[BUG] HTTP OAuth MCP servers silently fail in Claude Code inside Claude Desktop — no error, no guidance
Environment
- Claude Code version: 2.1.87
- Running inside: Claude Desktop (com.anthropic.claudefordesktop)
- Operating System: macOS 15 (Darwin 25.2.0)
Bug Description
When adding an HTTP MCP server that requires OAuth but doesn't support Dynamic Client Registration (DCR), Claude Code silently fails with no user-facing error. The server appears in config but never loads tools. This is especially confusing inside Claude Desktop where there are no debug logs visible.
The user experience is a multi-hour loop:
- Run
claude mcp add --transport http hubspot https://mcp.hubspot.com/anthropic - Config is written to
~/.claude.json✓ - Restart session — no hubspot tools appear, no error shown
- User assumes config is wrong, tries again, creates duplicate entries at different scopes
- Repeat
Steps to Reproduce
- Open Claude Code inside Claude Desktop, cwd
~/git - In a separate terminal:
claude mcp add hubspot --transport http https://mcp.hubspot.com/anthropic - Restart Claude Code session
- No
mcp__hubspot__*tools load. No error message. Themcp__hubspot__authenticatetool may appear but calling it returns: "SDK auth failed: Incompatible auth server: does not support dynamic client registration"
Root Causes Found (after hours of debugging)
1. Silent OAuth failure: The server returns 401 with OAuth metadata, Claude Code attempts DCR, it fails (no registration_endpoint), and the failure is swallowed. No message is shown to the user.
2. Scope shadowing: claude mcp add defaults to local scope, writing to ~/.claude.json under projects["/Users/username"]. If the user later manually adds a working config at user scope (top-level mcpServers), the broken local-scoped entry takes precedence due to the scope hierarchy (local > project > user). This is invisible and undocumented behavior.
3. Project-level .mcp.json override: If any session writes a .mcp.json to the working directory with the broken HTTP entry, it overrides the working user-level config in subsequent sessions.
Expected Behavior
- Show an error when OAuth/DCR fails: "This server requires OAuth but doesn't support Dynamic Client Registration. Use a local MCP server with an API key instead, or configure OAuth client credentials manually."
- Warn about scope shadowing when a server name exists at multiple scopes
- Don't silently swallow connection failures — surface them in
/mcpstatus or session startup
Workaround
Use the local npm package (@hubspot/mcp-server) with a Private App access token instead of the remote HTTP OAuth endpoint. Configure at user scope in ~/.claude.json:
"hubspot": {
"command": "/opt/homebrew/bin/npx",
"args": ["-y", "@hubspot/mcp-server"],
"env": {
"PRIVATE_APP_ACCESS_TOKEN": "pat-xxx"
}
}
Related Issues
- #3273 — Claude Code doesn't work with MCP servers without DCR (CLI-focused, different angle)
- #26675 — Support pre-configured OAuth client credentials without DCR
- #36832 — macOS TCC permission popup looping (separate but co-occurs)
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗