[BUG] Slack MCP plugin: 1-hour token expiry with no refresh token forces frequent re-authentication

Resolved 💬 3 comments Opened Feb 27, 2026 by takeaship Closed Mar 2, 2026

Bug Description

The Slack MCP plugin (mcp.slack.com) issues OAuth access tokens with a 1-hour (3600s) expiry and no refresh token, forcing users to re-authenticate via browser every time the token expires. For active users, this means multiple re-authentications per day.

Steps to Reproduce

  1. Install the Slack MCP plugin from the Claude Code marketplace
  2. Authenticate via OAuth in browser
  3. Use Slack MCP tools normally
  4. Wait ~1 hour or start a new session after 1 hour
  5. Slack MCP tools will fail and prompt for re-authentication

Expected Behavior

  • Token should either have a longer expiry (12h+), or
  • A refresh token should be issued so Claude Code can silently refresh the access token

Actual Behavior

  • Access token expires in 3600 seconds (1 hour)
  • No refresh token is provided
  • User must re-authenticate via browser each time

Debug Log Evidence

From ~/.claude/debug/ logs:

MCP server "slack": Token expires in: undefined
MCP server "slack": Has refresh token: false
MCP server "slack": Expires in: 3599s

Token exchange response only includes access_token and expires_in, no refresh_token:

MCP server "slack": Saving tokens
MCP server "slack": Token expires in: undefined
MCP server "slack": Has refresh token: false
MCP server "slack": Auth result: AUTHORIZED
MCP server "slack": Token access_token length: 78
MCP server "slack": Token expires_in: 3599.999

In ~/.claude/.credentials.json, the mcpOAuth entry for Slack contains only accessToken and expiresAt — no refreshToken field (unlike claudeAiOauth which does have one).

Frequency

Over a 5-day period (Feb 23–27), re-authentication was required 18 times — averaging 3–4 times per day.

Environment

  • Claude Code CLI (v2.1.50)
  • Platform: Linux (Ubuntu)
  • Slack MCP plugin (official marketplace, https://mcp.slack.com/mcp)
  • Slack MCP server version: 1.0.0

Analysis

This appears to be an issue with the Slack MCP server's OAuth implementation — it does not return a refresh_token in the token exchange response. Slack's own token rotation docs describe a refresh token mechanism, but the MCP server does not seem to use it.

Possible fixes:

  1. Slack MCP server side: Return a refresh token in the OAuth token exchange, and/or increase token lifetime
  2. Claude Code side: If the server doesn't provide a refresh token, consider caching credentials or prompting less aggressively (e.g., only when a tool is actually invoked rather than on session start)

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗