[FEATURE] MCP connector sync should work with CLAUDE_CODE_OAUTH_TOKEN from setup-token
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
MCP servers configured at claude.ai/settings/connectors do not sync when authenticated via CLAUDE_CODE_OAUTH_TOKEN generated by claude setup-token. The same subscription account's MCP connectors appear correctly when authenticated via interactive /login.
claude setup-token is Anthropic's official method for generating long-lived OAuth tokens for headless/container/CI environments (Pro/Max subscriptions). The generated token is a subscription-bound OAuth token — the same type produced by /login — and includes the user:mcp_servers scope. Despite this, Claude Code does not trigger MCP connector discovery when the token is provided via the environment variable.
How setup-token works
- Run
claude setup-tokenon a machine with a browser - Complete browser-based OAuth flow
- Receive a long-lived token (valid ~1 year)
- Export it:
export CLAUDE_CODE_OAUTH_TOKEN=<token> - Use Claude Code in headless environments without browser login
Steps to reproduce
- Run
claude setup-tokenon host machine, export the token - Configure MCP servers at claude.ai/settings/connectors
- Start Claude Code with
CLAUDE_CODE_OAUTH_TOKENset → run/mcp→ no claude.ai connectors ❌ - In a separate session, run
/loginwith the same account → run/mcp→ connectors appear ✅
Expected behavior
If CLAUDE_CODE_OAUTH_TOKEN contains a valid subscription OAuth token with user:mcp_servers scope, Claude Code should fetch and sync MCP servers from claude.ai/settings/connectors — identical to the /login flow.
Why this matters
claude setup-token + CLAUDE_CODE_OAUTH_TOKEN is the documented path for headless environments (Docker containers, SSH sessions, CI/CD, devcontainers) where interactive browser-based /login is not possible. Users in these environments completely lose access to their configured MCP connectors despite having a valid, properly-scoped token from the same subscription account.
This creates a feature gap where setup-token authentication is treated as second-class compared to /login, even though the tokens are functionally equivalent.
Proposed Solution
During startup, when CLAUDE_CODE_OAUTH_TOKEN is present:
- Check if the token has
user:mcp_serversscope - If yes, run the same MCP connector fetch/sync logic that the
/loginauth path triggers - If the fetch fails, surface the error visibly (don't fail silently — see #32955)
Alternative Solutions
- A separate CLI command like
claude mcp syncthat works with the env var token - Document the limitation explicitly so users know MCP connectors require
/login
Related issues
- #8938 —
setup-token/CLAUDE_CODE_OAUTH_TOKENnot enough to fully authenticate (onboarding, still open) - #16238 —
CLAUDE_CODE_OAUTH_TOKENsilently overrides credentials with no warning - #21107 — MCP UI auth button attempts incompatible OAuth flow
Priority
Medium - Blocks MCP connector usage in all headless/remote environments
Feature Category
MCP / Authentication
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗