github · omgitsads · Feb 10, 2026 · Feb 10, 2026 · Feb 10, 2026 · Feb 11, 2026
@@ -12,10 +12,8 @@ type tokenCtx string
 var tokenCtxKey tokenCtx = "tokenctx"
 
 type TokenInfo struct {
-	Token         string
-	TokenType     utils.TokenType
-	ScopesFetched bool
-	Scopes        []string
+	Token     string
+	TokenType utils.TokenType
-	TokenType utils.TokenType
+	TokenType utils.TokenType
+
+	// Deprecated: Scopes are now stored separately in the context using WithTokenScopes/GetTokenScopes.
+	Scopes []string
+	// Deprecated: ScopesFetched is no longer used; scopes are managed via TokenScopesKey in the context.
+	ScopesFetched bool
-	TokenType utils.TokenType
+	TokenType utils.TokenType
+
+	// Deprecated: Scopes are now stored separately in the context using WithTokenScopes/GetTokenScopes.
+	Scopes []string
+	// Deprecated: ScopesFetched is no longer used; scopes are managed via TokenScopesKey in the context.
+	ScopesFetched bool
 }
 
 // WithTokenInfo adds TokenInfo to the context
@@ -30,3 +28,20 @@ func GetTokenInfo(ctx context.Context) (*TokenInfo, bool) {
 	}
 	return nil, false
 }
+
+type TokenScopesKey tokenCtx
+
+var tokenScopesKey TokenScopesKey = "tokenscopesctx"
+
+// WithTokenScopes adds token scopes to the context
+func WithTokenScopes(ctx context.Context, scopes []string) context.Context {
+	return context.WithValue(ctx, tokenScopesKey, scopes)
+}
+
+// GetTokenScopes retrieves token scopes from the context
+func GetTokenScopes(ctx context.Context) ([]string, bool) {
+	if scopes, ok := ctx.Value(tokenScopesKey).([]string); ok {
+		return scopes, true
+	}
+	return nil, false
+}
@@ -278,8 +278,10 @@ func PATScopeFilter(b *inventory.Builder, r *http.Request, fetcher scopes.Fetche
 	// Only classic PATs (ghp_ prefix) return OAuth scopes via X-OAuth-Scopes header.
 	// Fine-grained PATs and other token types don't support this, so we skip filtering.
 	if tokenInfo.TokenType == utils.TokenTypePersonalAccessToken {
-		if tokenInfo.ScopesFetched {
-			return b.WithFilter(github.CreateToolScopeFilter(tokenInfo.Scopes))
+		// Check if scopes are already in context (should be set by WithPATScopes). If not, fetch them.
+		existingScopes, ok := ghcontext.GetTokenScopes(ctx)
+		if ok {
+			return b.WithFilter(github.CreateToolScopeFilter(existingScopes))
 		}
 
 		scopesList, err := fetcher.FetchTokenScopes(ctx, tokenInfo.Token)

@@ -26,18 +26,22 @@ func WithPATScopes(logger *slog.Logger, scopeFetcher scopes.FetcherInterface) fu
 			// Only classic PATs (ghp_ prefix) return OAuth scopes via X-OAuth-Scopes header.
 			// Fine-grained PATs and other token types don't support this, so we skip filtering.
 			if tokenInfo.TokenType == utils.TokenTypePersonalAccessToken {
+				existingScopes, ok := ghcontext.GetTokenScopes(ctx)
+				if ok {
+					logger.Debug("using existing scopes from context", "scopes", existingScopes)
-					logger.Debug("using existing scopes from context", "scopes", existingScopes)
+					logger.Debug("using existing scopes from context", "scope_count", len(existingScopes))
-					logger.Debug("using existing scopes from context", "scopes", existingScopes)
+					logger.Debug("using existing scopes from context", "scope_count", len(existingScopes))
+					next.ServeHTTP(w, r)
+					return
+				}
+
 				scopesList, err := scopeFetcher.FetchTokenScopes(ctx, tokenInfo.Token)
 				if err != nil {
 					logger.Warn("failed to fetch PAT scopes", "error", err)
 					next.ServeHTTP(w, r)
 					return
 				}
 
-				tokenInfo.Scopes = scopesList
-				tokenInfo.ScopesFetched = true
-
 				// Store fetched scopes in context for downstream use
-				ctx := ghcontext.WithTokenInfo(ctx, tokenInfo)
+				ctx = ghcontext.WithTokenScopes(ctx, scopesList)
 
 				next.ServeHTTP(w, r.WithContext(ctx))
 				return

@@ -111,12 +111,13 @@ func TestWithPATScopes(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			var capturedTokenInfo *ghcontext.TokenInfo
+			var capturedScopes []string
+			var scopesFound bool
 			var nextHandlerCalled bool
 
 			nextHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				nextHandlerCalled = true
-				capturedTokenInfo, _ = ghcontext.GetTokenInfo(r.Context())
+				capturedScopes, scopesFound = ghcontext.GetTokenScopes(r.Context())
 				w.WriteHeader(http.StatusOK)
 			})
 
@@ -141,10 +142,9 @@ func TestWithPATScopes(t *testing.T) {
 
 			assert.Equal(t, tt.expectNextHandlerCalled, nextHandlerCalled, "next handler called mismatch")
 
-			if tt.expectNextHandlerCalled && tt.tokenInfo != nil {
-				require.NotNil(t, capturedTokenInfo, "expected token info in context")
-				assert.Equal(t, tt.expectScopesFetched, capturedTokenInfo.ScopesFetched)
-				assert.Equal(t, tt.expectedScopes, capturedTokenInfo.Scopes)
+			if tt.expectNextHandlerCalled {
+				assert.Equal(t, tt.expectScopesFetched, scopesFound, "scopes found mismatch")
+				assert.Equal(t, tt.expectedScopes, capturedScopes)
 			}
 		})
 	}
@@ -154,9 +154,12 @@ func TestWithPATScopes_PreservesExistingTokenInfo(t *testing.T) {
 	logger := slog.Default()
 
 	var capturedTokenInfo *ghcontext.TokenInfo
+	var capturedScopes []string
+	var scopesFound bool
 
 	nextHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		capturedTokenInfo, _ = ghcontext.GetTokenInfo(r.Context())
+		capturedScopes, scopesFound = ghcontext.GetTokenScopes(r.Context())
 		w.WriteHeader(http.StatusOK)
 	})
 
@@ -182,6 +185,6 @@ func TestWithPATScopes_PreservesExistingTokenInfo(t *testing.T) {
 	require.NotNil(t, capturedTokenInfo)
 	assert.Equal(t, originalTokenInfo.Token, capturedTokenInfo.Token)
 	assert.Equal(t, originalTokenInfo.TokenType, capturedTokenInfo.TokenType)
-	assert.True(t, capturedTokenInfo.ScopesFetched)
-	assert.Equal(t, []string{"repo", "user"}, capturedTokenInfo.Scopes)
+	assert.True(t, scopesFound)
+	assert.Equal(t, []string{"repo", "user"}, capturedScopes)
 }
@@ -94,17 +94,19 @@ func WithScopeChallenge(oauthCfg *oauth.Config, scopeFetcher scopes.FetcherInter
 				return
 			}
 
-			// Get OAuth scopes from GitHub API
-			activeScopes, err := scopeFetcher.FetchTokenScopes(ctx, tokenInfo.Token)
-			if err != nil {
-				next.ServeHTTP(w, r)
-				return
+			// Get OAuth scopes for Token. First check if scopes are already in context,  then fetch from GitHub if not present.
+			// This allows Remote Server to pass scope info to avoid redundant GitHub API calls.
+			activeScopes, ok := ghcontext.GetTokenScopes(ctx)
+			if !ok {
+				activeScopes, err = scopeFetcher.FetchTokenScopes(ctx, tokenInfo.Token)
+				if err != nil {
+					next.ServeHTTP(w, r)
+					return
+				}
 			}
 
 			// Store active scopes in context for downstream use
-			tokenInfo.Scopes = activeScopes
-			tokenInfo.ScopesFetched = true
-			ctx = ghcontext.WithTokenInfo(ctx, tokenInfo)
+			ctx = ghcontext.WithTokenScopes(ctx, activeScopes)
 			r = r.WithContext(ctx)
 
 			// Check if user has the required scopes

@@ -13,6 +13,16 @@ import (
 func ExtractUserToken(oauthCfg *oauth.Config) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			ctx := r.Context()
+
+			// Check if token info already exists in context, if it does, skip extraction.
+			// In remote setup, we may have already extracted token info earlier.
+			if _, ok := ghcontext.GetTokenInfo(ctx); ok {
+				// Token info already exists in context, skip extraction
+				next.ServeHTTP(w, r)
+				return
+			}
+
 			tokenType, token, err := utils.ParseAuthorizationHeader(r)
 			if err != nil {
 				// For missing Authorization header, return 401 with WWW-Authenticate header per MCP spec
@@ -25,7 +35,6 @@ func ExtractUserToken(oauthCfg *oauth.Config) func(next http.Handler) http.Handl
 				return
 			}
 
-			ctx := r.Context()
 			ctx = ghcontext.WithTokenInfo(ctx, &ghcontext.TokenInfo{
 				Token:     token,
 				TokenType: tokenType,