
Missing Token Refresh Mechanism for MCP Server Integrations

Open fokkedekker opened this issue 5 months ago • 7 comments

Bug Description

This isn't technically a bug but rather a missing feature. Currently there is no way for Claude Code to refresh tokens for MCP servers. This means that we either have to have a very long lived token or manually refresh it.

Our platform deeply integrates with Claude Code and our MCP is effectively a state machine that has Claude call various MCP calls to build and deploy applications. This building process can take 30-60 minutes.

The MCP spec does seem to call for a refresh token ability, but I don't think Claude Code implements it. Happy to provide more feedback; if you want, you can reach me at [email protected]

Environment Info

  • Platform: darwin
  • Terminal: WarpTerminal
  • Version: 1.0.77
  • Feedback ID: 03061b16-5aa1-46a6-9c91-4125d664ee73

Errors

[]

fokkedekker avatar Aug 13 '25 20:08 fokkedekker

I am seeing this same issue. I can get Claude Code to authenticate our MCP server via OAuth (using WorkOS as the provider), but when the token expires, it does not refresh the token. We send a 401 with the /.well-known/oath-protected-resource header. Claude Code calls that endpoint but never goes to the /.well-known/oauth-authorization-server to get the authentication endpoint.

harrymower avatar Sep 10 '25 18:09 harrymower

Can someone actually comment if this is even working on WebUI? I currently have no way to know if we can refresh, like we never see any attempts and it's super frustrating. The idea may be to just allow for a long-lived JWT, but without the refresh mechanism it's kind of pointless.

plappag avatar Oct 06 '25 04:10 plappag

Also btw to acknowledge OP: You can just use an API key if you need to use it without any OAuth system.

plappag avatar Oct 06 '25 04:10 plappag

This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.

github-actions[bot] avatar Dec 08 '25 10:12 github-actions[bot]

I have built an MCP server using fastmcp and I am having this problem too.

agusdmb avatar Dec 09 '25 11:12 agusdmb

Set JWT to 30 days.. don't do refresh

plappag avatar Dec 09 '25 12:12 plappag

I'm seeing the same issue. @plappag - I don't have the option to tweak the JWT.

Facing the same issue, our custom MCP is protected by Microsoft OAuth, which issues access tokens that expire in 60-90 minutes. Manual re-auth is super tedious. Refresh tokens are issued but not consumed by Claude Code

mauricekleine avatar Dec 17 '25 08:12 mauricekleine

Set JWT to 30 days.. don't do refresh

Well, it's an option.

I notice Linear's MCP server chose that workaround too: their access tokens expire in 7 days by default.

But I don't think it's the right solution, and neither do the MCP protocol authors, who say:

Authorization servers SHOULD issue short-lived access tokens to reduce the impact of leaked tokens.

The same page says MCP's authorization is based on OAuth 2.1, which says:

Authorization servers SHOULD issue short-lived bearer tokens, particularly when issuing tokens to clients that run within a web browser or other environments where information leakage may occur. Using short-lived bearer tokens can reduce the impact of them being leaked.

Somehow, Claude Code gives me an uninterrupted experience with the Linear MCP: I haven't had to reauthenticate or reauthorize in months. I don't think it can be dynamically registering a new client every time.

So I feel Claude Code must already implement refresh, but it's not working at shorter lifetimes?

Implementing or fixing refresh would make for a much smoother MCP experience.

pjcdawkins avatar Dec 17 '25 12:12 pjcdawkins
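The refresh behaviour this thread asks for, sketched as an added example; it is not from any commenter and is not Claude Code's implementation. It shows a client using the OAuth `refresh_token` grant proactively before expiry and once more on a 401. `FakeAuthServer`, `TokenManager`, the client id, the 5-minute token lifetime and the token strings are all hypothetical, constructed so the simulation runs offline; the fake server is assumed to rotate refresh tokens.

```python
from urllib.parse import parse_qsl, urlencode

class ReauthRequired(Exception):
    """Refresh token rejected: the user must authorize again."""

class FakeAuthServer:
    """Constructed in-memory stand-in for the token endpoint and the MCP server."""
    def __init__(self, ttl):
        self.ttl, self.issued, self.live_refresh, self.access = ttl, 0, "rt-0", {}

    def token(self, form, now):
        p = dict(parse_qsl(form))
        if p.get("grant_type") != "refresh_token" or p.get("refresh_token") != self.live_refresh:
            return 400, {"error": "invalid_grant"}
        self.issued += 1
        self.live_refresh = f"rt-{self.issued}"  # rotation: the old refresh token dies
        self.access[f"at-{self.issued}"] = now + self.ttl
        return 200, {"access_token": f"at-{self.issued}", "token_type": "Bearer",
                     "expires_in": self.ttl, "refresh_token": self.live_refresh}

    def mcp_call(self, bearer, now):
        return 200 if self.access.get(bearer, 0) > now else 401

class TokenManager:
    def __init__(self, server, refresh_token, client_id="example-client", skew=30):
        self.server, self.refresh_token = server, refresh_token
        self.client_id, self.skew = client_id, skew
        self.access_token, self.expires_at = None, 0

    def refresh(self, now):
        form = urlencode({"grant_type": "refresh_token",
                          "refresh_token": self.refresh_token, "client_id": self.client_id})
        status, body = self.server.token(form, now)
        if status != 200:
            raise ReauthRequired(body.get("error"))
        self.access_token = body["access_token"]
        self.expires_at = now + body["expires_in"]
        self.refresh_token = body.get("refresh_token", self.refresh_token)

    def call(self, now):
        if now >= self.expires_at - self.skew:   # proactive: refresh before expiry
            self.refresh(now)
        status = self.server.mcp_call(self.access_token, now)
        if status == 401:                        # reactive: refresh once, retry once
            self.refresh(now)
            status = self.server.mcp_call(self.access_token, now)
        return status

def simulate_build(minutes=60, ttl=300):
    """One MCP call per minute for a 60-minute build against 5-minute tokens."""
    server = FakeAuthServer(ttl)
    manager = TokenManager(server, "rt-0")
    return [manager.call(m * 60) for m in range(minutes)], server.issued
```

With these constructed values, every call in the hour-long run succeeds without user interaction, and a stale refresh token raises `ReauthRequired` instead of looping.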