[Bug] MCP HTTP OAuth token exchange ignores authorization URL scopes, uses metadata instead

Resolved 💬 3 comments Opened May 7, 2026 by felgeekpe Closed May 10, 2026

Bug Description
Claude Code's MCP HTTP OAuth flow overrides API scopes with the auth server's metadata scopes_supported during token exchange, producing tokens without the required API permissions. Result: 403 Forbidden on every MCP call.

## Repro

Connect to Function Health MCP (https://services.functionhealth.com/ai-chat/mcp).

## Log trace

  1. Scopes in URL: read:action_plan read:biomarkers read:health_summary offline_access
  2. Using scope from metadata: openid profile offline_access name given_name email... ❌ (overrides step 1)
  3. HTTP Connection failed: 403 Forbidden

## Env

  • Claude Code 2.1.132
  • macOS arm64, Node v24.3.0

## Expected
Scopes captured from authorization URL should be reused at token exchange, not replaced with the auth server's scopes_supported metadata.

Environment Info

  • Platform: darwin
  • Terminal: ghostty
  • Version: 2.1.132
  • Feedback ID: 83967865-977f-46cf-869f-e5688f0e5463

Errors

[{"error":"Error: NON-FATAL: Lock acquisition failed for /Users/theuser/.local/share/claude/versions/2.1.132 (expected in multi-process scenarios)\n    at I96 (/$bunfs/root/src/entrypoints/cli.js:2651:2257)\n    at ZRH (/$bunfs/root/src/entrypoints/cli.js:2651:1337)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-05-07T01:59:37.103Z"}]

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗