[BUG] HTTP MCP servers (e.g., Atlassian MCP) with pre-configured auth headers fall back to OAuth in GitHub Actions (headless CI)

Resolved 💬 4 comments Opened Apr 13, 2026 by mklaber Closed May 24, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Remote HTTP-type MCP servers configured with auth headers (Bearer or Basic) via --mcp-config in claude-code-action fail to connect at runtime. Instead of using the provided credentials to initialize the JSON-RPC session, Claude Code falls back to an interactive OAuth prompt — which is impossible in headless CI. The same credentials and config work correctly in local Claude Code sessions.

We're seeing this with the Atlassian remote MCP (mcp.atlassian.com), but the issue likely affects any HTTP MCP server that requires session initialization when the CLI doesn't properly forward the auth headers.

[!IMPORTANT] Why we believe this is a Claude Code CLI issue (not claude-code-action): We tested across 5 different claude-code-action versions (v1.0.75 through v1.0.93, plus the PR #1192 fix branch) — all fail identically. The action correctly passes the MCP config to the CLI (visible in logs as CLAUDE_ARGS), and allowedTools is populated correctly. The config reaches the CLI, but the CLI doesn't use the provided auth headers to initialize the HTTP MCP session. Meanwhile, the same credentials work locally in Claude Code, confirming the tokens and MCP server are fine.

Symptoms:

  1. MCP config appears correctly in logs (CLAUDE_ARGS includes the full config with redacted token)
  2. allowedTools includes the MCP tools (parsed from config)
  3. At runtime, Claude reports the MCP "requires interactive OAuth" and proceeds without it
  4. The MCP server is reachable — curl returns a valid JSON-RPC error: {"jsonrpc":"2.0","error":{"code":-32600,"message":"Request must be an initialize request if no session ID is provided."}}
  5. The same credentials (both Bearer and Basic) work in local Claude Code sessions with the identical MCP config

What Should Happen?

Claude Code in GitHub Actions should use the provided auth headers in the MCP config to initialize the HTTP MCP session and make tool calls, the same way it does in local interactive sessions.

Error Messages/Logs

> Atlassian MCP status: OAuth flow requires browser interaction
> — not available in headless Actions environment. Code-only review.


Curl directly to the MCP server with the same token:


{"jsonrpc":"2.0","error":{"code":-32600,"message":"Request must be an initialize request if no session ID is provided."}}

Steps to Reproduce

  1. Configure a GitHub Actions workflow using anthropics/claude-code-action@v1 with an HTTP-type MCP server:
claude_args: >-
  --mcp-config '{"mcpServers":{"atlassian":{"type":"http","url":"https://mcp.atlassian.com/v1/mcp","headers":{"Authorization":"Bearer ${{ secrets.ATLASSIAN_MCP_API_TOKEN }}"}}}}'
  --allowedTools "mcp__atlassian__getJiraIssue,mcp__atlassian__searchJiraIssuesUsingJql"
  1. Trigger the workflow (e.g., via @claude comment on a PR)
  2. Observe that allowedTools includes the MCP tools in the logs
  3. Observe that Claude reports the MCP requires interactive OAuth and falls back to working without it
  4. Run the same config locally in Claude Code — it connects and works

What we tested to rule out other causes:

| What | Result |
|------|--------|
| claude-code-action@v1.0.75 (last working, Mar 19) | Fails today |
| claude-code-action@v1.0.85 | Fails |
| claude-code-action@v1.0.92 (current @v1) | Fails |
| claude-code-action@v1.0.93 (latest) | Fails |
| PR https://github.com/anthropics/claude-code-action/pull/1192 fix branch (MCP config merging) | Fails |
| Basic auth instead of Bearer | Fails (same OAuth fallback) |
| Adding Accept: application/json, text/event-stream header | Fails |

Claude Model

Sonnet (default)

Is this a regression?

Yes, this worked in a previous version

Last Working Version

claude-code-action@v1.0.75 (SHA df37d2f0) — last confirmed working on Mar 19, 2026. Note: pinning to this version today still fails, so the regression is in the bundled CLI, not the action wrapper.

Claude Code Version

Runs inside claude-code-action@v1 (bundled CLI version varies by action tag). We do not control the CLI version directly.

Platform

Google Vertex AI

Operating System

Ubuntu/Debian Linux

Terminal/Shell

Non-interactive/CI environment

Additional Information

Timeline for Last Working Version:

  • Mar 19: Last confirmed working run. MCP connected and tools called successfully.
  • Apr 2: First observed failure. MCP silently skipped without error.
  • Apr 10: Explicitly reports "not authenticated — code-only review."
  • Apr 13: Tested v1.0.75, v1.0.85, v1.0.93, PR https://github.com/anthropics/claude-code-action/pull/1192, Basic auth, Accept headers — all fail identically.

---

Our setup uses a custom GitHub App for the action's github_token (generated via actions/create-github-app-token), not a PAT. This is relevant because it means the action runs under a GitHub App identity, not a user identity. However, the MCP auth is entirely separate (Bearer/Basic token in headers), so this shouldn't affect the MCP connection.

Vertex AI auth: We use CLAUDE_CODE_USE_VERTEX=1 with GCP Workload Identity Federation for the Claude API. The MCP server auth is independent of this — it uses its own Bearer/Basic token in the headers config.

Possibly related issues:

Workflow environment:

| Key | Value |
|-----|-------|
| Action | anthropics/claude-code-action@v1 |
| GitHub App | Custom app via actions/create-github-app-token@v2 |
| MCP server | https://mcp.atlassian.com/v1/mcp (type: http) |
| Auth | Bearer and Basic auth tested via headers in MCP config |
| Runner | ubuntu-latest |
| Claude API auth | Vertex AI WIF (CLAUDE_CODE_USE_VERTEX=1) |

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗