Streamable HTTP MCP: auth requirement should be based on 401 response, not well-known endpoint discovery
Resolved 💬 3 comments Opened Apr 12, 2026 by ishii-masaki-646 Closed Apr 12, 2026
When connecting to a Streamable HTTP MCP server, Claude Code determines that authentication is required based solely on the presence of /.well-known/oauth-authorization-server (or /.well-known/oauth-protected-resource), and displays "needs authentication".
Per the MCP spec, the OAuth flow should only be triggered when the server responds with 401 Unauthorized to an MCP request — not when OAuth metadata endpoints merely exist. A server may expose these endpoints for clients that need them while still accepting unauthenticated requests (e.g., when a pre-authorized token is available server-side).
Observed behavior
- Server responds 200 to MCP
initializerequest (no Bearer token required) /.well-known/oauth-authorization-serverreturns metadata- Claude Code displays "needs authentication"
Expected behavior
- Claude Code sends the MCP request first
- Only if the server responds with 401 should the OAuth flow be initiated
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗