SocketDev
diff --git a/‎README.md‎
Lines changed: 23 additions & 0 deletions b/‎README.md‎
Lines changed: 23 additions & 0 deletions
@@ -182,6 +182,29 @@ This approach automatically uses the latest version without requiring global ins
    MCP_HTTP_MODE=true SOCKET_API_KEY=your-api-key npx @socketsecurity/mcp@latest --http
    ```
 
+   HTTP mode supports these environment variables:
+
+   | Variable | Required | Default | Description |
+   |---|---|---|---|
+   | `SOCKET_API_KEY` | Required unless OAuth is enabled | None | Socket API key used for outbound API calls. |
+   | `SOCKET_OAUTH_ISSUER` | Set together with the two introspection vars to enable OAuth | None | OAuth issuer URL used for metadata discovery and incoming bearer-token validation. |
+   | `SOCKET_OAUTH_INTROSPECTION_CLIENT_ID` | With OAuth | None | Client ID used for token introspection. |
+   | `SOCKET_OAUTH_INTROSPECTION_CLIENT_SECRET` | With OAuth | None | Client secret used for token introspection. |
+   | `SOCKET_OAUTH_REQUIRED_SCOPES` | No | `packages:list` | Space-delimited scopes required on incoming access tokens. |
+   | `SOCKET_API_URL` | No | Production Socket API URL, or localhost when `SOCKET_DEBUG=true` | Override the upstream Socket API endpoint. Useful for local development and testing. |
+   | `SOCKET_DEBUG` | No | `false` | Switches the default upstream Socket API endpoint to localhost when `SOCKET_API_URL` is unset. |
+   | `MCP_PORT` | No | `3000` | Port to bind the HTTP server to. |
+
+   To enable OAuth-backed auth for incoming MCP requests:
+
+   ```bash
+   MCP_HTTP_MODE=true \
+   SOCKET_OAUTH_ISSUER=https://issuer.example.com \
+   SOCKET_OAUTH_INTROSPECTION_CLIENT_ID=your-client-id \
+   SOCKET_OAUTH_INTROSPECTION_CLIENT_SECRET=your-client-secret \
+   npx @socketsecurity/mcp@latest --http
+   ```
+
 2. Configure your MCP client to connect to the HTTP server:
    ```json
    {