[FEATURE] MCP connector sync should work with CLAUDE_CODE_OAUTH_TOKEN from setup-token

Resolved 💬 4 comments Opened Mar 15, 2026 by keyolk Closed Jun 13, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

MCP servers configured at claude.ai/settings/connectors do not sync when authenticated via CLAUDE_CODE_OAUTH_TOKEN generated by claude setup-token. The same subscription account's MCP connectors appear correctly when authenticated via interactive /login.

claude setup-token is Anthropic's official method for generating long-lived OAuth tokens for headless/container/CI environments (Pro/Max subscriptions). The generated token is a subscription-bound OAuth token — the same type produced by /login — and includes the user:mcp_servers scope. Despite this, Claude Code does not trigger MCP connector discovery when the token is provided via the environment variable.

How setup-token works

  1. Run claude setup-token on a machine with a browser
  2. Complete browser-based OAuth flow
  3. Receive a long-lived token (valid ~1 year)
  4. Export it: export CLAUDE_CODE_OAUTH_TOKEN=<token>
  5. Use Claude Code in headless environments without browser login

Steps to reproduce

  1. Run claude setup-token on host machine, export the token
  2. Configure MCP servers at claude.ai/settings/connectors
  3. Start Claude Code with CLAUDE_CODE_OAUTH_TOKEN set → run /mcpno claude.ai connectors
  4. In a separate session, run /login with the same account → run /mcpconnectors appear

Expected behavior

If CLAUDE_CODE_OAUTH_TOKEN contains a valid subscription OAuth token with user:mcp_servers scope, Claude Code should fetch and sync MCP servers from claude.ai/settings/connectors — identical to the /login flow.

Why this matters

claude setup-token + CLAUDE_CODE_OAUTH_TOKEN is the documented path for headless environments (Docker containers, SSH sessions, CI/CD, devcontainers) where interactive browser-based /login is not possible. Users in these environments completely lose access to their configured MCP connectors despite having a valid, properly-scoped token from the same subscription account.

This creates a feature gap where setup-token authentication is treated as second-class compared to /login, even though the tokens are functionally equivalent.

Proposed Solution

During startup, when CLAUDE_CODE_OAUTH_TOKEN is present:

  1. Check if the token has user:mcp_servers scope
  2. If yes, run the same MCP connector fetch/sync logic that the /login auth path triggers
  3. If the fetch fails, surface the error visibly (don't fail silently — see #32955)

Alternative Solutions

  • A separate CLI command like claude mcp sync that works with the env var token
  • Document the limitation explicitly so users know MCP connectors require /login

Related issues

  • #8938 — setup-token/CLAUDE_CODE_OAUTH_TOKEN not enough to fully authenticate (onboarding, still open)
  • #16238 — CLAUDE_CODE_OAUTH_TOKEN silently overrides credentials with no warning
  • #21107 — MCP UI auth button attempts incompatible OAuth flow

Priority

Medium - Blocks MCP connector usage in all headless/remote environments

Feature Category

MCP / Authentication

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗