MCP OAuth callback fails with 'Invalid state parameter' for remote MCP servers

Resolved 💬 3 comments Opened Apr 3, 2026 by Polly25-creator Closed Apr 3, 2026

Description

When authenticating with a remote MCP server that uses OAuth (specifically https://api.scite.ai/mcp), the OAuth flow consistently fails with "Invalid state parameter" after the user completes authorization in the browser.

Steps to reproduce

  1. Have scite MCP configured as a remote server (https://api.scite.ai/mcp)
  2. Call mcp__scite__authenticate — generates an auth URL with redirect_uri=http://localhost:<port>/callback
  3. Open the URL in browser
  4. Log in to scite.ai and click "Authorize"
  5. Page briefly shows success, then immediately shows "Invalid state parameter. Please try again."

Observed behavior

  • The redirect to localhost:<port>/callback appears to land, but the state parameter validation fails
  • This happens consistently across multiple attempts with freshly generated auth URLs
  • Cleared mcp-needs-auth-cache.json between attempts — no change
  • The brief flash of success before the error suggests a possible double-redirect or race condition

Expected behavior

OAuth callback should complete successfully and the MCP server tools should become available.

Environment

  • macOS (Darwin 25.3.0)
  • Claude Code CLI (latest)
  • Remote MCP server: https://api.scite.ai/mcp

🤖 Generated with Claude Code

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗