[SECURITY] Claude Teams: Custom MCP connectors expose shared credentials to all team members — no per-user scoping
What is the expected behavior?
When an admin adds a custom MCP connector on Claude Teams, they should be able to assign it to specific team members. Only assigned members should see and be able to connect to that connector. Members not assigned should not see the connector URL or be able to authenticate with it.
Steps to reproduce
- On a Claude Teams plan, go to Organization Settings → Connectors
- Add a custom MCP connector with a URL (e.g., a Cloudflare Worker at
https://my-worker.example.com/mcp) - Log in as a different team member
- Go to Customize → Connectors
- Observe: the custom connector is visible with its full URL
- Click Connect — authentication completes via auto-approve OAuth with no identity verification
- The team member now has full access to whatever the connector provides
Expected: Only assigned team members can see and connect to the connector.
Actual: Every team member can see the URL and connect with zero identity verification.
Why this is a security issue
The connector URL IS the credential. Auto-approve OAuth means anyone who clicks Connect gets a valid bearer token. There is no per-user scoping, no identity binding, and no way for the MCP server to distinguish which team member is connecting.
Real-world impact: We built a custom Gmail MCP connector (Cloudflare Worker with Google Service Account delegation) for multi-account email access. We cannot deploy it for personal inboxes because any team member could connect and access another person's email. The same risk applies to CRM, financial, and task management connectors.
What we tried that doesn't work:
- Cloudflare Access (SSO gate): Claude's MCP client cannot complete browser-based SSO flows or send custom auth headers like
CF-Access-Client-Id - URL-embedded secrets: The full URL (including any secrets) is visible in Teams connector settings to all members
- Per-subdomain routing: Tokens from auto-approve OAuth are bearer credentials — possession = access
Requested features (any would help)
- Per-user connector scoping — admins assign specific connectors to specific team members
- User-provided secret during Connect flow — a prompt for a key/passphrase when clicking Connect, validated by the MCP server
- Custom header support — allow the MCP client to send configurable headers (e.g., for external auth layers like Cloudflare Access)
- Per-user connector visibility — team members only see connectors assigned to them
- Identity passthrough — pass the authenticated Teams user's identity (email) to the MCP server so it can enforce per-user access control server-side
MCP Server
Custom Cloudflare Worker implementing MCP protocol (JSON-RPC 2.0, protocol version 2025-03-26) with OAuth 2.1 + PKCE (S256) auto-approve flow. Architecture documented and reviewed through 4 rounds of security review before discovering this Teams-level limitation.
Environment
- Claude Teams plan
- Custom MCP connector via Cloudflare Workers (self-hosted)
- macOS, Claude Desktop + Claude Code
- MCP protocol version 2025-03-26
This issue has 8 comments on GitHub. Read the full discussion on GitHub ↗