[BUG] Claude Code Not Respecting `www-authenticate` header metadata
Resolved 💬 3 comments Opened Dec 18, 2025 by qstearns Closed Feb 14, 2026
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Since 2.0.70, authenticating with an OAuth-secured MCP Server fails when oauth metadata is not stored relative to the host name of the MCP server. Claude code fails to respect the www-authenticate server.
What Should Happen?
Claude should redirect to the protected resource and authorization server metadata indicated by the www-authenticate header.
Error Messages/Logs
Steps to Reproduce
You can add the mcp with:
claude mcp add --scope project --transport http "polar" \
"https://mcp.polar.sh/mcp/polar-mcp"
When executing claude >= 2.0.71, attempting to login to the mcp gives:
│ Error: HTTP 404: Invalid OAuth error response: SyntaxError: Unexpected token '<', │
│ "<html> │
│ <h"... is not valid JSON. Raw body: <html> │
│ <head><title>404 Not Found</title></head> │
│ <body> │
│ <center><h1>404 Not Found</h1></center> │
│ <hr><center>nginx</center> │
│ </body> │
│ </html>
Executing claude pinned to 2.0.70 gives a successful result:
npx claude-code@2.0.70
Claude Model
None
Is this a regression?
Yes, this worked in a previous version
Last Working Version
2.0.70
Claude Code Version
2.0.72
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Other
Additional Information
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗