diff --git a/mcpgateway/admin.py b/mcpgateway/admin.py
index f6220aa71..e239210dc 100644
--- a/mcpgateway/admin.py
+++ b/mcpgateway/admin.py
@@ -5774,6 +5774,8 @@ async def admin_add_gateway(request: Request, db: Session = Depends(get_db), use
             oauth_redirect_uri = str(form.get("oauth_redirect_uri", ""))
             oauth_client_id = str(form.get("oauth_client_id", ""))
             oauth_client_secret = str(form.get("oauth_client_secret", ""))
+            oauth_username = str(form.get("oauth_username", ""))
+            oauth_password = str(form.get("oauth_password", ""))
             oauth_scopes_str = str(form.get("oauth_scopes", ""))
 
             # If any OAuth field is provided, assemble oauth_config
@@ -5797,6 +5799,12 @@ async def admin_add_gateway(request: Request, db: Session = Depends(get_db), use
                     encryption = get_oauth_encryption(settings.auth_encryption_secret)
                     oauth_config["client_secret"] = encryption.encrypt_secret(oauth_client_secret)
 
+                # Add username and password for password grant type
+                if oauth_username:
+                    oauth_config["username"] = oauth_username
+                if oauth_password:
+                    oauth_config["password"] = oauth_password
+
                 # Parse scopes (comma or space separated)
                 if oauth_scopes_str:
                     scopes = [s.strip() for s in oauth_scopes_str.replace(",", " ").split() if s.strip()]
@@ -6077,6 +6085,8 @@ async def admin_edit_gateway(
             oauth_redirect_uri = str(form.get("oauth_redirect_uri", ""))
             oauth_client_id = str(form.get("oauth_client_id", ""))
             oauth_client_secret = str(form.get("oauth_client_secret", ""))
+            oauth_username = str(form.get("oauth_username", ""))
+            oauth_password = str(form.get("oauth_password", ""))
             oauth_scopes_str = str(form.get("oauth_scopes", ""))
 
             # If any OAuth field is provided, assemble oauth_config
@@ -6100,6 +6110,12 @@ async def admin_edit_gateway(
                     encryption = get_oauth_encryption(settings.auth_encryption_secret)
                     oauth_config["client_secret"] = encryption.encrypt_secret(oauth_client_secret)
 
+                # Add username and password for password grant type
+                if oauth_username:
+                    oauth_config["username"] = oauth_username
+                if oauth_password:
+                    oauth_config["password"] = oauth_password
+
                 # Parse scopes (comma or space separated)
                 if oauth_scopes_str:
                     scopes = [s.strip() for s in oauth_scopes_str.replace(",", " ").split() if s.strip()]
diff --git a/mcpgateway/services/oauth_manager.py b/mcpgateway/services/oauth_manager.py
index a7cd7a9d4..0678dad93 100644
--- a/mcpgateway/services/oauth_manager.py
+++ b/mcpgateway/services/oauth_manager.py
@@ -182,6 +182,8 @@ async def get_access_token(self, credentials: Dict[str, Any]) -> str:
 
         if grant_type == "client_credentials":
             return await self._client_credentials_flow(credentials)
+        if grant_type == "password":
+            return await self._password_flow(credentials)
         if grant_type == "authorization_code":
             # For authorization code flow in gateway initialization, we need to handle this differently
             # Since this is called during gateway setup, we'll try to use client credentials as fallback
@@ -282,6 +284,105 @@ async def _client_credentials_flow(self, credentials: Dict[str, Any]) -> str:
         # This should never be reached due to the exception above, but needed for type safety
         raise OAuthError("Failed to obtain access token after all retry attempts")
 
+    async def _password_flow(self, credentials: Dict[str, Any]) -> str:
+        """Resource Owner Password Credentials flow (RFC 6749 Section 4.3).
+
+        This flow is used when the application can directly handle the user's credentials,
+        such as with trusted first-party applications or legacy integrations like Keycloak.
+
+        Args:
+            credentials: OAuth configuration with client_id, optional client_secret, token_url, username, password
+
+        Returns:
+            Access token string
+
+        Raises:
+            OAuthError: If token acquisition fails after all retries
+        """
+        client_id = credentials.get("client_id")
+        client_secret = credentials.get("client_secret")
+        token_url = credentials["token_url"]
+        username = credentials.get("username")
+        password = credentials.get("password")
+        scopes = credentials.get("scopes", [])
+
+        if not username or not password:
+            raise OAuthError("Username and password are required for password grant type")
+
+        # Decrypt client secret if it's encrypted and present
+        if client_secret and len(client_secret) > 50:  # Simple heuristic: encrypted secrets are longer
+            try:
+                settings = get_settings()
+                encryption = get_oauth_encryption(settings.auth_encryption_secret)
+                decrypted_secret = encryption.decrypt_secret(client_secret)
+                if decrypted_secret:
+                    client_secret = decrypted_secret
+                    logger.debug("Successfully decrypted client secret")
+                else:
+                    logger.warning("Failed to decrypt client secret, using encrypted version")
+            except Exception as e:
+                logger.warning(f"Failed to decrypt client secret: {e}, using encrypted version")
+
+        # Prepare token request data
+        token_data = {
+            "grant_type": "password",
+            "username": username,
+            "password": password,
+        }
+
+        # Add client_id (required by most providers including Keycloak)
+        if client_id:
+            token_data["client_id"] = client_id
+
+        # Add client_secret if present (some providers require it, others don't)
+        if client_secret:
+            token_data["client_secret"] = client_secret
+
+        if scopes:
+            token_data["scope"] = " ".join(scopes) if isinstance(scopes, list) else scopes
+
+        # Fetch token with retries
+        for attempt in range(self.max_retries):
+            try:
+                async with aiohttp.ClientSession() as session:
+                    async with session.post(token_url, data=token_data, timeout=aiohttp.ClientTimeout(total=self.request_timeout)) as response:
+                        response.raise_for_status()
+
+                        # Handle both JSON and form-encoded responses
+                        content_type = response.headers.get("content-type", "")
+                        if "application/x-www-form-urlencoded" in content_type:
+                            # Parse form-encoded response
+                            text_response = await response.text()
+                            token_response = {}
+                            for pair in text_response.split("&"):
+                                if "=" in pair:
+                                    key, value = pair.split("=", 1)
+                                    token_response[key] = value
+                        else:
+                            # Try JSON response
+                            try:
+                                token_response = await response.json()
+                            except Exception as e:
+                                logger.warning(f"Failed to parse JSON response: {e}")
+                                # Fallback to text parsing
+                                text_response = await response.text()
+                                token_response = {"raw_response": text_response}
+
+                        if "access_token" not in token_response:
+                            raise OAuthError(f"No access_token in response: {token_response}")
+
+                        logger.info("Successfully obtained access token via password grant")
+                        return token_response["access_token"]
+
+            except aiohttp.ClientError as e:
+                logger.warning(f"Token request attempt {attempt + 1} failed: {str(e)}")
+                if attempt == self.max_retries - 1:
+                    raise OAuthError(f"Failed to obtain access token after {self.max_retries} attempts: {str(e)}")
+                await asyncio.sleep(2**attempt)  # Exponential backoff
+
+        # This should never be reached due to the exception above, but needed for type safety
+        raise OAuthError("Failed to obtain access token after all retry attempts")
+
     async def get_authorization_url(self, credentials: Dict[str, Any]) -> Dict[str, str]:
         """Get authorization URL for user delegation flow.
 
diff --git a/mcpgateway/static/admin.js b/mcpgateway/static/admin.js
index a089e50d2..6a5812b53 100644
--- a/mcpgateway/static/admin.js
+++ b/mcpgateway/static/admin.js
@@ -9306,6 +9306,8 @@ function handleAuthTypeChange() {
 function handleOAuthGrantTypeChange() {
     const grantType = this.value;
     const authCodeFields = safeGetElement("oauth-auth-code-fields-gw");
+    const usernameField = safeGetElement("oauth-username-field-gw");
+    const passwordField = safeGetElement("oauth-password-field-gw");
 
     if (authCodeFields) {
         if (grantType === "authorization_code") {
@@ -9333,11 +9335,48 @@ function handleOAuthGrantTypeChange() {
             });
         }
     }
+
+    // Handle password grant type fields
+    if (usernameField && passwordField) {
+        if (grantType === "password") {
+            usernameField.style.display = "block";
+            passwordField.style.display = "block";
+
+            // Make username and password required for password grant
+            const usernameInput = safeGetElement("oauth-username-gw");
+            const passwordInput = safeGetElement("oauth-password-gw");
+            if (usernameInput) {
+                usernameInput.required = true;
+            }
+            if (passwordInput) {
+                passwordInput.required = true;
+            }
+
+            console.log(
+                "Password grant flow selected - username and password are now required",
+            );
+        } else {
+            usernameField.style.display = "none";
+            passwordField.style.display = "none";
+
+            // Remove required validation for hidden fields
+            const usernameInput = safeGetElement("oauth-username-gw");
+            const passwordInput = safeGetElement("oauth-password-gw");
+            if (usernameInput) {
+                usernameInput.required = false;
+            }
+            if (passwordInput) {
+                passwordInput.required = false;
+            }
+        }
+    }
 }
 
 function handleEditOAuthGrantTypeChange() {
     const grantType = this.value;
     const authCodeFields = safeGetElement("oauth-auth-code-fields-gw-edit");
+    const usernameField = safeGetElement("oauth-username-field-edit");
+    const passwordField = safeGetElement("oauth-password-field-edit");
 
     if (authCodeFields) {
         if (grantType === "authorization_code") {
@@ -9365,6 +9404,41 @@ function handleEditOAuthGrantTypeChange() {
             });
         }
     }
+
+    // Handle password grant type fields
+    if (usernameField && passwordField) {
+        if (grantType === "password") {
+            usernameField.style.display = "block";
+            passwordField.style.display = "block";
+
+            // Make username and password required for password grant
+            const usernameInput = safeGetElement("oauth-username-gw-edit");
+            const passwordInput = safeGetElement("oauth-password-gw-edit");
+            if (usernameInput) {
+                usernameInput.required = true;
+            }
+            if (passwordInput) {
+                passwordInput.required = true;
+            }
+
+            console.log(
+                "Password grant flow selected - username and password are now required",
+            );
+        } else {
+            usernameField.style.display = "none";
+            passwordField.style.display = "none";
+
+            // Remove required validation for hidden fields
+            const usernameInput = safeGetElement("oauth-username-gw-edit");
+            const passwordInput = safeGetElement("oauth-password-gw-edit");
+            if (usernameInput) {
+                usernameInput.required = false;
+            }
+            if (passwordInput) {
+                passwordInput.required = false;
+            }
+        }
+    }
 }
 
 function setupSchemaModeHandlers() {
diff --git a/mcpgateway/templates/admin.html b/mcpgateway/templates/admin.html
index 2e42f1703..5c889ce02 100644
--- a/mcpgateway/templates/admin.html
+++ b/mcpgateway/templates/admin.html
@@ -4564,6 +4564,9 @@ <h3 class="text-lg font-bold mb-4 dark:text-gray-200">
                       <option value="client_credentials">
                         Client Credentials (Machine-to-Machine)
                       </option>
+                      <option value="password">
+                        Resource Owner Password Credentials (Keycloak/Legacy)
+                      </option>
                     </select>
                   </div>
 
@@ -4618,6 +4621,42 @@ <h3 class="text-lg font-bold mb-4 dark:text-gray-200">
                     </p>
                   </div>
 
+                  <div id="oauth-username-field-gw" style="display: none;">
+                    <label
+                      class="block text-sm font-medium text-gray-700 dark:text-gray-300"
+                    >
+                      Username <span class="text-red-500">*</span> <span class="text-gray-500">(for password grant)</span>
+                    </label>
+                    <input
+                      type="text"
+                      name="oauth_username"
+                      id="oauth-username-gw"
+                      class="mt-1 block w-full rounded-md border border-gray-300 dark:border-gray-700 shadow-sm focus:border-indigo-500 focus:ring-indigo-500 dark:bg-gray-900 dark:placeholder-gray-300 dark:text-gray-300"
+                      placeholder="systemadmin@system.com"
+                    />
+                    <p class="mt-1 text-sm text-gray-500">
+                      Required for Resource Owner Password Credentials grant type (Keycloak).
+                    </p>
+                  </div>
+
+                  <div id="oauth-password-field-gw" style="display: none;">
+                    <label
+                      class="block text-sm font-medium text-gray-700 dark:text-gray-300"
+                    >
+                      Password <span class="text-red-500">*</span> <span class="text-gray-500">(for password grant)</span>
+                    </label>
+                    <input
+                      type="password"
+                      name="oauth_password"
+                      id="oauth-password-gw"
+                      class="mt-1 block w-full rounded-md border border-gray-300 dark:border-gray-700 shadow-sm focus:border-indigo-500 focus:ring-indigo-500 dark:bg-gray-900 dark:placeholder-gray-300 dark:text-gray-300"
+                      placeholder="Enter password"
+                    />
+                    <p class="mt-1 text-sm text-gray-500">
+                      Required for Resource Owner Password Credentials grant type (Keycloak).
+                    </p>
+                  </div>
+
                   <div>
                     <label
                       class="block text-sm font-medium text-gray-700 dark:text-gray-300"
@@ -7252,6 +7291,9 @@ <h3 class="text-lg font-medium text-gray-900 dark:text-gray-100">
                             <option value="client_credentials">
                               Client Credentials (Machine-to-Machine)
                             </option>
+                            <option value="password">
+                              Resource Owner Password Credentials (Keycloak/Legacy)
+                            </option>
                           </select>
                         </div>
 
@@ -7312,6 +7354,42 @@ <h3 class="text-lg font-medium text-gray-900 dark:text-gray-100">
                           </p>
                         </div>
 
+                        <div id="oauth-username-field-edit" style="display: none;">
+                          <label
+                            class="block text-sm font-medium text-gray-700 dark:text-gray-300"
+                          >
+                            Username <span class="text-red-500">*</span> <span class="text-gray-500">(for password grant)</span>
+                          </label>
+                          <input
+                            type="text"
+                            name="oauth_username"
+                            id="oauth-username-gw-edit"
+                            class="mt-1 block w-full rounded-md border border-gray-300 shadow-sm focus:border-indigo-500 focus:ring-indigo-500 dark:bg-gray-900 dark:placeholder-gray-300 dark:text-gray-300"
+                            placeholder="systemadmin@system.com"
+                          />
+                          <p class="mt-1 text-sm text-gray-500">
+                            Required for Resource Owner Password Credentials grant type (Keycloak).
+                          </p>
+                        </div>
+
+                        <div id="oauth-password-field-edit" style="display: none;">
+                          <label
+                            class="block text-sm font-medium text-gray-700 dark:text-gray-300"
+                          >
+                            Password <span class="text-red-500">*</span> <span class="text-gray-500">(for password grant)</span>
+                          </label>
+                          <input
+                            type="password"
+                            name="oauth_password"
+                            id="oauth-password-gw-edit"
+                            class="mt-1 block w-full rounded-md border border-gray-300 shadow-sm focus:border-indigo-500 focus:ring-indigo-500 dark:bg-gray-900 dark:placeholder-gray-300 dark:text-gray-300"
+                            placeholder="Enter password"
+                          />
+                          <p class="mt-1 text-sm text-gray-500">
+                            Required for Resource Owner Password Credentials grant type (Keycloak).
+                          </p>
+                        </div>
+
                         <div>
                           <label
                             class="block text-sm font-medium text-gray-700 dark:text-gray-300"
diff --git a/tests/unit/mcpgateway/test_oauth_manager.py b/tests/unit/mcpgateway/test_oauth_manager.py
index 12768b31e..7c7ec8737 100644
--- a/tests/unit/mcpgateway/test_oauth_manager.py
+++ b/tests/unit/mcpgateway/test_oauth_manager.py
@@ -10,10 +10,10 @@
 # Standard
 from datetime import datetime, timedelta, timezone
 from unittest.mock import AsyncMock, MagicMock, Mock, patch
-from pydantic import SecretStr
 
 # Third-Party
 import aiohttp
+from pydantic import SecretStr
 import pytest
 
 # First-Party
@@ -42,15 +42,53 @@ def test_init_defaults(self):
     async def test_get_access_token_client_credentials_success(self):
         """Test successful client credentials flow."""
         manager = OAuthManager()
+        credentials = {"grant_type": "client_credentials", "client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token", "scopes": ["read", "write"]}
+
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
+            # Create mock session instance
+            mock_session_instance = MagicMock()
+
+            # Create mock post method
+            mock_post = MagicMock()
+            mock_session_instance.post = mock_post
+
+            # Create mock response
+            mock_response = MagicMock()
+            mock_response.status = 200
+            mock_response.json = AsyncMock(return_value={"access_token": "test_token_123"})
+            mock_response.raise_for_status = MagicMock()
+
+            # Async context manager for response
+            mock_response.__aenter__ = AsyncMock(return_value=mock_response)
+            mock_response.__aexit__ = AsyncMock(return_value=None)
+
+            # Post returns response
+            mock_post.return_value = mock_response
+
+            # Session instance context manager
+            mock_session_instance.__aenter__ = AsyncMock(return_value=mock_session_instance)
+            mock_session_instance.__aexit__ = AsyncMock(return_value=None)
+
+            mock_session_class.return_value = mock_session_instance
+
+            result = await manager.get_access_token(credentials)
+            assert result == "test_token_123"
+
+    @pytest.mark.asyncio
+    async def test_get_access_token_password_flow_success(self):
+        """Test successful password grant flow (Resource Owner Password Credentials)."""
+        manager = OAuthManager()
         credentials = {
-            "grant_type": "client_credentials",
+            "grant_type": "password",
             "client_id": "test_client",
             "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token",
-            "scopes": ["read", "write"]
+            "token_url": "https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token",
+            "username": "systemadmin@system.com",
+            "password": "test_password",
+            "scopes": ["openid", "profile"],
         }
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             # Create mock session instance
             mock_session_instance = MagicMock()
 
@@ -61,7 +99,8 @@ async def test_get_access_token_client_credentials_success(self):
             # Create mock response
             mock_response = MagicMock()
             mock_response.status = 200
-            mock_response.json = AsyncMock(return_value={"access_token": "test_token_123"})
+            mock_response.headers = {"content-type": "application/json"}
+            mock_response.json = AsyncMock(return_value={"access_token": "password_token_456", "token_type": "Bearer", "expires_in": 3600})
             mock_response.raise_for_status = MagicMock()
 
             # Async context manager for response
@@ -78,19 +117,72 @@ async def test_get_access_token_client_credentials_success(self):
             mock_session_class.return_value = mock_session_instance
 
             result = await manager.get_access_token(credentials)
-            assert result == "test_token_123"
+            assert result == "password_token_456"
+
+            # Verify the request was made with correct form data
+            mock_post.assert_called_once()
+            call_args = mock_post.call_args
+            assert call_args[0][0] == "https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token"
+            assert call_args[1]["data"]["grant_type"] == "password"
+            assert call_args[1]["data"]["username"] == "systemadmin@system.com"
+            assert call_args[1]["data"]["password"] == "test_password"
+            assert call_args[1]["data"]["client_id"] == "test_client"
 
     @pytest.mark.asyncio
-    async def test_get_access_token_unsupported_grant_type(self):
-        """Test error handling for unsupported grant type."""
+    async def test_get_access_token_password_flow_missing_credentials(self):
+        """Test password grant flow fails when username or password is missing."""
         manager = OAuthManager()
         credentials = {
-            "grant_type": "unsupported",
+            "grant_type": "password",
             "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token"
+            "token_url": "https://keycloak.example.com/token",
+            # Missing username and password
+        }
+
+        with pytest.raises(OAuthError, match="Username and password are required"):
+            await manager.get_access_token(credentials)
+
+    @pytest.mark.asyncio
+    async def test_get_access_token_password_flow_form_urlencoded_response(self):
+        """Test password grant flow with form-urlencoded response."""
+        manager = OAuthManager()
+        credentials = {
+            "grant_type": "password",
+            "token_url": "https://oauth.example.com/token",
+            "username": "user@example.com",
+            "password": "secret",
         }
 
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
+            mock_session_instance = MagicMock()
+            mock_post = MagicMock()
+            mock_session_instance.post = mock_post
+
+            mock_response = MagicMock()
+            mock_response.status = 200
+            mock_response.headers = {"content-type": "application/x-www-form-urlencoded"}
+            mock_response.text = AsyncMock(return_value="access_token=encoded_token_789&token_type=Bearer&expires_in=7200")
+            mock_response.raise_for_status = MagicMock()
+
+            mock_response.__aenter__ = AsyncMock(return_value=mock_response)
+            mock_response.__aexit__ = AsyncMock(return_value=None)
+
+            mock_post.return_value = mock_response
+
+            mock_session_instance.__aenter__ = AsyncMock(return_value=mock_session_instance)
+            mock_session_instance.__aexit__ = AsyncMock(return_value=None)
+
+            mock_session_class.return_value = mock_session_instance
+
+            result = await manager.get_access_token(credentials)
+            assert result == "encoded_token_789"
+
+    @pytest.mark.asyncio
+    async def test_get_access_token_unsupported_grant_type(self):
+        """Test error handling for unsupported grant type."""
+        manager = OAuthManager()
+        credentials = {"grant_type": "unsupported", "client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token"}
+
         with pytest.raises(ValueError, match="Unsupported grant type: unsupported"):
             await manager.get_access_token(credentials)
 
@@ -98,12 +190,7 @@ async def test_get_access_token_unsupported_grant_type(self):
     async def test_get_authorization_url_success(self):
         """Test successful authorization URL generation."""
         manager = OAuthManager()
-        credentials = {
-            "client_id": "test_client",
-            "redirect_uri": "https://gateway.example.com/callback",
-            "authorization_url": "https://oauth.example.com/authorize",
-            "scopes": ["read", "write"]
-        }
+        credentials = {"client_id": "test_client", "redirect_uri": "https://gateway.example.com/callback", "authorization_url": "https://oauth.example.com/authorize", "scopes": ["read", "write"]}
 
         result = await manager.get_authorization_url(credentials)
 
@@ -116,14 +203,9 @@ async def test_get_authorization_url_success(self):
     async def test_exchange_code_for_token_success(self):
         """Test successful code exchange for token."""
         manager = OAuthManager()
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/callback"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
@@ -144,7 +226,6 @@ async def test_exchange_code_for_token_success(self):
             result = await manager.exchange_code_for_token(credentials, "auth_code_123", "state_456")
             assert result == "exchanged_token_456"
 
-
     def test_oauth_error_inheritance(self):
         """Test that OAuthError inherits from Exception."""
         error = OAuthError("Test error")
@@ -155,15 +236,9 @@ def test_oauth_error_inheritance(self):
     async def test_get_access_token_authorization_code_fallback_success(self):
         """Test authorization code flow with client credentials fallback."""
         manager = OAuthManager()
-        credentials = {
-            "grant_type": "authorization_code",
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token",
-            "scopes": ["read", "write"]
-        }
+        credentials = {"grant_type": "authorization_code", "client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token", "scopes": ["read", "write"]}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
@@ -187,23 +262,16 @@ async def test_get_access_token_authorization_code_fallback_success(self):
     async def test_get_access_token_authorization_code_fallback_failure(self):
         """Test authorization code flow with client credentials fallback failure."""
         manager = OAuthManager()
-        credentials = {
-            "grant_type": "authorization_code",
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token"
-        }
+        credentials = {"grant_type": "authorization_code", "client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
 
             mock_response = MagicMock()
             mock_response.status = 401
-            mock_response.raise_for_status = MagicMock(side_effect=aiohttp.ClientResponseError(
-                request_info=MagicMock(), history=(), status=401, message="Unauthorized"
-            ))
+            mock_response.raise_for_status = MagicMock(side_effect=aiohttp.ClientResponseError(request_info=MagicMock(), history=(), status=401, message="Unauthorized"))
             mock_response.__aenter__ = AsyncMock(return_value=mock_response)
             mock_response.__aexit__ = AsyncMock(return_value=None)
 
@@ -223,24 +291,19 @@ async def test_client_credentials_flow_with_encrypted_secret(self):
         # Create a long secret that would be considered encrypted
         encrypted_secret = "a" * 60  # Longer than 50 chars
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": encrypted_secret,
-            "token_url": "https://oauth.example.com/token",
-            "scopes": ["read", "write"]
-        }
+        credentials = {"client_id": "test_client", "client_secret": encrypted_secret, "token_url": "https://oauth.example.com/token", "scopes": ["read", "write"]}
 
-        with patch('mcpgateway.services.oauth_manager.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.oauth_manager.get_settings") as mock_get_settings:
             mock_settings = Mock()
             mock_settings.auth_encryption_secret = "test_key"
             mock_get_settings.return_value = mock_settings
 
-            with patch('mcpgateway.services.oauth_manager.get_oauth_encryption') as mock_get_encryption:
+            with patch("mcpgateway.services.oauth_manager.get_oauth_encryption") as mock_get_encryption:
                 mock_encryption = Mock()
                 mock_encryption.decrypt_secret.return_value = "decrypted_secret"
                 mock_get_encryption.return_value = mock_encryption
 
-                with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+                with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
                     mock_session_instance = MagicMock()
                     mock_post = MagicMock()
                     mock_session_instance.post = mock_post
@@ -268,17 +331,13 @@ async def test_client_credentials_flow_encryption_error(self):
 
         encrypted_secret = "a" * 60  # Long secret
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": encrypted_secret,
-            "token_url": "https://oauth.example.com/token"
-        }
+        credentials = {"client_id": "test_client", "client_secret": encrypted_secret, "token_url": "https://oauth.example.com/token"}
 
-        with patch('mcpgateway.services.oauth_manager.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.oauth_manager.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             # Should fallback to using encrypted secret directly
-            with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+            with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
                 mock_session_instance = MagicMock()
                 mock_post = MagicMock()
                 mock_session_instance.post = mock_post
@@ -305,24 +364,20 @@ async def test_client_credentials_flow_decryption_returns_none(self):
 
         encrypted_secret = "a" * 60  # Long secret
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": encrypted_secret,
-            "token_url": "https://oauth.example.com/token"
-        }
+        credentials = {"client_id": "test_client", "client_secret": encrypted_secret, "token_url": "https://oauth.example.com/token"}
 
-        with patch('mcpgateway.services.oauth_manager.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.oauth_manager.get_settings") as mock_get_settings:
             mock_settings = Mock()
             mock_settings.auth_encryption_secret = "test_key"
             mock_get_settings.return_value = mock_settings
 
-            with patch('mcpgateway.services.oauth_manager.get_oauth_encryption') as mock_get_encryption:
+            with patch("mcpgateway.services.oauth_manager.get_oauth_encryption") as mock_get_encryption:
                 mock_encryption = Mock()
                 # Decryption returns None - line 108
                 mock_encryption.decrypt_secret.return_value = None
                 mock_get_encryption.return_value = mock_encryption
 
-                with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+                with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
                     mock_session_instance = MagicMock()
                     mock_post = MagicMock()
                     mock_session_instance.post = mock_post
@@ -349,13 +404,9 @@ async def test_client_credentials_flow_form_encoded_response(self):
         """Test client credentials flow with form-encoded response (lines 133-138)."""
         manager = OAuthManager()
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
@@ -382,13 +433,9 @@ async def test_client_credentials_flow_json_parse_failure(self):
         """Test client credentials flow when JSON parsing fails (lines 143-147)."""
         manager = OAuthManager()
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
@@ -417,13 +464,9 @@ async def test_client_credentials_flow_missing_access_token(self):
         """Test client credentials flow when response missing access_token (line 150)."""
         manager = OAuthManager()
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
@@ -450,13 +493,9 @@ async def test_client_credentials_flow_final_fallback_error(self):
         """Test client credentials flow final fallback error (line 162)."""
         manager = OAuthManager(max_retries=0)  # Zero retries to force fallback
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
@@ -476,13 +515,9 @@ async def test_client_credentials_flow_with_retries(self):
         """Test client credentials flow with retry logic."""
         manager = OAuthManager(max_retries=3)
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
@@ -490,9 +525,7 @@ async def test_client_credentials_flow_with_retries(self):
             # First two calls fail, third succeeds
             fail_response = MagicMock()
             fail_response.status = 500
-            fail_response.raise_for_status = MagicMock(side_effect=aiohttp.ClientResponseError(
-                request_info=MagicMock(), history=(), status=500, message="Server Error"
-            ))
+            fail_response.raise_for_status = MagicMock(side_effect=aiohttp.ClientResponseError(request_info=MagicMock(), history=(), status=500, message="Server Error"))
             fail_response.__aenter__ = AsyncMock(return_value=fail_response)
             fail_response.__aexit__ = AsyncMock(return_value=None)
 
@@ -508,7 +541,7 @@ async def test_client_credentials_flow_with_retries(self):
             mock_session_instance.__aexit__ = AsyncMock(return_value=None)
             mock_session_class.return_value = mock_session_instance
 
-            with patch('asyncio.sleep') as mock_sleep:
+            with patch("asyncio.sleep") as mock_sleep:
                 result = await manager._client_credentials_flow(credentials)
                 assert result == "retry_success_token"
                 assert mock_sleep.call_count == 2  # Should sleep before retries
@@ -518,22 +551,16 @@ async def test_client_credentials_flow_max_retries_exceeded(self):
         """Test client credentials flow when all retries are exhausted."""
         manager = OAuthManager(max_retries=1)
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
 
             fail_response = MagicMock()
             fail_response.status = 500
-            fail_response.raise_for_status = MagicMock(side_effect=aiohttp.ClientResponseError(
-                request_info=MagicMock(), history=(), status=500, message="Server Error"
-            ))
+            fail_response.raise_for_status = MagicMock(side_effect=aiohttp.ClientResponseError(request_info=MagicMock(), history=(), status=500, message="Server Error"))
             fail_response.__aenter__ = AsyncMock(return_value=fail_response)
             fail_response.__aexit__ = AsyncMock(return_value=None)
 
@@ -542,17 +569,18 @@ async def test_client_credentials_flow_max_retries_exceeded(self):
             mock_session_instance.__aexit__ = AsyncMock(return_value=None)
             mock_session_class.return_value = mock_session_instance
 
-            with patch('asyncio.sleep'):
+            with patch("asyncio.sleep"):
                 with pytest.raises(OAuthError, match="Failed to obtain access token after 1 attempts"):
                     await manager._client_credentials_flow(credentials)
 
     @pytest.mark.asyncio
     async def test_initiate_authorization_code_flow_success(self):
         """Test successful initiation of authorization code flow with PKCE."""
+        # Third-Party
         from pydantic import SecretStr
 
         # Mock settings to provide proper secret for HMAC
-        with patch('mcpgateway.services.oauth_manager.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.oauth_manager.get_settings") as mock_get_settings:
             mock_settings = Mock()
             mock_settings.auth_encryption_secret = SecretStr("test-secret-key-for-hmac")
             mock_get_settings.return_value = mock_settings
@@ -561,12 +589,7 @@ async def test_initiate_authorization_code_flow_success(self):
             manager = OAuthManager(token_storage=mock_token_storage)
 
             gateway_id = "gateway123"
-            credentials = {
-                "client_id": "test_client",
-                "authorization_url": "https://oauth.example.com/authorize",
-                "redirect_uri": "https://gateway.example.com/callback",
-                "scopes": ["read", "write"]
-            }
+            credentials = {"client_id": "test_client", "authorization_url": "https://oauth.example.com/authorize", "redirect_uri": "https://gateway.example.com/callback", "scopes": ["read", "write"]}
 
             result = await manager.initiate_authorization_code_flow(gateway_id, credentials, app_user_email="test@example.com")
 
@@ -583,13 +606,14 @@ async def test_initiate_authorization_code_flow_success(self):
     @pytest.mark.asyncio
     async def test_complete_authorization_code_flow_success(self):
         """Test successful completion of authorization code flow."""
+        # Standard
         import base64
-        import json
         import hashlib
         import hmac
+        import json
         from unittest.mock import patch
 
-        with patch('mcpgateway.services.oauth_manager.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.oauth_manager.get_settings") as mock_get_settings:
             mock_settings = Mock()
             mock_settings.auth_encryption_secret = SecretStr("test-secret-key")
             mock_get_settings.return_value = mock_settings
@@ -600,13 +624,10 @@ async def test_complete_authorization_code_flow_success(self):
             gateway_id = "gateway123"
             code = "auth_code_123"
             # Create state with new format and HMAC signature
+            # Standard
             from datetime import datetime, timezone
-            state_data = {
-                "gateway_id": "gateway123",
-                "app_user_email": "test@example.com",
-                "nonce": "state456",
-                "timestamp": datetime.now(timezone.utc).isoformat()
-            }
+
+            state_data = {"gateway_id": "gateway123", "app_user_email": "test@example.com", "nonce": "state456", "timestamp": datetime.now(timezone.utc).isoformat()}
             state_json = json.dumps(state_data, separators=(",", ":"))
             state_bytes = state_json.encode()
 
@@ -620,45 +641,38 @@ async def test_complete_authorization_code_flow_success(self):
 
             credentials = {"client_id": "test_client"}
 
-            token_response = {
-                "access_token": "access123",
-                "refresh_token": "refresh123",
-                "expires_in": 3600
-            }
+            token_response = {"access_token": "access123", "refresh_token": "refresh123", "expires_in": 3600}
 
             # Store the state with code_verifier (PKCE) to make it valid
             await manager._store_authorization_state(gateway_id, state, code_verifier="test_code_verifier_123")
 
-            with patch.object(manager, '_exchange_code_for_tokens') as mock_exchange:
-                    mock_exchange.return_value = token_response
+            with patch.object(manager, "_exchange_code_for_tokens") as mock_exchange:
+                mock_exchange.return_value = token_response
 
-                    with patch.object(manager, '_extract_user_id') as mock_extract_user:
-                        mock_extract_user.return_value = "user123"
+                with patch.object(manager, "_extract_user_id") as mock_extract_user:
+                    mock_extract_user.return_value = "user123"
 
-                        with patch.object(mock_token_storage, 'store_tokens', new_callable=AsyncMock) as mock_store_tokens:
-                            mock_token_record = Mock()
-                            mock_token_record.expires_at = None
-                            mock_store_tokens.return_value = mock_token_record
+                    with patch.object(mock_token_storage, "store_tokens", new_callable=AsyncMock) as mock_store_tokens:
+                        mock_token_record = Mock()
+                        mock_token_record.expires_at = None
+                        mock_store_tokens.return_value = mock_token_record
 
-                            result = await manager.complete_authorization_code_flow(gateway_id, code, state, credentials)
+                        result = await manager.complete_authorization_code_flow(gateway_id, code, state, credentials)
 
-                            expected = {
-                                "user_id": "user123",
-                                "expires_at": None,  # None because we set it to None in mock
-                                "success": True
-                            }
-                            assert result["user_id"] == expected["user_id"]
-                            assert result["success"] == expected["success"]
-                            assert result["expires_at"] == expected["expires_at"]
+                        expected = {"user_id": "user123", "expires_at": None, "success": True}  # None because we set it to None in mock
+                        assert result["user_id"] == expected["user_id"]
+                        assert result["success"] == expected["success"]
+                        assert result["expires_at"] == expected["expires_at"]
 
-                            # PKCE: Now includes code_verifier parameter
-                            mock_exchange.assert_called_once_with(credentials, code, code_verifier="test_code_verifier_123")
-                            mock_extract_user.assert_called_once_with(token_response, credentials)
-                            mock_store_tokens.assert_called_once()
+                        # PKCE: Now includes code_verifier parameter
+                        mock_exchange.assert_called_once_with(credentials, code, code_verifier="test_code_verifier_123")
+                        mock_extract_user.assert_called_once_with(token_response, credentials)
+                        mock_store_tokens.assert_called_once()
 
     @pytest.mark.asyncio
     async def test_complete_authorization_code_flow_invalid_state(self):
         """Test authorization code flow completion with invalid state."""
+        # Standard
         import base64
         import json
 
@@ -669,12 +683,7 @@ async def test_complete_authorization_code_flow_invalid_state(self):
         state_data = {"gateway_id": "wrong_gateway", "app_user_email": "test@example.com", "nonce": "state456"}
         state = base64.urlsafe_b64encode(json.dumps(state_data).encode()).decode()
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/oauth/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/oauth/callback"}
 
         with pytest.raises(OAuthError):
             await manager.complete_authorization_code_flow("gateway123", "code", state, credentials)
@@ -716,13 +725,14 @@ async def test_get_access_token_for_user_no_token_storage(self):
 
     def test_generate_state_format(self):
         """Test state generation format with HMAC signature."""
+        # Standard
         import base64
-        import json
         import hashlib
         import hmac
-        from unittest.mock import patch, Mock
+        import json
+        from unittest.mock import Mock, patch
 
-        with patch('mcpgateway.services.oauth_manager.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.oauth_manager.get_settings") as mock_get_settings:
             mock_settings = Mock()
             mock_settings.auth_encryption_secret = SecretStr("test-secret-key")
             mock_get_settings.return_value = mock_settings
@@ -784,12 +794,7 @@ def test_create_authorization_url(self):
         """Test authorization URL creation."""
         manager = OAuthManager()
 
-        credentials = {
-            "client_id": "test_client",
-            "authorization_url": "https://oauth.example.com/authorize",
-            "redirect_uri": "https://gateway.example.com/callback",
-            "scopes": ["read", "write"]
-        }
+        credentials = {"client_id": "test_client", "authorization_url": "https://oauth.example.com/authorize", "redirect_uri": "https://gateway.example.com/callback", "scopes": ["read", "write"]}
         state = "test_state"
 
         auth_url, returned_state = manager._create_authorization_url(credentials, state)
@@ -806,11 +811,7 @@ def test_create_authorization_url_no_scopes(self):
         """Test authorization URL creation without scopes."""
         manager = OAuthManager()
 
-        credentials = {
-            "client_id": "test_client",
-            "authorization_url": "https://oauth.example.com/authorize",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "authorization_url": "https://oauth.example.com/authorize", "redirect_uri": "https://gateway.example.com/callback"}
         state = "test_state"
 
         auth_url, returned_state = manager._create_authorization_url(credentials, state)
@@ -823,21 +824,12 @@ async def test_exchange_code_for_tokens_success(self):
         """Test successful code exchange for tokens."""
         manager = OAuthManager()
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/callback"}
         code = "auth_code_123"
 
-        expected_response = {
-            "access_token": "access123",
-            "refresh_token": "refresh123",
-            "expires_in": 3600
-        }
+        expected_response = {"access_token": "access123", "refresh_token": "refresh123", "expires_in": 3600}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
@@ -863,24 +855,17 @@ async def test_exchange_code_for_tokens_error(self):
         """Test code exchange when server returns error."""
         manager = OAuthManager()
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/callback"}
         code = "invalid_code"
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
 
             mock_response = MagicMock()
             mock_response.status = 400
-            mock_response.raise_for_status = MagicMock(side_effect=aiohttp.ClientResponseError(
-                request_info=MagicMock(), history=(), status=400, message="Bad Request"
-            ))
+            mock_response.raise_for_status = MagicMock(side_effect=aiohttp.ClientResponseError(request_info=MagicMock(), history=(), status=400, message="Bad Request"))
             mock_response.__aenter__ = AsyncMock(return_value=mock_response)
             mock_response.__aexit__ = AsyncMock(return_value=None)
 
@@ -898,25 +883,20 @@ async def test_exchange_code_for_tokens_decryption_returns_none(self):
         manager = OAuthManager()
 
         encrypted_secret = "a" * 60  # Long secret
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": encrypted_secret,
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": encrypted_secret, "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/callback"}
 
-        with patch('mcpgateway.services.oauth_manager.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.oauth_manager.get_settings") as mock_get_settings:
             mock_settings = Mock()
             mock_settings.auth_encryption_secret = "test_key"
             mock_get_settings.return_value = mock_settings
 
-            with patch('mcpgateway.services.oauth_manager.get_oauth_encryption') as mock_get_encryption:
+            with patch("mcpgateway.services.oauth_manager.get_oauth_encryption") as mock_get_encryption:
                 mock_encryption = Mock()
                 # Decryption returns None - lines 438-439
                 mock_encryption.decrypt_secret.return_value = None
                 mock_get_encryption.return_value = mock_encryption
 
-                with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+                with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
                     mock_session_instance = MagicMock()
                     mock_post = MagicMock()
                     mock_session_instance.post = mock_post
@@ -994,25 +974,20 @@ async def test_exchange_code_for_token_decryption_returns_none(self):
         manager = OAuthManager()
 
         encrypted_secret = "a" * 60  # Long secret
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": encrypted_secret,
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": encrypted_secret, "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/callback"}
 
-        with patch('mcpgateway.services.oauth_manager.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.oauth_manager.get_settings") as mock_get_settings:
             mock_settings = Mock()
             mock_settings.auth_encryption_secret = "test_key"
             mock_get_settings.return_value = mock_settings
 
-            with patch('mcpgateway.services.oauth_manager.get_oauth_encryption') as mock_get_encryption:
+            with patch("mcpgateway.services.oauth_manager.get_oauth_encryption") as mock_get_encryption:
                 mock_encryption = Mock()
                 # Decryption returns None - lines 216-217
                 mock_encryption.decrypt_secret.return_value = None
                 mock_get_encryption.return_value = mock_encryption
 
-                with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+                with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
                     mock_session_instance = MagicMock()
                     mock_post = MagicMock()
                     mock_session_instance.post = mock_post
@@ -1039,14 +1014,9 @@ async def test_exchange_code_for_token_form_encoded_response(self):
         """Test exchange code for token with form-encoded response (lines 241-246)."""
         manager = OAuthManager()
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/callback"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
@@ -1073,14 +1043,9 @@ async def test_exchange_code_for_token_json_parse_failure(self):
         """Test exchange code for token when JSON parsing fails (lines 251-255)."""
         manager = OAuthManager()
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/callback"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
@@ -1109,14 +1074,9 @@ async def test_exchange_code_for_token_missing_access_token(self):
         """Test exchange code for token when response missing access_token (line 258)."""
         manager = OAuthManager()
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/callback"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
@@ -1143,23 +1103,16 @@ async def test_exchange_code_for_token_retry_logic(self):
         """Test exchange code for token retry logic with backoff (lines 263-267)."""
         manager = OAuthManager(max_retries=2)
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/callback"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
 
             # First call fails with ClientError
             fail_response = MagicMock()
-            fail_response.raise_for_status = MagicMock(side_effect=aiohttp.ClientResponseError(
-                request_info=MagicMock(), history=(), status=500, message="Server Error"
-            ))
+            fail_response.raise_for_status = MagicMock(side_effect=aiohttp.ClientResponseError(request_info=MagicMock(), history=(), status=500, message="Server Error"))
             fail_response.__aenter__ = AsyncMock(return_value=fail_response)
             fail_response.__aexit__ = AsyncMock(return_value=None)
 
@@ -1177,7 +1130,7 @@ async def test_exchange_code_for_token_retry_logic(self):
             mock_session_instance.__aexit__ = AsyncMock(return_value=None)
             mock_session_class.return_value = mock_session_instance
 
-            with patch('asyncio.sleep') as mock_sleep:
+            with patch("asyncio.sleep") as mock_sleep:
                 result = await manager.exchange_code_for_token(credentials, "auth_code", "state")
                 assert result == "retry_success_token"
                 # Should sleep once before retry (lines 263-267)
@@ -1188,22 +1141,15 @@ async def test_exchange_code_for_token_max_retries_exceeded(self):
         """Test exchange code for token when all retries are exhausted (lines 265-266)."""
         manager = OAuthManager(max_retries=1)
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/callback"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
 
             fail_response = MagicMock()
-            fail_response.raise_for_status = MagicMock(side_effect=aiohttp.ClientResponseError(
-                request_info=MagicMock(), history=(), status=500, message="Server Error"
-            ))
+            fail_response.raise_for_status = MagicMock(side_effect=aiohttp.ClientResponseError(request_info=MagicMock(), history=(), status=500, message="Server Error"))
             fail_response.__aenter__ = AsyncMock(return_value=fail_response)
             fail_response.__aexit__ = AsyncMock(return_value=None)
 
@@ -1212,7 +1158,7 @@ async def test_exchange_code_for_token_max_retries_exceeded(self):
             mock_session_instance.__aexit__ = AsyncMock(return_value=None)
             mock_session_class.return_value = mock_session_instance
 
-            with patch('asyncio.sleep'):
+            with patch("asyncio.sleep"):
                 with pytest.raises(OAuthError, match="Failed to exchange code for token after 1 attempts"):
                     await manager.exchange_code_for_token(credentials, "auth_code", "state")
 
@@ -1221,14 +1167,9 @@ async def test_exchange_code_for_token_final_fallback_error(self):
         """Test exchange code for token final fallback error (line 270)."""
         manager = OAuthManager(max_retries=0)  # Zero retries to force fallback
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/callback"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
@@ -1246,14 +1187,17 @@ async def test_exchange_code_for_token_final_fallback_error(self):
     @pytest.mark.asyncio
     async def test_complete_authorization_code_flow_no_token_storage(self):
         """Test complete authorization code flow without token storage with PKCE."""
+        # Standard
         import base64
-        import json
         import hashlib
         import hmac
+        import json
+
+        # Third-Party
         from pydantic import SecretStr
 
         # Mock settings to provide proper secret for HMAC
-        with patch('mcpgateway.services.oauth_manager.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.oauth_manager.get_settings") as mock_get_settings:
             mock_settings = Mock()
             mock_settings.auth_encryption_secret = SecretStr("test-secret-key-for-hmac")
             mock_get_settings.return_value = mock_settings
@@ -1264,13 +1208,10 @@ async def test_complete_authorization_code_flow_no_token_storage(self):
             code = "auth_code_123"
 
             # Create state with HMAC signature using the mocked secret
+            # Standard
             from datetime import datetime, timezone
-            state_data = {
-                "gateway_id": "gateway123",
-                "app_user_email": "test@example.com",
-                "nonce": "state456",
-                "timestamp": datetime.now(timezone.utc).isoformat()
-            }
+
+            state_data = {"gateway_id": "gateway123", "app_user_email": "test@example.com", "nonce": "state456", "timestamp": datetime.now(timezone.utc).isoformat()}
             state_json = json.dumps(state_data, separators=(",", ":"))
             state_bytes = state_json.encode()
 
@@ -1284,35 +1225,27 @@ async def test_complete_authorization_code_flow_no_token_storage(self):
 
             credentials = {"client_id": "test_client", "token_url": "https://oauth.example.com/token", "redirect_uri": "http://localhost:4444/callback"}
 
-            token_response = {
-                "access_token": "access123",
-                "refresh_token": "refresh123",
-                "expires_in": 3600
-            }
+            token_response = {"access_token": "access123", "refresh_token": "refresh123", "expires_in": 3600}
 
             # Mock state validation to return state data with code_verifier
-            with patch.object(manager, '_validate_and_retrieve_state') as mock_validate:
+            with patch.object(manager, "_validate_and_retrieve_state") as mock_validate:
                 mock_validate.return_value = {"state": state, "gateway_id": gateway_id, "code_verifier": "test_verifier_abc123"}
 
-                with patch.object(manager, '_exchange_code_for_tokens') as mock_exchange:
-                        mock_exchange.return_value = token_response
+                with patch.object(manager, "_exchange_code_for_tokens") as mock_exchange:
+                    mock_exchange.return_value = token_response
 
-                        with patch.object(manager, '_extract_user_id') as mock_extract_user:
-                            mock_extract_user.return_value = "user123"
+                    with patch.object(manager, "_extract_user_id") as mock_extract_user:
+                        mock_extract_user.return_value = "user123"
 
-                            # This should work without token storage
-                            result = await manager.complete_authorization_code_flow(gateway_id, code, state, credentials)
+                        # This should work without token storage
+                        result = await manager.complete_authorization_code_flow(gateway_id, code, state, credentials)
 
-                            expected = {
-                                "success": True,
-                                "user_id": "user123",
-                                "expires_at": None  # No token storage means no expiration tracking
-                            }
-                            assert result == expected
+                        expected = {"success": True, "user_id": "user123", "expires_at": None}  # No token storage means no expiration tracking
+                        assert result == expected
 
-                            # PKCE: Now includes code_verifier parameter
-                            mock_exchange.assert_called_once_with(credentials, code, code_verifier="test_verifier_abc123")
-                            mock_extract_user.assert_called_once_with(token_response, credentials)
+                        # PKCE: Now includes code_verifier parameter
+                        mock_exchange.assert_called_once_with(credentials, code, code_verifier="test_verifier_abc123")
+                        mock_extract_user.assert_called_once_with(token_response, credentials)
 
     @pytest.mark.asyncio
     async def test_exchange_code_for_tokens_decryption_success(self):
@@ -1320,25 +1253,20 @@ async def test_exchange_code_for_tokens_decryption_success(self):
         manager = OAuthManager()
 
         encrypted_secret = "a" * 60  # Long secret
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": encrypted_secret,
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": encrypted_secret, "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/callback"}
 
-        with patch('mcpgateway.services.oauth_manager.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.oauth_manager.get_settings") as mock_get_settings:
             mock_settings = Mock()
             mock_settings.auth_encryption_secret = "test_key"
             mock_get_settings.return_value = mock_settings
 
-            with patch('mcpgateway.services.oauth_manager.get_oauth_encryption') as mock_get_encryption:
+            with patch("mcpgateway.services.oauth_manager.get_oauth_encryption") as mock_get_encryption:
                 mock_encryption = Mock()
                 # Decryption succeeds - lines 435-437
                 mock_encryption.decrypt_secret.return_value = "decrypted_secret"
                 mock_get_encryption.return_value = mock_encryption
 
-                with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+                with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
                     mock_session_instance = MagicMock()
                     mock_post = MagicMock()
                     mock_session_instance.post = mock_post
@@ -1366,25 +1294,20 @@ async def test_exchange_code_for_tokens_decryption_exception(self):
         manager = OAuthManager()
 
         encrypted_secret = "a" * 60  # Long secret
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": encrypted_secret,
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": encrypted_secret, "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/callback"}
 
-        with patch('mcpgateway.services.oauth_manager.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.oauth_manager.get_settings") as mock_get_settings:
             mock_settings = Mock()
             mock_settings.auth_encryption_secret = "test_key"
             mock_get_settings.return_value = mock_settings
 
-            with patch('mcpgateway.services.oauth_manager.get_oauth_encryption') as mock_get_encryption:
+            with patch("mcpgateway.services.oauth_manager.get_oauth_encryption") as mock_get_encryption:
                 mock_encryption = Mock()
                 # Decryption throws exception - lines 440-441
                 mock_encryption.decrypt_secret.side_effect = ValueError("Decryption failed")
                 mock_get_encryption.return_value = mock_encryption
 
-                with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+                with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
                     mock_session_instance = MagicMock()
                     mock_post = MagicMock()
                     mock_session_instance.post = mock_post
@@ -1411,14 +1334,9 @@ async def test_exchange_code_for_tokens_form_encoded_response(self):
         """Test _exchange_code_for_tokens with form-encoded response (lines 463-468)."""
         manager = OAuthManager()
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/callback"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
@@ -1446,14 +1364,9 @@ async def test_exchange_code_for_tokens_json_parse_failure(self):
         """Test _exchange_code_for_tokens when JSON parsing fails (lines 473-477)."""
         manager = OAuthManager()
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/callback"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
@@ -1482,14 +1395,9 @@ async def test_exchange_code_for_tokens_missing_access_token(self):
         """Test _exchange_code_for_tokens when response missing access_token (line 480)."""
         manager = OAuthManager()
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/callback"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
@@ -1516,14 +1424,9 @@ async def test_exchange_code_for_tokens_final_fallback_error(self):
         """Test _exchange_code_for_tokens final fallback error (line 492)."""
         manager = OAuthManager(max_retries=0)  # Zero retries to force fallback
 
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": "test_secret",
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": "test_secret", "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/callback"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
@@ -1544,25 +1447,20 @@ async def test_exchange_code_for_token_decryption_success(self):
         manager = OAuthManager()
 
         encrypted_secret = "a" * 60  # Long secret
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": encrypted_secret,
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": encrypted_secret, "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/callback"}
 
-        with patch('mcpgateway.services.oauth_manager.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.oauth_manager.get_settings") as mock_get_settings:
             mock_settings = Mock()
             mock_settings.auth_encryption_secret = "test_key"
             mock_get_settings.return_value = mock_settings
 
-            with patch('mcpgateway.services.oauth_manager.get_oauth_encryption') as mock_get_encryption:
+            with patch("mcpgateway.services.oauth_manager.get_oauth_encryption") as mock_get_encryption:
                 mock_encryption = Mock()
                 # Decryption succeeds - lines 213-215
                 mock_encryption.decrypt_secret.return_value = "decrypted_secret"
                 mock_get_encryption.return_value = mock_encryption
 
-                with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+                with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
                     mock_session_instance = MagicMock()
                     mock_post = MagicMock()
                     mock_session_instance.post = mock_post
@@ -1590,25 +1488,20 @@ async def test_exchange_code_for_token_decryption_exception(self):
         manager = OAuthManager()
 
         encrypted_secret = "a" * 60  # Long secret
-        credentials = {
-            "client_id": "test_client",
-            "client_secret": encrypted_secret,
-            "token_url": "https://oauth.example.com/token",
-            "redirect_uri": "https://gateway.example.com/callback"
-        }
+        credentials = {"client_id": "test_client", "client_secret": encrypted_secret, "token_url": "https://oauth.example.com/token", "redirect_uri": "https://gateway.example.com/callback"}
 
-        with patch('mcpgateway.services.oauth_manager.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.oauth_manager.get_settings") as mock_get_settings:
             mock_settings = Mock()
             mock_settings.auth_encryption_secret = "test_key"
             mock_get_settings.return_value = mock_settings
 
-            with patch('mcpgateway.services.oauth_manager.get_oauth_encryption') as mock_get_encryption:
+            with patch("mcpgateway.services.oauth_manager.get_oauth_encryption") as mock_get_encryption:
                 mock_encryption = Mock()
                 # Decryption throws exception - lines 218-219
                 mock_encryption.decrypt_secret.side_effect = ValueError("Decryption failed")
                 mock_get_encryption.return_value = mock_encryption
 
-                with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+                with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
                     mock_session_instance = MagicMock()
                     mock_post = MagicMock()
                     mock_session_instance.post = mock_post
@@ -1635,24 +1528,16 @@ async def test_refresh_token_success(self):
         """Test successful token refresh."""
         manager = OAuthManager()
 
-        credentials = {
-            "token_url": "https://oauth.example.com/token",
-            "client_id": "test_client",
-            "client_secret": "test_secret"
-        }
+        credentials = {"token_url": "https://oauth.example.com/token", "client_id": "test_client", "client_secret": "test_secret"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
 
             mock_response = MagicMock()
             mock_response.status = 200
-            mock_response.json = AsyncMock(return_value={
-                "access_token": "new_access_token",
-                "refresh_token": "new_refresh_token",
-                "expires_in": 7200
-            })
+            mock_response.json = AsyncMock(return_value={"access_token": "new_access_token", "refresh_token": "new_refresh_token", "expires_in": 7200})
             mock_response.raise_for_status = MagicMock()
             mock_response.__aenter__ = AsyncMock(return_value=mock_response)
             mock_response.__aexit__ = AsyncMock(return_value=None)
@@ -1664,11 +1549,7 @@ async def test_refresh_token_success(self):
 
             result = await manager.refresh_token("old_refresh_token", credentials)
 
-            assert result == {
-                "access_token": "new_access_token",
-                "refresh_token": "new_refresh_token",
-                "expires_in": 7200
-            }
+            assert result == {"access_token": "new_access_token", "refresh_token": "new_refresh_token", "expires_in": 7200}
 
             # Verify the correct data was sent
             mock_post.assert_called_once()
@@ -1683,22 +1564,16 @@ async def test_refresh_token_with_client_secret(self):
         """Test token refresh with client secret included."""
         manager = OAuthManager()
 
-        credentials = {
-            "token_url": "https://oauth.example.com/token",
-            "client_id": "test_client",
-            "client_secret": "test_secret"
-        }
+        credentials = {"token_url": "https://oauth.example.com/token", "client_id": "test_client", "client_secret": "test_secret"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
 
             mock_response = MagicMock()
             mock_response.status = 200
-            mock_response.json = AsyncMock(return_value={
-                "access_token": "new_token"
-            })
+            mock_response.json = AsyncMock(return_value={"access_token": "new_token"})
             mock_response.raise_for_status = MagicMock()
             mock_response.__aenter__ = AsyncMock(return_value=mock_response)
             mock_response.__aexit__ = AsyncMock(return_value=None)
@@ -1719,27 +1594,18 @@ async def test_refresh_token_error_handling(self):
         """Test token refresh error handling."""
         manager = OAuthManager()
 
-        credentials = {
-            "token_url": "https://oauth.example.com/token",
-            "client_id": "test_client"
-        }
+        credentials = {"token_url": "https://oauth.example.com/token", "client_id": "test_client"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
 
             mock_response = MagicMock()
             mock_response.status = 400
-            mock_response.json = AsyncMock(return_value={
-                "error": "invalid_grant"
-            })
+            mock_response.json = AsyncMock(return_value={"error": "invalid_grant"})
             mock_response.text = AsyncMock(return_value='{"error": "invalid_grant"}')
-            mock_response.raise_for_status = MagicMock(side_effect=aiohttp.ClientResponseError(
-                request_info=MagicMock(),
-                history=(),
-                status=400
-            ))
+            mock_response.raise_for_status = MagicMock(side_effect=aiohttp.ClientResponseError(request_info=MagicMock(), history=(), status=400))
             mock_response.__aenter__ = AsyncMock(return_value=mock_response)
             mock_response.__aexit__ = AsyncMock(return_value=None)
 
@@ -1758,21 +1624,16 @@ async def test_refresh_token_missing_access_token(self):
         """Test token refresh when access_token is missing from response."""
         manager = OAuthManager()
 
-        credentials = {
-            "token_url": "https://oauth.example.com/token",
-            "client_id": "test_client"
-        }
+        credentials = {"token_url": "https://oauth.example.com/token", "client_id": "test_client"}
 
-        with patch('mcpgateway.services.oauth_manager.aiohttp.ClientSession') as mock_session_class:
+        with patch("mcpgateway.services.oauth_manager.aiohttp.ClientSession") as mock_session_class:
             mock_session_instance = MagicMock()
             mock_post = MagicMock()
             mock_session_instance.post = mock_post
 
             mock_response = MagicMock()
             mock_response.status = 200
-            mock_response.json = AsyncMock(return_value={
-                "expires_in": 3600  # Missing access_token
-            })
+            mock_response.json = AsyncMock(return_value={"expires_in": 3600})  # Missing access_token
             mock_response.raise_for_status = MagicMock()
             mock_response.__aenter__ = AsyncMock(return_value=mock_response)
             mock_response.__aexit__ = AsyncMock(return_value=None)
@@ -1795,12 +1656,12 @@ def test_init_with_encryption(self):
         """Test TokenStorageService initialization with encryption."""
         mock_db = Mock()
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_settings = Mock()
             mock_settings.auth_encryption_secret = "test_secret_key"
             mock_get_settings.return_value = mock_settings
 
-            with patch('mcpgateway.services.token_storage_service.get_oauth_encryption') as mock_get_enc:
+            with patch("mcpgateway.services.token_storage_service.get_oauth_encryption") as mock_get_enc:
                 mock_encryption = Mock()
                 mock_get_enc.return_value = mock_encryption
 
@@ -1814,7 +1675,7 @@ def test_init_without_encryption(self):
         """Test TokenStorageService initialization without encryption."""
         mock_db = Mock()
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption available")
 
             service = TokenStorageService(mock_db)
@@ -1826,7 +1687,7 @@ def test_init_attribute_error(self):
         """Test TokenStorageService initialization with AttributeError."""
         mock_db = Mock()
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = AttributeError("Missing attribute")
 
             service = TokenStorageService(mock_db)
@@ -1843,19 +1704,19 @@ async def test_store_tokens_new_record_with_encryption(self):
         mock_encryption = Mock()
         mock_encryption.encrypt_secret.side_effect = ["encrypted_access", "encrypted_refresh"]
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_settings = Mock()
             mock_settings.auth_encryption_secret = "test_secret"
             mock_get_settings.return_value = mock_settings
 
-            with patch('mcpgateway.services.token_storage_service.get_oauth_encryption') as mock_get_enc:
+            with patch("mcpgateway.services.token_storage_service.get_oauth_encryption") as mock_get_enc:
                 mock_get_enc.return_value = mock_encryption
 
                 service = TokenStorageService(mock_db)
 
                 # Mock datetime.now for consistent testing
                 fixed_time = datetime(2025, 1, 1, 12, 0, 0)
-                with patch('mcpgateway.services.token_storage_service.datetime') as mock_dt:
+                with patch("mcpgateway.services.token_storage_service.datetime") as mock_dt:
                     mock_dt.now.return_value = fixed_time
                     mock_dt.now.return_value = fixed_time
 
@@ -1866,7 +1727,7 @@ async def test_store_tokens_new_record_with_encryption(self):
                         access_token="access_token_123",
                         refresh_token="refresh_token_123",
                         expires_in=3600,
-                        scopes=["read", "write"]
+                        scopes=["read", "write"],
                     )
 
                     # Verify encryption calls
@@ -1891,24 +1752,24 @@ async def test_store_tokens_new_record_without_encryption(self):
         mock_db = Mock()
         mock_db.execute.return_value.scalar_one_or_none.return_value = None
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
 
             fixed_time = datetime(2025, 1, 1, 12, 0, 0)
-            with patch('mcpgateway.services.token_storage_service.datetime') as mock_dt:
+            with patch("mcpgateway.services.token_storage_service.datetime") as mock_dt:
                 mock_dt.now.return_value = fixed_time
                 mock_dt.now.return_value = fixed_time
 
                 result = await service.store_tokens(
                     gateway_id="gateway123",
                     user_id="user123",
-                        app_user_email="test@example.com",
+                    app_user_email="test@example.com",
                     access_token="access_token_123",
                     refresh_token="refresh_token_123",
                     expires_in=3600,
-                    scopes=["read", "write"]
+                    scopes=["read", "write"],
                 )
 
                 # Verify database operations
@@ -1937,25 +1798,25 @@ async def test_store_tokens_update_existing_record(self):
             expires_at=datetime(2025, 1, 1, 10, 0, 0),
             scopes=["read"],
             created_at=datetime(2025, 1, 1, 9, 0, 0),
-            updated_at=datetime(2025, 1, 1, 9, 0, 0)
+            updated_at=datetime(2025, 1, 1, 9, 0, 0),
         )
         mock_db.execute.return_value.scalar_one_or_none.return_value = existing_token
 
         mock_encryption = Mock()
         mock_encryption.encrypt_secret.side_effect = ["encrypted_access", "encrypted_refresh"]
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_settings = Mock()
             mock_settings.auth_encryption_secret = "test_secret"
             mock_get_settings.return_value = mock_settings
 
-            with patch('mcpgateway.services.token_storage_service.get_oauth_encryption') as mock_get_enc:
+            with patch("mcpgateway.services.token_storage_service.get_oauth_encryption") as mock_get_enc:
                 mock_get_enc.return_value = mock_encryption
 
                 service = TokenStorageService(mock_db)
 
                 fixed_time = datetime(2025, 1, 1, 12, 0, 0)
-                with patch('mcpgateway.services.token_storage_service.datetime') as mock_dt:
+                with patch("mcpgateway.services.token_storage_service.datetime") as mock_dt:
                     mock_dt.now.return_value = fixed_time
                     mock_dt.now.return_value = fixed_time
 
@@ -1966,7 +1827,7 @@ async def test_store_tokens_update_existing_record(self):
                         access_token="new_access_token",
                         refresh_token="new_refresh_token",
                         expires_in=3600,
-                        scopes=["read", "write", "admin"]
+                        scopes=["read", "write", "admin"],
                     )
 
                     # Verify existing token was updated
@@ -1988,29 +1849,23 @@ async def test_store_tokens_without_refresh_token(self):
         mock_encryption = Mock()
         mock_encryption.encrypt_secret.return_value = "encrypted_access"
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_settings = Mock()
             mock_settings.auth_encryption_secret = "test_secret"
             mock_get_settings.return_value = mock_settings
 
-            with patch('mcpgateway.services.token_storage_service.get_oauth_encryption') as mock_get_enc:
+            with patch("mcpgateway.services.token_storage_service.get_oauth_encryption") as mock_get_enc:
                 mock_get_enc.return_value = mock_encryption
 
                 service = TokenStorageService(mock_db)
 
                 fixed_time = datetime(2025, 1, 1, 12, 0, 0)
-                with patch('mcpgateway.services.token_storage_service.datetime') as mock_dt:
+                with patch("mcpgateway.services.token_storage_service.datetime") as mock_dt:
                     mock_dt.now.return_value = fixed_time
                     mock_dt.now.return_value = fixed_time
 
                     result = await service.store_tokens(
-                        gateway_id="gateway123",
-                        user_id="user123",
-                        app_user_email="test@example.com",
-                        access_token="access_token_123",
-                        refresh_token=None,
-                        expires_in=3600,
-                        scopes=["read"]
+                        gateway_id="gateway123", user_id="user123", app_user_email="test@example.com", access_token="access_token_123", refresh_token=None, expires_in=3600, scopes=["read"]
                     )
 
                     # Verify only access token was encrypted
@@ -2026,20 +1881,14 @@ async def test_store_tokens_database_error(self):
         mock_db = Mock()
         mock_db.execute.side_effect = Exception("Database error")
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
 
             with pytest.raises(OAuthError, match="Token storage failed: Database error"):
                 await service.store_tokens(
-                    gateway_id="gateway123",
-                    user_id="user123",
-                        app_user_email="test@example.com",
-                    access_token="access_token_123",
-                    refresh_token="refresh_token_123",
-                    expires_in=3600,
-                    scopes=["read"]
+                    gateway_id="gateway123", user_id="user123", app_user_email="test@example.com", access_token="access_token_123", refresh_token="refresh_token_123", expires_in=3600, scopes=["read"]
                 )
 
             mock_db.rollback.assert_called_once()
@@ -2051,25 +1900,18 @@ async def test_get_valid_token_success_with_encryption(self):
 
         # Create valid token record
         future_time = datetime.now(tz=timezone.utc) + timedelta(hours=1)
-        token_record = OAuthToken(
-            gateway_id="gateway123",
-            user_id="user123",
-            access_token="encrypted_token",
-            refresh_token="encrypted_refresh",
-            expires_at=future_time,
-            scopes=["read", "write"]
-        )
+        token_record = OAuthToken(gateway_id="gateway123", user_id="user123", access_token="encrypted_token", refresh_token="encrypted_refresh", expires_at=future_time, scopes=["read", "write"])
         mock_db.execute.return_value.scalar_one_or_none.return_value = token_record
 
         mock_encryption = Mock()
         mock_encryption.decrypt_secret.return_value = "decrypted_access_token"
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_settings = Mock()
             mock_settings.auth_encryption_secret = "test_secret"
             mock_get_settings.return_value = mock_settings
 
-            with patch('mcpgateway.services.token_storage_service.get_oauth_encryption') as mock_get_enc:
+            with patch("mcpgateway.services.token_storage_service.get_oauth_encryption") as mock_get_enc:
                 mock_get_enc.return_value = mock_encryption
 
                 service = TokenStorageService(mock_db)
@@ -2085,17 +1927,10 @@ async def test_get_valid_token_success_without_encryption(self):
         mock_db = Mock()
 
         future_time = datetime.now(tz=timezone.utc) + timedelta(hours=1)
-        token_record = OAuthToken(
-            gateway_id="gateway123",
-            user_id="user123",
-            access_token="plain_access_token",
-            refresh_token="plain_refresh",
-            expires_at=future_time,
-            scopes=["read", "write"]
-        )
+        token_record = OAuthToken(gateway_id="gateway123", user_id="user123", access_token="plain_access_token", refresh_token="plain_refresh", expires_at=future_time, scopes=["read", "write"])
         mock_db.execute.return_value.scalar_one_or_none.return_value = token_record
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
@@ -2110,7 +1945,7 @@ async def test_get_valid_token_not_found(self):
         mock_db = Mock()
         mock_db.execute.return_value.scalar_one_or_none.return_value = None
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
@@ -2126,23 +1961,16 @@ async def test_get_valid_token_expired_with_refresh(self):
 
         # Create expired token record
         past_time = datetime.now(tz=timezone.utc) - timedelta(hours=1)
-        token_record = OAuthToken(
-            gateway_id="gateway123",
-            user_id="user123",
-            access_token="expired_token",
-            refresh_token="refresh_token",
-            expires_at=past_time,
-            scopes=["read", "write"]
-        )
+        token_record = OAuthToken(gateway_id="gateway123", user_id="user123", access_token="expired_token", refresh_token="refresh_token", expires_at=past_time, scopes=["read", "write"])
         mock_db.execute.return_value.scalar_one_or_none.return_value = token_record
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
 
             # Mock the _refresh_access_token method
-            with patch.object(service, '_refresh_access_token') as mock_refresh:
+            with patch.object(service, "_refresh_access_token") as mock_refresh:
                 mock_refresh.return_value = "new_access_token"
 
                 result = await service.get_user_token("gateway123", "test@example.com")
@@ -2156,17 +1984,10 @@ async def test_get_valid_token_expired_no_refresh(self):
         mock_db = Mock()
 
         past_time = datetime.now(tz=timezone.utc) - timedelta(hours=1)
-        token_record = OAuthToken(
-            gateway_id="gateway123",
-            user_id="user123",
-            access_token="expired_token",
-            refresh_token=None,
-            expires_at=past_time,
-            scopes=["read", "write"]
-        )
+        token_record = OAuthToken(gateway_id="gateway123", user_id="user123", access_token="expired_token", refresh_token=None, expires_at=past_time, scopes=["read", "write"])
         mock_db.execute.return_value.scalar_one_or_none.return_value = token_record
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
@@ -2182,23 +2003,16 @@ async def test_get_valid_token_near_expiry(self):
 
         # Token expires in 2 minutes, threshold is 5 minutes (300 seconds)
         near_expiry = datetime.now(tz=timezone.utc) + timedelta(minutes=2)
-        token_record = OAuthToken(
-            gateway_id="gateway123",
-            user_id="user123",
-            access_token="near_expiry_token",
-            refresh_token="refresh_token",
-            expires_at=near_expiry,
-            scopes=["read", "write"]
-        )
+        token_record = OAuthToken(gateway_id="gateway123", user_id="user123", access_token="near_expiry_token", refresh_token="refresh_token", expires_at=near_expiry, scopes=["read", "write"])
         mock_db.execute.return_value.scalar_one_or_none.return_value = token_record
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
 
             # Mock the _refresh_access_token method
-            with patch.object(service, '_refresh_access_token') as mock_refresh:
+            with patch.object(service, "_refresh_access_token") as mock_refresh:
                 mock_refresh.return_value = "refreshed_token"
 
                 result = await service.get_user_token("gateway123", "test@example.com", threshold_seconds=300)
@@ -2212,7 +2026,7 @@ async def test_get_valid_token_exception(self):
         mock_db = Mock()
         mock_db.execute.side_effect = Exception("Database error")
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
@@ -2224,25 +2038,17 @@ async def test_get_valid_token_exception(self):
     @pytest.mark.asyncio
     async def test_refresh_access_token_success(self):
         """Test successful token refresh in TokenStorageService."""
-        # Standard
+        # First-Party
         from mcpgateway.db import Gateway
 
         mock_db = Mock()
 
         # Create a mock gateway with OAuth config
-        mock_gateway = Gateway(
-            id="gateway123",
-            name="Test Gateway",
-            oauth_config={
-                "token_url": "https://oauth.example.com/token",
-                "client_id": "test_client",
-                "client_secret": "test_secret"
-            }
-        )
+        mock_gateway = Gateway(id="gateway123", name="Test Gateway", oauth_config={"token_url": "https://oauth.example.com/token", "client_id": "test_client", "client_secret": "test_secret"})
         mock_db.query.return_value.filter.return_value.first.return_value = mock_gateway
         mock_db.commit = Mock()
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
@@ -2253,17 +2059,13 @@ async def test_refresh_access_token_success(self):
                 app_user_email="test@example.com",
                 access_token="expired_token",
                 refresh_token="old_refresh_token",
-                expires_at=datetime.now(tz=timezone.utc) - timedelta(hours=1)
+                expires_at=datetime.now(tz=timezone.utc) - timedelta(hours=1),
             )
 
             # Mock the OAuthManager refresh_token method
-            with patch('mcpgateway.services.oauth_manager.OAuthManager') as mock_oauth_manager_class:
+            with patch("mcpgateway.services.oauth_manager.OAuthManager") as mock_oauth_manager_class:
                 mock_manager = mock_oauth_manager_class.return_value
-                mock_manager.refresh_token = AsyncMock(return_value={
-                    "access_token": "new_access_token",
-                    "refresh_token": "new_refresh_token",
-                    "expires_in": 7200
-                })
+                mock_manager.refresh_token = AsyncMock(return_value={"access_token": "new_access_token", "refresh_token": "new_refresh_token", "expires_in": 7200})
 
                 result = await service._refresh_access_token(token_record)
 
@@ -2277,17 +2079,13 @@ async def test_refresh_access_token_no_refresh_token(self):
         """Test refresh when no refresh token is available."""
         mock_db = Mock()
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
 
             token_record = OAuthToken(
-                gateway_id="gateway123",
-                user_id="user123",
-                access_token="expired_token",
-                refresh_token=None,  # No refresh token
-                expires_at=datetime.now(tz=timezone.utc) - timedelta(hours=1)
+                gateway_id="gateway123", user_id="user123", access_token="expired_token", refresh_token=None, expires_at=datetime.now(tz=timezone.utc) - timedelta(hours=1)  # No refresh token
             )
 
             result = await service._refresh_access_token(token_record)
@@ -2300,17 +2098,13 @@ async def test_refresh_access_token_no_gateway(self):
         mock_db = Mock()
         mock_db.query.return_value.filter.return_value.first.return_value = None  # Gateway not found
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
 
             token_record = OAuthToken(
-                gateway_id="gateway123",
-                user_id="user123",
-                access_token="expired_token",
-                refresh_token="refresh_token",
-                expires_at=datetime.now(tz=timezone.utc) - timedelta(hours=1)
+                gateway_id="gateway123", user_id="user123", access_token="expired_token", refresh_token="refresh_token", expires_at=datetime.now(tz=timezone.utc) - timedelta(hours=1)
             )
 
             result = await service._refresh_access_token(token_record)
@@ -2320,7 +2114,7 @@ async def test_refresh_access_token_no_gateway(self):
     @pytest.mark.asyncio
     async def test_refresh_access_token_invalid_token(self):
         """Test refresh with invalid refresh token."""
-        # Standard
+        # First-Party
         from mcpgateway.db import Gateway
 
         mock_db = Mock()
@@ -2328,18 +2122,10 @@ async def test_refresh_access_token_invalid_token(self):
         mock_db.commit = Mock()
 
         # Create a mock gateway with OAuth config
-        mock_gateway = Gateway(
-            id="gateway123",
-            name="Test Gateway",
-            oauth_config={
-                "token_url": "https://oauth.example.com/token",
-                "client_id": "test_client",
-                "client_secret": "test_secret"
-            }
-        )
+        mock_gateway = Gateway(id="gateway123", name="Test Gateway", oauth_config={"token_url": "https://oauth.example.com/token", "client_id": "test_client", "client_secret": "test_secret"})
         mock_db.query.return_value.filter.return_value.first.return_value = mock_gateway
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
@@ -2350,11 +2136,11 @@ async def test_refresh_access_token_invalid_token(self):
                 app_user_email="test@example.com",
                 access_token="expired_token",
                 refresh_token="invalid_refresh_token",
-                expires_at=datetime.now(tz=timezone.utc) - timedelta(hours=1)
+                expires_at=datetime.now(tz=timezone.utc) - timedelta(hours=1),
             )
 
             # Mock the OAuthManager refresh_token method to raise an error
-            with patch('mcpgateway.services.oauth_manager.OAuthManager') as mock_oauth_manager_class:
+            with patch("mcpgateway.services.oauth_manager.OAuthManager") as mock_oauth_manager_class:
                 mock_manager = mock_oauth_manager_class.return_value
                 mock_manager.refresh_token = AsyncMock(side_effect=Exception("Refresh token invalid or expired"))
 
@@ -2369,17 +2155,12 @@ def test_is_token_expired_no_expires_at(self):
         """Test _is_token_expired with no expiration date."""
         mock_db = Mock()
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
 
-            token_record = OAuthToken(
-                gateway_id="gateway123",
-                user_id="user123",
-                access_token="token",
-                expires_at=None
-            )
+            token_record = OAuthToken(gateway_id="gateway123", user_id="user123", access_token="token", expires_at=None)
 
             result = service._is_token_expired(token_record)
 
@@ -2389,18 +2170,13 @@ def test_is_token_expired_past_expiry(self):
         """Test _is_token_expired with past expiration."""
         mock_db = Mock()
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
 
             past_time = datetime.now(tz=timezone.utc) - timedelta(hours=1)
-            token_record = OAuthToken(
-                gateway_id="gateway123",
-                user_id="user123",
-                access_token="token",
-                expires_at=past_time
-            )
+            token_record = OAuthToken(gateway_id="gateway123", user_id="user123", access_token="token", expires_at=past_time)
 
             result = service._is_token_expired(token_record)
 
@@ -2410,19 +2186,14 @@ def test_is_token_expired_within_threshold(self):
         """Test _is_token_expired with token expiring within threshold."""
         mock_db = Mock()
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
 
             # Token expires in 2 minutes, threshold is 5 minutes
             near_expiry = datetime.now(tz=timezone.utc) + timedelta(minutes=2)
-            token_record = OAuthToken(
-                gateway_id="gateway123",
-                user_id="user123",
-                access_token="token",
-                expires_at=near_expiry
-            )
+            token_record = OAuthToken(gateway_id="gateway123", user_id="user123", access_token="token", expires_at=near_expiry)
 
             result = service._is_token_expired(token_record, threshold_seconds=300)
 
@@ -2432,19 +2203,14 @@ def test_is_token_expired_beyond_threshold(self):
         """Test _is_token_expired with token valid beyond threshold."""
         mock_db = Mock()
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
 
             # Token expires in 10 minutes, threshold is 5 minutes
             future_time = datetime.now(tz=timezone.utc) + timedelta(minutes=10)
-            token_record = OAuthToken(
-                gateway_id="gateway123",
-                user_id="user123",
-                access_token="token",
-                expires_at=future_time
-            )
+            token_record = OAuthToken(gateway_id="gateway123", user_id="user123", access_token="token", expires_at=future_time)
 
             result = service._is_token_expired(token_record, threshold_seconds=300)
 
@@ -2468,17 +2234,17 @@ async def test_get_token_info_success(self):
             expires_at=expires_time,
             scopes=["read", "write"],
             created_at=created_time,
-            updated_at=updated_time
+            updated_at=updated_time,
         )
         mock_db.execute.return_value.scalar_one_or_none.return_value = token_record
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
 
             # Mock is_expired check to return False
-            with patch.object(service, '_is_token_expired') as mock_is_expired:
+            with patch.object(service, "_is_token_expired") as mock_is_expired:
                 mock_is_expired.return_value = False
 
                 result = await service.get_token_info("gateway123", "test@example.com")
@@ -2503,7 +2269,7 @@ async def test_get_token_info_not_found(self):
         mock_db = Mock()
         mock_db.execute.return_value.scalar_one_or_none.return_value = None
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
@@ -2525,16 +2291,16 @@ async def test_get_token_info_with_none_expires_at(self):
             expires_at=None,
             scopes=["read"],
             created_at=datetime(2025, 1, 1, 10, 0, 0),
-            updated_at=datetime(2025, 1, 1, 11, 0, 0)
+            updated_at=datetime(2025, 1, 1, 11, 0, 0),
         )
         mock_db.execute.return_value.scalar_one_or_none.return_value = token_record
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
 
-            with patch.object(service, '_is_token_expired') as mock_is_expired:
+            with patch.object(service, "_is_token_expired") as mock_is_expired:
                 mock_is_expired.return_value = True
 
                 result = await service.get_token_info("gateway123", "test@example.com")
@@ -2548,7 +2314,7 @@ async def test_get_token_info_exception(self):
         mock_db = Mock()
         mock_db.execute.side_effect = Exception("Database error")
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
@@ -2562,14 +2328,10 @@ async def test_revoke_user_tokens_success(self):
         """Test successfully revoking user tokens."""
         mock_db = Mock()
 
-        token_record = OAuthToken(
-            gateway_id="gateway123",
-            user_id="user123",
-            access_token="token"
-        )
+        token_record = OAuthToken(gateway_id="gateway123", user_id="user123", access_token="token")
         mock_db.execute.return_value.scalar_one_or_none.return_value = token_record
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
@@ -2586,7 +2348,7 @@ async def test_revoke_user_tokens_not_found(self):
         mock_db = Mock()
         mock_db.execute.return_value.scalar_one_or_none.return_value = None
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
@@ -2603,7 +2365,7 @@ async def test_revoke_user_tokens_exception(self):
         mock_db = Mock()
         mock_db.execute.side_effect = Exception("Database error")
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
@@ -2625,12 +2387,12 @@ async def test_cleanup_expired_tokens_success(self):
 
         mock_db.execute.return_value.scalars.return_value.all.return_value = expired_tokens
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
 
-            with patch('mcpgateway.services.token_storage_service.datetime') as mock_dt:
+            with patch("mcpgateway.services.token_storage_service.datetime") as mock_dt:
                 mock_dt.now.return_value = datetime(2025, 1, 1, 12, 0, 0)
                 mock_dt.now.return_value = datetime(2025, 1, 1, 12, 0, 0)
 
@@ -2648,7 +2410,7 @@ async def test_cleanup_expired_tokens_none_found(self):
         mock_db = Mock()
         mock_db.execute.return_value.scalars.return_value.all.return_value = []
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
@@ -2665,7 +2427,7 @@ async def test_cleanup_expired_tokens_exception(self):
         mock_db = Mock()
         mock_db.execute.side_effect = Exception("Database error")
 
-        with patch('mcpgateway.services.token_storage_service.get_settings') as mock_get_settings:
+        with patch("mcpgateway.services.token_storage_service.get_settings") as mock_get_settings:
             mock_get_settings.side_effect = ImportError("No encryption")
 
             service = TokenStorageService(mock_db)
@@ -2762,7 +2524,7 @@ def test_encrypt_secret_exception_handling(self):
         encryption = OAuthEncryption(SecretStr("test_key"))
 
         # Mock the Fernet instance to raise an exception
-        with patch.object(encryption, '_get_fernet') as mock_get_fernet:
+        with patch.object(encryption, "_get_fernet") as mock_get_fernet:
             mock_fernet = Mock()
             mock_fernet.encrypt.side_effect = Exception("Encryption failed")
             mock_get_fernet.return_value = mock_fernet
@@ -2863,6 +2625,7 @@ def test_is_encrypted_valid_base64_but_not_encrypted(self):
         # Create base64 data that's long enough but not encrypted
         # Standard
         import base64
+
         fake_data = b"a" * 40  # 40 bytes of 'a'
         base64_fake = base64.urlsafe_b64encode(fake_data).decode()
 
@@ -2883,7 +2646,7 @@ def test_is_encrypted_exception_handling(self):
         encryption = OAuthEncryption(SecretStr("test_key"))
 
         # Test with None (should handle gracefully)
-        with patch('base64.urlsafe_b64decode', side_effect=Exception("Base64 error")):
+        with patch("base64.urlsafe_b64decode", side_effect=Exception("Base64 error")):
             result = encryption.is_encrypted("any_string")
             assert result is False