[FEATURE] Per-project OAuth tokens for project-scoped MCP servers (multi-workspace support)

Resolved 💬 7 comments Opened Mar 27, 2026 by ElliotDrel Closed Jun 19, 2026

Problem

When installing the Slack MCP plugin with --scope project in two different projects (each needing a different Slack workspace), the OAuth token is stored globally in ~/.claude/.credentials.json under a single key. This means authenticating into one Slack workspace overwrites the token for the other — you can only be connected to one workspace at a time.

Steps to reproduce

  1. cd project-a && claude plugin install slack --scope project → authenticate into Workspace A
  2. cd project-b && claude plugin install slack --scope project → authenticate into Workspace B
  3. Return to project-a → Slack MCP is now authenticated against Workspace B, not A

Expected behavior

Project-scoped MCP servers (installed via claude plugin install --scope project or claude mcp add --scope project) should store OAuth credentials per-project, not globally. Each project should maintain its own OAuth token so that different workspaces/accounts can be used in different projects.

Current behavior

  • OAuth credentials are stored in ~/.claude/.credentials.json under a single key per server URL (e.g., plugin:slack:slack|<hash>)
  • Only one token exists regardless of how many projects use the same MCP server
  • Authenticating in one project overwrites the credential used by all other projects

Use case

Working on multiple projects that each connect to a different Slack workspace (e.g., one for a client workspace, one for an internal workspace). The MCP server config is correctly project-scoped, but the auth is not.

Proposed solution

  • For project-scoped MCP servers, store OAuth tokens keyed by project path + server, not just server name/URL
  • User-scoped MCP servers can continue to use global tokens (see #37776 for the inverse request)
  • This would enable multi-workspace support for services like Slack where different projects need different accounts

Related issues

  • #37776 — Inverse request: share OAuth tokens globally for user-scoped servers

View original on GitHub ↗

This issue has 7 comments on GitHub. Read the full discussion on GitHub ↗