MCP: 'Clear Authentication' / 'Reauthenticate' button doesn't clear OAuth state for HTTP MCP servers
Resolved 💬 4 comments Opened Apr 1, 2026 by ameliariely Closed May 9, 2026
Description
When clicking "Clear Authentication" or "Reauthenticate" on an HTTP MCP server with OAuth 2.1 authentication (Streamable HTTP transport), the button flashes but the authentication state is not cleared. The server remains connected with the old token.
Related: #10915 (closed for inactivity after 7 days)
Steps to reproduce
- Add an HTTP MCP server with OAuth authentication (e.g.,
http://localhost:8086/mcp) - Complete the OAuth flow successfully
- Go to MCP settings (
/mcp) - Click "Clear Authentication" on the server
- The button flashes but the server remains authenticated
- Clicking "Reauthenticate" also flashes with no effect
Investigation findings
We verified via server logs that when "Clear Authentication" is clicked:
- No
DELETE /mcprequest is sent (MCP spec session termination) - No POST to
revocation_endpointis sent (RFC 7009) - No
/.well-known/oauth-protected-resourceis fetched - The client just continues sending normal GET/POST to
/mcpwith the old token
The server correctly implements:
/.well-known/oauth-protected-resource(RFC 9728)revocation_endpointin auth server metadata (matching Linear's pattern)- Token revocation handler (RFC 7009)
- Bearer store cleanup on DELETE and tokenless reconnect
Tested with curl: the deauth flow works when the client actually sends DELETE or reconnects without a token.
Expected behavior
Clicking "Clear Authentication" should disconnect the MCP session and require re-authentication.
Workaround
Remove the MCP server entirely and re-add it.
Environment
- Claude Code VS Code extension v2.1.89
- HTTP MCP server with OAuth 2.1 (Streamable HTTP transport)
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗