[BUG] HTTP MCP servers (e.g., Atlassian MCP) with pre-configured auth headers fall back to OAuth in GitHub Actions (headless CI)
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Remote HTTP-type MCP servers configured with auth headers (Bearer or Basic) via --mcp-config in claude-code-action fail to connect at runtime. Instead of using the provided credentials to initialize the JSON-RPC session, Claude Code falls back to an interactive OAuth prompt — which is impossible in headless CI. The same credentials and config work correctly in local Claude Code sessions.
We're seeing this with the Atlassian remote MCP (mcp.atlassian.com), but the issue likely affects any HTTP MCP server that requires session initialization when the CLI doesn't properly forward the auth headers.
[!IMPORTANT] Why we believe this is a Claude Code CLI issue (not claude-code-action): We tested across 5 differentclaude-code-actionversions (v1.0.75 through v1.0.93, plus the PR #1192 fix branch) — all fail identically. The action correctly passes the MCP config to the CLI (visible in logs asCLAUDE_ARGS), andallowedToolsis populated correctly. The config reaches the CLI, but the CLI doesn't use the provided auth headers to initialize the HTTP MCP session. Meanwhile, the same credentials work locally in Claude Code, confirming the tokens and MCP server are fine.
Symptoms:
- MCP config appears correctly in logs (
CLAUDE_ARGSincludes the full config with redacted token) allowedToolsincludes the MCP tools (parsed from config)- At runtime, Claude reports the MCP "requires interactive OAuth" and proceeds without it
- The MCP server is reachable —
curlreturns a valid JSON-RPC error:{"jsonrpc":"2.0","error":{"code":-32600,"message":"Request must be an initialize request if no session ID is provided."}} - The same credentials (both Bearer and Basic) work in local Claude Code sessions with the identical MCP config
What Should Happen?
Claude Code in GitHub Actions should use the provided auth headers in the MCP config to initialize the HTTP MCP session and make tool calls, the same way it does in local interactive sessions.
Error Messages/Logs
> Atlassian MCP status: OAuth flow requires browser interaction
> — not available in headless Actions environment. Code-only review.
Curl directly to the MCP server with the same token:
{"jsonrpc":"2.0","error":{"code":-32600,"message":"Request must be an initialize request if no session ID is provided."}}
Steps to Reproduce
- Configure a GitHub Actions workflow using
anthropics/claude-code-action@v1with an HTTP-type MCP server:
claude_args: >-
--mcp-config '{"mcpServers":{"atlassian":{"type":"http","url":"https://mcp.atlassian.com/v1/mcp","headers":{"Authorization":"Bearer ${{ secrets.ATLASSIAN_MCP_API_TOKEN }}"}}}}'
--allowedTools "mcp__atlassian__getJiraIssue,mcp__atlassian__searchJiraIssuesUsingJql"
- Trigger the workflow (e.g., via
@claudecomment on a PR) - Observe that
allowedToolsincludes the MCP tools in the logs - Observe that Claude reports the MCP requires interactive OAuth and falls back to working without it
- Run the same config locally in Claude Code — it connects and works
What we tested to rule out other causes:
| What | Result |
|------|--------|
| claude-code-action@v1.0.75 (last working, Mar 19) | Fails today |
| claude-code-action@v1.0.85 | Fails |
| claude-code-action@v1.0.92 (current @v1) | Fails |
| claude-code-action@v1.0.93 (latest) | Fails |
| PR https://github.com/anthropics/claude-code-action/pull/1192 fix branch (MCP config merging) | Fails |
| Basic auth instead of Bearer | Fails (same OAuth fallback) |
| Adding Accept: application/json, text/event-stream header | Fails |
Claude Model
Sonnet (default)
Is this a regression?
Yes, this worked in a previous version
Last Working Version
claude-code-action@v1.0.75 (SHA df37d2f0) — last confirmed working on Mar 19, 2026. Note: pinning to this version today still fails, so the regression is in the bundled CLI, not the action wrapper.
Claude Code Version
Runs inside claude-code-action@v1 (bundled CLI version varies by action tag). We do not control the CLI version directly.
Platform
Google Vertex AI
Operating System
Ubuntu/Debian Linux
Terminal/Shell
Non-interactive/CI environment
Additional Information
Timeline for Last Working Version:
- Mar 19: Last confirmed working run. MCP connected and tools called successfully.
- Apr 2: First observed failure. MCP silently skipped without error.
- Apr 10: Explicitly reports "not authenticated — code-only review."
- Apr 13: Tested v1.0.75, v1.0.85, v1.0.93, PR https://github.com/anthropics/claude-code-action/pull/1192, Basic auth, Accept headers — all fail identically.
---
Our setup uses a custom GitHub App for the action's github_token (generated via actions/create-github-app-token), not a PAT. This is relevant because it means the action runs under a GitHub App identity, not a user identity. However, the MCP auth is entirely separate (Bearer/Basic token in headers), so this shouldn't affect the MCP connection.
Vertex AI auth: We use CLAUDE_CODE_USE_VERTEX=1 with GCP Workload Identity Federation for the Claude API. The MCP server auth is independent of this — it uses its own Bearer/Basic token in the headers config.
Possibly related issues:
- #42470 — MCP HTTP client fails to connect to Paper MCP server, falls back to auth prompt
- https://github.com/anthropics/claude-code-action/issues/1191 (claude-code-action) — External MCP servers listed in allowedTools but never connected at runtime
Workflow environment:
| Key | Value |
|-----|-------|
| Action | anthropics/claude-code-action@v1 |
| GitHub App | Custom app via actions/create-github-app-token@v2 |
| MCP server | https://mcp.atlassian.com/v1/mcp (type: http) |
| Auth | Bearer and Basic auth tested via headers in MCP config |
| Runner | ubuntu-latest |
| Claude API auth | Vertex AI WIF (CLAUDE_CODE_USE_VERTEX=1) |
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗