Claude in Chrome: bridge rejects valid OAuth token with "Invalid token or user mismatch"
## Summary
Chrome extension cannot authenticate with wss://bridge.claudeusercontent.com, so Claude Code CLI always reports "Browser extension is not connected" even though the extension is correctly installed and signed
in.
## Environment
- Account: lawrancesiao@gmail.com (Max plan, organization admin)
- Claude Code: 2.1.101
- Chrome: 147.0.7727.56 (arm64, macOS 25.2.0)
- Claude in Chrome extension: 1.0.66 (Beta)
- Region: Taiwan (also tested with US VPN — same result)
## Expected behavior
mcp__claude-in-chrome__tabs_context_mcp returns tab information from the connected Chrome extension.
## Actual behavior
Tool call always returns:
> Browser extension is not connected. Please ensure the Claude browser extension is installed and running...
## Reproduction
- Install Claude in Chrome extension and complete OAuth login via Options page
- Verify tokens are stored:
chrome.storage.localhas validaccessToken,refreshToken,tokenExpiry,accountUuid,bridgeDeviceId - Call any Claude in Chrome MCP tool from Claude Code CLI → fails
## Diagnosis
From the extension's service worker console, the Pa() bridge connection flow always fails at the connect message:
``jswss://bridge.claudeusercontent.com/chrome/${accountUuid}`);
const ws = new WebSocket(
ws.onopen = () => ws.send(JSON.stringify({
type: 'connect',
client_type: 'chrome-extension',
device_id: bridgeDeviceId,
os_platform: 'macOS',
extension_version: '1.0.66',
oauth_token: accessToken
}));
Response:
MSG: {"type":"error","error":"Invalid token or user mismatch"}
CLOSE: 1008 Auth failed
What we verified
- ✅ The accessToken is valid — GET https://api.anthropic.com/api/oauth/profile with the same token returns HTTP 200 with correct account data, and account.uuid matches the URL path UUID.
- ✅ ping messages to the bridge get pong back (bridge is reachable and WebSocket itself works).
- ❌ connect messages always fail with the same error, regardless of:
- client_type: both chrome-extension and claude-code
- URL path UUID: tried account UUID, organization UUID, and application UUID
- Bridge environment: same on both prod (bridge.claudeusercontent.com) and staging (bridge-staging.claudeusercontent.com)
- Network: same on direct Taiwan connection and US VPN
The OAuth scopes on the issued token are user:profile user:inference user:chat (from the extension's OAuth config). Possibly the bridge requires an additional scope or server-side entitlement this account doesn't
have.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗