MCP OAuth callback fails with 'Invalid state parameter' for remote MCP servers
Resolved 💬 3 comments Opened Apr 3, 2026 by Polly25-creator Closed Apr 3, 2026
Description
When authenticating with a remote MCP server that uses OAuth (specifically https://api.scite.ai/mcp), the OAuth flow consistently fails with "Invalid state parameter" after the user completes authorization in the browser.
Steps to reproduce
- Have scite MCP configured as a remote server (
https://api.scite.ai/mcp) - Call
mcp__scite__authenticate— generates an auth URL withredirect_uri=http://localhost:<port>/callback - Open the URL in browser
- Log in to scite.ai and click "Authorize"
- Page briefly shows success, then immediately shows "Invalid state parameter. Please try again."
Observed behavior
- The redirect to
localhost:<port>/callbackappears to land, but the state parameter validation fails - This happens consistently across multiple attempts with freshly generated auth URLs
- Cleared
mcp-needs-auth-cache.jsonbetween attempts — no change - The brief flash of success before the error suggests a possible double-redirect or race condition
Expected behavior
OAuth callback should complete successfully and the MCP server tools should become available.
Environment
- macOS (Darwin 25.3.0)
- Claude Code CLI (latest)
- Remote MCP server:
https://api.scite.ai/mcp
🤖 Generated with Claude Code
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗