Figma plugin MCP server bypasses OAuth detection in Claude Desktop app
Description
The Figma plugin (figma@claude-plugins-official) registers an MCP server that bypasses OAuth authentication detection when used from the Claude Desktop app. The server shows "✓ Connected" in claude mcp list based on HTTP reachability alone, but tools silently fail to register because the OAuth token is never obtained.
Steps to Reproduce
- Install the Figma plugin:
claude plugin install figma@claude-plugins-official - Open the Claude Desktop app (Claude.app on macOS)
- Start a new conversation in a project directory
- Run
claude mcp list— the Figma server shows "✓ Connected" - Check available tools — no Figma MCP tools are registered (
get_design_context,use_figma, etc.) curl -X POST https://mcp.figma.com/mcp -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","method":"tools/list","id":1}'returns "Unauthorized"
Expected Behavior
The Figma MCP server should show "! Needs authentication" (like it does when added manually via claude mcp add), triggering the OAuth flow so the user can authenticate.
Actual Behavior
The plugin's MCP registration reports "✓ Connected" (false positive), so the OAuth flow never triggers. Tools are silently unavailable.
Workaround
Adding the Figma MCP manually alongside the plugin install correctly detects the auth requirement:
claude plugin install figma@claude-plugins-official # for skills
claude mcp add --transport http figma https://mcp.figma.com/mcp # for proper auth detection
Then authenticate via the terminal CLI (claude in terminal triggers browser OAuth), and start a new conversation in the Desktop app.
Root Cause Analysis
Three separate issues compound:
- Plugin MCP health check tests reachability, not authentication:
claude mcp listfor plugin-registered servers only checks if the HTTP endpoint responds, not whether authenticated tool listing succeeds. A direct POST totools/listreturns "Unauthorized", but the health check reports "Connected".
- Claude Desktop app cannot trigger browser OAuth flows: The Desktop app runs
claudeas a subprocess with--output-format stream-json. Unlike the terminal CLI, it doesn't open a browser window for OAuth when an MCP server needs authentication. The CLI handles this correctly.
- Session resume reuses stale MCP state: Desktop app conversations pass
--resume <session-id>, which reuses MCP tool discovery from the original session creation. If tools weren't discovered then, they won't appear on resume.
Environment
- Claude Code: 2.1.87
- Claude Desktop app (macOS)
- Figma plugin: 2.0.7
- macOS Darwin 25.3.0
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗