HTTP MCP client doesn't follow OAuth authorization redirects, kills session with uncaught Unauthorized

Resolved 💬 3 comments Opened May 7, 2026 by ForesightAero Closed May 11, 2026

Summary

When an HTTP-transport MCP server requiring OAuth is added to .mcp.json, Claude Code initiates the OAuth flow but logs "Redirection handling is disabled, skipping redirect" and then throws an uncaught Error: Unauthorized from inside the bundled CLI. The exception propagates up and exits the session. After the first crash, a cached needs-auth flag prevents subsequent sessions in the same project from retrying — but every fresh project/worktree without that cache hits the same crash.

This makes the entire class of "remote MCP server via OAuth" effectively unusable on Claude Code today, including Sentry's official hosted MCP at https://mcp.sentry.dev.

Reproduction

  1. Create a project-level .mcp.json:
{
  "mcpServers": {
    "sentry": {
      "type": "http",
      "url": "https://mcp.sentry.dev/mcp"
    }
  }
}
  1. Launch claude in that project, accept the trust prompt
  2. Within ~1 second of MCP connection, the session crashes silently
  3. No prompt to complete OAuth in a browser ever appears
  4. Subsequent launches in the same project show "Skipping connection (cached needs-auth)" and don't retry — but new worktrees / projects without the cache repeat the crash

Death signature in the MCP cache log

%LOCALAPPDATA%\claude-cli-nodejs\Cache\<project>\mcp-logs-sentry\<timestamp>.jsonl:

{"debug":"Initializing HTTP transport to https://mcp.sentry.dev/mcp"}
{"debug":"No token data found"}
{"debug":"HTTP transport options: {\"url\":\"https://mcp.sentry.dev/mcp\",\"hasAuthProvider\":true,\"timeoutMs\":60000}"}
{"debug":"Starting connection with timeout of 30000ms"}
{"debug":"Saving discovery state (authServer: https://mcp.sentry.dev/)"}
{"debug":"No access token in storage"}
{"debug":"Generated new OAuth state"}
{"debug":"Saving code verifier"}
{"debug":"Authorization URL: https://mcp.sentry.dev/oauth/authorize?response_type=code&client_id=...&code_challenge=...&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A3118%2Fcallback&state=..."}
{"debug":"Scopes in URL: NOT FOUND"}
{"debug":"No scopes available from URL or metadata"}
{"debug":"Redirection handling is disabled, skipping redirect"}
{"debug":"HTTP Connection failed after 1057ms: Unauthorized (code: none, errno: none)"}
{"error":"Error: Unauthorized\n    at send (B:/~BUN/root/src/entrypoints/cli.js:892:35837)\n    at processTicksAndRejections (native:7:39)"}
{"debug":"Authentication required for HTTP server"}

The local callback server (http://localhost:3118/callback) is set up correctly in the URL, but redirection handling is explicitly disabled before the redirect can fire — so the user's browser never opens, OAuth can never complete, and the connection fails with Unauthorized.

Suggested fix

Either:

  1. Enable browser-redirect handling for OAuth-based HTTP MCP servers — open the user's default browser to the authorization URL, run the callback server on the configured port, complete the code-for-token exchange, persist the token, then retry the connection. This is what the Sentry MCP and other OAuth-based remote MCPs expect.
  1. If redirect handling is intentionally disabled for security/sandbox reasons, surface a clear error to the user (e.g., "Sentry MCP requires OAuth authentication. Run claude mcp authenticate sentry to complete the flow.") and catch the Unauthorized so it doesn't kill the session. Then provide a separate claude mcp authenticate <name> subcommand that runs the OAuth flow outside an active session.

The current behavior — silently dying with no UI for the user to complete auth — is the worst of both worlds.

Workaround

Don't use OAuth-based HTTP MCP servers in .mcp.json. Use stdio-transport MCP servers with token-based auth (e.g., npx @sentry/mcp-server --access-token=...) or shell out to the vendor's CLI tools.

Environment

  • OS: Windows 11 ARM64 (10.0.26200)
  • Shell: PowerShell 7.6.1
  • Node: v24.3.0 (logged by the Sentry MCP probe; NOT the Node version used to run Claude Code itself, which is v20.19.2 x64)
  • Claude Code: 2.1.132 (auto-updated from 2.1.131 mid-session)
  • MCP server tested: Sentry's official hosted MCP at https://mcp.sentry.dev/mcp

Related

Filed alongside #56938 (the orphaned-plugin autoupdate crash). Both are silent-exit-on-Windows bugs surfaced during the same investigation. Different code paths, related symptom class.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗