[Bug] MCP HTTP OAuth token exchange ignores authorization URL scopes, uses metadata instead
Resolved 💬 3 comments Opened May 7, 2026 by felgeekpe Closed May 10, 2026
Bug Description
Claude Code's MCP HTTP OAuth flow overrides API scopes with the auth server's metadata scopes_supported during token exchange, producing tokens without the required API permissions. Result: 403 Forbidden on every MCP call.
## Repro
Connect to Function Health MCP (https://services.functionhealth.com/ai-chat/mcp).
## Log trace
Scopes in URL: read:action_plan read:biomarkers read:health_summary offline_access✅Using scope from metadata: openid profile offline_access name given_name email...❌ (overrides step 1)HTTP Connection failed: 403 Forbidden
## Env
- Claude Code 2.1.132
- macOS arm64, Node v24.3.0
## Expected
Scopes captured from authorization URL should be reused at token exchange, not replaced with the auth server's scopes_supported metadata.
Environment Info
- Platform: darwin
- Terminal: ghostty
- Version: 2.1.132
- Feedback ID: 83967865-977f-46cf-869f-e5688f0e5463
Errors
[{"error":"Error: NON-FATAL: Lock acquisition failed for /Users/theuser/.local/share/claude/versions/2.1.132 (expected in multi-process scenarios)\n at I96 (/$bunfs/root/src/entrypoints/cli.js:2651:2257)\n at ZRH (/$bunfs/root/src/entrypoints/cli.js:2651:1337)\n at processTicksAndRejections (native:7:39)","timestamp":"2026-05-07T01:59:37.103Z"}]This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗