[BUG] HTTP MCP servers requiring OAuth silently fail with no user notification
Environment
- Claude CLI version: 2.1.47
- Operating System: macOS 15 (Darwin 25.2.0)
- Terminal: iTerm2
Bug Description
When an HTTP MCP server requiring OAuth is configured but the user hasn't completed authentication, Claude Code silently fails — no tools appear from that server and no notification or error is shown. The user must independently discover they need to navigate to /mcp > Authenticate to complete the OAuth flow.
The server is live and responsive. An initialize handshake succeeds (unauthenticated), and the server advertises tool capabilities, but tools/list returns Unauthorized. Claude Code swallows this and presents no indication that anything is wrong.
Steps to Reproduce
- Add an HTTP MCP server that requires OAuth (e.g., Granola):
``json``
{
"mcpServers": {
"granola": {
"type": "http",
"url": "https://mcp.granola.ai/mcp"
}
}
}
- Start a new Claude Code session
- Observe: no tools from the server appear, no error or notification is shown
- Manually navigate to
/mcp> Authenticate to discover the server needs auth - After authenticating, tools appear and work correctly
Expected Behavior
When an HTTP MCP server's tools/list returns Unauthorized after a successful initialize, Claude Code should notify the user that authentication is required — either by:
- Displaying a startup notification (e.g., "MCP server 'granola' requires authentication. Use /mcp to connect.")
- Auto-triggering the OAuth flow (with user consent)
- Showing the server in a degraded/unauthenticated state in the
/mcpstatus view
Actual Behavior
Complete silence. No tools, no errors, no indication the server exists or needs attention. The user has to know to check /mcp independently.
Additional Context
- The server's OAuth metadata endpoint (
.well-known/oauth-authorization-server) is properly configured and discoverable - The
initializecall succeeds without auth, confirming the server is reachable - Once authenticated via
/mcp, everything works perfectly - This may be related to #14220, where auto-triggering OAuth on startup was considered unwanted — but the current behavior swings too far in the other direction. A non-intrusive notification would thread the needle between "surprise browser popup" and "complete silence."
Related Issues
- #14220 — Auto browser launch on startup (opposite complaint: too aggressive)
- #23512 / #6057 — Feature request for
claude mcp auth <name>CLI command - #12051 — Batch authenticate all MCP servers
This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗