Auto-refresh MCP OAuth tokens on expiry
Problem
When MCP server OAuth tokens expire, all tool calls to that server fail until the user manually runs /login to re-authenticate. This is disruptive — especially when working with multiple MCP servers (Linear, Notion, Google Workspace, etc.) that may expire at different times.
There's no warning before expiry, no automatic refresh, and no way to hook into the failure to trigger re-auth.
Current Behavior
- OAuth token expires silently
- Next MCP tool call fails with auth error
- User must manually run
/login - Work resumes
Desired Behavior
Option A (ideal): MCP servers with refresh tokens should automatically refresh the access token when it expires or is about to expire — similar to how apiKeyHelper re-calls on 401 or TTL expiry for the Claude API key.
Option B (minimum viable): Detect token expiry proactively (e.g., check token TTL before making a tool call) and prompt the user to re-authenticate before the call fails, rather than after.
Option C (stopgap): Expose a hook event (e.g., McpAuthFailure) that users could wire up to trigger /login or display a notification, so at least the failure can be handled programmatically.
Context
The apiKeyHelper + CLAUDE_CODE_API_KEY_HELPER_TTL_MS pattern already solves this for Claude API authentication. The challenge for MCP is that OAuth typically requires a browser redirect flow, but many OAuth servers issue refresh tokens that can be exchanged for new access tokens without user interaction — this path could be handled silently.
Environment
- Claude Code CLI
- Affected MCP servers: any using OAuth (Linear, Notion, Google Workspace, Supabase, etc.)
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗