page,
+  mcp,
+  isMobile,
+}) => {
+  await addVirtualAuthenticator(page);
+  await mcp.installInterceptor(page);
+  await page.goto(II_URL);
+  await signUp(page);
+  await page.waitForURL(II_URL + "/manage");
+  await enableMcpAccessInSettings(page, isMobile);
+
+  await page.goto(mcp.buildAuthorizeUrl({ app: APP }));
+  await page.getByRole("button", { name: "Allow access" }).click();
+
+  const body = await mcp.receivedDelegation;
+  expect(body).toMatchObject({
+    delegations: expect.any(Array),
+    publicKey: expect.any(String),
+  });
+  // Rooted at the user's principal: canister-signed delegation to the ephemeral
+  // browser key, then the ephemeral key's sub-delegation to the MCP server's
+  // public key.
+  if (
+    typeof body === "object" &&
+    body !== null &&
+    "delegations" in body &&
+    Array.isArray(body.delegations)
+  ) {
+    expect(body.delegations.length).toBe(2);
+  }
+  await expect(
+    page.getByRole("heading", { name: "You're signed in" }),
+  ).toBeVisible();
+});
+
+test("Identity switcher shows while signing in and hides on the success screen", async ({
+  page,
+  mcp,
+  isMobile,
+}) => {
+  await addVirtualAuthenticator(page);
+  await mcp.installInterceptor(page);
+  await page.goto(II_URL);
+  await signUp(page);
+  await page.waitForURL(II_URL + "/manage");
+  await enableMcpAccessInSettings(page, isMobile);
+
+  await page.goto(mcp.buildAuthorizeUrl({ app: APP }));
+  const switcher = page.getByRole("button", { name: "Switch identity" });
+  const allow = page.getByRole("button", { name: "Allow access" });
+  await expect(allow).toBeVisible();
+  await expect(switcher).toBeVisible();
+
+  await allow.click();
+  await expect(
+    page.getByRole("heading", { name: "You're signed in" }),
+  ).toBeVisible();
+  await expect(switcher).toBeHidden();
+});
+
+test("Requested TTL within bounds is honoured", async ({
+  page,
+  mcp,
+  isMobile,
+}) => {
+  const ttlMinutes = 60;
+  await addVirtualAuthenticator(page);
+  await mcp.installInterceptor(page);
+  await page.goto(II_URL);
+  await signUp(page);
+  await page.waitForURL(II_URL + "/manage");
+  await enableMcpAccessInSettings(page, isMobile);
+
+  const before = Date.now();
+  await page.goto(mcp.buildAuthorizeUrl({ app: APP, ttlMinutes }));
+  await page.getByRole("button", { name: "Allow access" }).click();
+
+  const expMillis = expirationMillis(await mcp.receivedDelegation);
+  const requestedMillis = ttlMinutes * 60 * 1000;
+  expect(expMillis - before).toBeGreaterThanOrEqual(requestedMillis - 60_000);
+  expect(expMillis - before).toBeLessThanOrEqual(requestedMillis + 60_000);
+});
+
+test("MCP acts as the same principal that /authorize gives for that app", async ({
+  page,
+  mcp,
+  identities,
+  signInWithIdentity,
+  isMobile,
+}) => {
+  const identityNumber = identities[0].identityNumber;
+
+  // Principal the app (nice-name.com) sees via the normal /authorize flow — its
+  // default account.
+  const authorizePrincipal = await authorize(page, async (authPage) => {
+    await signInWithIdentity(authPage, identityNumber);
+    await authPage
+      .getByRole("button", { name: "Continue", exact: true })
+      .click();
+  });
+
+  // Enable device MCP access for the same identity.
+  await page.goto(II_URL);
+  await signInWithIdentity(page, identityNumber);
+  await page.waitForURL(II_URL + "/manage");
+  await enableMcpAccessInSettings(page, isMobile);
+
+  // Principal the MCP server is granted: the self-authenticating principal of
+  // the delegation chain's root public key.
+  await mcp.installInterceptor(page);
+  await page.goto(mcp.buildAuthorizeUrl({ app: APP }));
+  await page.getByRole("button", { name: "Allow access" }).click();
+  const chain = await mcp.receivedDelegation;
+  const mcpPrincipal = Principal.selfAuthenticating(
+    hexToBytes(rootPublicKey(chain)),
+  ).toText();
+
+  // Same identity + same default account for the app ⇒ same principal.
+  expect(mcpPrincipal).toBe(authorizePrincipal);
+});
diff --git a/src/internet_identity_frontend/internet_identity_frontend.did b/src/internet_identity_frontend/internet_identity_frontend.did
index 97dbfd7b59..1aa58824b6 100644
--- a/src/internet_identity_frontend/internet_identity_frontend.did
+++ b/src/internet_identity_frontend/internet_identity_frontend.did
@@ -63,6 +63,11 @@ type InternetIdentityFrontendInit = record {
     // each flag; localStorage, the flag's init callback and ?feature_flag_* URL
     // params still take precedence. Unknown flag names are ignored.
     feature_flags : opt vec record { text; bool };
+    // Origin of the trusted MCP server, e.g. "https://mcp.id.ai" (no trailing
+    // slash). The /mcp delegation flow delivers the delegation to this origin
+    // only (it's added to the form-action CSP and /mcp rejects callbacks on any
+    // other origin). When unset, the /mcp flow is disabled.
+    mcp_server_origin : opt text;
 };
 
 service : (InternetIdentityFrontendInit) -> {
diff --git a/src/internet_identity_frontend/local_test_arg.did.template b/src/internet_identity_frontend/local_test_arg.did.template
index 927e93a104..d12cf13b61 100644
--- a/src/internet_identity_frontend/local_test_arg.did.template
+++ b/src/internet_identity_frontend/local_test_arg.did.template
@@ -15,5 +15,6 @@
       "https://oisy.com";
       "https://oc.app";
     };
+    mcp_server_origin = opt "https://mcp.id.ai";
   },
 )
diff --git a/src/internet_identity_frontend/src/main.rs b/src/internet_identity_frontend/src/main.rs
index 614a7c51f7..50d5ca8837 100644
--- a/src/internet_identity_frontend/src/main.rs
+++ b/src/internet_identity_frontend/src/main.rs
@@ -37,6 +37,7 @@ fn certify_all_assets(args: InternetIdentityFrontendArgs) {
     let static_assets = get_static_assets(&args);
     let related_origins = args.related_origins.as_ref();
     let dev_csp = args.dev_csp.unwrap_or(false);
+    let mcp_server_origin = args.mcp_server_origin.as_deref();
 
     // Extract integrity hashes for inline scripts from HTML files
     let integrity_hashes = static_assets
@@ -84,6 +85,7 @@ fn certify_all_assets(args: InternetIdentityFrontendArgs) {
                             integrity_hashes.clone(),
                             related_origins,
                             dev_csp,
+                            mcp_server_origin,
                             vec![(
                                 "cache-control".to_string(),
                                 NO_CACHE_ASSET_CACHE_CONTROL.to_string(),
@@ -121,6 +123,7 @@ fn certify_all_assets(args: InternetIdentityFrontendArgs) {
                             integrity_hashes.clone(),
                             related_origins,
                             dev_csp,
+                            mcp_server_origin,
                             vec![headers],
                         ),
                         fallback_for: vec![],
@@ -146,6 +149,7 @@ fn get_asset_headers(
     integrity_hashes: Vec<String>,
     related_origins: Option<&Vec<String>>,
     dev_csp: bool,
+    mcp_server_origin: Option<&str>,
     additional_headers: Vec<HeaderField>,
 ) -> Vec<HeaderField> {
     let credentials_allowlist = if let Some(related_origins) = related_origins {
@@ -178,7 +182,12 @@ fn get_asset_headers(
         // Comprehensive policy to prevent XSS attacks and data injection
         (
             "Content-Security-Policy".to_string(),
-            get_content_security_policy(integrity_hashes, related_origins, dev_csp),
+            get_content_security_policy(
+                integrity_hashes,
+                related_origins,
+                dev_csp,
+                mcp_server_origin,
+            ),
         ),
         // Strict-Transport-Security (HSTS)
         // Forces browsers to use HTTPS for all future requests to this domain
@@ -260,7 +269,7 @@ fn get_asset_headers(
 /// base-uri 'none':
 ///   Prevents injection of <base> tags that could redirect relative URLs
 ///
-/// form-action 'self' http://127.0.0.1:*:
+/// form-action 'self' http://127.0.0.1:* [mcp_server_origin]:
 ///   The CLI authorize flow (`/cli`) delivers the delegation to the CLI's
 ///   loopback callback via a top-level form POST (a top-level navigation
 ///   avoids Chrome's Local Network Access permission prompt that a `fetch`
@@ -271,6 +280,10 @@ fn get_asset_headers(
 ///   isn't allowlistable here; the `/cli` parser only accepts 127.0.0.1 to
 ///   match. `localhost` is also excluded (it can resolve off-loopback) — so a
 ///   form can never post to a remote origin.
+///   The `/mcp` authorize flow form-POSTs to the configured MCP server, so
+///   when `mcp_server_origin` is set that single operator-trusted origin is
+///   appended here. It's never a wildcard and `form-action` is never broadened
+///   to `https:` — only that exact origin is allowed.
 ///
 /// style-src 'self' 'unsafe-inline':
 ///   Allow stylesheets from same origin and inline styles
@@ -298,6 +311,7 @@ fn get_content_security_policy(
     integrity_hashes: Vec<String>,
     related_origins: Option<&Vec<String>>,
     dev_csp: bool,
+    mcp_server_origin: Option<&str>,
 ) -> String {
     let connect_src = if dev_csp {
         // Allow connecting via http for development purposes
@@ -330,13 +344,22 @@ fn get_content_security_policy(
         "'self'".to_string()
     };
 
+    // The `/mcp` authorize flow delivers the delegation to the configured MCP
+    // server via a top-level form POST, so that origin must be an allowed
+    // `form-action` source. It's a single operator-configured origin (a deploy
+    // arg), never a wildcard — `form-action` is never broadened to `https:`.
+    let form_action = match mcp_server_origin {
+        Some(origin) => format!("'self' http://127.0.0.1:* {origin}"),
+        None => "'self' http://127.0.0.1:*".to_string(),
+    };
+
     let csp = format!(
         "default-src 'none';\
          connect-src {connect_src};\
          img-src 'self' data: https://*.googleusercontent.com;\
          script-src {script_src};\
          base-uri 'none';\
-         form-action 'self' http://127.0.0.1:*;\
+         form-action {form_action};\
          style-src 'self' 'unsafe-inline';\
          style-src-elem 'self' 'unsafe-inline';\
          font-src 'self';\
@@ -514,7 +537,7 @@ mod tests {
     #[test]
     fn csp_differs_between_dev_and_prod_for_connect_src_and_upgrade_insecure_requests() {
         // Dev CSP: allow http: in connect-src and omit upgrade-insecure-requests
-        let dev_csp = get_content_security_policy(Vec::new(), None, true);
+        let dev_csp = get_content_security_policy(Vec::new(), None, true, None);
 
         assert!(
             dev_csp.contains("connect-src 'self' https: http:"),
@@ -526,7 +549,7 @@ mod tests {
         );
 
         // Prod CSP: disallow http: in connect-src and include upgrade-insecure-requests
-        let prod_csp = get_content_security_policy(Vec::new(), None, false);
+        let prod_csp = get_content_security_policy(Vec::new(), None, false, None);
 
         assert!(
             prod_csp.contains("connect-src 'self' https:"),
@@ -541,4 +564,32 @@ mod tests {
             "prod CSP should include upgrade-insecure-requests, got: {prod_csp}"
         );
     }
+
+    #[test]
+    fn csp_form_action_includes_configured_mcp_origin_only() {
+        // Without an MCP origin, form-action stays self + loopback only.
+        let without = get_content_security_policy(Vec::new(), None, false, None);
+        assert!(
+            without.contains("form-action 'self' http://127.0.0.1:*;"),
+            "form-action should be self + loopback when no MCP origin, got: {without}"
+        );
+
+        // With an MCP origin, exactly that origin is appended to form-action.
+        let with = get_content_security_policy(
+            Vec::new(),
+            None,
+            false,
+            Some("https://mcp.id.ai"),
+        );
+        assert!(
+            with.contains("form-action 'self' http://127.0.0.1:* https://mcp.id.ai;"),
+            "form-action should append the configured MCP origin, got: {with}"
+        );
+
+        // form-action is never broadened to a bare https: source.
+        assert!(
+            !with.contains("form-action 'self' http://127.0.0.1:* https:;"),
+            "form-action must not be broadened to https:, got: {with}"
+        );
+    }
 }
diff --git a/src/internet_identity_frontend/tests/integration/http.rs b/src/internet_identity_frontend/tests/integration/http.rs
index b319cb5dc3..c7eb78c2e9 100644
--- a/src/internet_identity_frontend/tests/integration/http.rs
+++ b/src/internet_identity_frontend/tests/integration/http.rs
@@ -63,6 +63,7 @@ fn default_frontend_args() -> InternetIdentityFrontendArgs {
         dev_csp: None,
         featured_dashboard_apps: None,
         feature_flags: None,
+        mcp_server_origin: None,
     }
 }
 
diff --git a/src/internet_identity_interface/src/internet_identity/types.rs b/src/internet_identity_interface/src/internet_identity/types.rs
index 3f2ae3530b..3d65d371f0 100644
--- a/src/internet_identity_interface/src/internet_identity/types.rs
+++ b/src/internet_identity_interface/src/internet_identity/types.rs
@@ -243,6 +243,12 @@ pub struct InternetIdentityFrontendArgs {
     /// own init callback, and `?feature_flag_*` URL params take precedence.
     /// Names that don't match a known frontend flag are ignored by the frontend.
     pub feature_flags: Option<Vec<(String, bool)>>,
+    /// Origin of the trusted MCP server, e.g. "https://mcp.id.ai" (no trailing
+    /// slash). The `/mcp` delegation flow delivers the delegation to this origin
+    /// (and only this origin — it's added to the `form-action` CSP and the
+    /// `/mcp` page rejects callbacks on any other origin). When unset, the
+    /// `/mcp` flow is disabled.
+    pub mcp_server_origin: Option<String>,
 }
 
 /// Config fields that are synchronized between the frontend and backend.

From ab9087c03f9b455e1e609ae04eeb9546257658f6 Mon Sep 17 00:00:00 2001
From: sea-snake <104725312+sea-snake@users.noreply.github.com>
Date: Wed, 17 Jun 2026 13:19:09 +0000
Subject: [PATCH 2/5] address PR review: move MCP icon, harden CSP origin,
 guard origin parse

- Move the MCP logo from lib/components/ui/McpLogo.svelte to
  lib/components/icons/McpIcon.svelte, alongside PasskeyIcon/SsoIcon, and
  match their SVGAttributes/size-5 convention.
- main.rs: sanitize mcp_server_origin to a strict scheme://host[:port]
  origin before splicing into the form-action CSP; drop (fail closed) any
  value carrying whitespace/';'/','/path/query/fragment/userinfo or a
  disallowed scheme, so a misconfigured deploy arg can't break or inject
  the policy. Extend the CSP test with malformed cases. (Copilot)
- /mcp +page.svelte: parse the configured origin defensively (try/catch);
  a malformed value is treated as unset so the route shows the invalid
  screen instead of throwing during render. (Copilot)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .../McpLogo.svelte => icons/McpIcon.svelte}   | 18 ++----
 .../components/McpAccessSection.svelte        |  4 +-
 .../src/routes/(new-styling)/mcp/+page.svelte | 38 +++++++-----
 .../mcp/components/McpHero.svelte             |  4 +-
 src/internet_identity_frontend/src/main.rs    | 60 ++++++++++++++++---
 5 files changed, 86 insertions(+), 38 deletions(-)
 rename src/frontend/src/lib/components/{ui/McpLogo.svelte => icons/McpIcon.svelte} (73%)

diff --git a/src/frontend/src/lib/components/ui/McpLogo.svelte b/src/frontend/src/lib/components/icons/McpIcon.svelte
similarity index 73%
rename from src/frontend/src/lib/components/ui/McpLogo.svelte
rename to src/frontend/src/lib/components/icons/McpIcon.svelte
index e9bcc3d3e8..006739311e 100644
--- a/src/frontend/src/lib/components/ui/McpLogo.svelte
+++ b/src/frontend/src/lib/components/icons/McpIcon.svelte
@@ -1,21 +1,13 @@
 <script lang="ts">
-  import type { ClassValue } from "svelte/elements";
+  import type { SVGAttributes } from "svelte/elements";
 
-  interface Props {
-    class?: ClassValue;
-  }
-
-  const { class: className }: Props = $props();
+  const { class: className, ...props }: SVGAttributes<SVGSVGElement> = $props();
 </script>
 
-<!-- The Model Context Protocol logo, rendered in currentColor. -->
-<svg
-  viewBox="0 0 24 24"
-  fill="currentColor"
-  class={className}
-  aria-hidden="true"
->
+<!-- The Model Context Protocol logo. -->
+<svg viewBox="0 0 24 24" {...props} class={["size-5", className]}>
   <path
     d="M13.85 0a4.16 4.16 0 0 0-2.95 1.217L1.456 10.66a.835.835 0 0 0 0 1.18.835.835 0 0 0 1.18 0l9.442-9.442a2.49 2.49 0 0 1 3.541 0 2.49 2.49 0 0 1 0 3.541L8.59 12.97l-.1.1a.835.835 0 0 0 0 1.18.835.835 0 0 0 1.18 0l.1-.098 7.03-7.034a2.49 2.49 0 0 1 3.542 0l.049.05a2.49 2.49 0 0 1 0 3.54l-8.54 8.54a1.96 1.96 0 0 0 0 2.755l1.753 1.753a.835.835 0 0 0 1.18 0 .835.835 0 0 0 0-1.18l-1.753-1.753a.266.266 0 0 1 0-.394l8.54-8.54a4.185 4.185 0 0 0 0-5.9l-.05-.05a4.16 4.16 0 0 0-2.95-1.218c-.2 0-.401.02-.6.048a4.17 4.17 0 0 0-1.17-3.552A4.16 4.16 0 0 0 13.85 0m0 3.333a.84.84 0 0 0-.59.245L6.275 10.56a4.186 4.186 0 0 0 0 5.902 4.186 4.186 0 0 0 5.902 0L19.16 9.48a.835.835 0 0 0 0-1.18.835.835 0 0 0-1.18 0l-6.985 6.984a2.49 2.49 0 0 1-3.54 0 2.49 2.49 0 0 1 0-3.54l6.983-6.985a.835.835 0 0 0 0-1.18.84.84 0 0 0-.59-.245"
+    class="fill-current"
   />
 </svg>
diff --git a/src/frontend/src/routes/(new-styling)/manage/(authenticated)/settings/components/McpAccessSection.svelte b/src/frontend/src/routes/(new-styling)/manage/(authenticated)/settings/components/McpAccessSection.svelte
index e7033ffdff..2328deadc3 100644
--- a/src/frontend/src/routes/(new-styling)/manage/(authenticated)/settings/components/McpAccessSection.svelte
+++ b/src/frontend/src/routes/(new-styling)/manage/(authenticated)/settings/components/McpAccessSection.svelte
@@ -1,7 +1,7 @@
 <script lang="ts">
   import Badge from "$lib/components/ui/Badge.svelte";
   import Toggle from "$lib/components/ui/Toggle.svelte";
-  import McpLogo from "$lib/components/ui/McpLogo.svelte";
+  import McpIcon from "$lib/components/icons/McpIcon.svelte";
   import { Trans } from "$lib/components/locale";
   import { t } from "$lib/stores/locale.store";
   import {
@@ -46,7 +46,7 @@
     class="border-border-tertiary text-fg-secondary bg-bg-primary flex size-10 shrink-0 items-center justify-center rounded-lg border"
     aria-hidden="true"
   >
-    <McpLogo class="size-5" />
+    <McpIcon class="size-5" />
   </span>
 
   <div class="flex flex-1 flex-col gap-1">
diff --git a/src/frontend/src/routes/(new-styling)/mcp/+page.svelte b/src/frontend/src/routes/(new-styling)/mcp/+page.svelte
index e1ed1c135d..92495cb0d9 100644
--- a/src/frontend/src/routes/(new-styling)/mcp/+page.svelte
+++ b/src/frontend/src/routes/(new-styling)/mcp/+page.svelte
@@ -33,29 +33,39 @@
   const params = $derived(data.params);
   const status = $derived(data.status);
 
-  // The MCP server is configured as a deploy arg; when unset the flow is
-  // disabled. The delegation is delivered to this origin only.
-  const mcpServerOrigin = getMcpServerOrigin();
-  const mcpServerHost =
-    mcpServerOrigin !== undefined ? new URL(mcpServerOrigin).host : undefined;
+  // The MCP server is configured as a deploy arg; when unset (or misconfigured)
+  // the flow is disabled. The delegation is delivered to this origin only.
+  // Parse it once, defensively: a malformed value is treated as unset so the
+  // route shows the invalid screen rather than throwing during render.
+  const mcpServer = ((): { origin: string; host: string } | undefined => {
+    const raw = getMcpServerOrigin();
+    if (raw === undefined) {
+      return undefined;
+    }
+    try {
+      const url = new URL(raw);
+      return { origin: url.origin, host: url.host };
+    } catch {
+      return undefined;
+    }
+  })();
+  const mcpServerHost = mcpServer?.host;
 
   // The request's callback must point at the configured MCP server origin. This
   // mirrors the `form-action` CSP, which only allows that origin — checking it
   // here lets us show a clean invalid screen instead of a silent CSP block.
-  const originMatches = (
-    callback: string,
-    configuredOrigin: string,
-  ): boolean => {
+  const callbackMatchesMcpServer = (callback: string): boolean => {
+    if (mcpServer === undefined) {
+      return false;
+    }
     try {
-      return new URL(callback).origin === new URL(configuredOrigin).origin;
+      return new URL(callback).origin === mcpServer.origin;
     } catch {
       return false;
     }
   };
   const requestValid = $derived(
-    params.kind === "valid" &&
-      mcpServerOrigin !== undefined &&
-      originMatches(params.callback, mcpServerOrigin),
+    params.kind === "valid" && callbackMatchesMcpServer(params.callback),
   );
 
   const authFlow = new AuthLastUsedFlow();
@@ -162,7 +172,7 @@
   });
 
   const handleAuthorize = async (): Promise<void> => {
-    if (params.kind !== "valid" || mcpServerOrigin === undefined) {
+    if (params.kind !== "valid" || mcpServer === undefined) {
       return;
     }
     const selected = $lastUsedIdentitiesStore.selected;
diff --git a/src/frontend/src/routes/(new-styling)/mcp/components/McpHero.svelte b/src/frontend/src/routes/(new-styling)/mcp/components/McpHero.svelte
index c15589c20b..8adb7777bd 100644
--- a/src/frontend/src/routes/(new-styling)/mcp/components/McpHero.svelte
+++ b/src/frontend/src/routes/(new-styling)/mcp/components/McpHero.svelte
@@ -1,7 +1,7 @@
 <script lang="ts">
   import { GlobeIcon, LockIcon } from "@lucide/svelte";
   import Badge from "$lib/components/ui/Badge.svelte";
-  import McpLogo from "$lib/components/ui/McpLogo.svelte";
+  import McpIcon from "$lib/components/icons/McpIcon.svelte";
   import Ellipsis from "$lib/components/utils/Ellipsis.svelte";
   import { getDapps } from "$lib/legacy/flows/dappsExplorer/dapps";
 
@@ -67,7 +67,7 @@
       class="border-border-secondary text-fg-primary bg-bg-primary flex size-15 shrink-0 items-center justify-center rounded-2xl border"
       aria-hidden="true"
     >
-      <McpLogo class="size-6.5" />
+      <McpIcon class="size-6.5" />
     </div>
     <Badge size="sm" class="max-w-24">
       <Ellipsis text={mcpServer} position="middle" />
diff --git a/src/internet_identity_frontend/src/main.rs b/src/internet_identity_frontend/src/main.rs
index 50d5ca8837..b327f3434a 100644
--- a/src/internet_identity_frontend/src/main.rs
+++ b/src/internet_identity_frontend/src/main.rs
@@ -305,6 +305,36 @@ fn get_asset_headers(
 /// frame-src 'self' <related_origins...>:
 ///   Allow framing only from same origin and configured related origins
 ///
+/// Validates that `origin` is a bare http(s) origin (`scheme://host[:port]`)
+/// safe to splice into a CSP `form-action` source list, returning it unchanged
+/// when valid or `None` otherwise. Rejects anything carrying a path, query,
+/// fragment, userinfo, or characters that could break the header or inject
+/// another directive (whitespace, `;`, `,`). This is defence-in-depth around an
+/// operator-set deploy arg, not user input.
+fn sanitize_mcp_origin(origin: &str) -> Option<String> {
+    // Reject characters that would terminate the source / directive or smuggle
+    // a second source. `is_control` also covers CR/LF header-injection bytes.
+    if origin
+        .chars()
+        .any(|c| c.is_whitespace() || c.is_control() || c == ';' || c == ',')
+    {
+        return None;
+    }
+    let rest = origin
+        .strip_prefix("https://")
+        .or_else(|| origin.strip_prefix("http://"))?;
+    // Only `host[:port]` may remain — no path/query/fragment, and no userinfo.
+    if rest.is_empty()
+        || rest.contains('/')
+        || rest.contains('?')
+        || rest.contains('#')
+        || rest.contains('@')
+    {
+        return None;
+    }
+    Some(origin.to_string())
+}
+
 /// upgrade-insecure-requests (production only):
 ///   Automatically upgrade HTTP requests to HTTPS (omitted in dev for localhost)
 fn get_content_security_policy(
@@ -348,7 +378,11 @@ fn get_content_security_policy(
     // server via a top-level form POST, so that origin must be an allowed
     // `form-action` source. It's a single operator-configured origin (a deploy
     // arg), never a wildcard — `form-action` is never broadened to `https:`.
-    let form_action = match mcp_server_origin {
+    // The value is sanitized to a bare origin first: a stray space, `;`, or a
+    // path/query/fragment would otherwise break the header or inject another
+    // directive. An invalid value is dropped (treated as unset), so a
+    // misconfigured arg fails closed rather than weakening the policy.
+    let form_action = match mcp_server_origin.and_then(sanitize_mcp_origin) {
         Some(origin) => format!("'self' http://127.0.0.1:* {origin}"),
         None => "'self' http://127.0.0.1:*".to_string(),
     };
@@ -575,12 +609,7 @@ mod tests {
         );
 
         // With an MCP origin, exactly that origin is appended to form-action.
-        let with = get_content_security_policy(
-            Vec::new(),
-            None,
-            false,
-            Some("https://mcp.id.ai"),
-        );
+        let with = get_content_security_policy(Vec::new(), None, false, Some("https://mcp.id.ai"));
         assert!(
             with.contains("form-action 'self' http://127.0.0.1:* https://mcp.id.ai;"),
             "form-action should append the configured MCP origin, got: {with}"
@@ -591,5 +620,22 @@ mod tests {
             !with.contains("form-action 'self' http://127.0.0.1:* https:;"),
             "form-action must not be broadened to https:, got: {with}"
         );
+
+        // A malformed origin is dropped (treated as unset) rather than spliced
+        // into the header, so it can't break the policy or inject a directive.
+        for bad in [
+            "https://mcp.id.ai/callback",                    // path
+            "https://mcp.id.ai; script-src 'unsafe-inline'", // directive injection
+            "https://mcp.id.ai evil.test",                   // extra source via whitespace
+            "https://user@mcp.id.ai",                        // userinfo
+            "ftp://mcp.id.ai",                               // disallowed scheme
+            "mcp.id.ai",                                     // missing scheme
+        ] {
+            let csp = get_content_security_policy(Vec::new(), None, false, Some(bad));
+            assert!(
+                csp.contains("form-action 'self' http://127.0.0.1:*;"),
+                "malformed MCP origin {bad:?} should be dropped, got: {csp}"
+            );
+        }
     }
 }

From e6cdd88c6474520b7f08a8f42d970e801249d528 Mon Sep 17 00:00:00 2001
From: sea-snake <sea-snake@users.noreply.github.com>
Date: Wed, 17 Jun 2026 15:41:17 +0200
Subject: [PATCH 3/5] fix(fe): prompt for and set mcp_server_origin in
 deploy-pr-to-beta
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

build_fe_install_arg omitted mcp_server_origin, so staging deploys via
deploy-pr-to-beta always sent null and never asked for it — leaving /mcp
disabled. Add the prompt (default parsed from the live /.config) and emit
the field in the FE install arg.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 scripts/deploy-common.bash | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/scripts/deploy-common.bash b/scripts/deploy-common.bash
index 43f5924ba9..7719b7b2a7 100644
--- a/scripts/deploy-common.bash
+++ b/scripts/deploy-common.bash
@@ -603,6 +603,7 @@ prompt_fe_extra_args() {
     local dev_csp_default="null"
     local dummy_auth_default="null"
     local analytics_default="null"
+    local mcp_server_origin_default="null"
 
     if [ -n "$raw_config" ]; then
         local parsed
@@ -611,6 +612,7 @@ prompt_fe_extra_args() {
         parsed=$(_parse_candid_field "dev_csp" "$raw_config");          [ -n "$parsed" ] && dev_csp_default="$parsed"
         parsed=$(_parse_candid_field "dummy_auth" "$raw_config");       [ -n "$parsed" ] && dummy_auth_default="$parsed"
         parsed=$(_parse_candid_field "analytics_config" "$raw_config"); [ -n "$parsed" ] && analytics_default="$parsed"
+        parsed=$(_parse_candid_field "mcp_server_origin" "$raw_config"); [ -n "$parsed" ] && mcp_server_origin_default="$parsed"
     else
         echo "  Warning: could not fetch current config; defaults are derived from the staging quad, NOT live values." >&2
         echo "           Hitting Enter through will OVERWRITE any custom-domain backend_origin / related_origins on chain." >&2
@@ -624,6 +626,7 @@ prompt_fe_extra_args() {
     DEV_CSP_ARG=$(prompt_default         "dev_csp (opt bool)"                          "$dev_csp_default")
     DUMMY_AUTH_ARG=$(prompt_default      "dummy_auth (opt opt DummyAuthConfig)"        "$dummy_auth_default")
     ANALYTICS_ARG=$(prompt_default       "analytics_config (opt opt AnalyticsConfig)"  "$analytics_default")
+    MCP_SERVER_ORIGIN_ARG=$(prompt_default "mcp_server_origin (opt text)"              "$mcp_server_origin_default")
 }
 
 # -------------------------
@@ -676,6 +679,7 @@ build_fe_install_arg() {
     dev_csp = $DEV_CSP_ARG;
     dummy_auth = $DUMMY_AUTH_ARG;
     analytics_config = $ANALYTICS_ARG;
+    mcp_server_origin = $MCP_SERVER_ORIGIN_ARG;
   }
 )
 EOF

From e593f734f4a42f349bf7f6306474539cf928ae34 Mon Sep 17 00:00:00 2001
From: Arshavir Ter-Gabrielyan <arshavir.ter.gabrielyan@dfinity.org>
Date: Thu, 18 Jun 2026 01:11:43 +0200
Subject: [PATCH 4/5] fix(ci): pass mcp_server_origin in e2e frontend install
 args (#4029)

The e2e job installs the frontend canister with inline --args that omitted mcp_server_origin, so getMcpServerOrigin() was undefined and the /mcp flow always rendered the invalid screen, timing out all interactive mcp.spec.ts tests. Add mcp_server_origin = opt "https://mcp.id.ai" to match the origin the mcp fixture posts to.
---
 .github/workflows/canister-tests.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/canister-tests.yml b/.github/workflows/canister-tests.yml
index 3a89092e2c..e447b44844 100644
--- a/.github/workflows/canister-tests.yml
+++ b/.github/workflows/canister-tests.yml
@@ -615,7 +615,7 @@ jobs:
           dnssec_config="$(node src/frontend/tests/e2e-playwright/utils/renderDnssecTestAnchor.mjs)"
           icp canister install internet_identity --wasm internet_identity_backend.wasm.gz --args "(opt record { captcha_config = opt record { max_unsolved_captchas= 50:nat64; captcha_trigger = variant {Static = variant { CaptchaDisabled }}}; related_origins = opt vec { \"https://id.ai\"; \"https://identity.ic0.app\"; \"https://identity.internetcomputer.org\" }; new_flow_origins = opt vec { \"https://id.ai\" }; openid_configs = opt vec { ${{ steps.openid-configs.outputs.OPENID_CONFIGS }} }; sso_discoverable_domains = opt vec { $sso_domains_vec }; enable_dnssec_email_recovery = opt true; dnssec_config = $dnssec_config })"
           II_CANISTER_ID=$(icp canister status internet_identity --id-only)
-          icp canister install internet_identity_frontend --wasm internet_identity_frontend.wasm.gz --args "(record { backend_canister_id = principal \"$II_CANISTER_ID\"; backend_origin = \"https://backend.id.ai\"; related_origins = opt vec { \"https://id.ai\"; \"https://identity.ic0.app\"; \"https://identity.internetcomputer.org\" }; fetch_root_key = opt true; dev_csp = opt true })"
+          icp canister install internet_identity_frontend --wasm internet_identity_frontend.wasm.gz --args "(record { backend_canister_id = principal \"$II_CANISTER_ID\"; backend_origin = \"https://backend.id.ai\"; related_origins = opt vec { \"https://id.ai\"; \"https://identity.ic0.app\"; \"https://identity.internetcomputer.org\" }; fetch_root_key = opt true; dev_csp = opt true; mcp_server_origin = opt \"https://mcp.id.ai\" })"
           icp canister install test_app --wasm demos/test-app/test_app.wasm
 
       - name: Run dev server

From 8e6c0fabd44edc30f78c2af2cd858fe930107e47 Mon Sep 17 00:00:00 2001
From: Arshavir Ter-Gabrielyan <arshavir.ter.gabrielyan@dfinity.org>
Date: Thu, 18 Jun 2026 01:12:38 +0200
Subject: [PATCH 5/5] chore: update local test MCP origin to mcp.beta.id.ai

Apply reviewer suggestion from aterga.
---
 src/internet_identity_frontend/local_test_arg.did.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/internet_identity_frontend/local_test_arg.did.template b/src/internet_identity_frontend/local_test_arg.did.template
index d12cf13b61..81c3b00955 100644
--- a/src/internet_identity_frontend/local_test_arg.did.template
+++ b/src/internet_identity_frontend/local_test_arg.did.template
@@ -15,6 +15,6 @@
       "https://oisy.com";
       "https://oc.app";
     };
-    mcp_server_origin = opt "https://mcp.id.ai";
+    mcp_server_origin = opt "https://mcp.beta.id.ai";
   },
 )