[BUG] OAuth authorization for HTTP MCP servers missing required scope parameter

Resolved 💬 5 comments Opened Nov 21, 2025 by raghulc Closed Feb 14, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When Claude Code initiates an OAuth 2.0 authorization flow for HTTP MCP servers, it fails to include the scope parameter in the authorization URL, even though the MCP server's _.well-known/oauth-protected-resource_ endpoint explicitly declares _scopes_supported_.

Response from well-known/oauth-protected-resource:

{
"resource": "https://mary-supersphenoid-michal.ngrok-free.dev/",
"authorization_servers": [
"https://pf.ngrok.dev/"
],
"scopes_supported": [
"agentREAD"
],
"bearer_methods_supported": [
"header"
]
}

Current Authorization URL (missing scope): https://pf.ngrok.dev/as/authorization.oauth2?response_type=code&client_id=dc-spxo8ed5qfqokkj0k8d2jxxdl&code_challenge=I0Dl8u2abviCIrkt9UUe9R9ZEni6L_4qaSaP_yieN0k&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A49962%2Fcallback&state=h_igddrux1NNvbYUb5ZIFipUUsQhsnIxNYTYzRNR98g&resource=https%3A%2F%2Fmary-supersphenoid-michal.ngrok-free.dev%2F

Note: No scope parameter is present.

What Should Happen?

According to OAuth 2.0 RFC 9470 (Resource Indicators) and the MCP specification, when a client discovers scopes from the resource's metadata endpoint, it should include the scope parameter in the authorization request.

Expected Authorization URL (with scope): https://pf.ngrok.dev/as/authorization.oauth2?response_type=code&client_id=dc-spxo8ed5qfqokkj0k8d2jxxdl&code_challenge=...&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A49962%2Fcallback&state=...&resource=https%3A%2F%2Fmary-supersphenoid-michal.ngrok-free.dev%2F&scope=agentREAD

The &scope=agentREAD parameter should be appended based on the scopes_supported from the well-known endpoint.

MCP Server Configuration

{
"agentPattern": {
"type": "http",
"url": "https://mary-supersphenoid-michal.ngrok-free.dev/mcp",
"env": {
"SCOPE": "agentREAD"
}
}
}

Error Messages/Logs

Steps to Reproduce

  1. Set up an HTTP MCP server with OAuth that returns the following from /.well-known/oauth-protected-resource:


{
"resource": "https://mary-supersphenoid-michal.ngrok-free.dev/",
"authorization_servers": ["https://pf.ngrok.dev/"],
"scopes_supported": ["agentREAD"],
"bearer_methods_supported": ["header"]
}

  1. Add the MCP server to Claude Code:

claude mcp add --transport http agentPattern https://mary-supersphenoid-michal.ngrok-free.dev/mcp

  1. Trigger OAuth authentication by either:
  • Starting Claude Code and allowing it to connect to the MCP server, OR
  • Running /mcp and manually triggering authentication
  1. Observe the OAuth authorization URL in your browser or authorization server logs
  2. Verify the bug: The URL will be missing the scope parameter entirely, even though scopes_supported was declared in the well-known endpoint

Claude Model

Not sure / Multiple models

Is this a regression?

No, this never worked

Last Working Version

_No response_

Claude Code Version

2.0.3

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

WSL (Windows Subsystem for Linux)

Additional Information

Additional Context

  • The env.SCOPE field in the MCP configuration is not used for HTTP servers (it's only applicable for stdio

servers)

  • This appears to be a gap in Claude Code's OAuth client implementation when interacting with HTTP MCP servers
  • The issue prevents proper authorization when the authorization server requires explicit scope declaration

Environment

  • Claude Code Version: 2.0.30 (based on .claude.json)
  • Platform: Linux (WSL2)
  • OS Version: Linux 6.6.87.2-microsoft-standard-WSL2
  • MCP Server Type: HTTP with OAuth

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗