Indeed MCP OAuth fails with `invalid_client / Client not allowed` — same pattern as #47185
Summary
The Indeed MCP server (https://mcp.indeed.com/claude/mcp) cannot be authenticated from Claude Code. Every OAuth attempt is rejected by the server with HTTP 403 invalid_client / "Client not allowed", even immediately after claude mcp remove indeed + claude mcp add (fresh dynamic client registration). The symptom is identical in shape to #47185 (Linear MCP), and likely shares the same root cause: Claude Code's Client ID Metadata Document advertises loopback redirect URIs without an ephemeral port, but the OAuth request includes one.
Reproduction
claude mcp add --transport http indeed https://mcp.indeed.com/claude/mcp/mcp→ indeed → Authenticate- Browser auth completes successfully.
- Claude Code reports: "Got new credentials, but indeed rejected them on reconnect. Try re-authenticating, or restart Claude Code if it persists."
- Full Cmd+Q restart + retry → same result.
claude mcp remove indeed+ re-add + re-auth → same result.
Log excerpt
From ~/Library/Caches/claude-cli-nodejs/<project>/mcp-logs-indeed/:
Returning tokens
Token length: 720
Has refresh token: true
Expires in: 3562s
HTTP Connection failed after 154ms: Streamable HTTP error: Error POSTing to endpoint:
{"error": "invalid_client", "error_description": "Client not allowed"} (code: 403)
Authentication required for HTTP server
The token is freshly issued (full refresh token, ~59 min validity), but the very next POST to the MCP endpoint with that token is rejected with invalid_client. This is the same shape as the Linear case in #47185.
Suspected root cause
Two possibilities (overlapping):
- Redirect URI port mismatch (same as #47185). Claude Code's metadata declares
http://localhost/callbackandhttp://127.0.0.1/callback, but the authorization request useshttp://localhost:<ephemeral>/callback. Indeed's gateway, like Linear's, performs strict string matching against the declared list rather than honoring RFC 8252 §7.3's port-wildcard rule for loopback.
- Manual client allowlist on Indeed's side. Indeed's MCP gateway may not honor dynamic client registration at all — only allowing pre-approved
client_idvalues used by Claude Desktop / claude.ai integrations. If so, every fresh registration from Claude Code will be rejected on principle.
Environment
- Claude Code 2.1.145 (sdk-cli)
- Node v24.3.0
- macOS Darwin 25.3.0 (Tahoe)
- Server:
https://mcp.indeed.com/claude/mcp(HTTP transport)
Workaround attempts (all failed)
claude mcp remove indeed+ re-add → same 403- Full Cmd+Q restart of Claude Code → same 403
- (Not yet tried) nuke
Claude Code-credentialsKeychain entry — would force re-auth of all MCPs, high blast radius
Ask
- Confirm whether Indeed's MCP gateway is on the same redirect-URI strict-match path as Linear in #47185.
- If yes: fix Claude Code's metadata to declare
http://localhost:*/callback(port-wildcard) or switch to port-less loopback URIs. - If Indeed enforces a manual
client_idallowlist: coordinate with Indeed to register Claude Code's metadata client_id, or document that Indeed MCP is not currently supported in Claude Code.
Related
- #47185 — Linear MCP, same root error shape
- #52565 — OAuth tokens fail to persist; menu "Connect" silently fails
- #26917 — HTTP MCP servers requiring OAuth silently fail
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗