HTTP MCP servers with static Bearer token shown as needing authentication

Resolved 💬 3 comments Opened Mar 25, 2026 by tyler-yukich Closed Mar 29, 2026

Description

The /mcp dialog shows HTTP MCP servers as "needing authentication" even when they have a working static Bearer token configured via headers in ~/.claude.json.

Configuration

{
  "mcpServers": {
    "n8n": {
      "type": "http",
      "url": "http://192.168.1.87:5678/mcp-server/http",
      "headers": {
        "Authorization": "Bearer eyJ..."
      }
    }
  }
}

The server connects successfully, tools load, and all MCP requests are authenticated. Verified via curl — the Bearer token is valid and the server responds with a proper MCP initialize response (200 OK).

Problem

The /mcp dialog's auth status indicator only tracks OAuth state. When the server advertises OAuth metadata at /.well-known/oauth-authorization-server, Claude Code:

  1. Discovers the OAuth endpoints
  2. Checks whether an OAuth handshake has been completed (it hasn't — static token is used instead)
  3. Shows the server as "needs authentication"

Clicking through the OAuth prompt shows n8n's consent screen with "Invalid or expired authorization session" — the OAuth flow was never intended to be used since auth is handled by the static Bearer token.

Expected behavior

If a server has headers with an Authorization value configured and the server responds successfully to MCP requests, the /mcp dialog should show it as authenticated (or at minimum, not prompt for OAuth authentication).

Suggested fix

Any of:

  • Recognize headers-based auth as "authenticated" in the UI
  • Add a config flag like "skipOAuthDiscovery": true to suppress OAuth probing for servers that use static tokens
  • Don't show "needs authentication" when the server's MCP connection is actually working

Related

Previously reported as #17152 (closed as stale).

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗