[BUG] Claude in Chrome: "Invalid token or user mismatch" bridge auth failure — CLI OAuth token rejected despite matching accounts (v2.1.92)
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
claude --chrome fails to connect to the Chrome extension. The WebSocket bridge at bridge.claudeusercontent.com immediately rejects the connection with "Invalid token or user mismatch" (close code 1008).
Confirmed same account on both sides:
- CLI:
claude auth status→<redacted-email>, orgId<redacted-org-id> - Chrome: claude.ai Settings → Account → same orgId
<redacted-..., same email ANTHROPIC_API_KEYis unset — pure OAuth session
Token is valid and not expired — created today, expires in ~7 hours, scopes include user:sessions:claude_code.
Environment
- Claude Code CLI: v2.1.92 (latest)
- Chrome extension: v1.0.66
- OS: macOS Darwin 25.1.0 (Apple Silicon)
- Chrome: latest stable
- Node: v24.12.0
- Auth method: OAuth (
claude login), no API key
Detailed Debugging Evidence
1. MCP subprocess debug logs
Running claude --claude-in-chrome-mcp --debug-to-stderr and sending a tool call produces:
[INFO] Bridge URL: wss://bridge.claudeusercontent.com
[INFO] Executing tool: tabs_context_mcp
[INFO] ensureConnected called, connected=false, authenticated=false, wsState=undefined
[DEBUG] Fetching user ID for bridge connection
[DEBUG] Fetching OAuth token for bridge connection
[INFO] Connecting to bridge: wss://bridge.claudeusercontent.com/chrome/<redacted-account-uuid>
[INFO] WebSocket connected, sending connect message
[DEBUG] Bridge received: {"type":"error","error":"Invalid token or user mismatch"}
[WARN] Bridge error: Invalid token or user mismatch
[INFO] Bridge connection closed (code: 1008, duration: 0ms)
Retries fail identically (tested 3+ attempts with exponential backoff).
2. Manual WebSocket reproduction
Reproduced the exact failure with a standalone Node.js script — confirming it's not a CLI code path issue:
const ws = new WebSocket('wss://bridge.claudeusercontent.com/chrome/<userId>');
ws.onopen = () => ws.send(JSON.stringify({
type: 'connect', client_type: 'cli',
oauth_token: '<token from keychain>'
}));
ws.onmessage = (e) => console.log(e.data);
// → {"type":"error","error":"Invalid token or user mismatch"}
// → close code 1008
3. Multiple tokens tested — ALL fail
Tested the CLI's OAuth token AND 3 different extension OAuth tokens (extracted from Chrome's LevelDB) against the CLI's userId AND 4 other UUIDs from extension storage. Every combination fails. This rules out:
- Token-specific issues (multiple valid tokens fail)
- UUID mismatch (tried all available UUIDs)
4. What works
- Native host (
claude --chrome-native-host) spawns correctly - Unix socket at
/tmp/claude-mcp-browser-bridge-<user>/<pid>.sockaccepts connections and returns tool results - Extension executes tools through the native host socket (verified with direct Python/Node.js testing)
- CLI's OAuth token is valid (not expired, has correct scopes including
user:sessions:claude_code)
5. What doesn't fix it
unset ANTHROPIC_API_KEY && claude --chrome— same errorclaude login(fresh OAuth token via keychain) — same error- Fresh CLI session — same error
What Should Happen?
The bridge should accept the CLI's valid OAuth token and pair the connection with the Chrome extension, enabling browser automation tools.
Relation to Previous Issues
This appears to be the same server-side bridge auth issue reported in:
- #27055 (stale server-side state)
- #38068 (Chrome bridge auth failure)
- #37651 (cannot connect to Claude in Chrome)
- #25736, #25878, #24593
All were closed without a server-side fix. The disconnect/reconnect workaround from #27055 was for Claude Desktop, not CLI, and addresses client-side state only — it cannot fix server-side token validation failures.
Suggested Investigation
The bridge at bridge.claudeusercontent.com validates the oauth_token in the connect message against the userId in the URL path. Either:
- The bridge's token validation endpoint differs from the API's, rejecting valid CLI OAuth tokens
- There's stale server-side state associated with this account that no client-side action can clear
- The bridge requires a scope or token type that CLI OAuth tokens don't satisfy
Claude Model
Opus (claude --chrome uses same auth)
Is this a regression?
First time attempting to use Claude in Chrome, so unknown.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗