[BUG] Re-authenticate menu crashes with JSON parse error on bearer-only MCP servers in v2.1.120 (not covered by #52158 fix)

Resolved 💬 2 comments Opened Apr 25, 2026 by akegaviar Closed May 28, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

The /mcp → server → Re-authenticate menu item still throws a JSON parse crash on streamable-HTTP MCP servers that don't implement OAuth. This is not the same code path as #52158, which the v2.1.119 changelog covered:

"Fixed MCP HTTP connections failing with 'Invalid OAuth error response' when servers returned non-JSON bodies for OAuth discovery requests"

That fix addressed the connection-handshake OAuth probe. The Re-authenticate menu hits a separate OAuth-discovery code path that still crashes when the server returns a non-JSON 4xx on /.well-known/oauth-protected-resource or /.well-known/oauth-authorization-server.

Anthropic's bot is currently auto-closing related reports (e.g. #47424, #34008) as duplicates of #52158 with the comment "fixed in 2.1.119" — but this Re-authenticate-menu repro on v2.1.120 demonstrates the bug is still live.

A separate UX issue compounds the confusion: the /mcp panel shows Auth: ✓ authenticated for any HTTP MCP server whose initial handshake didn't 401, regardless of whether a Bearer header is configured or valid. So users hit "Re-authenticate" expecting a recovery path, and instead see this stack trace.

What Should Happen?

When the OAuth discovery probe (whether connection-time or Re-authenticate-time) gets a non-JSON 4xx body on the well-known endpoints:

  1. The MCP SDK should not crash on JSON.parse(). It should treat the response as "this server doesn't expose OAuth metadata."
  2. The Re-authenticate menu should surface that as a graceful "this server doesn't support OAuth re-authentication — please configure auth via your MCP config" message, not a SyntaxError stack trace.

Error Messages/Logs

SDK auth failed: HTTP 404: Invalid OAuth error response: SyntaxError: JSON Parse error: Unexpected identifier "Not". Raw body: Not Found

Steps to Reproduce

Public, anyone-can-repro server: https://mcp.chainstack.com/mcp (Chainstack's MCP server — uses static-Bearer auth, no OAuth provider).

# Fresh shell, fresh ~/.claude.json
claude mcp add --transport http --scope user chainstack-repro https://mcp.chainstack.com/mcp
claude

In the Claude Code TUI:

  1. Run /mcp
  2. Select chainstack-repro
  3. Pick 2. Re-authenticate

Expected: a graceful "this server does not support OAuth re-authentication" or similar.
Actual: SDK auth failed: HTTP 404: Invalid OAuth error response: SyntaxError: JSON Parse error: Unexpected identifier "Not". Raw body: Not Found

The /mcp panel also shows Auth: ✓ authenticated even though no Authorization header was configured — which is a separate UX bug that makes the broken Re-authenticate flow more confusing.

Why this is NOT a duplicate of #52158

  • #52158's v2.1.119 changelog entry says: "Fixed MCP HTTP connections failing…" — i.e. the connection-handshake OAuth probe.
  • The repro above is on v2.1.120, triggered by the Re-authenticate menu after the connection has already succeeded. The crash is in the OAuth-discovery code path that the /mcp menu invokes, not the connection path.
  • The customer-facing impact is identical to #52158, but the code path is different, hence the partial fix.

Claude Model

Opus

Is this a regression?

Partial regression — #52158 was advertised as fixed in v2.1.119, but the fix did not cover the Re-authenticate menu path.

Last Working Version

n/a — Re-authenticate has never worked on bearer-only MCP servers (would have to verify pre-v2.1.117 behavior).

Claude Code Version

2.1.120 (also reproduces on 2.1.119)

Platform

Anthropic API

Operating System

Linux (Ubuntu) — also reproduces on macOS

Terminal/Shell

bash / zsh

Additional Information

Cross-reference: Codex CLI (OpenAI) on the same MCP server gracefully labels auth as Unsupported instead of crashing, and a related fix shipped in modelcontextprotocol/typescript-sdk PR #1108 (merged 2025-11-13). Multiple existing issues describe the same bug class: #42716, #47424, #34008, #46640, #44774.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗