[BUG] Slack MCP plugin: 1-hour token expiry with no refresh token forces frequent re-authentication
Bug Description
The Slack MCP plugin (mcp.slack.com) issues OAuth access tokens with a 1-hour (3600s) expiry and no refresh token, forcing users to re-authenticate via browser every time the token expires. For active users, this means multiple re-authentications per day.
Steps to Reproduce
- Install the Slack MCP plugin from the Claude Code marketplace
- Authenticate via OAuth in browser
- Use Slack MCP tools normally
- Wait ~1 hour or start a new session after 1 hour
- Slack MCP tools will fail and prompt for re-authentication
Expected Behavior
- Token should either have a longer expiry (12h+), or
- A refresh token should be issued so Claude Code can silently refresh the access token
Actual Behavior
- Access token expires in 3600 seconds (1 hour)
- No refresh token is provided
- User must re-authenticate via browser each time
Debug Log Evidence
From ~/.claude/debug/ logs:
MCP server "slack": Token expires in: undefined
MCP server "slack": Has refresh token: false
MCP server "slack": Expires in: 3599s
Token exchange response only includes access_token and expires_in, no refresh_token:
MCP server "slack": Saving tokens
MCP server "slack": Token expires in: undefined
MCP server "slack": Has refresh token: false
MCP server "slack": Auth result: AUTHORIZED
MCP server "slack": Token access_token length: 78
MCP server "slack": Token expires_in: 3599.999
In ~/.claude/.credentials.json, the mcpOAuth entry for Slack contains only accessToken and expiresAt — no refreshToken field (unlike claudeAiOauth which does have one).
Frequency
Over a 5-day period (Feb 23–27), re-authentication was required 18 times — averaging 3–4 times per day.
Environment
- Claude Code CLI (v2.1.50)
- Platform: Linux (Ubuntu)
- Slack MCP plugin (official marketplace,
https://mcp.slack.com/mcp) - Slack MCP server version: 1.0.0
Analysis
This appears to be an issue with the Slack MCP server's OAuth implementation — it does not return a refresh_token in the token exchange response. Slack's own token rotation docs describe a refresh token mechanism, but the MCP server does not seem to use it.
Possible fixes:
- Slack MCP server side: Return a refresh token in the OAuth token exchange, and/or increase token lifetime
- Claude Code side: If the server doesn't provide a refresh token, consider caching credentials or prompting less aggressively (e.g., only when a tool is actually invoked rather than on session start)
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗