Streamable HTTP MCP: auth requirement should be based on 401 response, not well-known endpoint discovery

Resolved 💬 3 comments Opened Apr 12, 2026 by ishii-masaki-646 Closed Apr 12, 2026

When connecting to a Streamable HTTP MCP server, Claude Code determines that authentication is required based solely on the presence of /.well-known/oauth-authorization-server (or /.well-known/oauth-protected-resource), and displays "needs authentication".

Per the MCP spec, the OAuth flow should only be triggered when the server responds with 401 Unauthorized to an MCP request — not when OAuth metadata endpoints merely exist. A server may expose these endpoints for clients that need them while still accepting unauthenticated requests (e.g., when a pre-authorized token is available server-side).

Observed behavior

  • Server responds 200 to MCP initialize request (no Bearer token required)
  • /.well-known/oauth-authorization-server returns metadata
  • Claude Code displays "needs authentication"

Expected behavior

  • Claude Code sends the MCP request first
  • Only if the server responds with 401 should the OAuth flow be initiated

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗