diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 4f452aac41..ac667558f2 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -117,6 +117,9 @@ jobs:
           platforms: linux/amd64,linux/arm64
           build-args: |
             VERSION=${{ github.ref_name }}
+          secrets: |
+            oauth_client_id=${{ secrets.OAUTH_CLIENT_ID }}
+            oauth_client_secret=${{ secrets.OAUTH_CLIENT_SECRET }}
 
       # Sign the resulting Docker image digest except on PRs.
       # This will only write to the public Rekor transparency log when the Docker
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
index 1004fc2747..32a6bffad9 100644
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -38,6 +38,8 @@ jobs:
           workdir: .
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OAUTH_CLIENT_ID: ${{ secrets.OAUTH_CLIENT_ID }}
+          OAUTH_CLIENT_SECRET: ${{ secrets.OAUTH_CLIENT_SECRET }}
 
       - name: Generate signed build provenance attestations for workflow artifacts
         uses: actions/attest-build-provenance@v4
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 54f6b9f409..36dfc47bce 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -9,7 +9,7 @@ builds:
   - env:
       - CGO_ENABLED=0
     ldflags:
-      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}}
+      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}} -X github.com/github/github-mcp-server/internal/buildinfo.OAuthClientID={{ .Env.OAUTH_CLIENT_ID }} -X github.com/github/github-mcp-server/internal/buildinfo.OAuthClientSecret={{ .Env.OAUTH_CLIENT_SECRET }}
     goos:
       - linux
       - windows
diff --git a/Dockerfile b/Dockerfile
index a4ea1d03b8..4138e6bcf6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,9 +24,14 @@ COPY . .
 COPY --from=ui-build /app/pkg/github/ui_dist/* ./pkg/github/ui_dist/
 
 # Build the server
+# OAuth credentials are injected via build secrets so they are not baked into image history; the values are public in practice but kept out of layers.
 RUN --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.cache/go-build \
-    CGO_ENABLED=0 go build -ldflags="-s -w -X main.version=${VERSION} -X main.commit=$(git rev-parse HEAD) -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+    --mount=type=secret,id=oauth_client_id \
+    --mount=type=secret,id=oauth_client_secret \
+    export OAUTH_CLIENT_ID="$(cat /run/secrets/oauth_client_id 2>/dev/null || echo '')" && \
+    export OAUTH_CLIENT_SECRET="$(cat /run/secrets/oauth_client_secret 2>/dev/null || echo '')" && \
+    CGO_ENABLED=0 go build -ldflags="-s -w -X main.version=${VERSION} -X main.commit=$(git rev-parse HEAD) -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ) -X github.com/github/github-mcp-server/internal/buildinfo.OAuthClientID=${OAUTH_CLIENT_ID} -X github.com/github/github-mcp-server/internal/buildinfo.OAuthClientSecret=${OAUTH_CLIENT_SECRET}" \
     -o /bin/github-mcp-server ./cmd/github-mcp-server
 
 # Make a stage to run the app
diff --git a/README.md b/README.md
index 5d6caae6d3..0e44934ca0 100644
--- a/README.md
+++ b/README.md
@@ -176,14 +176,15 @@ GitHub Enterprise Server does not support remote server hosting. Please refer to
 
 ## Local GitHub MCP Server
 
-[![Install with Docker in VS Code](https://img.shields.io/badge/VS_Code-Install_Server-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect/mcp/install?name=github&inputs=%5B%7B%22id%22%3A%22github_token%22%2C%22type%22%3A%22promptString%22%2C%22description%22%3A%22GitHub%20Personal%20Access%20Token%22%2C%22password%22%3Atrue%7D%5D&config=%7B%22command%22%3A%22docker%22%2C%22args%22%3A%5B%22run%22%2C%22-i%22%2C%22--rm%22%2C%22-e%22%2C%22GITHUB_PERSONAL_ACCESS_TOKEN%22%2C%22ghcr.io%2Fgithub%2Fgithub-mcp-server%22%5D%2C%22env%22%3A%7B%22GITHUB_PERSONAL_ACCESS_TOKEN%22%3A%22%24%7Binput%3Agithub_token%7D%22%7D%7D) [![Install with Docker in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install_Server-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect/mcp/install?name=github&inputs=%5B%7B%22id%22%3A%22github_token%22%2C%22type%22%3A%22promptString%22%2C%22description%22%3A%22GitHub%20Personal%20Access%20Token%22%2C%22password%22%3Atrue%7D%5D&config=%7B%22command%22%3A%22docker%22%2C%22args%22%3A%5B%22run%22%2C%22-i%22%2C%22--rm%22%2C%22-e%22%2C%22GITHUB_PERSONAL_ACCESS_TOKEN%22%2C%22ghcr.io%2Fgithub%2Fgithub-mcp-server%22%5D%2C%22env%22%3A%7B%22GITHUB_PERSONAL_ACCESS_TOKEN%22%3A%22%24%7Binput%3Agithub_token%7D%22%7D%7D&quality=insiders) [![Install with Docker in Visual Studio](https://img.shields.io/badge/Visual_Studio-Install_Server-C16FDE?style=flat-square&logo=visualstudio&logoColor=white)](https://aka.ms/vs/mcp-install?%7B%22name%22%3A%22github%22%2C%22command%22%3A%22docker%22%2C%22args%22%3A%5B%22run%22%2C%22-i%22%2C%22--rm%22%2C%22-e%22%2C%22GITHUB_PERSONAL_ACCESS_TOKEN%22%2C%22ghcr.io%2Fgithub%2Fgithub-mcp-server%22%5D%7D)
+[![Install with Docker in VS Code](https://img.shields.io/badge/VS_Code-Install_Server-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect/mcp/install?name=github&config=%7B%22command%22%3A%22docker%22%2C%22args%22%3A%5B%22run%22%2C%22-i%22%2C%22--rm%22%2C%22-p%22%2C%22127.0.0.1%3A8085%3A8085%22%2C%22-e%22%2C%22GITHUB_OAUTH_CALLBACK_PORT%22%2C%22ghcr.io%2Fgithub%2Fgithub-mcp-server%22%5D%2C%22env%22%3A%7B%22GITHUB_OAUTH_CALLBACK_PORT%22%3A%228085%22%7D%7D) [![Install with Docker in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install_Server-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect/mcp/install?name=github&config=%7B%22command%22%3A%22docker%22%2C%22args%22%3A%5B%22run%22%2C%22-i%22%2C%22--rm%22%2C%22-p%22%2C%22127.0.0.1%3A8085%3A8085%22%2C%22-e%22%2C%22GITHUB_OAUTH_CALLBACK_PORT%22%2C%22ghcr.io%2Fgithub%2Fgithub-mcp-server%22%5D%2C%22env%22%3A%7B%22GITHUB_OAUTH_CALLBACK_PORT%22%3A%228085%22%7D%7D&quality=insiders) [![Install with Docker in Visual Studio](https://img.shields.io/badge/Visual_Studio-Install_Server-C16FDE?style=flat-square&logo=visualstudio&logoColor=white)](https://aka.ms/vs/mcp-install?%7B%22name%22%3A%22github%22%2C%22command%22%3A%22docker%22%2C%22args%22%3A%5B%22run%22%2C%22-i%22%2C%22--rm%22%2C%22-p%22%2C%22127.0.0.1%3A8085%3A8085%22%2C%22-e%22%2C%22GITHUB_OAUTH_CALLBACK_PORT%3D8085%22%2C%22ghcr.io%2Fgithub%2Fgithub-mcp-server%22%5D%7D)
 
 ### Prerequisites
 
 1. To run the server in a container, you will need to have [Docker](https://www.docker.com/) installed.
 2. Once Docker is installed, you will also need to ensure Docker is running. The Docker image is available at `ghcr.io/github/github-mcp-server`. The image is public; if you get errors on pull, you may have an expired token and need to `docker logout ghcr.io`.
-3. Lastly you will need to [Create a GitHub Personal Access Token](https://github.com/settings/personal-access-tokens/new).
-The MCP server can use many of the GitHub APIs, so enable the permissions that you feel comfortable granting your AI tools (to learn more about access tokens, please check out the [documentation](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)).
+3. **Authentication.** On github.com you don't need to create anything up front — the one-click buttons above log you in with OAuth on first use (a browser-based flow; the token is kept in memory only). The Docker buttons publish a fixed callback port (`127.0.0.1:8085`) so the container's login callback is reachable. See **[Local Server OAuth Login](docs/oauth-login.md)** for how it works, headless/device-code fallback, and bringing your own OAuth or GitHub App (required for GitHub Enterprise Server and `ghe.com`).
+
+   Prefer a token? You can still authenticate with a [GitHub Personal Access Token](https://github.com/settings/personal-access-tokens/new) by setting `GITHUB_PERSONAL_ACCESS_TOKEN` instead (it takes precedence over OAuth). The MCP server can use many of the GitHub APIs, so enable the permissions that you feel comfortable granting your AI tools (to learn more about access tokens, please check out the [documentation](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)).
 
 <details><summary><b>Handling PATs Securely</b></summary>
 
@@ -281,6 +282,8 @@ Install in GitHub Copilot on other IDEs (JetBrains, Visual Studio, Eclipse, etc.
 
 Add the following JSON block to your IDE's MCP settings.
 
+> The examples below authenticate with a Personal Access Token. To log in with OAuth instead (no token to create or store), see **[Local Server OAuth Login](docs/oauth-login.md)** — in Docker it needs a fixed callback port, as the one-click buttons above show.
+
 ```json
 {
   "mcp": {
diff --git a/cmd/github-mcp-server/main.go b/cmd/github-mcp-server/main.go
index 604556692c..231b0cf2c3 100644
--- a/cmd/github-mcp-server/main.go
+++ b/cmd/github-mcp-server/main.go
@@ -7,9 +7,12 @@ import (
 	"strings"
 	"time"
 
+	"github.com/github/github-mcp-server/internal/buildinfo"
 	"github.com/github/github-mcp-server/internal/ghmcp"
+	"github.com/github/github-mcp-server/internal/oauth"
 	"github.com/github/github-mcp-server/pkg/github"
 	ghhttp "github.com/github/github-mcp-server/pkg/http"
+	ghoauth "github.com/github/github-mcp-server/pkg/http/oauth"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
@@ -34,8 +37,21 @@ var (
 		Long:  `Start a server that communicates via standard input/output streams using JSON-RPC messages.`,
 		RunE: func(_ *cobra.Command, _ []string) error {
 			token := viper.GetString("personal_access_token")
-			if token == "" {
-				return errors.New("GITHUB_PERSONAL_ACCESS_TOKEN not set")
+			oauthClientID := viper.GetString("oauth-client-id")
+			oauthClientSecret := viper.GetString("oauth-client-secret")
+			// Fall back to the build-time baked-in client (official releases) when none is
+			// configured explicitly. The baked-in app is registered on github.com, so it is
+			// only applied to the default host; GHES/ghe.com users must bring their own
+			// --oauth-client-id. Recognizing the host via NormalizeHost means an explicit
+			// GITHUB_HOST=github.com (or api.github.com) still counts as the default and keeps
+			// zero-config login working. The secret tracks the id, so an explicitly provided
+			// id with no secret never picks up the baked-in secret.
+			if oauthClientID == "" && oauth.NormalizeHost(viper.GetString("host")) == "https://github.com" {
+				oauthClientID = buildinfo.OAuthClientID
+				oauthClientSecret = buildinfo.OAuthClientSecret
+			}
+			if token == "" && oauthClientID == "" {
+				return errors.New("authentication required: set GITHUB_PERSONAL_ACCESS_TOKEN, or pass --oauth-client-id to log in via OAuth")
 			}
 
 			// If you're wondering why we're not using viper.GetStringSlice("toolsets"),
@@ -95,6 +111,29 @@ var (
 				ExcludeTools:         excludeTools,
 				RepoAccessCacheTTL:   &ttl,
 			}
+
+			// When no static token is provided, log in via OAuth using the given
+			// client. The requested scopes default to the full supported set
+			// (which filters out no tools); an explicit, narrower --oauth-scopes
+			// both narrows the grant and hides tools needing other scopes.
+			if token == "" {
+				scopes := ghoauth.SupportedScopes
+				if viper.IsSet("oauth-scopes") {
+					if err := viper.UnmarshalKey("oauth-scopes", &scopes); err != nil {
+						return fmt.Errorf("failed to unmarshal oauth-scopes: %w", err)
+					}
+				}
+				oauthConfig := oauth.NewGitHubConfig(
+					oauthClientID,
+					oauthClientSecret,
+					scopes,
+					viper.GetString("host"),
+					viper.GetInt("oauth-callback-port"),
+				)
+				stdioServerConfig.OAuthManager = oauth.NewManager(oauthConfig, nil)
+				stdioServerConfig.OAuthScopes = scopes
+			}
+
 			return ghmcp.RunStdioServer(stdioServerConfig)
 		},
 	}
@@ -183,6 +222,14 @@ func init() {
 	rootCmd.PersistentFlags().Bool("insiders", false, "Enable insiders features")
 	rootCmd.PersistentFlags().Duration("repo-access-cache-ttl", 5*time.Minute, "Override the repo access cache TTL (e.g. 1m, 0s to disable)")
 
+	// stdio-specific OAuth flags. Provide --oauth-client-id (instead of a token)
+	// to log in via the browser-based OAuth flow on first use. Works for both
+	// OAuth Apps and GitHub Apps.
+	stdioCmd.Flags().String("oauth-client-id", "", "OAuth App or GitHub App client ID, enabling interactive OAuth login when no token is set")
+	stdioCmd.Flags().String("oauth-client-secret", "", "OAuth client secret, if the app requires one (it is a public, non-confidential credential for distributed clients)")
+	stdioCmd.Flags().StringSlice("oauth-scopes", nil, "Comma-separated OAuth scopes to request; also filters tools to those scopes. Defaults to the full supported set")
+	stdioCmd.Flags().Int("oauth-callback-port", 0, "Fixed local port for the OAuth callback server. Defaults to a random port; set a fixed port when mapping it through Docker")
+
 	// HTTP-specific flags
 	httpCmd.Flags().Int("port", 8082, "HTTP server port")
 	httpCmd.Flags().String("listen-host", "", "Host the HTTP server binds to (e.g. 127.0.0.1). Empty binds to all interfaces.")
@@ -205,6 +252,10 @@ func init() {
 	_ = viper.BindPFlag("lockdown-mode", rootCmd.PersistentFlags().Lookup("lockdown-mode"))
 	_ = viper.BindPFlag("insiders", rootCmd.PersistentFlags().Lookup("insiders"))
 	_ = viper.BindPFlag("repo-access-cache-ttl", rootCmd.PersistentFlags().Lookup("repo-access-cache-ttl"))
+	_ = viper.BindPFlag("oauth-client-id", stdioCmd.Flags().Lookup("oauth-client-id"))
+	_ = viper.BindPFlag("oauth-client-secret", stdioCmd.Flags().Lookup("oauth-client-secret"))
+	_ = viper.BindPFlag("oauth-scopes", stdioCmd.Flags().Lookup("oauth-scopes"))
+	_ = viper.BindPFlag("oauth-callback-port", stdioCmd.Flags().Lookup("oauth-callback-port"))
 	_ = viper.BindPFlag("port", httpCmd.Flags().Lookup("port"))
 	_ = viper.BindPFlag("listen-host", httpCmd.Flags().Lookup("listen-host"))
 	_ = viper.BindPFlag("base-url", httpCmd.Flags().Lookup("base-url"))
diff --git a/docs/oauth-login.md b/docs/oauth-login.md
new file mode 100644
index 0000000000..35989be7b6
--- /dev/null
+++ b/docs/oauth-login.md
@@ -0,0 +1,263 @@
+# Local Server OAuth Login (stdio)
+
+The local (stdio) GitHub MCP Server can log you in with OAuth instead of a
+Personal Access Token (PAT). On first use it walks you through GitHub's
+authorization flow in your browser and keeps the resulting token **in memory
+only** — nothing is written to disk.
+
+Official released binaries and the `ghcr.io/github/github-mcp-server` image ship
+with a registered GitHub OAuth application baked in, so on **github.com** you can
+start the server with no token and no client ID at all. To target a different
+host (GitHub Enterprise Server or `ghe.com`), or to use your own application,
+pass `--oauth-client-id` (see [Bring your own app](#bring-your-own-app)).
+
+> OAuth login applies to the **stdio** server only. The remote server and the
+> `http` command have their own authentication; see
+> [Remote Server](remote-server.md).
+
+## Contents
+
+- [How it works](#how-it-works)
+- [Quick start](#quick-start)
+- [Configuration reference](#configuration-reference)
+- [Scope filtering](#scope-filtering)
+- [Running in Docker](#running-in-docker)
+- [Headless and device-code fallback](#headless-and-device-code-fallback)
+- [URL elicitation and the security advisory](#url-elicitation-and-the-security-advisory)
+- [Bring your own app](#bring-your-own-app)
+- [GitHub Enterprise Server and ghe.com](#github-enterprise-server-and-ghecom)
+- [Building from source with baked-in credentials](#building-from-source-with-baked-in-credentials)
+
+## How it works
+
+The server prefers the **authorization code flow with PKCE**: it starts a
+loopback callback server on your machine, opens GitHub's authorization page, and
+exchanges the returned code for a token. PKCE means the client secret is not
+required to complete the exchange, which is why a public, distributed client can
+ship without a confidential secret.
+
+To present the authorization URL, the server uses the most secure channel your
+MCP client offers, in order:
+
+1. **Open your browser automatically** (native runs).
+2. **URL elicitation** — the client prompts you with the link out of band, so the
+   URL never enters the model's context. Requires a client that supports MCP
+   elicitation (e.g. VS Code 1.101+).
+3. **A message in the first tool response** — a last resort for clients without
+   elicitation. This includes a [security advisory](#url-elicitation-and-the-security-advisory).
+
+If the authorization-code flow can't be used — for example, a container with no
+published callback port — the server falls back to the
+[device-code flow](#headless-and-device-code-fallback).
+
+GitHub App tokens that expire are refreshed transparently using the refresh
+token, so long-running sessions keep working without re-authorizing.
+
+## Quick start
+
+**Native binary (recommended).** Best experience: a random loopback port is
+used and your browser opens automatically. On github.com with an official build,
+no flags are needed:
+
+```bash
+github-mcp-server stdio
+```
+
+With your own application:
+
+```bash
+github-mcp-server stdio --oauth-client-id <YOUR_CLIENT_ID>
+```
+
+VS Code (`.vscode/mcp.json`), using your own app:
+
+```json
+{
+  "servers": {
+    "github": {
+      "command": "/path/to/github-mcp-server",
+      "args": ["stdio", "--oauth-client-id", "<YOUR_CLIENT_ID>"]
+    }
+  }
+}
+```
+
+For Docker, see [Running in Docker](#running-in-docker) — containers need a fixed
+callback port.
+
+## Configuration reference
+
+OAuth login is configured with these stdio flags (each has an environment
+variable equivalent). Flags apply only to the `stdio` command.
+
+| Flag | Environment variable | Description |
+|------|----------------------|-------------|
+| `--oauth-client-id` | `GITHUB_OAUTH_CLIENT_ID` | OAuth App or GitHub App client ID. Enables OAuth login when no token is set. Defaults to the baked-in app on github.com for official builds. |
+| `--oauth-client-secret` | `GITHUB_OAUTH_CLIENT_SECRET` | Client secret, **if your app requires one**. For distributed clients this is a public, non-confidential credential. |
+| `--oauth-scopes` | `GITHUB_OAUTH_SCOPES` | Comma-separated scopes to request. Also [filters tools](#scope-filtering) to those scopes. Defaults to the full supported set. |
+| `--oauth-callback-port` | `GITHUB_OAUTH_CALLBACK_PORT` | Fixed local port for the callback server. Defaults to a random port; set a fixed port when mapping it through Docker. |
+
+A static token still takes precedence: if `GITHUB_PERSONAL_ACCESS_TOKEN` is set,
+the server uses it and skips OAuth entirely.
+
+## Scope filtering
+
+The scopes you request determine which tools are exposed. Requesting the full
+supported set (the default) hides no tools. Narrowing `--oauth-scopes` both
+narrows the token's grant **and** filters out tools that would need a scope you
+didn't request, so the tool list reflects what the token can actually do.
+
+For example, requesting only `repo,read:org` hides tools that require `gist`,
+`workflow`, `notifications`, and so on.
+
+## Running in Docker
+
+A container can't reach a random loopback port on your host, so Docker OAuth
+needs a **fixed** callback port that you publish into the container. Use port
+**8085** to match the official app's registered callback URL.
+
+```bash
+docker run -i --rm \
+  -p 127.0.0.1:8085:8085 \
+  -e GITHUB_OAUTH_CALLBACK_PORT=8085 \
+  ghcr.io/github/github-mcp-server
+```
+
+VS Code (`.vscode/mcp.json`):
+
+```json
+{
+  "servers": {
+    "github": {
+      "command": "docker",
+      "args": [
+        "run", "-i", "--rm",
+        "-p", "127.0.0.1:8085:8085",
+        "-e", "GITHUB_OAUTH_CALLBACK_PORT",
+        "ghcr.io/github/github-mcp-server"
+      ],
+      "env": { "GITHUB_OAUTH_CALLBACK_PORT": "8085" }
+    }
+  }
+}
+```
+
+Because the container can't open your host browser, the authorization URL
+arrives via [URL elicitation](#url-elicitation-and-the-security-advisory) or the
+tool-response message. After you authorize, your browser hits
+`localhost:8085`, which Docker forwards into the container's callback.
+
+If you bring your own app for Docker, register its callback URL as exactly
+`http://localhost:8085/callback`.
+
+> **Two safety properties to be aware of with a fixed port:**
+>
+> - **Publish to loopback only** (`-p 127.0.0.1:8085:8085`, not `-p 8085:8085`).
+>   Inside a container the callback necessarily listens on all interfaces, so a
+>   plain publish would expose the authorization code to your network. The
+>   server logs a warning reminding you of this when it binds inside a container.
+> - **A busy port is fatal, by design.** With a fixed port, if the server can't
+>   bind it (another process already holds it), it **stops with an error** rather
+>   than silently falling back to the device flow. A port you didn't get could
+>   belong to another user's process positioned to receive the redirect, so the
+>   server refuses to continue. Free the port or choose a different
+>   `--oauth-callback-port`.
+
+## Headless and device-code fallback
+
+When there's no usable browser or callback — a remote shell, CI, or a container
+started without a published port — the server uses GitHub's **device-code
+flow**. You'll get a short code and a verification URL to open on any device:
+
+```
+Visit https://github.com/login/device and enter the code WDJB-MJHT to authorize
+the GitHub MCP Server.
+```
+
+The server polls GitHub until you finish authorizing, then continues. No
+callback port is involved, so this works anywhere.
+
+## URL elicitation and the security advisory
+
+URL elicitation lets your MCP client present the authorization URL to you
+directly, keeping it **out of the model's context** — the model never sees the
+link or any code embedded in it. This is the most secure way to hand off the
+authorization step.
+
+If your client doesn't support elicitation, the server falls back to placing the
+URL in a tool response and appends a short advisory:
+
+> Note: your MCP client does not appear to support secure URL elicitation. For
+> improved security, consider asking your agent, CLI, or IDE to add it (for
+> example, by opening an issue).
+
+If you see this, your authorization still works — but consider asking your client
+vendor to add elicitation support.
+
+## Bring your own app
+
+You need your own application when targeting a non-github.com host, or when you'd
+rather not use the baked-in app. Either application type works:
+
+- **[Create an OAuth App](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app)** —
+  simplest to set up. Grants the scopes you request.
+- **[Register a GitHub App](https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/registering-a-github-app)** —
+  finer-grained, per-resource permissions and short-lived tokens that refresh
+  automatically. Enable **Device Flow** in the app settings if you want the
+  [headless fallback](#headless-and-device-code-fallback).
+
+When registering, set the authorization callback URL:
+
+- **Native runs** use a random loopback port. For loopback redirects GitHub does
+  not require the callback port to match, so registering
+  `http://localhost/callback` is sufficient.
+- **Docker / fixed port** must match exactly: register
+  `http://localhost:8085/callback` (or whichever port you publish).
+
+Then pass the client ID (and secret, only if your app requires one):
+
+```bash
+github-mcp-server stdio \
+  --oauth-client-id <YOUR_CLIENT_ID> \
+  --oauth-client-secret <YOUR_CLIENT_SECRET>
+```
+
+## GitHub Enterprise Server and ghe.com
+
+The baked-in app is registered on github.com only, so it is **not** used when you
+set a custom host. GitHub Enterprise Server and `ghe.com` (Enterprise Cloud with
+data residency) users must **bring their own app** registered on that host and
+pass `--oauth-client-id`.
+
+Set the host with `--gh-host` / `GITHUB_HOST`; the server derives the OAuth
+authorization, token, and device endpoints from it, so login is directed at your
+instance's authorization server rather than github.com:
+
+```bash
+github-mcp-server stdio \
+  --gh-host https://github.example.com \
+  --oauth-client-id <YOUR_CLIENT_ID>
+```
+
+- For GitHub Enterprise Server, prefix the host with `https://`.
+- For `ghe.com`, use `https://YOURSUBDOMAIN.ghe.com`.
+
+Register the app's callback URL on the same host (e.g.
+`http://localhost/callback` for native runs, or `http://localhost:8085/callback`
+for Docker).
+
+## Building from source with baked-in credentials
+
+Official builds embed the default OAuth client via linker flags at build time, so
+they are not present in the source tree. To produce your own build with embedded
+credentials, set them with `-ldflags`:
+
+```bash
+go build -ldflags "\
+  -X github.com/github/github-mcp-server/internal/buildinfo.OAuthClientID=<CLIENT_ID> \
+  -X github.com/github/github-mcp-server/internal/buildinfo.OAuthClientSecret=<CLIENT_SECRET>" \
+  ./cmd/github-mcp-server
+```
+
+Without these, a source build simply has no baked-in app and expects
+`--oauth-client-id` (or a PAT) at runtime.
diff --git a/go.mod b/go.mod
index 080cdcfd8e..66c7a974ad 100644
--- a/go.mod
+++ b/go.mod
@@ -19,6 +19,7 @@ require (
 	github.com/spf13/viper v1.21.0
 	github.com/stretchr/testify v1.11.1
 	github.com/yosida95/uritemplate/v3 v3.0.2
+	golang.org/x/oauth2 v0.35.0
 )
 
 require (
@@ -40,7 +41,6 @@ require (
 	github.com/subosito/gotenv v1.6.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/oauth2 v0.35.0 // indirect
 	golang.org/x/sys v0.41.0 // indirect
 	golang.org/x/text v0.28.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
diff --git a/internal/buildinfo/buildinfo.go b/internal/buildinfo/buildinfo.go
new file mode 100644
index 0000000000..cd5084fa29
--- /dev/null
+++ b/internal/buildinfo/buildinfo.go
@@ -0,0 +1,19 @@
+// Package buildinfo contains variables that are set at build time via ldflags.
+// These allow official releases to ship default OAuth credentials so users can
+// log in without configuring their own OAuth app. The values are public in
+// practice (security relies on PKCE, not on the client secret), but are kept out
+// of source and injected at build time.
+//
+// Example:
+//
+//	go build -ldflags="-X github.com/github/github-mcp-server/internal/buildinfo.OAuthClientID=xxx"
+package buildinfo
+
+// OAuthClientID is the default OAuth client ID, set at build time. Empty in
+// local/dev builds.
+var OAuthClientID string
+
+// OAuthClientSecret is the default OAuth client secret, set at build time. For
+// public OAuth clients it is not truly secret per OAuth 2.1 — PKCE provides the
+// security — but it is still injected at build time rather than committed.
+var OAuthClientSecret string
diff --git a/internal/ghmcp/oauth.go b/internal/ghmcp/oauth.go
new file mode 100644
index 0000000000..abc6d3d11c
--- /dev/null
+++ b/internal/ghmcp/oauth.go
@@ -0,0 +1,133 @@
+package ghmcp
+
+import (
+	"context"
+	"crypto/rand"
+	"fmt"
+	"log/slog"
+
+	"github.com/github/github-mcp-server/internal/oauth"
+	"github.com/modelcontextprotocol/go-sdk/mcp"
+)
+
+// sessionPrompter adapts an MCP server session to oauth.Prompter, presenting
+// authorization prompts to the user via elicitation. Keeping the prompt on the
+// MCP control channel (rather than a tool result) keeps the authorization URL
+// and any session-bound state out of the model's context.
+type sessionPrompter struct {
+	session *mcp.ServerSession
+}
+
+// elicitationCaps returns the client's declared elicitation capabilities, or nil
+// if the client did not advertise any.
+func (p *sessionPrompter) elicitationCaps() *mcp.ElicitationCapabilities {
+	params := p.session.InitializeParams()
+	if params == nil || params.Capabilities == nil {
+		return nil
+	}
+	return params.Capabilities.Elicitation
+}
+
+// CanPromptURL reports whether the client supports URL-mode elicitation.
+func (p *sessionPrompter) CanPromptURL() bool {
+	caps := p.elicitationCaps()
+	return caps != nil && caps.URL != nil
+}
+
+// PromptURL presents the authorization URL via URL-mode elicitation and blocks
+// until the user acknowledges, declines, or ctx is done.
+func (p *sessionPrompter) PromptURL(ctx context.Context, prompt oauth.Prompt) error {
+	res, err := p.session.Elicit(ctx, &mcp.ElicitParams{
+		Mode:          "url",
+		Message:       prompt.Message,
+		URL:           prompt.URL,
+		ElicitationID: rand.Text(),
+	})
+	if err != nil {
+		// The client advertised URL elicitation but the request itself failed:
+		// classify it as undeliverable (not a user decision) so the flow can fall
+		// back to a channel that needs no client capability.
+		return fmt.Errorf("%w: %w", oauth.ErrPromptUnavailable, err)
+	}
+	if res.Action != "accept" {
+		return oauth.ErrPromptDeclined
+	}
+	return nil
+}
+
+// CanPromptForm reports whether the client supports form-mode elicitation. The
+// SDK treats a client that advertises neither form nor URL capabilities as
+// supporting forms, for backward compatibility, so we mirror that here.
+func (p *sessionPrompter) CanPromptForm() bool {
+	caps := p.elicitationCaps()
+	if caps == nil {
+		return false
+	}
+	return caps.Form != nil || caps.URL == nil
+}
+
+// PromptForm presents a textual acknowledgement (used to display a device code
+// when URL elicitation is unavailable) and blocks until the user responds.
+func (p *sessionPrompter) PromptForm(ctx context.Context, prompt oauth.Prompt) error {
+	res, err := p.session.Elicit(ctx, &mcp.ElicitParams{
+		Mode:    "form",
+		Message: prompt.Message,
+	})
+	if err != nil {
+		// As with PromptURL, a delivery failure is undeliverable rather than a
+		// decline, so the flow can fall back instead of aborting.
+		return fmt.Errorf("%w: %w", oauth.ErrPromptUnavailable, err)
+	}
+	if res.Action != "accept" {
+		return oauth.ErrPromptDeclined
+	}
+	return nil
+}
+
+// oauthAuthenticator is the subset of *oauth.Manager that the middleware needs.
+// Depending on the interface (rather than the concrete manager) lets the
+// middleware be exercised with a deterministic fake, since driving the real
+// manager to its branches would require standing up live GitHub flows.
+type oauthAuthenticator interface {
+	HasToken() bool
+	Authenticate(ctx context.Context, prompter oauth.Prompter) (*oauth.Outcome, error)
+}
+
+// createOAuthMiddleware returns receiving middleware that authorizes the session
+// lazily, on the first tool call. Authorization is deferred until here (rather
+// than at startup) because the prompts depend on an initialized session whose
+// elicitation capabilities are known.
+//
+// When a token is already available the call proceeds untouched. Otherwise the
+// flow runs: secure channels (browser, URL elicitation) block until the token
+// arrives and then the call proceeds; the last-resort channel returns the
+// instruction to the user as a tool result and asks them to retry.
+func createOAuthMiddleware(mgr oauthAuthenticator, logger *slog.Logger) func(next mcp.MethodHandler) mcp.MethodHandler {
+	return func(next mcp.MethodHandler) mcp.MethodHandler {
+		return func(ctx context.Context, method string, request mcp.Request) (mcp.Result, error) {
+			if method != "tools/call" || mgr.HasToken() {
+				return next(ctx, method, request)
+			}
+
+			callReq, ok := request.(*mcp.CallToolRequest)
+			if !ok {
+				return next(ctx, method, request)
+			}
+
+			outcome, err := mgr.Authenticate(ctx, &sessionPrompter{session: callReq.Session})
+			if err != nil {
+				return nil, fmt.Errorf("github authorization failed: %w", err)
+			}
+			if outcome != nil && outcome.UserAction != nil {
+				logger.Info("surfacing github authorization instructions to user")
+				return &mcp.CallToolResult{
+					Content: []mcp.Content{&mcp.TextContent{Text: outcome.UserAction.Message}},
+				}, nil
+			}
+			return next(ctx, method, request)
+		}
+	}
+}
+
+// ensure sessionPrompter satisfies the Prompter contract.
+var _ oauth.Prompter = (*sessionPrompter)(nil)
diff --git a/internal/ghmcp/oauth_test.go b/internal/ghmcp/oauth_test.go
new file mode 100644
index 0000000000..732d080e40
--- /dev/null
+++ b/internal/ghmcp/oauth_test.go
@@ -0,0 +1,391 @@
+package ghmcp
+
+import (
+	"context"
+	"errors"
+	"io"
+	"log/slog"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/github/github-mcp-server/internal/oauth"
+	"github.com/github/github-mcp-server/pkg/github"
+	"github.com/github/github-mcp-server/pkg/http/headers"
+	"github.com/github/github-mcp-server/pkg/utils"
+	"github.com/modelcontextprotocol/go-sdk/mcp"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func discardLogger() *slog.Logger {
+	return slog.New(slog.NewTextHandler(io.Discard, nil))
+}
+
+// probeToolName is the name of the throwaway tool the harness registers; its
+// handler runs a probe closure against a sessionPrompter so the adapter can be
+// exercised against a real, fully-negotiated server session from the client side.
+const probeToolName = "probe"
+
+// runProbe stands up an in-memory MCP client/server pair, registers a tool whose
+// handler runs probe against a sessionPrompter wrapping the live server session,
+// and returns the text the probe produced. The client is configured with the
+// given capabilities and elicitation handler so the adapter sees a real,
+// fully-negotiated session rather than a hand-built fake.
+func runProbe(
+	t *testing.T,
+	clientCaps *mcp.ClientCapabilities,
+	elicitationHandler func(context.Context, *mcp.ElicitRequest) (*mcp.ElicitResult, error),
+	probe func(context.Context, *sessionPrompter) string,
+) string {
+	t.Helper()
+
+	server := mcp.NewServer(&mcp.Implementation{Name: "test-server", Version: "v0.0.1"}, nil)
+	mcp.AddTool(server, &mcp.Tool{Name: probeToolName}, func(ctx context.Context, req *mcp.CallToolRequest, _ struct{}) (*mcp.CallToolResult, any, error) {
+		text := probe(ctx, &sessionPrompter{session: req.Session})
+		return &mcp.CallToolResult{Content: []mcp.Content{&mcp.TextContent{Text: text}}}, nil, nil
+	})
+
+	st, ct := mcp.NewInMemoryTransports()
+
+	ss, err := server.Connect(context.Background(), st, nil)
+	require.NoError(t, err)
+	t.Cleanup(func() { _ = ss.Close() })
+
+	client := mcp.NewClient(&mcp.Implementation{Name: "test-client", Version: "v0.0.1"}, &mcp.ClientOptions{
+		Capabilities:       clientCaps,
+		ElicitationHandler: elicitationHandler,
+	})
+	cs, err := client.Connect(context.Background(), ct, nil)
+	require.NoError(t, err)
+	t.Cleanup(func() { _ = cs.Close() })
+
+	res, err := cs.CallTool(context.Background(), &mcp.CallToolParams{Name: probeToolName})
+	require.NoError(t, err)
+	require.Len(t, res.Content, 1)
+	text, ok := res.Content[0].(*mcp.TextContent)
+	require.True(t, ok, "probe result should be text content")
+	return text.Text
+}
+
+func TestSessionPrompterCapabilities(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name     string
+		caps     *mcp.ClientCapabilities
+		wantURL  bool
+		wantForm bool
+	}{
+		{
+			name:     "no elicitation advertised",
+			caps:     &mcp.ClientCapabilities{},
+			wantURL:  false,
+			wantForm: false,
+		},
+		{
+			name:     "url only",
+			caps:     &mcp.ClientCapabilities{Elicitation: &mcp.ElicitationCapabilities{URL: &mcp.URLElicitationCapabilities{}}},
+			wantURL:  true,
+			wantForm: false,
+		},
+		{
+			name:     "form only",
+			caps:     &mcp.ClientCapabilities{Elicitation: &mcp.ElicitationCapabilities{Form: &mcp.FormElicitationCapabilities{}}},
+			wantURL:  false,
+			wantForm: true,
+		},
+		{
+			name:     "url and form",
+			caps:     &mcp.ClientCapabilities{Elicitation: &mcp.ElicitationCapabilities{URL: &mcp.URLElicitationCapabilities{}, Form: &mcp.FormElicitationCapabilities{}}},
+			wantURL:  true,
+			wantForm: true,
+		},
+		{
+			name:     "empty elicitation capability implies form for backward compatibility",
+			caps:     &mcp.ClientCapabilities{Elicitation: &mcp.ElicitationCapabilities{}},
+			wantURL:  false,
+			wantForm: true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := runProbe(t, tc.caps, nil, func(_ context.Context, p *sessionPrompter) string {
+				if p.CanPromptURL() {
+					if p.CanPromptForm() {
+						return "url+form"
+					}
+					return "url"
+				}
+				if p.CanPromptForm() {
+					return "form"
+				}
+				return "none"
+			})
+
+			want := "none"
+			switch {
+			case tc.wantURL && tc.wantForm:
+				want = "url+form"
+			case tc.wantURL:
+				want = "url"
+			case tc.wantForm:
+				want = "form"
+			}
+			assert.Equal(t, want, got)
+		})
+	}
+}
+
+func TestSessionPrompterPromptActions(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name        string
+		action      string
+		wantDecline bool
+	}{
+		{name: "accept", action: "accept", wantDecline: false},
+		{name: "decline", action: "decline", wantDecline: true},
+		{name: "cancel", action: "cancel", wantDecline: true},
+	}
+
+	caps := &mcp.ClientCapabilities{Elicitation: &mcp.ElicitationCapabilities{
+		URL:  &mcp.URLElicitationCapabilities{},
+		Form: &mcp.FormElicitationCapabilities{},
+	}}
+
+	for _, tc := range tests {
+		// URL and form modes share the accept/decline mapping; cover both.
+		for _, mode := range []string{"url", "form"} {
+			t.Run(tc.name+"/"+mode, func(t *testing.T) {
+				t.Parallel()
+
+				handler := func(_ context.Context, _ *mcp.ElicitRequest) (*mcp.ElicitResult, error) {
+					return &mcp.ElicitResult{Action: tc.action}, nil
+				}
+
+				got := runProbe(t, caps, handler, func(ctx context.Context, p *sessionPrompter) string {
+					var err error
+					if mode == "url" {
+						err = p.PromptURL(ctx, oauth.Prompt{Message: "msg", URL: "https://example.com/auth"})
+					} else {
+						err = p.PromptForm(ctx, oauth.Prompt{Message: "msg"})
+					}
+					if err == nil {
+						return "ok"
+					}
+					if err == oauth.ErrPromptDeclined {
+						return "declined"
+					}
+					return "error: " + err.Error()
+				})
+
+				if tc.wantDecline {
+					assert.Equal(t, "declined", got)
+				} else {
+					assert.Equal(t, "ok", got)
+				}
+			})
+		}
+	}
+}
+
+// TestSessionPrompterTransportError verifies that a prompt which fails to be
+// delivered (the client errors instead of returning an action) is reported as
+// ErrPromptUnavailable, not ErrPromptDeclined. The manager relies on this
+// distinction to fall back to manual instructions instead of aborting.
+func TestSessionPrompterTransportError(t *testing.T) {
+	t.Parallel()
+
+	caps := &mcp.ClientCapabilities{Elicitation: &mcp.ElicitationCapabilities{
+		URL:  &mcp.URLElicitationCapabilities{},
+		Form: &mcp.FormElicitationCapabilities{},
+	}}
+
+	for _, mode := range []string{"url", "form"} {
+		t.Run(mode, func(t *testing.T) {
+			t.Parallel()
+
+			handler := func(_ context.Context, _ *mcp.ElicitRequest) (*mcp.ElicitResult, error) {
+				return nil, errors.New("client cannot deliver elicitation")
+			}
+
+			got := runProbe(t, caps, handler, func(ctx context.Context, p *sessionPrompter) string {
+				var err error
+				if mode == "url" {
+					err = p.PromptURL(ctx, oauth.Prompt{Message: "msg", URL: "https://example.com/auth"})
+				} else {
+					err = p.PromptForm(ctx, oauth.Prompt{Message: "msg"})
+				}
+				switch {
+				case err == nil:
+					return "ok"
+				case errors.Is(err, oauth.ErrPromptDeclined):
+					return "declined"
+				case errors.Is(err, oauth.ErrPromptUnavailable):
+					return "unavailable"
+				default:
+					return "error: " + err.Error()
+				}
+			})
+
+			assert.Equal(t, "unavailable", got,
+				"a delivery failure must be classified as undeliverable, not a decline")
+		})
+	}
+}
+
+// fakeAuthenticator is a deterministic stand-in for *oauth.Manager that lets the
+// middleware be tested at each branch without standing up live GitHub flows.
+type fakeAuthenticator struct {
+	hasToken     bool
+	outcome      *oauth.Outcome
+	err          error
+	authCalls    int
+	lastPrompter oauth.Prompter
+}
+
+func (f *fakeAuthenticator) HasToken() bool { return f.hasToken }
+
+func (f *fakeAuthenticator) Authenticate(_ context.Context, prompter oauth.Prompter) (*oauth.Outcome, error) {
+	f.authCalls++
+	f.lastPrompter = prompter
+	return f.outcome, f.err
+}
+
+func TestCreateOAuthMiddleware(t *testing.T) {
+	t.Parallel()
+
+	const nextText = "handler-ran"
+	newNext := func(called *bool) mcp.MethodHandler {
+		return func(_ context.Context, _ string, _ mcp.Request) (mcp.Result, error) {
+			*called = true
+			return &mcp.CallToolResult{Content: []mcp.Content{&mcp.TextContent{Text: nextText}}}, nil
+		}
+	}
+
+	t.Run("non tool call passes through without authenticating", func(t *testing.T) {
+		t.Parallel()
+		fake := &fakeAuthenticator{hasToken: false}
+		var called bool
+		mw := createOAuthMiddleware(fake, discardLogger())
+		_, err := mw(newNext(&called))(context.Background(), "initialize", &mcp.InitializeRequest{})
+		require.NoError(t, err)
+		assert.True(t, called, "next should run")
+		assert.Zero(t, fake.authCalls, "authentication must not run for non tool calls")
+	})
+
+	t.Run("existing token short circuits authentication", func(t *testing.T) {
+		t.Parallel()
+		fake := &fakeAuthenticator{hasToken: true}
+		var called bool
+		mw := createOAuthMiddleware(fake, discardLogger())
+		_, err := mw(newNext(&called))(context.Background(), "tools/call", &mcp.CallToolRequest{})
+		require.NoError(t, err)
+		assert.True(t, called, "next should run")
+		assert.Zero(t, fake.authCalls, "authentication must be skipped when a token already exists")
+	})
+
+	t.Run("successful authentication proceeds to handler", func(t *testing.T) {
+		t.Parallel()
+		fake := &fakeAuthenticator{hasToken: false, outcome: nil, err: nil}
+		var called bool
+		mw := createOAuthMiddleware(fake, discardLogger())
+		res, err := mw(newNext(&called))(context.Background(), "tools/call", &mcp.CallToolRequest{})
+		require.NoError(t, err)
+		assert.Equal(t, 1, fake.authCalls)
+		assert.True(t, called, "next should run once authorized")
+		callRes, ok := res.(*mcp.CallToolResult)
+		require.True(t, ok)
+		require.Len(t, callRes.Content, 1)
+		assert.Equal(t, nextText, callRes.Content[0].(*mcp.TextContent).Text)
+	})
+
+	t.Run("pending user action is surfaced as a tool result", func(t *testing.T) {
+		t.Parallel()
+		const message = "Open https://example.com/auth to authorize, then retry."
+		fake := &fakeAuthenticator{hasToken: false, outcome: &oauth.Outcome{UserAction: &oauth.UserAction{Message: message}}}
+		var called bool
+		mw := createOAuthMiddleware(fake, discardLogger())
+		res, err := mw(newNext(&called))(context.Background(), "tools/call", &mcp.CallToolRequest{})
+		require.NoError(t, err)
+		assert.False(t, called, "next must not run while the user still needs to authorize")
+		callRes, ok := res.(*mcp.CallToolResult)
+		require.True(t, ok)
+		require.Len(t, callRes.Content, 1)
+		assert.Equal(t, message, callRes.Content[0].(*mcp.TextContent).Text)
+	})
+
+	t.Run("authentication error is returned", func(t *testing.T) {
+		t.Parallel()
+		fake := &fakeAuthenticator{hasToken: false, err: assert.AnError}
+		var called bool
+		mw := createOAuthMiddleware(fake, discardLogger())
+		_, err := mw(newNext(&called))(context.Background(), "tools/call", &mcp.CallToolRequest{})
+		require.Error(t, err)
+		assert.ErrorIs(t, err, assert.AnError)
+		assert.False(t, called, "next must not run when authentication fails")
+	})
+}
+
+// TestRunStdioServerRejectsTokenAndOAuth verifies the mutually-exclusive guard:
+// supplying both a static token and an OAuth manager is rejected before the
+// server starts, rather than silently preferring one for auth and the other for
+// scope filtering.
+func TestRunStdioServerRejectsTokenAndOAuth(t *testing.T) {
+	t.Parallel()
+
+	mgr := oauth.NewManager(oauth.NewGitHubConfig("client-id", "", nil, "", 0), discardLogger())
+	err := RunStdioServer(StdioServerConfig{
+		Token:        "ghp_static",
+		OAuthManager: mgr,
+	})
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "mutually exclusive")
+}
+
+// TestCreateGitHubClientsTokenProvider proves the OAuth wiring: when a
+// TokenProvider is configured the REST client authenticates with the provider's
+// current token on every request (and never pins a stale one), which is what the
+// lazy, refreshing OAuth token depends on.
+func TestCreateGitHubClientsTokenProvider(t *testing.T) {
+	t.Parallel()
+
+	var gotAuth string
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		gotAuth = r.Header.Get(headers.AuthorizationHeader)
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+
+	current := ""
+	apiHost, err := utils.NewAPIHost(server.URL)
+	require.NoError(t, err)
+
+	clients, err := createGitHubClients(github.MCPServerConfig{
+		Version:       "test",
+		TokenProvider: func() string { return current },
+	}, apiHost)
+	require.NoError(t, err)
+
+	do := func() {
+		resp, err := clients.rest.Client().Get(server.URL)
+		require.NoError(t, err)
+		defer resp.Body.Close()
+	}
+
+	do()
+	assert.Equal(t, "", gotAuth, "no auth header before authorization")
+
+	current = "oauth-token"
+	do()
+	assert.Equal(t, "Bearer oauth-token", gotAuth, "provider token used once available")
+
+	current = "refreshed-token"
+	do()
+	assert.Equal(t, "Bearer refreshed-token", gotAuth, "refreshed provider token used")
+}
diff --git a/internal/ghmcp/server.go b/internal/ghmcp/server.go
index a37c4d940d..1bf84453c8 100644
--- a/internal/ghmcp/server.go
+++ b/internal/ghmcp/server.go
@@ -12,6 +12,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/github/github-mcp-server/internal/oauth"
 	"github.com/github/github-mcp-server/pkg/errors"
 	"github.com/github/github-mcp-server/pkg/github"
 	"github.com/github/github-mcp-server/pkg/http/transport"
@@ -61,16 +62,30 @@ func createGitHubClients(cfg github.MCPServerConfig, apiHost utils.APIHostResolv
 		return nil, fmt.Errorf("failed to get Raw URL: %w", err)
 	}
 
-	// Construct REST client
+	// Construct REST client. When a TokenProvider is configured (OAuth), we
+	// authenticate via BearerAuthTransport and skip go-github's WithAuthToken:
+	// the latter installs its own round tripper that would pin the static token
+	// and shadow the dynamic one.
 	restUATransport := &transport.UserAgentTransport{
 		Transport: http.DefaultTransport,
 		Agent:     fmt.Sprintf("github-mcp-server/%s", cfg.Version),
 	}
-	restClient, err := gogithub.NewClient(
-		gogithub.WithHTTPClient(&http.Client{Transport: restUATransport}),
-		gogithub.WithAuthToken(cfg.Token),
-		gogithub.WithEnterpriseURLs(restURL.String(), uploadURL.String()),
-	)
+	var restClient *gogithub.Client
+	if cfg.TokenProvider != nil {
+		restClient, err = gogithub.NewClient(
+			gogithub.WithHTTPClient(&http.Client{Transport: &transport.BearerAuthTransport{
+				Transport:     restUATransport,
+				TokenProvider: cfg.TokenProvider,
+			}}),
+			gogithub.WithEnterpriseURLs(restURL.String(), uploadURL.String()),
+		)
+	} else {
+		restClient, err = gogithub.NewClient(
+			gogithub.WithHTTPClient(&http.Client{Transport: restUATransport}),
+			gogithub.WithAuthToken(cfg.Token),
+			gogithub.WithEnterpriseURLs(restURL.String(), uploadURL.String()),
+		)
+	}
 	if err != nil {
 		return nil, fmt.Errorf("failed to create REST client: %w", err)
 	}
@@ -82,7 +97,8 @@ func createGitHubClients(cfg github.MCPServerConfig, apiHost utils.APIHostResolv
 			Transport: &transport.GraphQLFeaturesTransport{
 				Transport: http.DefaultTransport,
 			},
-			Token: cfg.Token,
+			Token:         cfg.Token,
+			TokenProvider: cfg.TokenProvider,
 		},
 	}
 
@@ -229,10 +245,29 @@ type StdioServerConfig struct {
 
 	// RepoAccessCacheTTL overrides the default TTL for repository access cache entries.
 	RepoAccessCacheTTL *time.Duration
+
+	// OAuthManager, when non-nil, enables OAuth 2.1 login for stdio mode. The
+	// server starts without a token and runs the authorization flow on the
+	// first tool call (see createOAuthMiddleware). It is mutually exclusive with
+	// a static Token.
+	OAuthManager *oauth.Manager
+
+	// OAuthScopes are the scopes requested during OAuth login. They double as
+	// the scope set for tool filtering: tools requiring a scope outside this set
+	// are hidden. The default set is the full supported list, which hides
+	// nothing; an explicit, narrower list filters accordingly.
+	OAuthScopes []string
 }
 
 // RunStdioServer is not concurrent safe.
 func RunStdioServer(cfg StdioServerConfig) error {
+	// OAuth login and a static token are mutually exclusive: they would
+	// disagree on how the token is sourced (lazy provider vs. static) and on
+	// scope filtering, so reject the ambiguous combination up front.
+	if cfg.OAuthManager != nil && cfg.Token != "" {
+		return fmt.Errorf("OAuthManager and a static Token are mutually exclusive: provide one or the other")
+	}
+
 	// Create app context
 	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
 	defer stop()
@@ -255,11 +290,13 @@ func RunStdioServer(cfg StdioServerConfig) error {
 	logger := slog.New(slogHandler)
 	logger.Info("starting server", "version", cfg.Version, "host", cfg.Host, "readOnly", cfg.ReadOnly, "lockdownEnabled", cfg.LockdownMode)
 
-	// Fetch token scopes for scope-based tool filtering (PAT tokens only)
-	// Only classic PATs (ghp_ prefix) return OAuth scopes via X-OAuth-Scopes header.
-	// Fine-grained PATs and other token types don't support this, so we skip filtering.
+	// Determine the scope set used to filter tools. Classic PATs expose their
+	// granted scopes via the API; OAuth uses the requested scopes (the default
+	// set hides nothing, a narrower explicit set filters accordingly). Other
+	// token types don't advertise scopes, so filtering is skipped.
 	var tokenScopes []string
-	if strings.HasPrefix(cfg.Token, "ghp_") {
+	switch {
+	case strings.HasPrefix(cfg.Token, "ghp_"):
 		fetchedScopes, err := fetchTokenScopesForHost(ctx, cfg.Token, cfg.Host)
 		if err != nil {
 			logger.Warn("failed to fetch token scopes, continuing without scope filtering", "error", err)
@@ -267,10 +304,20 @@ func RunStdioServer(cfg StdioServerConfig) error {
 			tokenScopes = fetchedScopes
 			logger.Info("token scopes fetched for filtering", "scopes", tokenScopes)
 		}
-	} else {
+	case cfg.OAuthManager != nil:
+		tokenScopes = cfg.OAuthScopes
+		logger.Info("using requested OAuth scopes for tool filtering", "scopes", tokenScopes)
+	default:
 		logger.Debug("skipping scope filtering for non-PAT token")
 	}
 
+	// For OAuth, the token is resolved lazily: empty until the user authorizes
+	// on the first tool call, then refreshed for the rest of the session.
+	var tokenProvider func() string
+	if cfg.OAuthManager != nil {
+		tokenProvider = cfg.OAuthManager.AccessToken
+	}
+
 	ghServer, err := NewStdioMCPServer(ctx, github.MCPServerConfig{
 		Version:           cfg.Version,
 		Host:              cfg.Host,
@@ -287,11 +334,18 @@ func RunStdioServer(cfg StdioServerConfig) error {
 		Logger:            logger,
 		RepoAccessTTL:     cfg.RepoAccessCacheTTL,
 		TokenScopes:       tokenScopes,
+		TokenProvider:     tokenProvider,
 	})
 	if err != nil {
 		return fmt.Errorf("failed to create MCP server: %w", err)
 	}
 
+	// With OAuth, intercept tool calls to run the authorization flow on first
+	// use, before the handler tries to call GitHub with an empty token.
+	if cfg.OAuthManager != nil {
+		ghServer.AddReceivingMiddleware(createOAuthMiddleware(cfg.OAuthManager, logger))
+	}
+
 	if cfg.ExportTranslations {
 		// Once server is initialized, all translations are loaded
 		dumpTranslations()
diff --git a/internal/oauth/callback.go b/internal/oauth/callback.go
new file mode 100644
index 0000000000..1e643e207d
--- /dev/null
+++ b/internal/oauth/callback.go
@@ -0,0 +1,157 @@
+package oauth
+
+import (
+	"context"
+	"embed"
+	"fmt"
+	"html/template"
+	"net"
+	"net/http"
+	"time"
+)
+
+//go:embed templates/*.html
+var templateFS embed.FS
+
+var (
+	errorTemplate   = template.Must(template.ParseFS(templateFS, "templates/error.html"))
+	successTemplate = template.Must(template.ParseFS(templateFS, "templates/success.html"))
+)
+
+// callbackResult is delivered by the callback server once the browser redirect
+// arrives. Exactly one of code or err is set.
+type callbackResult struct {
+	code string
+	err  error
+}
+
+// callbackServer is a short-lived local HTTP server that captures the
+// authorization code from the OAuth redirect.
+type callbackServer struct {
+	server   *http.Server
+	listener net.Listener
+	redirect string
+	results  chan callbackResult
+}
+
+// listenCallback binds the local callback listener.
+//
+// It binds to loopback (127.0.0.1) by default so the callback server is never
+// exposed on other interfaces. bindAll is set only inside a container, where
+// Docker's published-port DNAT delivers traffic to the container's eth0 rather
+// than to loopback; host-side exposure is still constrained by the publish
+// (e.g. -p 127.0.0.1:8085:8085). A native run — even with a fixed port — stays
+// on loopback.
+func listenCallback(port int, bindAll bool) (net.Listener, error) {
+	host := "127.0.0.1"
+	if bindAll {
+		host = "0.0.0.0"
+	}
+	addr := fmt.Sprintf("%s:%d", host, port)
+	listener, err := net.Listen("tcp", addr)
+	if err != nil {
+		return nil, fmt.Errorf("starting callback listener on %s: %w", addr, err)
+	}
+	return listener, nil
+}
+
+// newCallbackServer starts a callback server on listener that validates state
+// and reports the result on a buffered channel. The redirect URI always uses
+// localhost so it matches the value registered on the OAuth/GitHub App.
+func newCallbackServer(listener net.Listener, expectedState string) *callbackServer {
+	cs := &callbackServer{
+		server:   &http.Server{ReadHeaderTimeout: 10 * time.Second}, // ReadHeaderTimeout guards against Slowloris.
+		listener: listener,
+		redirect: fmt.Sprintf("http://localhost:%d/callback", listener.Addr().(*net.TCPAddr).Port),
+		results:  make(chan callbackResult, 1),
+	}
+	cs.server.Handler = cs.handler(expectedState)
+
+	go func() {
+		if err := cs.server.Serve(listener); err != nil && err != http.ErrServerClosed {
+			cs.report(callbackResult{err: fmt.Errorf("callback server: %w", err)})
+		}
+	}()
+
+	return cs
+}
+
+// handler renders the callback endpoint. It reports the outcome exactly once and
+// always shows the user a friendly page.
+func (cs *callbackServer) handler(expectedState string) http.Handler {
+	mux := http.NewServeMux()
+	mux.HandleFunc("/callback", func(w http.ResponseWriter, r *http.Request) {
+		q := r.URL.Query()
+
+		if errCode := q.Get("error"); errCode != "" {
+			msg := errCode
+			if desc := q.Get("error_description"); desc != "" {
+				msg = fmt.Sprintf("%s: %s", errCode, desc)
+			}
+			cs.report(callbackResult{err: fmt.Errorf("authorization failed: %s", msg)})
+			renderError(w, msg)
+			return
+		}
+
+		if q.Get("state") != expectedState {
+			cs.report(callbackResult{err: fmt.Errorf("state mismatch (possible CSRF)")})
+			renderError(w, "state mismatch")
+			return
+		}
+
+		code := q.Get("code")
+		if code == "" {
+			cs.report(callbackResult{err: fmt.Errorf("no authorization code in callback")})
+			renderError(w, "no authorization code received")
+			return
+		}
+
+		cs.report(callbackResult{code: code})
+		renderSuccess(w)
+	})
+	return mux
+}
+
+// report delivers the first outcome and drops later ones (the channel is
+// buffered for one; subsequent redirect retries must not block the handler).
+func (cs *callbackServer) report(res callbackResult) {
+	select {
+	case cs.results <- res:
+	default:
+	}
+}
+
+// wait blocks for the callback outcome or ctx cancellation, then shuts the
+// server down. It is safe to call once per server.
+func (cs *callbackServer) wait(ctx context.Context) (string, error) {
+	defer cs.close()
+	select {
+	case res := <-cs.results:
+		return res.code, res.err
+	case <-ctx.Done():
+		return "", ctx.Err()
+	}
+}
+
+func (cs *callbackServer) close() {
+	shutdownCtx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+	_ = cs.server.Shutdown(shutdownCtx)
+	_ = cs.listener.Close()
+}
+
+func renderSuccess(w http.ResponseWriter) {
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	if err := successTemplate.Execute(w, nil); err != nil {
+		http.Error(w, "internal error", http.StatusInternalServerError)
+	}
+}
+
+// renderError shows the failure page. html/template auto-escapes msg, so a
+// hostile error_description cannot inject markup.
+func renderError(w http.ResponseWriter, msg string) {
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	if err := errorTemplate.Execute(w, struct{ ErrorMessage string }{ErrorMessage: msg}); err != nil {
+		http.Error(w, "internal error", http.StatusInternalServerError)
+	}
+}
diff --git a/internal/oauth/callback_test.go b/internal/oauth/callback_test.go
new file mode 100644
index 0000000000..45a8fa71c4
--- /dev/null
+++ b/internal/oauth/callback_test.go
@@ -0,0 +1,92 @@
+package oauth
+
+import (
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// serveCallback drives the callback handler with the given query string and
+// returns the recorded response and the single reported result.
+func serveCallback(t *testing.T, expectedState, query string) (*httptest.ResponseRecorder, callbackResult) {
+	t.Helper()
+	cs := &callbackServer{results: make(chan callbackResult, 1)}
+	rec := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/callback?"+query, nil)
+
+	cs.handler(expectedState).ServeHTTP(rec, req)
+
+	select {
+	case res := <-cs.results:
+		return rec, res
+	default:
+		t.Fatal("handler did not report a result")
+		return nil, callbackResult{}
+	}
+}
+
+func TestCallbackHandlerSuccess(t *testing.T) {
+	rec, res := serveCallback(t, "state123", "code=the-code&state=state123")
+
+	require.NoError(t, res.err)
+	assert.Equal(t, "the-code", res.code)
+	assert.Equal(t, http.StatusOK, rec.Code)
+	assert.Contains(t, rec.Body.String(), "Authorization Successful")
+}
+
+func TestCallbackHandlerStateMismatch(t *testing.T) {
+	rec, res := serveCallback(t, "expected", "code=the-code&state=attacker")
+
+	require.Error(t, res.err)
+	assert.Empty(t, res.code)
+	assert.Contains(t, res.err.Error(), "state mismatch")
+	assert.Contains(t, rec.Body.String(), "state mismatch")
+}
+
+func TestCallbackHandlerMissingCode(t *testing.T) {
+	_, res := serveCallback(t, "state123", "state=state123")
+
+	require.Error(t, res.err)
+	assert.Contains(t, res.err.Error(), "no authorization code")
+}
+
+func TestCallbackHandlerOAuthError(t *testing.T) {
+	_, res := serveCallback(t, "state123", "error=access_denied&error_description=user+said+no")
+
+	require.Error(t, res.err)
+	assert.Contains(t, res.err.Error(), "access_denied")
+	assert.Contains(t, res.err.Error(), "user said no")
+}
+
+func TestCallbackHandlerEscapesError(t *testing.T) {
+	rec, _ := serveCallback(t, "state123", "error=evil&error_description=%3Cscript%3Ealert(1)%3C%2Fscript%3E")
+
+	body := rec.Body.String()
+	assert.NotContains(t, body, "<script>", "error message must be HTML-escaped")
+	assert.Contains(t, body, "&lt;script&gt;")
+}
+
+func TestListenCallbackRandomPortIsLoopback(t *testing.T) {
+	listener, err := listenCallback(0, false)
+	require.NoError(t, err)
+	defer listener.Close()
+
+	addr, ok := listener.Addr().(*net.TCPAddr)
+	require.True(t, ok)
+	assert.True(t, addr.IP.IsLoopback(), "default bind must be loopback only, got %s", addr.IP)
+	assert.NotZero(t, addr.Port)
+}
+
+func TestListenCallbackBindAllForContainer(t *testing.T) {
+	listener, err := listenCallback(0, true)
+	require.NoError(t, err)
+	defer listener.Close()
+
+	addr, ok := listener.Addr().(*net.TCPAddr)
+	require.True(t, ok)
+	assert.True(t, addr.IP.IsUnspecified(), "bindAll must bind all interfaces, got %s", addr.IP)
+}
diff --git a/internal/oauth/env.go b/internal/oauth/env.go
new file mode 100644
index 0000000000..34fa329973
--- /dev/null
+++ b/internal/oauth/env.go
@@ -0,0 +1,70 @@
+package oauth
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+)
+
+// errNoDisplay reports that the host has no display server, so no browser can be
+// launched. It is a definitive headless signal (unlike a generic launch error),
+// which lets the flow prefer device authorization — the only channel reachable
+// from a browser on another machine (e.g. a remote SSH session).
+var errNoDisplay = errors.New("no display server detected")
+
+// openBrowser tries to open url in the user's default browser. It returns an
+// error when no browser can plausibly be launched so the caller can fall back
+// to elicitation. On Linux it treats a headless session (no display server) as
+// unopenable, which is the common case for SSH and containers.
+func openBrowser(url string) error {
+	var cmd *exec.Cmd
+	switch runtime.GOOS {
+	case "linux":
+		if os.Getenv("DISPLAY") == "" && os.Getenv("WAYLAND_DISPLAY") == "" {
+			return errNoDisplay
+		}
+		cmd = exec.Command("xdg-open", url)
+	case "darwin":
+		cmd = exec.Command("open", url)
+	case "windows":
+		cmd = exec.Command("rundll32", "url.dll,FileProtocolHandler", url)
+	default:
+		return fmt.Errorf("unsupported platform: %s", runtime.GOOS)
+	}
+
+	cmd.Stdout = io.Discard
+	cmd.Stderr = io.Discard
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+	// The launcher (xdg-open/open/rundll32) exits as soon as it hands off to the
+	// browser. Reap it asynchronously so it does not linger as a zombie for the
+	// lifetime of this long-running server.
+	go func() { _ = cmd.Wait() }()
+	return nil
+}
+
+// isRunningInDocker reports whether the process is running inside a Docker (or
+// containerd) container. Detection relies on Linux-specific paths and is always
+// false elsewhere. It is used only to skip a PKCE flow that cannot work: a
+// random callback port inside a container cannot be reached from the host
+// browser, so we go straight to device flow in that case.
+func isRunningInDocker() bool {
+	if runtime.GOOS != "linux" {
+		return false
+	}
+	if _, err := os.Stat("/.dockerenv"); err == nil {
+		return true
+	}
+	if data, err := os.ReadFile("/proc/1/cgroup"); err == nil {
+		s := string(data)
+		if strings.Contains(s, "docker") || strings.Contains(s, "containerd") {
+			return true
+		}
+	}
+	return false
+}
diff --git a/internal/oauth/flow.go b/internal/oauth/flow.go
new file mode 100644
index 0000000000..fda1dda19f
--- /dev/null
+++ b/internal/oauth/flow.go
@@ -0,0 +1,220 @@
+package oauth
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+// deviceAuthTimeout bounds the synchronous device-code request made while
+// preparing the device flow (before any waiting on the user).
+const deviceAuthTimeout = 30 * time.Second
+
+// errCallbackBind marks a failure to bind the local OAuth callback listener, so
+// begin can treat a busy fixed port as fatal without mislabeling unrelated
+// errors (e.g. a failure to generate the state parameter) as a port conflict.
+var errCallbackBind = errors.New("OAuth callback listener could not bind")
+
+// flowPlan is a prepared authorization flow ready to run in the background.
+type flowPlan struct {
+	// run performs the blocking part of the flow (await callback + exchange, or
+	// poll the device endpoint) and returns the token.
+	run func(context.Context) (*oauth2.Token, error)
+	// display, if set, presents the prompt to the user via the Prompter and
+	// blocks until they act. ErrPromptDeclined (the user said no) or any other
+	// error aborts the flow, except ErrPromptUnavailable, which degrades to
+	// fallback when that is set.
+	display func(context.Context) error
+	// fallback, if set alongside display, is the manual user action to surface
+	// when the display prompt cannot be delivered (ErrPromptUnavailable). It lets
+	// a runtime elicitation failure degrade to the manual channel — keeping the
+	// background flow alive — instead of aborting.
+	fallback *UserAction
+	// userAction, if set, indicates the last-resort channel: the caller must
+	// surface it and the user retries after authorizing out of band.
+	userAction *UserAction
+}
+
+// begin selects and prepares the appropriate flow. PKCE is preferred for its
+// stronger security; device flow is the fallback. A random callback port inside
+// Docker cannot be reached from the host browser, so that combination goes
+// straight to device flow.
+func (m *Manager) begin(prompter Prompter) (*flowPlan, error) {
+	canPKCE := m.config.CallbackPort != 0 || !m.inDocker()
+	if canPKCE {
+		plan, err := m.beginPKCE(prompter)
+		if err == nil {
+			return plan, nil
+		}
+		// A fixed callback port that won't bind is fatal, not a cue to downgrade.
+		// The port was chosen deliberately (and registered with the OAuth app), so
+		// a bind failure means another process holds it — possibly one positioned
+		// to intercept the authorization redirect. Silently switching to device
+		// flow would mask that, so stop and make the user resolve it. Only genuine
+		// bind failures qualify; other errors fall through to device flow.
+		if m.config.CallbackPort != 0 && errors.Is(err, errCallbackBind) {
+			return nil, fmt.Errorf("OAuth callback port %d is not available; another process may be using it — free the port or set a different --oauth-callback-port: %w", m.config.CallbackPort, err)
+		}
+		m.logger.Info("PKCE flow unavailable, falling back to device flow", "reason", err)
+	} else {
+		m.logger.Info("no callback port inside container; using device flow")
+	}
+	return m.beginDevice(prompter)
+}
+
+// beginPKCE prepares the authorization-code + PKCE flow. It binds the callback
+// server and selects the most secure available display channel: browser
+// auto-open, then URL elicitation, then a tool-response message. On a headless
+// host with a random callback port it diverts to device flow, whose redirect
+// does not depend on reaching this machine's localhost.
+func (m *Manager) beginPKCE(prompter Prompter) (*flowPlan, error) {
+	state, err := randomState()
+	if err != nil {
+		return nil, err
+	}
+	verifier := oauth2.GenerateVerifier()
+
+	// Bind to all interfaces only inside a container, where the published port
+	// is delivered via eth0 rather than loopback. Native runs stay on loopback.
+	listener, err := listenCallback(m.config.CallbackPort, m.inDocker())
+	if err != nil {
+		return nil, fmt.Errorf("%w: %w", errCallbackBind, err)
+	}
+	if m.inDocker() {
+		// Inside a container the callback binds all interfaces so the published
+		// port is reachable, which also exposes it to the container network.
+		// Publishing to loopback only (e.g. -p 127.0.0.1:%d:%d) keeps the
+		// authorization code off the network.
+		m.logger.Warn(fmt.Sprintf("OAuth callback is listening on all container interfaces; publish it to loopback only (e.g. -p 127.0.0.1:%d:%d) so the authorization code is not exposed on your network", m.config.CallbackPort, m.config.CallbackPort))
+	}
+	cs := newCallbackServer(listener, state)
+
+	oc := m.oauth2Config(cs.redirect)
+	authURL := oc.AuthCodeURL(state, oauth2.S256ChallengeOption(verifier))
+
+	run := func(ctx context.Context) (*oauth2.Token, error) {
+		code, err := cs.wait(ctx)
+		if err != nil {
+			return nil, err
+		}
+		tok, err := oc.Exchange(ctx, code, oauth2.VerifierOption(verifier))
+		if err != nil {
+			return nil, fmt.Errorf("exchanging authorization code: %w", err)
+		}
+		return tok, nil
+	}
+
+	browserErr := m.openURL(authURL)
+	switch {
+	case browserErr == nil:
+		m.logger.Info("opened browser for GitHub authorization")
+		return &flowPlan{run: run}, nil
+	case errors.Is(browserErr, errNoDisplay) && m.config.CallbackPort == 0:
+		// Headless host with a random callback port: every PKCE channel ends in a
+		// redirect to this machine's localhost, which a browser on another machine
+		// (e.g. a remote SSH client) cannot reach — so even URL elicitation would
+		// dead-end. Device flow is the only channel reachable from elsewhere, so
+		// prefer it when the app supports it; otherwise fall through to the manual
+		// authorization URL below for a same-machine browser.
+		plan, deviceErr := m.beginDevice(prompter)
+		if deviceErr == nil {
+			cs.close()
+			m.logger.Info("no display server; using device flow")
+			return plan, nil
+		}
+		m.logger.Debug("device flow unavailable on headless host; offering manual authorization URL", "reason", deviceErr)
+	default:
+		m.logger.Debug("browser auto-open unavailable", "reason", browserErr)
+	}
+
+	// The manual instructions double as the fallback if a chosen display channel
+	// turns out to be undeliverable at runtime, so build them once here.
+	manual := &UserAction{
+		URL: authURL,
+		Message: fmt.Sprintf(
+			"To authorize the GitHub MCP Server, open this URL in your browser:\n\n%s\n\nAfter authorizing, retry your request.\n\n%s",
+			authURL, securityAdvisory,
+		),
+	}
+
+	if canPromptURL(prompter) {
+		display := func(ctx context.Context) error {
+			return prompter.PromptURL(ctx, Prompt{
+				Message: "Authorize the GitHub MCP Server in your browser to continue.",
+				URL:     authURL,
+			})
+		}
+		return &flowPlan{run: run, display: display, fallback: manual}, nil
+	}
+
+	return &flowPlan{run: run, userAction: manual}, nil
+}
+
+// beginDevice prepares the device authorization flow. It requests a device code
+// up front (so the code can be displayed) and selects a display channel:
+// URL elicitation, then form elicitation, then a tool-response message.
+func (m *Manager) beginDevice(prompter Prompter) (*flowPlan, error) {
+	oc := m.oauth2Config("")
+
+	ctx, cancel := context.WithTimeout(context.Background(), deviceAuthTimeout)
+	defer cancel()
+	da, err := oc.DeviceAuth(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("requesting device code: %w", err)
+	}
+
+	run := func(ctx context.Context) (*oauth2.Token, error) {
+		tok, err := oc.DeviceAccessToken(ctx, da)
+		if err != nil {
+			return nil, fmt.Errorf("awaiting device authorization: %w", err)
+		}
+		return tok, nil
+	}
+
+	// As with PKCE, the manual instructions double as the runtime fallback, so
+	// build them once and reuse for both display plans and the last resort.
+	manual := &UserAction{
+		URL:      da.VerificationURI,
+		UserCode: da.UserCode,
+		Message: fmt.Sprintf(
+			"%s\n\nAfter authorizing, retry your request.\n\n%s",
+			deviceInstruction(da), securityAdvisory,
+		),
+	}
+
+	if canPromptURL(prompter) {
+		display := func(ctx context.Context) error {
+			return prompter.PromptURL(ctx, Prompt{
+				Message:  fmt.Sprintf("Enter code %s to authorize the GitHub MCP Server.", da.UserCode),
+				URL:      da.VerificationURI,
+				UserCode: da.UserCode,
+			})
+		}
+		return &flowPlan{run: run, display: display, fallback: manual}, nil
+	}
+
+	if canPromptForm(prompter) {
+		display := func(ctx context.Context) error {
+			return prompter.PromptForm(ctx, Prompt{
+				Message:  deviceInstruction(da),
+				URL:      da.VerificationURI,
+				UserCode: da.UserCode,
+			})
+		}
+		return &flowPlan{run: run, display: display, fallback: manual}, nil
+	}
+
+	return &flowPlan{run: run, userAction: manual}, nil
+}
+
+// securityAdvisory nudges users on clients without URL elicitation to ask their
+// vendor for it, since it keeps the authorization URL out of the model context.
+const securityAdvisory = "Note: your MCP client does not appear to support secure URL elicitation. " +
+	"For improved security, consider asking your agent, CLI, or IDE to add it (for example, by opening an issue)."
+
+func deviceInstruction(da *oauth2.DeviceAuthResponse) string {
+	return fmt.Sprintf("Visit %s and enter the code %s to authorize the GitHub MCP Server.", da.VerificationURI, da.UserCode)
+}
diff --git a/internal/oauth/manager.go b/internal/oauth/manager.go
new file mode 100644
index 0000000000..a78e919df7
--- /dev/null
+++ b/internal/oauth/manager.go
@@ -0,0 +1,310 @@
+package oauth
+
+import (
+	"context"
+	"errors"
+	"log/slog"
+	"net/http"
+	"os"
+	"sync"
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+// DefaultAuthTimeout bounds how long a single authorization attempt waits for
+// the user to complete the browser or device flow.
+const DefaultAuthTimeout = 5 * time.Minute
+
+// tokenRefreshTimeout bounds each background refresh of an expiring token so a
+// stalled GitHub token endpoint cannot block a tool call indefinitely.
+const tokenRefreshTimeout = 30 * time.Second
+
+// flowStatus tracks the manager's single-flight authorization state.
+type flowStatus int
+
+const (
+	statusIdle         flowStatus = iota // no flow running
+	statusStarting                       // a flow is being prepared (brief)
+	statusInProgress                     // a flow is running on a secure channel; callers may join
+	statusAwaitingUser                   // a flow is running but the user must act out-of-band
+)
+
+// Outcome reports the result of an authorization attempt that did not
+// immediately yield a token.
+type Outcome struct {
+	// UserAction, when non-nil, must be surfaced to the user. The authorization
+	// flow continues in the background; the user should retry once they have
+	// completed it.
+	UserAction *UserAction
+}
+
+// UserAction is an instruction for the user to complete authorization out of
+// band (the last-resort channel, used when neither a browser nor URL
+// elicitation is available).
+type UserAction struct {
+	// Message is ready to display to the user.
+	Message string
+	// URL is the authorization URL or device verification URI.
+	URL string
+	// UserCode is the device-flow code to enter, if any.
+	UserCode string
+}
+
+// Manager owns the OAuth login flows and the resulting (refreshing) token for a
+// single stdio session. It is safe for concurrent use; only one authorization
+// flow runs at a time.
+type Manager struct {
+	config        Config
+	refreshConfig *oauth2.Config
+	logger        *slog.Logger
+
+	// Test seams, set by NewManager to real implementations.
+	openURL  func(string) error
+	inDocker func() bool
+
+	mu               sync.Mutex
+	source           oauth2.TokenSource // refreshing source, set once authorized
+	status           flowStatus
+	pending          *UserAction
+	done             chan struct{}
+	lastErr          error
+	refreshErrLogged bool // true once a refresh failure has been logged, reset on re-auth
+}
+
+// NewManager builds a Manager for the given configuration. A nil logger logs to
+// stderr.
+func NewManager(cfg Config, logger *slog.Logger) *Manager {
+	if logger == nil {
+		logger = slog.New(slog.NewTextHandler(os.Stderr, nil))
+	}
+	m := &Manager{
+		config:   cfg,
+		logger:   logger,
+		openURL:  openBrowser,
+		inDocker: isRunningInDocker,
+	}
+	m.refreshConfig = m.oauth2Config("")
+	return m
+}
+
+// AccessToken returns a currently valid access token, refreshing it if needed,
+// or "" if the session is not authorized (or a refresh has failed and
+// re-authorization is required). It is cheap to call repeatedly: the underlying
+// token source caches and only refreshes when the token has expired.
+func (m *Manager) AccessToken() string {
+	m.mu.Lock()
+	src := m.source
+	m.mu.Unlock()
+	if src == nil {
+		return ""
+	}
+	// Refresh (if needed) happens here, off the lock, because ReuseTokenSource may
+	// make a blocking network call and holding m.mu would serialize every tool call.
+	tok, err := src.Token()
+	if err != nil {
+		// A refresh failure (expired GitHub App refresh token, revoked grant, or a
+		// network blip) leaves the session unauthorized and forces a re-login.
+		// Surface it once, otherwise it only manifests as a surprise re-authorization
+		// prompt. The oauth2 error carries the token endpoint's response, not the
+		// access or refresh token.
+		m.mu.Lock()
+		if !m.refreshErrLogged {
+			m.refreshErrLogged = true
+			m.logger.Warn("OAuth token refresh failed; re-authorization required", "error", err)
+		}
+		m.mu.Unlock()
+		return ""
+	}
+	if !tok.Valid() {
+		return ""
+	}
+	return tok.AccessToken
+}
+
+// HasToken reports whether a valid token is currently available.
+func (m *Manager) HasToken() bool {
+	return m.AccessToken() != ""
+}
+
+// Authenticate ensures the session is authorized.
+//
+// It returns (nil, nil) once a token is available, so the caller may proceed.
+// It returns (&Outcome{UserAction}, nil) when the user must complete the flow
+// out of band; the flow continues in the background and the caller should show
+// the action and have the user retry. It returns (nil, err) on failure.
+//
+// Only one flow runs at a time. Concurrent callers either join a running secure
+// flow, receive the pending user action, or are told to retry shortly.
+func (m *Manager) Authenticate(ctx context.Context, prompter Prompter) (*Outcome, error) {
+	if m.AccessToken() != "" {
+		return nil, nil
+	}
+
+	m.mu.Lock()
+	switch m.status {
+	case statusAwaitingUser:
+		ua := m.pending
+		m.mu.Unlock()
+		return &Outcome{UserAction: ua}, nil
+	case statusStarting:
+		m.mu.Unlock()
+		return &Outcome{UserAction: &UserAction{
+			Message: "GitHub authorization is already in progress. Please retry your request in a few seconds.",
+		}}, nil
+	case statusInProgress:
+		done := m.done
+		m.mu.Unlock()
+		return m.joinWait(ctx, done)
+	}
+
+	// Idle: this call owns the new flow.
+	m.status = statusStarting
+	m.lastErr = nil
+	m.done = make(chan struct{})
+	done := m.done
+	m.mu.Unlock()
+
+	plan, err := m.begin(prompter)
+	if err != nil {
+		m.complete(nil, err)
+		return nil, err
+	}
+
+	m.mu.Lock()
+	if plan.userAction != nil {
+		m.status = statusAwaitingUser
+		m.pending = plan.userAction
+	} else {
+		m.status = statusInProgress
+	}
+	m.mu.Unlock()
+
+	bgCtx, cancel := context.WithTimeout(context.Background(), DefaultAuthTimeout)
+	go m.runFlow(bgCtx, cancel, plan)
+
+	if plan.userAction != nil {
+		return &Outcome{UserAction: plan.userAction}, nil
+	}
+	return m.joinWait(ctx, done)
+}
+
+// runFlow executes a prepared flow in the background and records the result. The
+// optional display prompt runs concurrently: a decline (or other failure) aborts
+// the flow, while an undeliverable prompt degrades to the manual fallback without
+// tearing the flow down, so the user can still authorize out of band.
+func (m *Manager) runFlow(ctx context.Context, cancel context.CancelFunc, plan *flowPlan) {
+	defer cancel()
+
+	if plan.display != nil {
+		go func() {
+			err := plan.display(ctx)
+			switch {
+			case err == nil:
+				// Prompt shown; the flow completes when the token arrives.
+			case ctx.Err() != nil:
+				// The flow is already ending (timed out or cancelled elsewhere),
+				// so there is nothing to fall back to. Checking this before the
+				// fallback also prevents misreading a context-cancelled prompt as
+				// a transport failure.
+			case errors.Is(err, ErrPromptUnavailable) && plan.fallback != nil:
+				// The client advertised the capability but could not deliver the
+				// prompt. Surface the manual instructions instead of failing, and
+				// keep the background flow alive so the user can still authorize.
+				m.logger.Debug("authorization prompt undeliverable; falling back to manual instructions", "reason", err)
+				m.fallBackToUserAction(plan.fallback)
+			default:
+				// A user decline (ErrPromptDeclined) or any other prompt failure
+				// ends the flow.
+				m.logger.Debug("authorization prompt closed", "reason", err)
+				cancel()
+			}
+		}()
+	}
+
+	tok, err := plan.run(ctx)
+	m.complete(tok, err)
+}
+
+// fallBackToUserAction promotes a running secure flow to the manual user-action
+// channel after its prompt could not be delivered. The background flow keeps
+// running, so the user can complete authorization out of band and retry. It is a
+// no-op if the flow has already resolved.
+func (m *Manager) fallBackToUserAction(ua *UserAction) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if m.status != statusInProgress {
+		return
+	}
+	m.status = statusAwaitingUser
+	m.pending = ua
+	// Wake any callers joined on this flow so they receive the action, and clear
+	// done so complete() does not double-close it when run() later finishes.
+	if m.done != nil {
+		close(m.done)
+		m.done = nil
+	}
+}
+
+// complete records the flow result, installing a refreshing token source on
+// success, and wakes any joined callers.
+func (m *Manager) complete(tok *oauth2.Token, err error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	m.status = statusIdle
+	m.pending = nil
+	if err != nil {
+		m.lastErr = err
+		m.logger.Debug("oauth flow failed", "error", err)
+	} else {
+		m.lastErr = nil
+		// Config.TokenSource returns a ReuseTokenSource that refreshes expired
+		// tokens using the refresh token — this is what makes GitHub App
+		// (expiring) tokens work transparently. The refresh uses a bounded HTTP
+		// client so a stalled token endpoint can't block a tool call forever.
+		refreshCtx := context.WithValue(context.Background(), oauth2.HTTPClient, &http.Client{Timeout: tokenRefreshTimeout})
+		m.source = m.refreshConfig.TokenSource(refreshCtx, tok)
+		m.refreshErrLogged = false
+		m.logger.Info("github authorization complete")
+	}
+	if m.done != nil {
+		close(m.done)
+		m.done = nil
+	}
+}
+
+// joinWait blocks until the running flow finishes or ctx is cancelled. If the
+// flow was promoted to the manual channel while waiting (its prompt could not be
+// delivered), it returns that user action rather than an error.
+func (m *Manager) joinWait(ctx context.Context, done chan struct{}) (*Outcome, error) {
+	select {
+	case <-done:
+		if m.AccessToken() != "" {
+			return nil, nil
+		}
+		m.mu.Lock()
+		pending := m.pending
+		err := m.lastErr
+		m.mu.Unlock()
+		if pending != nil {
+			return &Outcome{UserAction: pending}, nil
+		}
+		if err != nil {
+			return nil, err
+		}
+		return nil, errors.New("authorization did not complete")
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	}
+}
+
+func (m *Manager) oauth2Config(redirectURL string) *oauth2.Config {
+	return &oauth2.Config{
+		ClientID:     m.config.ClientID,
+		ClientSecret: m.config.ClientSecret,
+		RedirectURL:  redirectURL,
+		Scopes:       m.config.Scopes,
+		Endpoint:     m.config.Endpoint,
+	}
+}
diff --git a/internal/oauth/manager_test.go b/internal/oauth/manager_test.go
new file mode 100644
index 0000000000..6f43c03ef9
--- /dev/null
+++ b/internal/oauth/manager_test.go
@@ -0,0 +1,321 @@
+package oauth
+
+import (
+	"context"
+	"errors"
+	"net"
+	"strconv"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// newManager wires a Manager to the fake GitHub server. By default the browser
+// auto-opens (driving the callback) and Docker detection is off.
+func newManager(t *testing.T, f *fakeGitHub) *Manager {
+	t.Helper()
+	cfg := Config{
+		ClientID:     "client-id",
+		ClientSecret: "client-secret",
+		Scopes:       []string{"repo"},
+		Endpoint:     f.endpoint(),
+	}
+	m := NewManager(cfg, testLogger())
+	m.openURL = browserGet
+	m.inDocker = func() bool { return false }
+	return m
+}
+
+func TestAuthenticatePKCEViaBrowser(t *testing.T) {
+	f := newFakeGitHub(t)
+	m := newManager(t, f)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	out, err := m.Authenticate(ctx, nil)
+	require.NoError(t, err)
+	assert.Nil(t, out, "browser flow completes without a user action")
+	assert.Equal(t, "gho_access", m.AccessToken())
+
+	// PKCE must have been exercised end to end.
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	assert.Equal(t, "S256", f.codeChallengeMethod)
+	assert.NotEmpty(t, f.codeChallenge, "authorize must receive a code_challenge")
+	assert.NotEmpty(t, f.codeVerifier, "token exchange must send a code_verifier")
+	assert.Equal(t, []string{"authorization_code"}, f.grants)
+}
+
+func TestAuthenticateRefreshesExpiringGitHubAppToken(t *testing.T) {
+	f := newFakeGitHub(t)
+	// GitHub App: the initial token expires immediately and carries a refresh
+	// token, so the very next read must refresh transparently.
+	f.authToken = "ghu_initial"
+	f.authRefresh = "ghr_refresh"
+	f.authExpires = 1
+	f.refreshToken = "ghu_refreshed"
+	f.refreshExpires = 3600
+
+	m := newManager(t, f)
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	_, err := m.Authenticate(ctx, nil)
+	require.NoError(t, err)
+
+	assert.Equal(t, "ghu_refreshed", m.AccessToken(), "expired token must be refreshed")
+	assert.Equal(t, []string{"authorization_code", "refresh_token"}, f.recordedGrants())
+}
+
+func TestAuthenticateURLElicitation(t *testing.T) {
+	f := newFakeGitHub(t)
+	m := newManager(t, f)
+	m.openURL = func(string) error { return errors.New("no browser") }
+
+	prompter := &fakePrompter{
+		urlCapable: true,
+		onURL: func(_ context.Context, p Prompt) error {
+			return browserGet(p.URL) // user opens the URL and authorizes
+		},
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	out, err := m.Authenticate(ctx, prompter)
+	require.NoError(t, err)
+	assert.Nil(t, out)
+	assert.Equal(t, "gho_access", m.AccessToken())
+
+	prompter.mu.Lock()
+	defer prompter.mu.Unlock()
+	require.Len(t, prompter.urlCalls, 1)
+	assert.NotEmpty(t, prompter.urlCalls[0].URL)
+}
+
+func TestAuthenticateDeclinedPromptFails(t *testing.T) {
+	f := newFakeGitHub(t)
+	m := newManager(t, f)
+	m.openURL = func(string) error { return errors.New("no browser") }
+
+	prompter := &fakePrompter{
+		urlCapable: true,
+		onURL: func(_ context.Context, _ Prompt) error {
+			return ErrPromptDeclined
+		},
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	_, err := m.Authenticate(ctx, prompter)
+	require.Error(t, err, "declining the prompt must abort the flow")
+	assert.Empty(t, m.AccessToken())
+}
+
+func TestAuthenticateUndeliverablePromptFallsBack(t *testing.T) {
+	f := newFakeGitHub(t)
+	m := newManager(t, f)
+	m.openURL = func(string) error { return errors.New("no browser") }
+
+	// The client advertised URL elicitation but delivering the prompt fails (a
+	// transport/protocol error, not a user decision). This must degrade to the
+	// manual instructions rather than aborting like a decline does.
+	prompter := &fakePrompter{
+		urlCapable: true,
+		onURL: func(_ context.Context, _ Prompt) error {
+			return ErrPromptUnavailable
+		},
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	out, err := m.Authenticate(ctx, prompter)
+	require.NoError(t, err, "an undeliverable prompt must not abort the flow")
+	require.NotNil(t, out)
+	require.NotNil(t, out.UserAction, "an undeliverable prompt must fall back to a user action")
+	assert.NotEmpty(t, out.UserAction.URL)
+	assert.Contains(t, out.UserAction.Message, securityAdvisory)
+
+	// A concurrent retry while awaiting the user returns the same fallback action.
+	out2, err := m.Authenticate(ctx, nil)
+	require.NoError(t, err)
+	require.NotNil(t, out2.UserAction)
+	assert.Equal(t, out.UserAction.URL, out2.UserAction.URL)
+
+	// The background flow stayed alive: opening the URL out of band completes it.
+	require.NoError(t, browserGet(out.UserAction.URL))
+	assert.Equal(t, "gho_access", waitForToken(t, m))
+}
+
+func TestAuthenticateLastDitchUserAction(t *testing.T) {
+	f := newFakeGitHub(t)
+	m := newManager(t, f)
+	m.openURL = func(string) error { return errors.New("no browser") }
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	// No browser and a nil prompter: the only channel left is a user action
+	// returned to the caller.
+	out, err := m.Authenticate(ctx, nil)
+	require.NoError(t, err)
+	require.NotNil(t, out)
+	require.NotNil(t, out.UserAction)
+	assert.NotEmpty(t, out.UserAction.URL)
+	assert.Contains(t, out.UserAction.Message, "open this URL")
+	assert.Contains(t, out.UserAction.Message, securityAdvisory,
+		"missing URL elicitation should trigger the security advisory")
+
+	// A concurrent retry while awaiting the user returns the same action, not a
+	// second flow.
+	out2, err := m.Authenticate(ctx, nil)
+	require.NoError(t, err)
+	require.NotNil(t, out2.UserAction)
+	assert.Equal(t, out.UserAction.URL, out2.UserAction.URL)
+
+	// The user opens the URL out of band; the background flow then completes.
+	require.NoError(t, browserGet(out.UserAction.URL))
+	assert.Equal(t, "gho_access", waitForToken(t, m))
+}
+
+func TestAuthenticateDeviceFlow(t *testing.T) {
+	f := newFakeGitHub(t)
+	f.deviceToken = "gho_device_token"
+	m := newManager(t, f)
+	// Inside Docker with a random port, PKCE is impossible, so the device flow
+	// is selected.
+	m.inDocker = func() bool { return true }
+	m.openURL = func(string) error { return errors.New("no browser") }
+
+	prompter := &fakePrompter{urlCapable: true} // shows the code, no action needed
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	out, err := m.Authenticate(ctx, prompter)
+	require.NoError(t, err)
+	assert.Nil(t, out)
+	assert.Equal(t, "gho_device_token", m.AccessToken())
+	assert.Contains(t, f.recordedGrants(), "urn:ietf:params:oauth:grant-type:device_code")
+}
+
+func TestAuthenticateDevicePollingPending(t *testing.T) {
+	f := newFakeGitHub(t)
+	f.deviceToken = "gho_device_token"
+	f.devicePending = 1 // one authorization_pending before success
+	m := newManager(t, f)
+	m.inDocker = func() bool { return true }
+	m.openURL = func(string) error { return errors.New("no browser") }
+
+	ctx, cancel := context.WithTimeout(context.Background(), 8*time.Second)
+	defer cancel()
+
+	_, err := m.Authenticate(ctx, &fakePrompter{urlCapable: true})
+	require.NoError(t, err)
+	assert.Equal(t, "gho_device_token", m.AccessToken())
+}
+
+func TestAuthenticateHeadlessPrefersDeviceFlow(t *testing.T) {
+	f := newFakeGitHub(t)
+	f.deviceToken = "gho_device_token"
+	m := newManager(t, f)
+	// A headless host (no display server) with a random callback port: a PKCE
+	// redirect to this machine's localhost is unreachable from a browser on
+	// another machine, so device flow must be chosen even though the client can
+	// elicit a URL (which would otherwise win over device flow).
+	m.openURL = func(string) error { return errNoDisplay }
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	out, err := m.Authenticate(ctx, &fakePrompter{urlCapable: true})
+	require.NoError(t, err)
+	assert.Nil(t, out)
+	assert.Equal(t, "gho_device_token", m.AccessToken())
+	grants := f.recordedGrants()
+	assert.Contains(t, grants, "urn:ietf:params:oauth:grant-type:device_code")
+	assert.NotContains(t, grants, "authorization_code",
+		"headless host must skip the unreachable PKCE authorization-code flow")
+}
+
+func TestAuthenticateFixedCallbackPortUnavailableIsFatal(t *testing.T) {
+	f := newFakeGitHub(t)
+	m := newManager(t, f)
+
+	// Occupy the fixed callback port so the OAuth listener cannot bind it. A held
+	// port could belong to another user's process that would receive the redirect,
+	// so the flow must fail loudly rather than quietly downgrade to device flow.
+	squatter, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	defer squatter.Close()
+	port := squatter.Addr().(*net.TCPAddr).Port
+	m.config.CallbackPort = port
+
+	// A browser that would have completed PKCE, proving the abort is caused by the
+	// unavailable port and not by a missing display channel.
+	m.openURL = browserGet
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	out, err := m.Authenticate(ctx, &fakePrompter{urlCapable: true})
+	require.Error(t, err)
+	assert.Nil(t, out)
+	assert.Contains(t, err.Error(), strconv.Itoa(port))
+	assert.Empty(t, m.AccessToken())
+	// The decisive check: no device-code grant was attempted, so the flow did not
+	// silently fall back when the deliberately chosen port was unavailable.
+	assert.Empty(t, f.recordedGrants(), "fixed-port bind failure must not fall back to device flow")
+}
+
+func TestAuthenticateNoTokenInitially(t *testing.T) {
+	f := newFakeGitHub(t)
+	m := newManager(t, f)
+	assert.False(t, m.HasToken())
+	assert.Empty(t, m.AccessToken())
+}
+
+func TestAuthenticateSingleFlight(t *testing.T) {
+	f := newFakeGitHub(t)
+	m := newManager(t, f)
+
+	// Hold the owner inside begin() (browser open blocks) so a concurrent caller
+	// observes the in-progress flow rather than starting its own.
+	entered := make(chan struct{})
+	release := make(chan struct{})
+	var once sync.Once
+	m.openURL = func(u string) error {
+		once.Do(func() { close(entered) })
+		<-release
+		return browserGet(u)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	ownerDone := make(chan error, 1)
+	go func() {
+		_, err := m.Authenticate(ctx, nil)
+		ownerDone <- err
+	}()
+
+	<-entered // owner is now mid-flow with status "starting"
+
+	out, err := m.Authenticate(ctx, nil)
+	require.NoError(t, err)
+	require.NotNil(t, out.UserAction)
+	assert.Contains(t, out.UserAction.Message, "already in progress")
+
+	close(release)
+	require.NoError(t, <-ownerDone)
+
+	assert.Equal(t, "gho_access", waitForToken(t, m))
+	// Exactly one authorization happened despite the concurrent callers.
+	assert.Equal(t, []string{"authorization_code"}, f.recordedGrants())
+}
diff --git a/internal/oauth/oauth.go b/internal/oauth/oauth.go
new file mode 100644
index 0000000000..dbf79f9975
--- /dev/null
+++ b/internal/oauth/oauth.go
@@ -0,0 +1,102 @@
+// Package oauth implements the user-facing OAuth 2.1 login flows the stdio
+// server uses to obtain a GitHub token without a pre-provisioned Personal
+// Access Token.
+//
+// It supports both GitHub OAuth Apps and GitHub Apps (user-to-server). The
+// only practical difference is that GitHub App user tokens expire and carry a
+// refresh token; this package always returns a refreshing [golang.org/x/oauth2.TokenSource]
+// so callers never have to special-case the app type.
+//
+// The package depends only on golang.org/x/oauth2 and the standard library. MCP
+// concerns (sessions, elicitation) are abstracted behind the [Prompter]
+// interface so the flows can be tested without a live client.
+package oauth
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"strings"
+
+	"golang.org/x/oauth2"
+)
+
+// Config describes an OAuth client and the GitHub endpoints it talks to.
+type Config struct {
+	ClientID     string
+	ClientSecret string
+	// Scopes requested during authorization. GitHub Apps ignore these (their
+	// access is governed by installed permissions); OAuth Apps honor them.
+	Scopes []string
+	// Endpoint holds the authorization, token, and device endpoints. Build one
+	// with [GitHubEndpoint].
+	Endpoint oauth2.Endpoint
+	// CallbackPort is the fixed local port for the PKCE callback server. Zero
+	// requests a random port, which is the secure default for native binaries
+	// but cannot be reached through Docker port mapping (see the Manager).
+	CallbackPort int
+}
+
+// NewGitHubConfig builds a Config for the given GitHub host. An empty host
+// targets github.com; otherwise the host may be a GHES or ghe.com hostname,
+// with or without a scheme.
+func NewGitHubConfig(clientID, clientSecret string, scopes []string, host string, callbackPort int) Config {
+	return Config{
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		Scopes:       scopes,
+		Endpoint:     GitHubEndpoint(host),
+		CallbackPort: callbackPort,
+	}
+}
+
+// GitHubEndpoint returns the OAuth authorization, token, and device endpoints
+// for a GitHub host. An empty host targets github.com.
+func GitHubEndpoint(host string) oauth2.Endpoint {
+	base := NormalizeHost(host)
+	return oauth2.Endpoint{
+		AuthURL:       base + "/login/oauth/authorize",
+		TokenURL:      base + "/login/oauth/access_token",
+		DeviceAuthURL: base + "/login/device/code",
+	}
+}
+
+// NormalizeHost turns a user-supplied host into a scheme+host base URL with no
+// trailing slash. The API subdomain is stripped because OAuth endpoints live on
+// the web host, not the API host (api.github.com -> github.com). An empty host
+// yields the github.com default, so callers can also use it to recognize the
+// default host (NormalizeHost(host) == "https://github.com").
+func NormalizeHost(host string) string {
+	host = strings.TrimSpace(host)
+	if host == "" {
+		return "https://github.com"
+	}
+
+	scheme := "https"
+	switch {
+	case strings.HasPrefix(host, "https://"):
+		host = strings.TrimPrefix(host, "https://")
+	case strings.HasPrefix(host, "http://"):
+		scheme = "http"
+		host = strings.TrimPrefix(host, "http://")
+	}
+
+	// Drop any path, query, or fragment; we only need scheme://host.
+	if i := strings.IndexAny(host, "/?#"); i >= 0 {
+		host = host[:i]
+	}
+
+	host = strings.TrimPrefix(host, "api.")
+
+	return fmt.Sprintf("%s://%s", scheme, host)
+}
+
+// randomState returns a cryptographically random URL-safe string used as the
+// OAuth state parameter (CSRF protection) and elicitation IDs.
+func randomState() (string, error) {
+	b := make([]byte, 16)
+	if _, err := rand.Read(b); err != nil {
+		return "", fmt.Errorf("generating random state: %w", err)
+	}
+	return base64.RawURLEncoding.EncodeToString(b), nil
+}
diff --git a/internal/oauth/oauth_test.go b/internal/oauth/oauth_test.go
new file mode 100644
index 0000000000..331dda1279
--- /dev/null
+++ b/internal/oauth/oauth_test.go
@@ -0,0 +1,64 @@
+package oauth
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNormalizeHost(t *testing.T) {
+	tests := []struct {
+		name string
+		host string
+		want string
+	}{
+		{"empty defaults to github.com", "", "https://github.com"},
+		{"bare host", "github.com", "https://github.com"},
+		{"https scheme preserved", "https://github.com", "https://github.com"},
+		{"http scheme preserved", "http://localhost:3000", "http://localhost:3000"},
+		{"api subdomain stripped", "api.github.com", "https://github.com"},
+		{"whitespace trimmed", "  github.com  ", "https://github.com"},
+		{"path and api stripped", "https://api.github.com/api/v3", "https://github.com"},
+		{"ghes host", "ghe.example.com", "https://ghe.example.com"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.want, NormalizeHost(tt.host))
+		})
+	}
+}
+
+func TestGitHubEndpoint(t *testing.T) {
+	ep := GitHubEndpoint("")
+	assert.Equal(t, "https://github.com/login/oauth/authorize", ep.AuthURL)
+	assert.Equal(t, "https://github.com/login/oauth/access_token", ep.TokenURL)
+	assert.Equal(t, "https://github.com/login/device/code", ep.DeviceAuthURL)
+
+	ghes := GitHubEndpoint("https://ghe.example.com")
+	assert.Equal(t, "https://ghe.example.com/login/oauth/authorize", ghes.AuthURL)
+}
+
+func TestNewGitHubConfig(t *testing.T) {
+	cfg := NewGitHubConfig("client", "secret", []string{"repo", "read:org"}, "", 8085)
+	assert.Equal(t, "client", cfg.ClientID)
+	assert.Equal(t, "secret", cfg.ClientSecret)
+	assert.Equal(t, []string{"repo", "read:org"}, cfg.Scopes)
+	assert.Equal(t, 8085, cfg.CallbackPort)
+	assert.Equal(t, GitHubEndpoint(""), cfg.Endpoint)
+}
+
+func TestRandomState(t *testing.T) {
+	s1, err := randomState()
+	require.NoError(t, err)
+	s2, err := randomState()
+	require.NoError(t, err)
+
+	assert.NotEqual(t, s1, s2, "state must be unique per call")
+	assert.NotContains(t, s1, "=", "state must be URL-safe without padding")
+	assert.NotContains(t, s1, "+")
+	assert.NotContains(t, s1, "/")
+	assert.GreaterOrEqual(t, len(s1), 22, "16 random bytes encode to 22 base64url chars")
+	assert.False(t, strings.ContainsAny(s1, " \t\n"))
+}
diff --git a/internal/oauth/prompter.go b/internal/oauth/prompter.go
new file mode 100644
index 0000000000..1d6aa6ec61
--- /dev/null
+++ b/internal/oauth/prompter.go
@@ -0,0 +1,65 @@
+package oauth
+
+import (
+	"context"
+	"errors"
+)
+
+// ErrPromptDeclined is returned by a Prompter when the user actively cancels or
+// declines the authorization prompt. It is a deliberate "no", so the flow stops
+// rather than falling back to another channel.
+var ErrPromptDeclined = errors.New("authorization declined by user")
+
+// ErrPromptUnavailable is returned by a Prompter when the prompt could not be
+// delivered at all — for example the client advertised an elicitation capability
+// but the request failed at the transport or protocol level. Unlike
+// ErrPromptDeclined it reflects no user decision, so the flow falls back to a
+// channel that needs no client capability instead of giving up.
+var ErrPromptUnavailable = errors.New("authorization prompt could not be delivered")
+
+// Prompt is the content shown to the user when asking them to authorize.
+type Prompt struct {
+	// Message is a human-readable instruction.
+	Message string
+	// URL is the authorization URL (PKCE) or device verification URI.
+	URL string
+	// UserCode is the device-flow code the user must enter, if any.
+	UserCode string
+}
+
+// Prompter presents authorization prompts to the user out of band from the LLM
+// context — for example via MCP elicitation. Keeping prompts out of the model's
+// context prevents the authorization URL (and any session-bound state) from
+// leaking into tool arguments or transcripts.
+//
+// A nil Prompter is valid and reports no capabilities, which drives the flow to
+// its last-resort channel. Implementations wrap a transport-specific client
+// (e.g. an MCP session); see the ghmcp adapter.
+type Prompter interface {
+	// CanPromptURL reports whether the client can display a URL securely via
+	// URL-mode elicitation.
+	CanPromptURL() bool
+
+	// PromptURL securely presents an authorization URL to the user and blocks
+	// until the user acknowledges, declines, or ctx is done. Returning nil means
+	// the prompt was shown (not that authorization completed); the caller waits
+	// for the OAuth flow itself to finish. It returns ErrPromptDeclined if the
+	// user declines or cancels, or ErrPromptUnavailable if the prompt could not
+	// be delivered.
+	PromptURL(ctx context.Context, p Prompt) error
+
+	// CanPromptForm reports whether the client supports form elicitation, used
+	// to display a device code when URL elicitation is unavailable.
+	CanPromptForm() bool
+
+	// PromptForm presents a textual acknowledgement prompt and blocks until the
+	// user responds. It returns ErrPromptDeclined if the user declines, or
+	// ErrPromptUnavailable if the prompt could not be delivered.
+	PromptForm(ctx context.Context, p Prompt) error
+}
+
+// canPromptURL reports URL support, tolerating a nil Prompter.
+func canPromptURL(p Prompter) bool { return p != nil && p.CanPromptURL() }
+
+// canPromptForm reports form support, tolerating a nil Prompter.
+func canPromptForm(p Prompter) bool { return p != nil && p.CanPromptForm() }
diff --git a/internal/oauth/templates/error.html b/internal/oauth/templates/error.html
new file mode 100644
index 0000000000..9d8146159a
--- /dev/null
+++ b/internal/oauth/templates/error.html
@@ -0,0 +1,60 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>Authorization Failed</title>
+<style>
+html, body { height: 100%; margin: 0; }
+body {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  min-height: 100vh;
+  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif;
+  background-color: #0d1117;
+  color: #e6edf3;
+}
+.card {
+  width: 500px;
+  background-color: #161b22;
+  border: 1px solid #30363d;
+  border-radius: 6px;
+  padding: 32px;
+  text-align: center;
+}
+.octicon { margin-bottom: 16px; }
+h1 {
+  font-size: 20px;
+  font-weight: 600;
+  margin: 0 0 12px 0;
+  color: #f85149;
+}
+p { font-size: 16px; color: #8b949e; margin: 16px 0 0 0; }
+.flash-error {
+  margin-top: 16px;
+  padding: 12px 16px;
+  background-color: rgba(248, 81, 73, 0.1);
+  border: 1px solid rgba(248, 81, 73, 0.4);
+  border-radius: 6px;
+}
+code {
+  font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, monospace;
+  font-size: 14px;
+  color: #f85149;
+}
+</style>
+</head>
+<body>
+<div class="card">
+  <svg class="octicon" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="80" height="80" fill="currentColor">
+    <path d="M8 0c4.42 0 8 3.58 8 8a8.013 8.013 0 0 1-5.45 7.59c-.4.08-.55-.17-.55-.38 0-.27.01-1.13.01-2.2 0-.75-.25-1.23-.54-1.48 1.78-.2 3.65-.88 3.65-3.95 0-.88-.31-1.59-.82-2.15.08-.2.36-1.02-.08-2.12 0 0-.67-.22-2.2.82-.64-.18-1.32-.27-2-.27-.68 0-1.36.09-2 .27-1.53-1.03-2.2-.82-2.2-.82-.44 1.1-.16 1.92-.08 2.12-.51.56-.82 1.28-.82 2.15 0 3.06 1.86 3.75 3.64 3.95-.23.2-.44.55-.51 1.07-.46.21-1.61.55-2.33-.66-.15-.24-.6-.83-1.23-.82-.67.01-.27.38.01.53.34.19.73.9.82 1.13.16.45.68 1.31 2.69.94 0 .67.01 1.3.01 1.49 0 .21-.15.45-.55.38A7.995 7.995 0 0 1 0 8c0-4.42 3.58-8 8-8Z"></path>
+  </svg>
+  <h1>Authorization Failed</h1>
+  <div class="flash-error">
+    <code>{{.ErrorMessage}}</code>
+  </div>
+  <p>You can close this window.</p>
+</div>
+</body>
+</html>
diff --git a/internal/oauth/templates/success.html b/internal/oauth/templates/success.html
new file mode 100644
index 0000000000..f3bcdadc96
--- /dev/null
+++ b/internal/oauth/templates/success.html
@@ -0,0 +1,56 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>Authorization Successful</title>
+<style>
+html, body { height: 100%; margin: 0; }
+body {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  min-height: 100vh;
+  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif;
+  background-color: #0d1117;
+  color: #e6edf3;
+}
+.card {
+  width: 500px;
+  background-color: #161b22;
+  border: 1px solid #30363d;
+  border-radius: 6px;
+  padding: 32px;
+  text-align: center;
+}
+.octicon { margin-bottom: 16px; }
+h1 {
+  font-size: 20px;
+  font-weight: 600;
+  margin: 0 0 12px 0;
+  color: #3fb950;
+}
+p { font-size: 16px; color: #8b949e; margin: 0; }
+.flash {
+  margin-top: 16px;
+  padding: 12px 16px;
+  background-color: rgba(56, 139, 253, 0.15);
+  border: 1px solid rgba(56, 139, 253, 0.4);
+  border-radius: 6px;
+}
+.flash p { font-size: 14px; }
+</style>
+</head>
+<body>
+<div class="card">
+  <svg class="octicon" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="80" height="80" fill="currentColor">
+    <path d="M8 0c4.42 0 8 3.58 8 8a8.013 8.013 0 0 1-5.45 7.59c-.4.08-.55-.17-.55-.38 0-.27.01-1.13.01-2.2 0-.75-.25-1.23-.54-1.48 1.78-.2 3.65-.88 3.65-3.95 0-.88-.31-1.59-.82-2.15.08-.2.36-1.02-.08-2.12 0 0-.67-.22-2.2.82-.64-.18-1.32-.27-2-.27-.68 0-1.36.09-2 .27-1.53-1.03-2.2-.82-2.2-.82-.44 1.1-.16 1.92-.08 2.12-.51.56-.82 1.28-.82 2.15 0 3.06 1.86 3.75 3.64 3.95-.23.2-.44.55-.51 1.07-.46.21-1.61.55-2.33-.66-.15-.24-.6-.83-1.23-.82-.67.01-.27.38.01.53.34.19.73.9.82 1.13.16.45.68 1.31 2.69.94 0 .67.01 1.3.01 1.49 0 .21-.15.45-.55.38A7.995 7.995 0 0 1 0 8c0-4.42 3.58-8 8-8Z"></path>
+  </svg>
+  <h1>Authorization Successful</h1>
+  <p>You have successfully authorized the GitHub MCP Server.</p>
+  <div class="flash">
+    <p>You can close this window and retry your request.</p>
+  </div>
+</div>
+</body>
+</html>
diff --git a/internal/oauth/testutil_test.go b/internal/oauth/testutil_test.go
new file mode 100644
index 0000000000..dc34c3841c
--- /dev/null
+++ b/internal/oauth/testutil_test.go
@@ -0,0 +1,216 @@
+package oauth
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"log/slog"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"sync"
+	"testing"
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+// fakeGitHub is an httptest-backed stand-in for GitHub's OAuth endpoints. It
+// implements the authorize redirect, the token endpoint (authorization_code,
+// refresh_token, and device_code grants), and the device-code endpoint, while
+// recording what it received so tests can assert on real protocol behavior
+// (PKCE challenge/verifier, grant sequence) rather than re-implementing it.
+type fakeGitHub struct {
+	*httptest.Server
+
+	mu                  sync.Mutex
+	grants              []string // grant_type of each token request, in order
+	codeChallenge       string
+	codeChallengeMethod string
+	codeVerifier        string
+	devicePending       int // number of authorization_pending responses before success
+
+	// Token values returned per grant. A positive expires field is sent as
+	// expires_in (and makes the token expiring/refreshable).
+	authToken      string
+	authRefresh    string
+	authExpires    int
+	refreshToken   string
+	refreshExpires int
+	deviceToken    string
+}
+
+func newFakeGitHub(t *testing.T) *fakeGitHub {
+	t.Helper()
+	f := &fakeGitHub{
+		authToken:   "gho_access",
+		deviceToken: "gho_device",
+	}
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/login/oauth/authorize", f.handleAuthorize)
+	mux.HandleFunc("/login/oauth/access_token", f.handleToken)
+	mux.HandleFunc("/login/device/code", f.handleDeviceCode)
+
+	f.Server = httptest.NewServer(mux)
+	t.Cleanup(f.Server.Close)
+	return f
+}
+
+func (f *fakeGitHub) endpoint() oauth2.Endpoint {
+	return oauth2.Endpoint{
+		AuthURL:       f.URL + "/login/oauth/authorize",
+		TokenURL:      f.URL + "/login/oauth/access_token",
+		DeviceAuthURL: f.URL + "/login/device/code",
+	}
+}
+
+func (f *fakeGitHub) handleAuthorize(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+	f.mu.Lock()
+	f.codeChallenge = q.Get("code_challenge")
+	f.codeChallengeMethod = q.Get("code_challenge_method")
+	f.mu.Unlock()
+
+	redirect := q.Get("redirect_uri") + "?code=authcode&state=" + url.QueryEscape(q.Get("state"))
+	http.Redirect(w, r, redirect, http.StatusFound)
+}
+
+func (f *fakeGitHub) handleToken(w http.ResponseWriter, r *http.Request) {
+	_ = r.ParseForm()
+	grant := r.Form.Get("grant_type")
+
+	f.mu.Lock()
+	f.grants = append(f.grants, grant)
+	switch grant {
+	case "authorization_code":
+		f.codeVerifier = r.Form.Get("code_verifier")
+		f.mu.Unlock()
+		writeToken(w, f.authToken, f.authRefresh, f.authExpires)
+	case "refresh_token":
+		f.mu.Unlock()
+		writeToken(w, f.refreshToken, "", f.refreshExpires)
+	case "urn:ietf:params:oauth:grant-type:device_code":
+		pending := f.devicePending
+		if pending > 0 {
+			f.devicePending--
+		}
+		f.mu.Unlock()
+		if pending > 0 {
+			writeJSON(w, http.StatusBadRequest, map[string]any{"error": "authorization_pending"})
+			return
+		}
+		writeToken(w, f.deviceToken, "", 0)
+	default:
+		f.mu.Unlock()
+		http.Error(w, "unsupported grant_type", http.StatusBadRequest)
+	}
+}
+
+func (f *fakeGitHub) handleDeviceCode(w http.ResponseWriter, _ *http.Request) {
+	writeJSON(w, http.StatusOK, map[string]any{
+		"device_code":      "devicecode",
+		"user_code":        "ABCD-1234",
+		"verification_uri": f.URL + "/device",
+		"expires_in":       900,
+		"interval":         1,
+	})
+}
+
+func (f *fakeGitHub) recordedGrants() []string {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	return append([]string(nil), f.grants...)
+}
+
+func writeToken(w http.ResponseWriter, access, refresh string, expiresIn int) {
+	body := map[string]any{
+		"access_token": access,
+		"token_type":   "bearer",
+	}
+	if refresh != "" {
+		body["refresh_token"] = refresh
+	}
+	if expiresIn != 0 {
+		body["expires_in"] = expiresIn
+	}
+	writeJSON(w, http.StatusOK, body)
+}
+
+func writeJSON(w http.ResponseWriter, status int, body map[string]any) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	_ = json.NewEncoder(w).Encode(body)
+}
+
+// fakePrompter is a configurable Prompter. The on* hooks simulate the user
+// acting on the prompt; a nil hook means the prompt is shown and acknowledged.
+type fakePrompter struct {
+	urlCapable  bool
+	formCapable bool
+	onURL       func(context.Context, Prompt) error
+	onForm      func(context.Context, Prompt) error
+
+	mu       sync.Mutex
+	urlCalls []Prompt
+}
+
+func (p *fakePrompter) CanPromptURL() bool { return p.urlCapable }
+
+func (p *fakePrompter) PromptURL(ctx context.Context, prompt Prompt) error {
+	p.mu.Lock()
+	p.urlCalls = append(p.urlCalls, prompt)
+	p.mu.Unlock()
+	if p.onURL != nil {
+		return p.onURL(ctx, prompt)
+	}
+	return nil
+}
+
+func (p *fakePrompter) CanPromptForm() bool { return p.formCapable }
+
+func (p *fakePrompter) PromptForm(ctx context.Context, prompt Prompt) error {
+	if p.onForm != nil {
+		return p.onForm(ctx, prompt)
+	}
+	return nil
+}
+
+// browserGet simulates a user completing the authorization-code flow by opening
+// the URL: it follows the authorize redirect to the local callback, delivering
+// the code to the manager's callback server. Used both as an openURL seam and
+// inside prompter hooks.
+func browserGet(rawurl string) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, rawurl, nil)
+	if err != nil {
+		return err
+	}
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return err
+	}
+	_, _ = io.Copy(io.Discard, resp.Body)
+	return resp.Body.Close()
+}
+
+func testLogger() *slog.Logger {
+	return slog.New(slog.NewTextHandler(io.Discard, nil))
+}
+
+// waitForToken polls until the manager has a token or the deadline passes. The
+// authorization-code flow completes asynchronously after the callback fires, so
+// tests wait for the resulting token rather than sleeping a fixed duration.
+func waitForToken(t *testing.T, m *Manager) string {
+	t.Helper()
+	deadline := time.Now().Add(3 * time.Second)
+	for time.Now().Before(deadline) {
+		if tok := m.AccessToken(); tok != "" {
+			return tok
+		}
+		time.Sleep(5 * time.Millisecond)
+	}
+	t.Fatal("timed out waiting for access token")
+	return ""
+}
diff --git a/pkg/github/server.go b/pkg/github/server.go
index 7ec5837c3a..627cc678b2 100644
--- a/pkg/github/server.go
+++ b/pkg/github/server.go
@@ -68,6 +68,11 @@ type MCPServerConfig struct {
 	// This is used for PAT scope filtering where we can't issue scope challenges.
 	TokenScopes []string
 
+	// TokenProvider, when non-nil, supplies the GitHub token for each API
+	// request instead of the static Token. It backs OAuth login, where the
+	// token is obtained lazily on first use and refreshed thereafter.
+	TokenProvider func() string
+
 	// Additional server options to apply
 	ServerOptions []MCPServerOption
 }
diff --git a/pkg/http/oauth/oauth.go b/pkg/http/oauth/oauth.go
index ffa7669a9d..f7ffe67e6b 100644
--- a/pkg/http/oauth/oauth.go
+++ b/pkg/http/oauth/oauth.go
@@ -19,7 +19,13 @@ const (
 	OAuthProtectedResourcePrefix = "/.well-known/oauth-protected-resource"
 )
 
-// SupportedScopes lists all OAuth scopes that may be required by MCP tools.
+// SupportedScopes lists every OAuth scope that an MCP tool may require. It is the
+// source of truth in two places: HTTP mode advertises it as scopes_supported in
+// the protected-resource metadata, and stdio OAuth login requests it by default
+// and then filters the exposed tools to the granted scopes. A tool whose required
+// scope is absent here is therefore hidden under default OAuth even though a PAT
+// carrying that scope would expose it, so keep this list in sync with tool scope
+// requirements when scopes change.
 var SupportedScopes = []string{
 	"repo",
 	"read:org",
diff --git a/pkg/http/transport/bearer.go b/pkg/http/transport/bearer.go
index 66922bbdaa..0c12ddfc91 100644
--- a/pkg/http/transport/bearer.go
+++ b/pkg/http/transport/bearer.go
@@ -11,11 +11,25 @@ import (
 type BearerAuthTransport struct {
 	Transport http.RoundTripper
 	Token     string
+
+	// TokenProvider, when non-nil, supplies the bearer token for each request
+	// and takes precedence over Token. It backs OAuth, where the token is
+	// obtained after the client is built and is refreshed over the session's
+	// lifetime. It may return an empty string before authorization completes.
+	TokenProvider func() string
 }
 
 func (t *BearerAuthTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 	req = req.Clone(req.Context())
-	req.Header.Set(headers.AuthorizationHeader, "Bearer "+t.Token)
+	token := t.Token
+	if t.TokenProvider != nil {
+		token = t.TokenProvider()
+	}
+	// Before OAuth authorization completes the token is empty; send an
+	// unauthenticated request rather than an empty "Bearer " header.
+	if token != "" {
+		req.Header.Set(headers.AuthorizationHeader, "Bearer "+token)
+	}
 
 	// Check for GraphQL-Features in context and add header if present
 	if features := ghcontext.GetGraphQLFeatures(req.Context()); len(features) > 0 {
diff --git a/pkg/http/transport/bearer_test.go b/pkg/http/transport/bearer_test.go
new file mode 100644
index 0000000000..76ef8686cd
--- /dev/null
+++ b/pkg/http/transport/bearer_test.go
@@ -0,0 +1,164 @@
+package transport
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	ghcontext "github.com/github/github-mcp-server/pkg/context"
+	"github.com/github/github-mcp-server/pkg/http/headers"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBearerAuthTransport(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name          string
+		token         string
+		tokenProvider func() string
+		wantAuth      string
+	}{
+		{
+			name:     "static token",
+			token:    "static-token",
+			wantAuth: "Bearer static-token",
+		},
+		{
+			name:          "token provider takes precedence over static token",
+			token:         "static-token",
+			tokenProvider: func() string { return "provided-token" },
+			wantAuth:      "Bearer provided-token",
+		},
+		{
+			name:          "token provider with empty static token",
+			tokenProvider: func() string { return "provided-token" },
+			wantAuth:      "Bearer provided-token",
+		},
+		{
+			name:          "token provider may return empty before authorization",
+			tokenProvider: func() string { return "" },
+			wantAuth:      "",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var gotAuth string
+			server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				gotAuth = r.Header.Get(headers.AuthorizationHeader)
+				w.WriteHeader(http.StatusOK)
+			}))
+			defer server.Close()
+
+			rt := &BearerAuthTransport{
+				Transport:     http.DefaultTransport,
+				Token:         tc.token,
+				TokenProvider: tc.tokenProvider,
+			}
+
+			req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, server.URL, nil)
+			require.NoError(t, err)
+
+			resp, err := rt.RoundTrip(req)
+			require.NoError(t, err)
+			defer resp.Body.Close()
+
+			assert.Equal(t, tc.wantAuth, gotAuth)
+		})
+	}
+}
+
+// TestBearerAuthTransport_TokenProviderResolvedPerRequest verifies that the
+// token provider is consulted on every request, so a token that arrives (or is
+// refreshed) after the transport is constructed takes effect without rebuilding
+// the client. This is the property OAuth relies on.
+func TestBearerAuthTransport_TokenProviderResolvedPerRequest(t *testing.T) {
+	t.Parallel()
+
+	var gotAuth string
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		gotAuth = r.Header.Get(headers.AuthorizationHeader)
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+
+	current := ""
+	rt := &BearerAuthTransport{
+		Transport:     http.DefaultTransport,
+		TokenProvider: func() string { return current },
+	}
+
+	do := func() {
+		req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, server.URL, nil)
+		require.NoError(t, err)
+		resp, err := rt.RoundTrip(req)
+		require.NoError(t, err)
+		defer resp.Body.Close()
+	}
+
+	do()
+	assert.Equal(t, "", gotAuth, "no auth header before authorization")
+
+	current = "first-token"
+	do()
+	assert.Equal(t, "Bearer first-token", gotAuth, "token picked up once available")
+
+	current = "refreshed-token"
+	do()
+	assert.Equal(t, "Bearer refreshed-token", gotAuth, "refreshed token picked up")
+}
+
+func TestBearerAuthTransport_PassesGraphQLFeaturesHeader(t *testing.T) {
+	t.Parallel()
+
+	var gotFeatures string
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		gotFeatures = r.Header.Get(headers.GraphQLFeaturesHeader)
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+
+	rt := &BearerAuthTransport{
+		Transport: http.DefaultTransport,
+		Token:     "token",
+	}
+
+	ctx := ghcontext.WithGraphQLFeatures(context.Background(), "feature1", "feature2")
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, server.URL, nil)
+	require.NoError(t, err)
+
+	resp, err := rt.RoundTrip(req)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	assert.Equal(t, "feature1, feature2", gotFeatures)
+}
+
+func TestBearerAuthTransport_DoesNotMutateOriginalRequest(t *testing.T) {
+	t.Parallel()
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+
+	rt := &BearerAuthTransport{
+		Transport: http.DefaultTransport,
+		Token:     "token",
+	}
+
+	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, server.URL, nil)
+	require.NoError(t, err)
+
+	resp, err := rt.RoundTrip(req)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	assert.Empty(t, req.Header.Get(headers.AuthorizationHeader), "original request must not be mutated")
+}
diff --git a/server.json b/server.json
index 15fdf47bdb..c77e98ef54 100644
--- a/server.json
+++ b/server.json
@@ -16,15 +16,27 @@
         "type": "stdio"
       },
       "runtimeArguments": [
+        {
+          "type": "named",
+          "name": "-p",
+          "description": "Publish the OAuth callback port to loopback so the in-container login callback is reachable",
+          "value": "127.0.0.1:8085:8085"
+        },
+        {
+          "type": "named",
+          "name": "-e",
+          "description": "Fixed OAuth callback port, matching the published port above",
+          "value": "GITHUB_OAUTH_CALLBACK_PORT=8085"
+        },
         {
           "type": "named",
           "name": "-e",
-          "description": "Set an environment variable in the runtime",
+          "description": "Optional GitHub Personal Access Token. Omit to log in with OAuth on first use.",
           "value": "GITHUB_PERSONAL_ACCESS_TOKEN={token}",
-          "isRequired": true,
+          "isRequired": false,
           "variables": {
             "token": {
-              "isRequired": true,
+              "isRequired": false,
               "isSecret": true,
               "format": "string"
             }