[BUG] OAuth for plugins and MCP servers goes past scope

Resolved 💬 6 comments Opened Feb 13, 2026 by stephenbryant-opentrace Closed Mar 25, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When a plugin or an MCP server is configured with project or local scope, any OAuth credentials set there are forcibly used outside of that scope, causing credential leakage.

This becomes apparent when using the same a plugin or MCP server in various projects for different entities - such as different logins for different repositories, ticket systems etc, according to who each project is for.

The user must _explicitly_ and manually re-authenticate, otherwise one entity's credentials may accidentally be used with another entity's data. From a data security standpoint, this is an absolute no-go.

It would be reasonable to expect authentication scope to be equal to configuration scope. Currently, credentials from one scope are forcibly (and perhaps unexpectedly) passed to another scope. This may therefore be not just a bug but also a security hole.

This is the opposite use case of #18890, which wants shared credentials. For security, credential sharing must be explicit, never implicit. It is not enough to assume that a user will only ever use one set of credentials for one remote endpoint.

What Should Happen?

OAuth credentials must be restricted to the configuration scope (for project and local), as is already the case with bearer tokens.

Credentials from the user scope are available everywhere, _except_ where the same plugin or MCP server is configured using project and local scope. The project/local credentials would be used in that case, overriding the user configuration.

Note: this issue does _not_ include creating a solution for explicitly sharing OAuth credentials between individual projects.

Error Messages/Logs

Steps to Reproduce

  1. Create empty project directories client1 and client2
  2. In client1, add an MCP server that requires OAuth, using claude mcp add --scope project ...
  3. In client2, add an MCP server that requires OAuth, using claude mcp add --scope project ...
  4. In client1 run claude and authenticate the MCP server with a user from that first client
  5. In client2 run claude and try using the MCP server - it _should_ require authentication, but uses the credentials from client1

Claude Model

Sonnet (default)

Is this a regression?

No, this never worked

Last Working Version

_No response_

Claude Code Version

2.1.42

Platform

Anthropic API

Operating System

Other Linux

Terminal/Shell

Other

Additional Information

_No response_

View original on GitHub ↗

This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗