claude-code - 💡(How to fix) Fix CRITICAL: claude.ai MCP connector OAuth completes but Bearer token never sent to server [2 comments, 2 participants]

Priority: CRITICAL / URGENT

Summary

claude.ai's MCP connector completes the full OAuth 2.1 authorization_code + PKCE flow successfully (Dynamic Client Registration → authorize → token exchange), but never sends the subsequent MCP request with the Bearer token. The server issues a valid access_token, but claude.ai reports "Authorization with the MCP server failed" without ever attempting an authenticated request.

This affects ALL self-hosted remote MCP servers using OAuth. The server-side implementation is correct — verified by simulating the full flow with curl through the same tunnel.

Environment

• Self-hosted MCP server behind Cloudflare named tunnel
• Transport: Streamable HTTP (POST for JSON-RPC, GET for SSE)
• Protocol version: 2025-03-26
• Server correctly implements: RFC 9728 (Protected Resource Metadata), RFC 8414 (Authorization Server Metadata), RFC 7591 (Dynamic Client Registration), PKCE (S256)

Reproduction

Every attempt follows this exact sequence (from server logs):

POST /gws → 200 (initialize succeeds)
GET /.well-known/oauth-protected-resource/gws → 404
GET /.well-known/oauth-protected-resource → 404  
GET /.well-known/oauth-authorization-server → 404
POST /register → 201 (client registered successfully)
GET /authorize → 302 (code issued, redirect to claude.ai callback)
POST /token → 200 (access_token issued, PKCE verified ✓)
... silence. No authenticated MCP request ever arrives.

Claude.ai then displays: "Authorization with the MCP server failed"

Proof the server works

Full OAuth + authenticated MCP call via curl through the same tunnel:

# Register → Authorize → Token (all succeed)
# Then:
curl -X POST https://mcp.prtrust.fund/gws \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list"}'
# Returns: 6 tools successfully

The server is reachable, OAuth is correct, authenticated MCP calls work. claude.ai just never sends step 8.

Variations tested (all fail identically)

PKCE verification proof (from server logs)

OAuth /token: grant_type=authorization_code code=a9693dc3… verifier=present
OAuth /token: PKCE: challenge=0Qdw7BNb6SUK… computed=0Qdw7BNb6SUK… match=true
OAuth: token issued for 0b5d725f1b047d1757c3b6bb3e299f2f (token=ab956009…)

PKCE passes. Token is valid. claude.ai has the token. It never uses it.

Support references

• ofid_5b4f176052475e66
• ofid_24385e3ebac39bf8
• ofid_00912162dce5872c
• ofid_3ddc9e36fada07fa
• ofid_42c4f5ce4ebf5530
• ofid_0124fba879402e77
• ofid_f8bab433728a98e9
• ofid_0c0e836314b4995f
• ofid_5211d10fd69c4ff0

Related issues

• modelcontextprotocol/modelcontextprotocol#2157
• Multiple reports on community forums of the same "Authorization failed" pattern
• Cloudflare community thread: "Authorization with the MCP server failed" (WAF ruled out)

Impact

Cannot use any self-hosted MCP server with claude.ai web interface. Claude Code CLI works perfectly with the same server (OAuth completes and Bearer token is correctly sent). This blocks all remote MCP integrations for users who need claude.ai web access.

Expected behavior

After receiving a valid access_token from POST /token, claude.ai should retry the original MCP request with Authorization: Bearer <token> header.

Actual behavior

claude.ai receives the access_token, discards it, and reports "Authorization with the MCP server failed" without attempting any authenticated request.