[BUG] Slack plugin fails to authenticate - "does not support dynamic client registration"

Open 💬 19 comments Opened Jan 13, 2026 by devangmotwani

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

## Description
Slack plugin fails to authenticate with OAuth error. Authentication flow starts but immediately fails.

## Environment

  • Claude Code version: 2.1.6
  • OS: macOS (Darwin 24.4.0)
  • Plugin: slack@claude-plugins-official (version f70b65538da0)

MCP server "plugin:slack:slack": No client info found
MCP server "plugin:slack:slack": SDK auth error: Error: Incompatible auth server: does not support dynamic client registration
MCP server "plugin:slack:slack": SSE Connection failed: Non-200 status code (404)

## Additional Context

  • Server URL: https://mcp.slack.com/sse
  • Multiple retry attempts all fail with same error
  • Other plugins (atlassian, code-review, pr-review-toolkit) work fine

What Should Happen?

It should authenticate and connect to slack using OAuth.

Error Messages/Logs

From `~/.claude/debug/latest`:

Steps to Reproduce

## Steps to Reproduce

  1. Install Slack plugin via /plugin
  2. Run /plugin to authenticate
  3. Auth fails immediately

Claude Model

None

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.6

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

_No response_

View original on GitHub ↗

19 Comments

abhimanyu891998 · 6 months ago

facing the same issue

ProdigyMaster · 6 months ago

Same here

maxsloef-goodfire · 6 months ago

Additional Data Point: Team Plan User

Same issue here.

Environment

  • Plan: Team, Premium seat
  • Claude Code version: Latest, native install
  • OS: local macOS (Darwin 24.6.0) and via ssh on to an ubuntu VM

Setup

  • Installed Slack plugin from the official Anthropic plugin marketplace in Claude Code via /plugin > Discover
  • Same Claude account used for both claude.ai web and Claude Code CLI
  • Slack connector is enabled on claude.ai web (Settings > Connectors) - works fine
  • Claude in Slack (the Slack app integration) also works fine
  • Other MCP connectors work fine in Claude Code

Steps to Reproduce

  1. Run /mcp - Slack connector shows:
  • Status: ❌ failed
  • Auth: ❌ not authenticated
  • URL: https://mcp.slack.com/sse
  • Config location: Dynamically configured
  1. Select "Authenticate" from the menu
  2. No browser window opens - fails after a few moments with: Incompatible auth server: does not support dynamic client registration

/mcp Output

Plugin:slack:slack MCP Server
Status: ❌ failed
Auth: ❌ not authenticated
URL: https://mcp.slack.com/sse
Config location: Dynamically configured

Error: Incompatible auth server: does not support dynamic client registration
gosuto-inzasheru · 6 months ago
dangkaka · 5 months ago

same issue here, any updates?

yaroslav-koval · 5 months ago

+1

blipee-dev · 5 months ago

Same issue here.

Environment:

  • Claude Code version: 2.1.37
  • OS: macOS 26.2 (Darwin 25.2.0)
  • Plugin: slack (from claude-plugins-official marketplace)

Error:

Error: Incompatible auth server: does not support dynamic client registration

Status shows failed with not authenticated in the /plugin UI. Other plugins (GitHub, Supabase, Greptile) work fine.

clgtm · 5 months ago

Looks like there is more to slack mcp with issuer mismatch, is that tripping the client -

Command:   authprobe scan --llm-max-tokens=1080 https://mcp.slack.com/sse
Scanning:  https://mcp.slack.com/sse
Scan time: Feb 10, 2026 18:24:25 UTC
Github:    https://github.com/authprobe/authprobe

Funnel
  [1] MCP probe (401 + WWW-Authenticate)      [-] SKIP
        auth not required

  [2] MCP initialize + tools/list             [X] FAIL
        initialize -> 404 (non-JSON response)

  [3] PRM fetch matrix                        [X] FAIL
        https://mcp.slack.com/.well-known/oauth-protected-resource -> 200
        https://mcp.slack.com/.well-known/oauth-protected-resource/sse -> 404

  [4] Auth server metadata                    [X] FAIL
        issuer: https://mcp.slack.com
        https://mcp.slack.com/.well-known/oauth-authorization-server -> 200
        https://mcp.slack.com/.well-known/openid-configuration -> 200
        https://mcp.slack.com/.well-known/openid-configuration -> 200

  [5] Token endpoint readiness (heuristics)   [-] SKIP
        no token_endpoint in metadata

  [6] Dynamic client registration (RFC 7591)  [-] SKIP
        no registration_endpoint in metadata

Primary Finding (HIGH): AUTH_SERVER_ISSUER_MISMATCH (confidence 1.00)
  Evidence:
      issuer mismatch: metadata issuer "https://slack.com", expected "https://mcp.slack.com"
      RFC 8414 requires the metadata issuer to exactly match the issuer used for discovery.

┌───────────────────────┤ CALL TRACE ├───────────────────────┐
Call Trace Using: https://github.com/authprobe/authprobe

  ┌────────────┐                                                    ┌────────────┐
  │ authprobe  │                                                    │ MCP Server │
  └─────┬──────┘                                                    └─────┬──────┘
        │                                                                 │                                                                                                                                                                                                                                           │ ╔═══ Step 1: MCP probe                    ═══════╪═══════════════════╗
        │  GET https://mcp.slack.com/sse
        │  Reason: 401 + WWW-Authenticate discovery
        │    Accept:  text/event-stream
        │    Host:    mcp.slack.com
        ├─────────────────────────────────────────────────────────────────►│
        │  404 Not Found
        │    Alt-Svc:                             h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, quic=":443"; ma=2592000
        │    Cache-Control:                       private, no-cache, no-store, must-revalidate
        │    Content-Type:                        text/html; charset=utf-8
        │    Date:                                Tue, 10 Feb 2026 18:24:22 GMT
        │    Expires:                             Sat, 26 Jul 1997 05:00:00 GMT
        │    Pragma:                              no-cache
        │    Referrer-Policy:                     no-referrer
        │    Server:                              Apache
        │    Set-Cookie:                          [redacted]
        │    Strict-Transport-Security:           max-age=31536000; includeSubDomains; preload
        │    Timing-Allow-Origin:                 *
        │    Vary:                                Accept-Encoding
        │    Via:                                 1.1 slack-prod.tinyspeck.com, envoy-www-iad-tyexpuhj,envoy-edge-pdx-hqfzdlap
        │    X-Backend:                           main_normal
        │    X-Edge-Backend:                      envoy-www
        │    X-Envoy-Attempt-Count:               1
        │    X-Envoy-Upstream-Service-Time:       144
        │    X-Robots-Tag:                        noindex,nofollow
        │    X-Server:                            slack-www-hhvm-main-iad-de60tlgpkzn6
        │    X-Slack-Backend:                     r
        │    X-Slack-Edge-Shared-Secret-Outcome:  no-match
        │    X-Slack-Shared-Secret-Outcome:       no-match
        │    X-Slack-Unique-Id:                   aYt31gMextanou2vLriBowAAEBw
        │    X-Xss-Protection:                    0
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │ ╔═══ Step 2: MCP initialize               ═══════╪═══════════════════╗                                                                                                                                                                                                                    [206/8569]
        │  POST https://mcp.slack.com/sse
        │  Reason: Step 2: MCP initialize + tools/list (pre-init tools/list)
        │    Accept:                application/json, text/event-stream
        │    Content-Type:          application/json
        │    Host:                  mcp.slack.com
        │    Mcp-Protocol-Version:  2025-11-25
        ├─────────────────────────────────────────────────────────────────►│
        │  404 Not Found
        │    Alt-Svc:                             h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, quic=":443"; ma=2592000
        │    Cache-Control:                       private, no-cache, no-store, must-revalidate
        │    Content-Type:                        text/html; charset=utf-8
        │    Date:                                Tue, 10 Feb 2026 18:24:22 GMT
        │    Expires:                             Sat, 26 Jul 1997 05:00:00 GMT
        │    Pragma:                              no-cache
        │    Referrer-Policy:                     no-referrer
        │    Server:                              Apache
        │    Set-Cookie:                          [redacted]
        │    Strict-Transport-Security:           max-age=31536000; includeSubDomains; preload
        │    Timing-Allow-Origin:                 *
        │    Vary:                                Accept-Encoding
        │    Via:                                 1.1 slack-prod.tinyspeck.com, envoy-www-iad-zabblrkp,envoy-edge-pdx-hqfzdlap
        │    X-Backend:                           main_normal
        │    X-Edge-Backend:                      envoy-www
        │    X-Envoy-Attempt-Count:               1
        │    X-Envoy-Upstream-Service-Time:       138
        │    X-Robots-Tag:                        noindex,nofollow
        │    X-Server:                            slack-www-hhvm-main-iad-y7bv4gqxfmlr
        │    X-Slack-Backend:                     r
        │    X-Slack-Edge-Shared-Secret-Outcome:  no-match
        │    X-Slack-Shared-Secret-Outcome:       no-match
        │    X-Slack-Unique-Id:                   aYt31hwVLs0gXwsPaTeRTAAAAAQ
        │    X-Xss-Protection:                    0
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │  POST https://mcp.slack.com/sse
        │  Reason: Step 2: MCP initialize + tools/list (initialize)
        │    Accept:                application/json, text/event-stream
        │    Content-Type:          application/json
        │    Host:                  mcp.slack.com
        │    Mcp-Protocol-Version:  2025-11-25
        ├─────────────────────────────────────────────────────────────────►│
        │  404 Not Found
        │    Alt-Svc:                             h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, quic=":443"; ma=2592000
        │    Cache-Control:                       private, no-cache, no-store, must-revalidate
        │    Content-Type:                        text/html; charset=utf-8
        │    Date:                                Tue, 10 Feb 2026 18:24:22 GMT
        │    Expires:                             Sat, 26 Jul 1997 05:00:00 GMT
        │    Pragma:                              no-cache
        │    Referrer-Policy:                     no-referrer
        │    Server:                              Apache
        │    Set-Cookie:                          [redacted]
        │    Strict-Transport-Security:           max-age=31536000; includeSubDomains; preload
        │    Timing-Allow-Origin:                 *
        │    Vary:                                Accept-Encoding
        │    Via:                                 1.1 slack-prod.tinyspeck.com, envoy-www-iad-xhexapqm,envoy-edge-pdx-hqfzdlap
        │    X-Backend:                           main_normal
        │    X-Edge-Backend:                      envoy-www
        │    X-Envoy-Attempt-Count:               1
        │    X-Envoy-Upstream-Service-Time:       137
        │    X-Robots-Tag:                        noindex,nofollow
        │    X-Server:                            slack-www-hhvm-main-iad-o2suvwdfrsm1
        │    X-Slack-Backend:                     r
        │    X-Slack-Edge-Shared-Secret-Outcome:  no-match
        │    X-Slack-Shared-Secret-Outcome:       no-match
        │    X-Slack-Unique-Id:                   aYt31uM3Qcv-m54cDLkDEQAAEBY
        │    X-Xss-Protection:                    0
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │ ╔═══ Step 3: PRM Discovery                ═══════╪═══════════════════╗
        │  GET https://mcp.slack.com/.well-known/oauth-protected-resource
        │  Reason: Step 3: PRM fetch matrix
        │    Accept:  application/json
        │    Host:    mcp.slack.com
       ├─────────────────────────────────────────────────────────────────►│
        │  200 OK
        │    Access-Control-Allow-Origin:         *
        │    Alt-Svc:                             h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, quic=":443"; ma=2592000
        │    Content-Type:                        application/json
        │    Date:                                Tue, 10 Feb 2026 18:24:23 GMT
        │    Referrer-Policy:                     no-referrer
        │    Server:                              Apache
        │    Strict-Transport-Security:           max-age=31536000; includeSubDomains; preload
        │    Timing-Allow-Origin:                 *
        │    Vary:                                Accept-Encoding
        │    Via:                                 1.1 slack-prod.tinyspeck.com, envoy-www-iad-hgekmnvz,envoy-edge-pdx-bqbjvmqr
        │    X-Backend:                           main_normal
        │    X-Edge-Backend:                      envoy-www
        │    X-Envoy-Attempt-Count:               1
        │    X-Envoy-Upstream-Service-Time:       62
        │    X-Frame-Options:                     SAMEORIGIN
        │    X-Server:                            slack-www-hhvm-main-iad-g67qg1lbj2vq
        │    X-Slack-Backend:                     r
        │    X-Slack-Edge-Shared-Secret-Outcome:  no-match
        │    X-Slack-Shared-Secret-Outcome:       no-match
        │    X-Slack-Unique-Id:                   aYt311r8rZ1ubs9RxFAhQAAAAAg
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │  GET https://mcp.slack.com/.well-known/oauth-protected-resource/sse
        │  Reason: Step 3: PRM fetch matrix
        │    Accept:  application/json
        │    Host:    mcp.slack.com
        ├─────────────────────────────────────────────────────────────────►│
        │  404 Not Found
        │    Alt-Svc:                             h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, quic=":443"; ma=2592000
        │    Cache-Control:                       private, no-cache, no-store, must-revalidate
        │    Content-Type:                        text/html; charset=utf-8
        │    Date:                                Tue, 10 Feb 2026 18:24:23 GMT
        │    Expires:                             Sat, 26 Jul 1997 05:00:00 GMT
        │    Pragma:                              no-cache
        │    Referrer-Policy:                     no-referrer
        │    Server:                              Apache
        │    Set-Cookie:                          [redacted]
        │    Strict-Transport-Security:           max-age=31536000; includeSubDomains; preload
        │    Timing-Allow-Origin:                 *
        │    Vary:                                Accept-Encoding
        │    Via:                                 1.1 slack-prod.tinyspeck.com, envoy-www-iad-blaoitqk,envoy-edge-pdx-hqfzdlap
        │    X-Backend:                           main_normal
        │    X-Edge-Backend:                      envoy-www
        │    X-Envoy-Attempt-Count:               1
        │    X-Envoy-Upstream-Service-Time:       139
        │    X-Robots-Tag:                        noindex,nofollow
        │    X-Server:                            slack-www-hhvm-main-iad-uu4mvwz5119a
        │    X-Slack-Backend:                     r
        │    X-Slack-Edge-Shared-Secret-Outcome:  no-match
        │    X-Slack-Shared-Secret-Outcome:       no-match
        │    X-Slack-Unique-Id:                   aYt311VI_WyJOEMuHHIoAwAAECM
        │    X-Xss-Protection:                    0
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │ ╔═══ Step 4: Auth Server Metadata         ═══════╪═══════════════════╗
        │  GET https://mcp.slack.com/.well-known/oauth-authorization-server
        │  Reason: Step 4: Auth server metadata
        │    Accept:  application/json
        │    Host:    mcp.slack.com
        ├─────────────────────────────────────────────────────────────────►│
        │  200 OK
        │    Access-Control-Allow-Origin:         *
        │    Alt-Svc:                             h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, quic=":443"; ma=2592000
        │    Content-Type:                        application/json
        │    Date:                                Tue, 10 Feb 2026 18:24:24 GMT
        │    Referrer-Policy:                     no-referrer
        │    Server:                              Apache
        │    Strict-Transport-Security:           max-age=31536000; includeSubDomains; preload
        │    Timing-Allow-Origin:                 *
        │    Vary:                                Accept-Encoding
        │    Via:                                 1.1 slack-prod.tinyspeck.com, envoy-www-iad-jqoehugu,envoy-edge-pdx-bqbjvmqr
        │    X-Backend:                           main_canary_with_overflow
        │    X-Edge-Backend:                      envoy-www
        │    X-Envoy-Attempt-Count:               1
        │    X-Envoy-Upstream-Service-Time:       62
        │    X-Frame-Options:                     SAMEORIGIN
        │    X-Server:                            slack-www-hhvm-canary-main-iad-94g89yv2n7lb
        │    X-Slack-Backend:                     r
        │    X-Slack-Edge-Shared-Secret-Outcome:  no-match
        │    X-Slack-Shared-Secret-Outcome:       no-match
        │    X-Slack-Unique-Id:                   aYt32Asex2YPWUNlRJ7-eQAAAAg
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │  GET https://mcp.slack.com/.well-known/openid-configuration
        │  Reason: Step 4: Auth server metadata
        │    Accept:  application/json
        │    Host:    mcp.slack.com
        ├─────────────────────────────────────────────────────────────────►│
        │  200 OK
        │    Alt-Svc:                             h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, quic=":443"; ma=2592000
        │    Content-Type:                        application/json; charset=utf-8
        │    Date:                                Tue, 10 Feb 2026 18:24:24 GMT
        │    Referrer-Policy:                     no-referrer
        │    Server:                              Apache
        │    Strict-Transport-Security:           max-age=31536000; includeSubDomains; preload
        │    Timing-Allow-Origin:                 *
        │    Vary:                                Accept-Encoding
        │    Via:                                 1.1 slack-prod.tinyspeck.com, envoy-www-iad-kqyezkwp,envoy-edge-pdx-hqfzdlap
        │    X-Backend:                           main_normal
        │    X-Edge-Backend:                      envoy-www
        │    X-Envoy-Attempt-Count:               1
        │    X-Envoy-Upstream-Service-Time:       146
        │    X-Frame-Options:                     SAMEORIGIN
        │    X-Server:                            slack-www-hhvm-main-iad-ctgv1zkltox1
        │    X-Slack-Backend:                     r
        │    X-Slack-Edge-Shared-Secret-Outcome:  no-match
        │    X-Slack-Shared-Secret-Outcome:       no-match
        │    X-Slack-Unique-Id:                   aYt32AKDrNlVqgKeOOtSUQAAEBs
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │  GET https://mcp.slack.com/.well-known/openid-configuration
        │  Reason: Step 4: Auth server metadata
        │    Accept:  application/json
        │    Host:    mcp.slack.com
        ├─────────────────────────────────────────────────────────────────►│
        │  200 OK
        │    Alt-Svc:                             h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, quic=":443"; ma=2592000
        │    Content-Type:                        application/json; charset=utf-8
        │    Date:                                Tue, 10 Feb 2026 18:24:24 GMT
        │    Referrer-Policy:                     no-referrer
        │    Server:                              Apache
        │    Strict-Transport-Security:           max-age=31536000; includeSubDomains; preload
        │    Timing-Allow-Origin:                 *
        │    Vary:                                Accept-Encoding
        │    Via:                                 1.1 slack-prod.tinyspeck.com, envoy-www-iad-etuxemjv,envoy-edge-pdx-hqfzdlap
        │    X-Backend:                           main_normal
        │    X-Edge-Backend:                      envoy-www
        │    X-Envoy-Attempt-Count:               1
        │    X-Envoy-Upstream-Service-Time:       144
        │    X-Frame-Options:                     SAMEORIGIN
        │    X-Server:                            slack-www-hhvm-main-iad-wteskjnt7wf0
        │    X-Slack-Backend:                     r
        │    X-Slack-Edge-Shared-Secret-Outcome:  no-match
        │    X-Slack-Shared-Secret-Outcome:       no-match
        │    X-Slack-Unique-Id:                   aYt32OwNWJ2Pe2NXSSs2xgAAEAo
        │◄─────────────────────────────────────────────────────────────────┤
        ▼                                                                  ▼

┌────────────────────┤ LLM EXPLANATION ├─────────────────────┐

Primary Finding Explanation: AUTH_SERVER_ISSUER_MISMATCH (high confidence, 1.00)

Summary:
The MCP OAuth server metadata returned from the discovery endpoint at https://mcp.slack.com/.well-known/oauth-authorization-server reports an issuer "https://slack.com" which mismatches the expected issuer "https://mcp.slack.com" used to perform the discovery.

---

Spec-grounded Analysis

Relevant Specifications:
  • RFC 8414 (OAuth 2.0 Authorization Server Metadata)
  • MCP 2025-11-25 (MCP OAuth specification)
  • RFC 9728 (Protected Resource Metadata)
  • JSON-RPC 2.0 (general interaction protocol)
Why this mismatch is a valid and justified failure:
  1. Issuer Identifier MUST EXACTLY MATCH in Metadata (RFC 8414, Section 3):

> "authorization server metadata MUST include an issuer property that is the issuer identifier of the authorization server as defined in [OpenID.issuer]. The issuer value in the metadata document MUST match the issuer value used for discovery."

Here, the discovery URI was anchored in the issuer https://mcp.slack.com namespace, but the JSON metadata claims "issuer": "https://slack.com". According to RFC 8414, this lack of exact string match constitutes a discovery failure.

  1. Issuer Consistency Required for Trust (RFC 9728, Section 3):

MCP leverages issuer consistency to bind metadata, token issuance, and protected resource validation. A mismatch risks security and operational failure.

  1. MCP 2025-11-25 Requirements for OAuth Provider Metadata:

MCP explicitly mandates strict matching between authorization server metadata issuer and discovery URLs to avoid ambiguity or cross-issuer issues. The MCP tooling depends on this for critical flows such as token issuance and client registration.

  1. Security and Interoperability Implications:
  • The mismatched issuer may result in clients accepting tokens or metadata from a different domain, breaking trust boundaries and facilitating attacks (token substitution, replay, or phishing).
  • OAuth clients and MCP tooling will reject authorization servers whose issuer does not match the discovery URI; this is by design and necessary for secure interoperability.

---

Correct Server Behavior

  • The OAuth authorization server metadata at https://mcp.slack.com/.well-known/oauth-authorization-server must contain an issuer field exactly equal to the discovery issuer URI:

``
{
...
"issuer": "https://mcp.slack.com",
...
}
``

  • The metadata should conform to RFC 8414 with all required fields present and consistent.
  • The server must not redirect or provide metadata pointing to a different issuer domain (e.g., "https://slack.com").
  • Compliance tools will validate the issuer field against the initial discovery URL and fail if there is any discrepancy.

This binding guarantees that the authorization server, protected resource, and client share a consistent trust domain as mandated by MCP and OAuth 2.0 standards.

---

Secondary Notes

  • Other findings such as MCP initialization failure (non-JSON 404 on initialize) and PRM resource mismatch compound interoperability issues but are not as impactful as the fundamental issuer identity failure.
  • Per JSON-RPC 2.0, MCP devices must respond to initialize requests with valid JSON-RPC responses. Returning a 404 non-JSON constitutes a protocol compliance failure.
  • RFC 9728 requires exact resource URL matching for protected resource metadata, relevant to secured resource identification but secondary to the issuer mismatch.
  • RFC 7591 (dynamic client registration) and token endpoint readiness were skipped due to absent metadata fields, which may be a result of this issuer metadata inconsistency.

---

Conclusion

The AUTH_SERVER_ISSUER_MISMATCH failure is valid, justified, and critical under RFC 8414 and MCP 2025-11-25 requirements. The metadata issuer must be corrected to exactly match the MCP OAuth discovery URI https://mcp.slack.com. Without this fix, compliance, interoperability, and security guarant
ees are compromised.

---

If you need further assistance on resolving remaining findings or guidance on MCP tooling corrections, please ask.

Eventlessdrop · 4 months ago

+1 — This is blocking real workflow automation for us.

Why the bot token workaround (@modelcontextprotocol/server-slack) doesn't work:

  • Bot tokens require the bot to be invited to every channel. In an enterprise workspace with dozens of relevant channels, this is impractical and requires admin coordination for private channels.
  • The archived @modelcontextprotocol/server-slack package only supports bot-scoped tokens, not user tokens — so you can't act as yourself.
  • Many teams (ours included) need to read across channels, search history, and post as the authenticated user — all things the claude.ai web plugin handles perfectly but Claude Code cannot.

What we need: The same Slack access that works in claude.ai web (via the plugin connector) should work in Claude Code. The plugin bridge works fine for Gmail and Google Calendar — Slack is the outlier because of the issuer mismatch (https://slack.com vs https://mcp.slack.com) documented in the excellent authprobe analysis above.

Environment: Claude Code CLI, macOS, Team plan.

clgtm · 4 months ago
+1 — This is blocking real workflow automation for us. Why the bot token workaround (@modelcontextprotocol/server-slack) doesn't work: Bot tokens require the bot to be invited to every channel. In an enterprise workspace with dozens of relevant channels, this is impractical and requires admin coordination for private channels. The archived @modelcontextprotocol/server-slack package only supports bot-scoped tokens, not user tokens — so you can't act as yourself. * Many teams (ours included) need to read across channels, search history, and post as the authenticated user — all things the claude.ai web plugin handles perfectly but Claude Code cannot. What we need: The same Slack access that works in claude.ai web (via the plugin connector) should work in Claude Code. The plugin bridge works fine for Gmail and Google Calendar — Slack is the outlier because of the issuer mismatch (https://slack.com vs https://mcp.slack.com) documented in the excellent authprobe analysis above. Environment: Claude Code CLI, macOS, Team plan.

@Eventlessdrop If you found authprobe useful, toss us a ⭐

roblopez-qz · 4 months ago

Updating the mcp.json to have certain Oauth variables was a viable work around for me.

    "slack": {
      "type": "http",
      "url": "https://mcp.slack.com/mcp",
      "oauth": {
        "clientId": "1601185624273.8899143856786",
        "callbackPort": 3118
      }
    }
tan-hipages · 3 months ago

@roblopez-qz it's work <3

rajivpant · 3 months ago

Slack MCP works despite the DCR error in VS Code's MCP panel (v2.1.81)

For anyone seeing "does not support dynamic client registration" in the VS Code MCP servers panel — the Slack tools actually work fine. The error is a misleading UI status.

The actual tool execution goes through Anthropic's MCP proxy (authenticated via your claudeAiOauth session), which handles Slack OAuth server-side. The VS Code MCP panel is attempting a direct OAuth check that fails at DCR, but this doesn't affect functionality.

If you're blocked, try actually using a Slack tool — it should work even though the panel says "Needs Auth."

Environment: Claude Code v2.1.81, macOS Sequoia

pandr · 3 months ago

Let me just leave this here for anyone ending up here like me. This is what was the cause (and fix) for me and a few others who had the same problem.

Symptom

MCP server "plugin:slack:slack": No client info found
MCP server "plugin:slack:slack": SDK auth error: Error: Incompatible auth server: does not support dynamic client registration

Or: Slack MCP was working, but disappeared silently after a restart with no error.

Root Cause

Stale plugin cache. The claude-plugins-official marketplace updated the Slack plugin to
point at https://github.com/slackapi/slack-mcp-plugin.git, which uses the new
https://mcp.slack.com/mcp endpoint with a pre-configured client ID. Older installs still
use the old https://mcp.slack.com/sse endpoint with no client ID, causing Claude Code to
attempt dynamic client registration — which Slack's server rejects.

The "disappeared after restart" variant has the same cause: the plugin cache got into an
orphaned state and wasn't reinstalled cleanly.

Fix

Run these commands:

# 1. Update the marketplace to get the new Slack plugin source
git -C ~/.claude/plugins/marketplaces/claude-plugins-official pull origin main

# 2. Delete the stale plugin cache
rm -rf ~/.claude/plugins/cache/claude-plugins-official/slack/

Then verify that ~/.claude/settings.json contains this (add it if missing):

"enabledPlugins": {
  "slack@claude-plugins-official": true
}

Then restart Claude Code. It will clone the Slack plugin fresh from GitHub with the correct
endpoint and pre-configured client ID.

ericrobinson-indeed · 2 months ago

I get this error when I try to authenticate: no_bot_scopes_requested whether i use the official plugin or the workaround from @roblopez-qz

Anyone have any ideas what is going wrong? I'm using CC 2.1.142

<img width="663" height="535" alt="Image" src="https://github.com/user-attachments/assets/155d49c7-1874-46ac-8f18-aad574369cfb" />

m13v · 2 months ago

this is the DCR gap, every MCP client against an enterprise SaaS will hit it. RFC 7591 dynamic client registration is supported by almost no production OAuth provider. slack, google workspace, hubspot, microsoft graph, salesforce, all require a pre-registered app with a fixed client_id/secret from their developer portal or app directory. the SDK assumes DCR works, which is fine against self-hosted IdPs and a handful of newer SaaS, but it breaks against the providers you actually want at work. fix means the plugin ships a registered slack app with stored credentials, not asking the auth server to mint them at runtime.

justinbains-collab · 2 months ago

Running into the same issue, none of the fixes in this thread worked

coarsehorse · 1 month ago

I managed to make it work with claude cli. Add this to you mcp servers list(~/.claude.json):

"slack-mcp": {
      "type": "http",
      "url": "https://mcp.slack.com/mcp",
      "oauth": {
        "clientId": "1601185624273.8899143856786",
        "callbackPort": 3118
      }
    }

clientId / callbackPort - are the same for all users. Since it is related to the Claude app itself and not just your creds.

Then fully exit claude cli, open again, ask it to use slack-mcp - this time it won't fail and post a link into the terminal. Click the link, authorize, here you go.

Note: I have the Enterprise subscription type, maybe it affects the ability to access Claude app in Slack.

victor-makovsky-covergo · 20 days ago

For me it worked to remove Slack MCP section from ~/.claude/.credentials.json