[BUG] MCP HTTP OAuth: refresh token never used; multi-session sharing broken
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Claude Code's MCP HTTP OAuth layer never uses the stored refresh token. Access tokens for the Atlassian MCP (https://mcp.atlassian.com/v1/mcp) expire roughly every 8 hours, and instead of silently
refreshing using the refresh token already in ~/.claude/.credentials.json, Claude Code forces a full browser-based /mcp re-authentication.
This duplicates #28262 (closed as "not planned"), #44416, #18442, and #19456. Filing fresh because the closed status communicates this is acceptable behavior, and it isn't — for users on remote MCP
servers that gate real work (Jira, Notion, Linear), it's a steady tax on every working day. Atlassian fixed the server side in atlassian/atlassian-mcp-server#12; the gap is in Claude Code.
New evidence — multi-session state is also broken: today I authenticated in session A (terminal 1). Switched to session B (terminal 2, same machine) and was forced to authenticate again, even though
.credentials.json had been freshly updated by session A. Sessions appear to cache OAuth state in memory and don't re-read .credentials.json on the next failed call. So the cost scales with concurrent
sessions: I'm hitting 4–5 re-auths per week.
What Should Happen?
- On token expiry, Claude Code calls the OAuth refresh endpoint using the stored refresh token, without browser interaction.
- All concurrent sessions read the latest tokens from .credentials.json before failing a call.
- Refreshed tokens are persisted back to .credentials.json.
Error Messages/Logs
Steps to Reproduce
- Configure Atlassian MCP via
claude mcp addwith HTTP transport, server URL https://mcp.atlassian.com/v1/mcp. - Authenticate via
/mcpin session A. - Open a second terminal with another Claude Code session (session B).
- In session B, try to call any Atlassian MCP tool (e.g., searchJiraIssuesUsingJql) → "Authentication required".
- Re-auth in session B. Now session A may also need re-auth on its next call.
- Even with only one session: leave Claude Code idle for ~8 hours and the next call requires re-auth, despite a valid refresh token sitting in ~/.claude/.credentials.json.
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.119
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
WSL (Windows Subsystem for Linux)
Additional Information
Inspected ~/.claude/.credentials.json — the mcpOAuth.atlassian|<id> entry contains both accessToken and refreshToken, plus expiresAt set ~8h in the future after each fresh auth. The refresh token is
present but never used.
Bug also reproduced on 2.1.117 and 2.1.118.
Related: #28262, #44416, #18442, #19456, atlassian/atlassian-mcp-server#12.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗