The smoke test requires an OAuth 2.1 access token. The embedded AS supports only the authorization code (+ PKCE) and refresh token grants, so curl cannot fetch a token unattended. Get one once via the browser, then export it.
Quick way to obtain an OWNSONA_ACCESS_TOKEN for testing:
OWNSONA_LOGIN_USERNAME / OWNSONA_LOGIN_PASSWORD, click
Allow on the consent page, and the client stores the access
token in its local config. Copy that token out.
/oauth/register, /oauth/authorize, and
/oauth/token. With the default config, the AS issues tokens
with aud = <OAuthAuthorizationServer> and the RS validates
against the same value, so the resource= parameter (RFC 8707)
can be omitted.
Then a single MCP initialize call:
export OWNSONA_ACCESS_TOKEN="eyJhbGciOiJSUzI1NiIs..."
curl -sS -X POST https://<your-host>/mcp \
-H "Authorization: Bearer $OWNSONA_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}'
Expected:
{"result":{"capabilities":{"tools":{"listChanged":false}},
"serverInfo":{"name":"ownsona-mcp","version":"1.0.0"},
"protocolVersion":"2025-06-18"},"id":1,"jsonrpc":"2.0"}
A 401 means the token is missing, malformed, expired, or signed by
a different AS key than the one in the current oauth.ini.
The 401 response carries an RFC 6750 / RFC 9728
WWW-Authenticate header that points clients at the
resource-metadata document. A connection refused/reset generally
means Tomcat failed to bind 443 — check
journalctl -u ownsona.service.
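An added example, not part of the ownsona project: a local pre-check that decodes the token's claims to narrow down which of the 401 causes above applies before retrying. It assumes the token is a JWT carrying the standard exp claim and takes the expected audience (the OAuthAuthorizationServer value) as an argument; the function names and sample values are constructed, and the signature is not verified.

```python
import base64
import json
import time


def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def triage_token(token, expected_aud, now=None):
    """Return local findings that would explain a 401 (empty list = none).

    The signature is NOT checked: a token with no findings can still be
    rejected if it was signed by a different AS key than the current one.
    """
    now = time.time() if now is None else now
    parts = token.strip().split(".")
    if len(parts) != 3:
        return ["malformed: expected 3 dot-separated segments, got %d" % len(parts)]
    try:
        header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["malformed: header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["malformed: header or payload is not a JSON object"]
    findings = []
    exp = claims.get("exp")  # assumption: the AS sets the standard exp claim
    if not isinstance(exp, (int, float)):
        findings.append("no numeric exp claim")
    elif exp <= now:
        findings.append("expired %d seconds ago" % (now - exp))
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        findings.append("aud %r does not include %r" % (aud, expected_aud))
    return findings


def constructed_token(claims):
    """Build a constructed, unsigned sample token for offline testing."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256"}), seg(claims), "constructed-signature"])


if __name__ == "__main__":
    aud = "https://as.example.test"  # placeholder for the OAuthAuthorizationServer value
    sample = constructed_token({"aud": aud, "exp": 2000})
    print(triage_token(sample, aud, now=2600))
```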
End-to-end exercise of every tool:
OWNSONA_ACCESS_TOKEN="..." /home/ownsona/ownsona/sql/smoke_test.sh https://<your-host>/mcp
Run the test suite:
sql/run_tests.sh # unit only
OWNSONA_TEST_DATABASE_URL="postgresql://ownsona:$PGPW@localhost:5432/ownsona_test" \
sql/run_tests.sh # also integration