[Bug] Gmail connector OAuth scopes insufficient for advertised label mutation tools

Resolved 💬 3 comments Opened May 1, 2026 by juankost Closed May 5, 2026

Bug Description
Bug: claude.ai Gmail connector requests insufficient OAuth scopes for advertised tools.

▎ Repro:
▎ 1. Connect Gmail in claude.ai (Settings → Connectors).
▎ 2. Under the connector's Tool permissions, set the Write/delete tools group (Adds
▎ labels to thread/message, Removes labels from thread/message, etc.) to "Always allow".
▎ 3. From Claude Code or claude.ai, call mcp__claude_ai_Gmail__create_label (or
▎ label_thread, label_message, unlabel_thread, unlabel_message).

▎ Expected: label is created / applied.

▎ Actual: all label-mutation tools fail with Request had insufficient authentication
▎ scopes.

▎ Root cause: The Google OAuth grant requested by the connector includes only
▎ gmail.readonly + gmail.compose/gmail.send. It does not include gmail.modify or
▎ gmail.labels, even though the connector exposes label-mutation tools that require them.
▎ Verified via https://myaccount.google.com/permissions — the listed scopes for "Claude"
▎ are only read + manage drafts/send.

▎ Fix: either (a) add gmail.modify (or gmail.labels) to the connector's requested scopes,
▎ or (b) hide the label-mutation tools when those scopes weren't granted, so users
▎ aren't told the tool is allowed when it can never succeed.

▎ Impact: breaks any agent workflow built on the hosted Gmail MCP that needs to
▎ label/archive mail (the canonical email-triage use case advertised in the connector
▎ description).

Environment Info

  • Platform: darwin
  • Terminal: ghostty
  • Version: 2.1.126
  • Feedback ID: b4c79d47-ff91-401d-8714-b070ac7374fc

Errors

[{"error":"Error: NON-FATAL: Lock acquisition failed for /Users/juankostelec/.local/share/claude/versions/2.1.126 (expected in multi-process scenarios)\n    at r86 (/$bunfs/root/src/entrypoints/cli.js:2768:2177)\n    at HD8 (/$bunfs/root/src/entrypoints/cli.js:2768:1257)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-05-01T09:38:21.257Z"},{"error":"Error: Streamable HTTP error: Error POSTing to endpoint: event: message\r\ndata: {\"id\":4,\"jsonrpc\":\"2.0\",\"result\":{\"content\":[{\"text\":\"Request had insufficient authentication scopes.\",\"type\":\"text\"}],\"isError\":true}}\r\n\r\n\n    at send (/$bunfs/root/src/entrypoints/cli.js:869:36437)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-05-01T09:41:03.446Z"},{"error":"Error: Streamable HTTP error: Error POSTing to endpoint: event: message\r\ndata: {\"id\":3,\"jsonrpc\":\"2.0\",\"result\":{\"content\":[{\"text\":\"Request had insufficient authentication scopes.\",\"type\":\"text\"}],\"isError\":true}}\r\n\r\n\n    at send (/$bunfs/root/src/entrypoints/cli.js:869:36437)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-05-01T09:41:38.692Z"},{"error":"Error: Streamable HTTP error: Error POSTing to endpoint: event: message\r\ndata: {\"id\":3,\"jsonrpc\":\"2.0\",\"result\":{\"content\":[{\"text\":\"Request had insufficient authentication scopes.\",\"type\":\"text\"}],\"isError\":true}}\r\n\r\n\n    at send (/$bunfs/root/src/entrypoints/cli.js:869:36437)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-05-01T09:43:31.027Z"},{"error":"Error: Streamable HTTP error: Error POSTing to endpoint: event: message\r\ndata: {\"id\":3,\"jsonrpc\":\"2.0\",\"result\":{\"content\":[{\"text\":\"Request had insufficient authentication scopes.\",\"type\":\"text\"}],\"isError\":true}}\r\n\r\n\n    at send (/$bunfs/root/src/entrypoints/cli.js:869:36437)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-05-01T09:51:59.279Z"}]

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗