[BUG] Claude in Chrome: "Invalid token or user mismatch" bridge auth failure — CLI OAuth token rejected despite matching accounts (v2.1.92)

Resolved 💬 3 comments Opened Apr 6, 2026 by mw10104587 Closed Apr 10, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

claude --chrome fails to connect to the Chrome extension. The WebSocket bridge at bridge.claudeusercontent.com immediately rejects the connection with "Invalid token or user mismatch" (close code 1008).

Confirmed same account on both sides:

  • CLI: claude auth status<redacted-email>, orgId <redacted-org-id>
  • Chrome: claude.ai Settings → Account → same orgId <redacted-..., same email
  • ANTHROPIC_API_KEY is unset — pure OAuth session

Token is valid and not expired — created today, expires in ~7 hours, scopes include user:sessions:claude_code.

Environment

  • Claude Code CLI: v2.1.92 (latest)
  • Chrome extension: v1.0.66
  • OS: macOS Darwin 25.1.0 (Apple Silicon)
  • Chrome: latest stable
  • Node: v24.12.0
  • Auth method: OAuth (claude login), no API key

Detailed Debugging Evidence

1. MCP subprocess debug logs

Running claude --claude-in-chrome-mcp --debug-to-stderr and sending a tool call produces:

[INFO] Bridge URL: wss://bridge.claudeusercontent.com
[INFO] Executing tool: tabs_context_mcp
[INFO] ensureConnected called, connected=false, authenticated=false, wsState=undefined
[DEBUG] Fetching user ID for bridge connection
[DEBUG] Fetching OAuth token for bridge connection
[INFO] Connecting to bridge: wss://bridge.claudeusercontent.com/chrome/<redacted-account-uuid>
[INFO] WebSocket connected, sending connect message
[DEBUG] Bridge received: {"type":"error","error":"Invalid token or user mismatch"}
[WARN] Bridge error: Invalid token or user mismatch
[INFO] Bridge connection closed (code: 1008, duration: 0ms)

Retries fail identically (tested 3+ attempts with exponential backoff).

2. Manual WebSocket reproduction

Reproduced the exact failure with a standalone Node.js script — confirming it's not a CLI code path issue:

const ws = new WebSocket('wss://bridge.claudeusercontent.com/chrome/<userId>');
ws.onopen = () => ws.send(JSON.stringify({
  type: 'connect', client_type: 'cli',
  oauth_token: '<token from keychain>'
}));
ws.onmessage = (e) => console.log(e.data);
// → {"type":"error","error":"Invalid token or user mismatch"}
// → close code 1008
3. Multiple tokens tested — ALL fail

Tested the CLI's OAuth token AND 3 different extension OAuth tokens (extracted from Chrome's LevelDB) against the CLI's userId AND 4 other UUIDs from extension storage. Every combination fails. This rules out:

  • Token-specific issues (multiple valid tokens fail)
  • UUID mismatch (tried all available UUIDs)
4. What works
  • Native host (claude --chrome-native-host) spawns correctly
  • Unix socket at /tmp/claude-mcp-browser-bridge-<user>/<pid>.sock accepts connections and returns tool results
  • Extension executes tools through the native host socket (verified with direct Python/Node.js testing)
  • CLI's OAuth token is valid (not expired, has correct scopes including user:sessions:claude_code)
5. What doesn't fix it
  • unset ANTHROPIC_API_KEY && claude --chrome — same error
  • claude login (fresh OAuth token via keychain) — same error
  • Fresh CLI session — same error

What Should Happen?

The bridge should accept the CLI's valid OAuth token and pair the connection with the Chrome extension, enabling browser automation tools.

Relation to Previous Issues

This appears to be the same server-side bridge auth issue reported in:

  • #27055 (stale server-side state)
  • #38068 (Chrome bridge auth failure)
  • #37651 (cannot connect to Claude in Chrome)
  • #25736, #25878, #24593

All were closed without a server-side fix. The disconnect/reconnect workaround from #27055 was for Claude Desktop, not CLI, and addresses client-side state only — it cannot fix server-side token validation failures.

Suggested Investigation

The bridge at bridge.claudeusercontent.com validates the oauth_token in the connect message against the userId in the URL path. Either:

  1. The bridge's token validation endpoint differs from the API's, rejecting valid CLI OAuth tokens
  2. There's stale server-side state associated with this account that no client-side action can clear
  3. The bridge requires a scope or token type that CLI OAuth tokens don't satisfy

Claude Model

Opus (claude --chrome uses same auth)

Is this a regression?

First time attempting to use Claude in Chrome, so unknown.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗