diff --git a/api/controllers/console/workspace/tool_providers.py b/api/controllers/console/workspace/tool_providers.py
index 0a7fa35a5d..3e4ba0ff73 100644
--- a/api/controllers/console/workspace/tool_providers.py
+++ b/api/controllers/console/workspace/tool_providers.py
@@ -1012,7 +1012,7 @@ class ToolMCPAuthApi(Resource):
                 except MCPRefreshTokenError as e:
                     with session.begin():
                         service.clear_provider_credentials(provider=db_provider)
-                    raise ValueError(f"Failed to refresh token: {e}") from e
+                    raise ValueError(f"Failed to refresh token, please try to authorize again: {e}") from e
             except MCPError as e:
                 with session.begin():
                     service.clear_provider_credentials(provider=db_provider)
diff --git a/api/core/entities/mcp_provider.py b/api/core/entities/mcp_provider.py
index 4295aa91f1..a010da74f9 100644
--- a/api/core/entities/mcp_provider.py
+++ b/api/core/entities/mcp_provider.py
@@ -189,34 +189,16 @@ class MCPProviderEntity(BaseModel):
             return None
 
         # Check if we have nested client_information structure
-        if "client_information" in credentials:
-            # Handle nested structure (Authorization Code flow)
-            client_info_data = credentials["client_information"]
-            if isinstance(client_info_data, dict):
-                return OAuthClientInformation.model_validate(client_info_data)
+        if "client_information" not in credentials:
             return None
-
-        # Handle flat structure (Client Credentials flow)
-        if "client_id" not in credentials:
-            return None
-
-        # Build client information from flat structure
-        client_info = {
-            "client_id": credentials.get("client_id", ""),
-            "client_secret": credentials.get("client_secret", ""),
-            "client_name": credentials.get("client_name", CLIENT_NAME),
-        }
-
-        # Parse JSON fields if they exist
-        json_fields = ["redirect_uris", "grant_types", "response_types"]
-        for field in json_fields:
-            if field in credentials:
-                client_info[field] = json.loads(credentials[field])
-
-        if "scope" in credentials:
-            client_info["scope"] = credentials["scope"]
-
-        return OAuthClientInformation.model_validate(client_info)
+        client_info_data = credentials["client_information"]
+        if isinstance(client_info_data, dict):
+            if "encrypted_client_secret" in client_info_data:
+                client_info_data["client_secret"] = encrypter.decrypt_token(
+                    self.tenant_id, client_info_data["encrypted_client_secret"]
+                )
+            return OAuthClientInformation.model_validate(client_info_data)
+        return None
 
     def retrieve_tokens(self) -> OAuthTokens | None:
         """OAuth tokens if available"""
diff --git a/api/services/tools/mcp_tools_manage_service.py b/api/services/tools/mcp_tools_manage_service.py
index 57a2cd49f9..89a454fae3 100644
--- a/api/services/tools/mcp_tools_manage_service.py
+++ b/api/services/tools/mcp_tools_manage_service.py
@@ -305,7 +305,7 @@ class MCPToolManageService:
             if not authed:
                 provider.tools = EMPTY_TOOLS_JSON
 
-        self._session.flush()
+        self._session.commit()
 
     def save_oauth_data(self, provider_id: str, tenant_id: str, data: dict[str, Any], data_type: str = "mixed") -> None:
         """
@@ -360,7 +360,7 @@ class MCPToolManageService:
             return json.dumps({"content": icon, "background": icon_background})
         return icon
 
-    def _encrypt_dict_fields(self, data: dict[str, Any], secret_fields: list[str], tenant_id: str) -> str:
+    def _encrypt_dict_fields(self, data: dict[str, Any], secret_fields: list[str], tenant_id: str) -> dict[str, str]:
         """Encrypt specified fields in a dictionary.
 
         Args:
@@ -386,12 +386,12 @@ class MCPToolManageService:
         )
 
         encrypted_data = encrypter_instance.encrypt(data)
-        return json.dumps(encrypted_data)
+        return encrypted_data
 
     def _prepare_encrypted_dict(self, headers: dict[str, str], tenant_id: str) -> str:
         """Encrypt headers and prepare for storage."""
         # All headers are treated as secret
-        return self._encrypt_dict_fields(headers, list(headers.keys()), tenant_id)
+        return json.dumps(self._encrypt_dict_fields(headers, list(headers.keys()), tenant_id))
 
     def _prepare_auth_headers(self, provider_entity: MCPProviderEntity) -> dict[str, str]:
         """Prepare headers with OAuth token if available."""
@@ -530,11 +530,12 @@ class MCPToolManageService:
         # Create a flat structure with all credential data
         credentials_data = {
             "client_id": client_id,
-            "client_secret": client_secret,
+            "encrypted_client_secret": client_secret,
             "client_name": CLIENT_NAME,
             "is_dynamic_registration": False,
         }
 
         # Only client_id and client_secret need encryption
-        secret_fields = ["client_id", "client_secret"] if client_secret else ["client_id"]
-        return self._encrypt_dict_fields(credentials_data, secret_fields, tenant_id)
+        secret_fields = ["encrypted_client_secret"] if client_secret else []
+        client_info = self._encrypt_dict_fields(credentials_data, secret_fields, tenant_id)
+        return json.dumps({"client_information": client_info})