[BUG] Scheduled routines fail every MCP tool call with "MCP tool call requires approval" on custom connectors (regression ~2026-05-20)
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet. Related but distinct: #58757 (Bypass Permissions in CLI blocks
requiresUserInteractionMCP tools). This report is for the claude.ai scheduled routine surface, reachable from Claude Code via/scheduleand theRemoteTriggertool. - [x] This is a single bug report.
- [x] I am using the latest version of Claude Code.
What's Wrong?
Around 2026-05-20, scheduled claude.ai routines that use a custom MCP connector silently stopped completing their work. Every MCP tool call inside the routine fails with:
Streamable HTTP error: Error POSTing to endpoint: MCP tool call requires approval
There is no human in the loop on a scheduled routine, so the call never gets approved and the routine effectively no-ops. The routine itself fires (visible in last_fired_at), but nothing the routine was supposed to write to the connector ever lands.
The same connector works perfectly from every interactive surface:
- Claude Code on a local Mac
- Claude Code on a remote Linux box (this is where I'm filing from — used
mcp__claude_ai_Notes_Remote_MCP__list_notesandread_notehalf a dozen times in the session) - claude.ai chat
So the bug is scoped to the routine surface + custom MCP connector combo. First-party connectors (Linear, Granola) in the same routine slot don't appear to be affected.
Steps to Reproduce
- In claude.ai, register a custom MCP connector (mine is a Railway-hosted Obsidian server fronted by Auth0 OAuth — anything with the standard OAuth-protected-resource handshake will reproduce).
- Confirm it works from chat: ask Claude to call any tool on it, approve once.
- Create a scheduled routine that uses the connector. Easiest repro via
POST /v1/code/triggerswith body shape:
``json``
{
"name": "mcp-smoke",
"cron_expression": "0 0 1 1 *",
"enabled": true,
"mcp_connections": [{
"connector_uuid": "<uuid>",
"name": "<connector name>",
"permitted_tools": ["list_notes", "read_note", "create_note", "update_note"],
"url": "<server url>"
}],
"job_config": {
"ccr": {
"environment_id": "<env id>",
"events": [{ "data": { "message": { "content": "Call list_notes(folder=\"foo/\") then create_note(...) and reply 'ok'.", "role": "user" }, "type": "user", "uuid": "...", "session_id": "" } }],
"session_context": { "allowed_tools": ["Bash"], "model": "claude-opus-4-7" }
}
}
}
- Fire the routine manually via
POST /v1/code/triggers/<id>/run. - Observe: routine "ran" (200 response), but
list_notes/read_note/ etc. fail with the approval error and nothing gets written.
What Should Happen
A scheduled routine, by definition, runs unattended. If the user has attached an MCP connector to a routine — and especially if permitted_tools is explicitly populated on the routine's mcp_connections entry — that should be a standing grant for those tools when the routine fires. Anything else makes scheduled routines + custom MCP connectors structurally unusable.
What I Tried (none of which fixed it)
- Disconnected and reconnected the connector in claude.ai → Settings → Connectors. Interactive surfaces stayed working; routines stayed broken.
- PATCHed
mcp_connections.permitted_toolson an existing routine viaPOST /v1/code/triggers/<id>to explicitly list the tool names. Server accepted the update, but the routine still fails the same way on next fire. - Created a brand-new routine via API with
permitted_toolspopulated at creation time, same connector UUID. Same failure. This rules out "old routines hold a stale grant" — newly created routines reproduce immediately. - Looked for a per-tool "Always allow" / "Trusted for routines" toggle in the Connectors UI, the Routines/Skills editor, and via a fresh approval flow in chat. Nothing changes the routine behavior.
Environment
- Surface: claude.ai scheduled routines (
/v1/code/triggers), invoked through Claude Code's/scheduleskill andRemoteTriggertool. - Connector: custom MCP server, OAuth-protected (Auth0). Endpoint returns 401 to anonymous probes (correctly) and 200 to interactive calls (correctly).
- Claude Code version: latest.
- Failure window: started between ~14:00 UTC 2026-05-19 and ~14:00 UTC 2026-05-20.
- Cross-routine confirmation: at least two unrelated routines on the same account, with different prompts but the same custom connector, simultaneously stopped writing on those dates. So it's not a routine-specific config drift; it correlates with a platform change.
Error Messages / Logs
The only surfaced error is the one quoted above:
Streamable HTTP error: Error POSTing to endpoint: MCP tool call requires approval
It is visible when the routine is run; there is no further detail in the API response, and last_fired_at does not update on manual run calls (separate minor issue).
Suggested Fix
- Treat a routine's attached connector as a standing grant for the tools listed in
mcp_connections[].permitted_tools. Routines are by construction non-interactive; gating them behind a separate approval flow makes them dead-on-arrival. - If a stricter policy is intended, surface the gate as a user-visible setting (per-connector or per-routine, "Trusted for unattended execution") and document the migration. Right now the only error returned is "requires approval", with no path the user can take to grant that approval for an unattended context.
- Cross-reference #58757 — the underlying gating logic is plausibly the same and a unified fix may address both.
Impact
Routines that use custom MCP connectors are the only practical way to drive multi-step, vault-style automations on claude.ai today. For me this powers a daily journaling/dispatch system that's been broken for two days. The workaround is to move the workload off claude.ai routines entirely and run it as local cron against the same connector — which works fine, but defeats the point of having claude.ai routines.
38 Comments
Found 1 possible duplicate issue:
This issue will be automatically closed as a duplicate in 3 days.
🤖 Generated with Claude Code
+1 — reproducing on the Notion connector (first-party in Customize, not a self-hosted MCP).
The routine settings UI states that tools from attached connectors can be used during execution without requesting approval (paraphrasing — I'm on the Japanese locale). Despite that, the routine fails at runtime with
MCP tool call requires approvalonmcp__Notion__notion-fetch. The container's settings.json only contains"allow": ["Skill"], and there is no UI surface for the user to grant MCP-tool approval.So this isn't limited to custom OAuth connectors — it also affects the Notion first-party connector attached via Customize, and the UI's own stated guarantee appears to be violated.
"Same issue. Gmail, Google Calendar, and Microsoft 365 connectors. Started today. All connectors are added to the routine with the no-approval banner confirmed."
For me this doesn't just happen with custom MCPs, but also with the standard Gmail and Google Calendar MCPs. What is the point of this feature if we can't use MCPs? Even when I am present, no UI prompt to approve requests appear. All my relevant connector settings are set to "always allow".
I am also experiencing the same issue when calling the Slack connector (MCP).
+1, same regression on first-party Datadog and Slack connectors (claude.ai EU). A routine that had been running fine for 6 days started failing on 2026-05-20 with
MCP tool call requires approvalon every MCP call.Local CLI from the same account can call
mcp__claude_ai_Datadog__*andmcp__claude_ai_Slack__*without issue, so the OAuth grant is intact — the failure is scoped to the routine surface.+1, experience the same issue when using Slack Connector.
Streamable HTTP error: Error POSTing to endpoint: MCP tool call requires approval
+1, with slack and sentry
I wanted to report, but since its done already I will just attach here. Same routine was working yesterday. When I asked claude to find solution it kept insisting on working on permissions - which makes no sense in routines as I understand. Same behaviour on desktop and web client.
Title: MCP tool calls fail with "MCP tool call requires approval" inside Routine sessions on claude.ai/code
Description:
When a Routine runs on claude.ai/code (remote execution environment), MCP tool calls fail with the following error despite Routines being documented to run without confirmation prompts:
Streamable HTTP error: Error POSTing to endpoint: MCP tool call requires approval
Environment:
Claude Code on the web (claude.ai/code)
Remote execution environment (ephemeral container, no local filesystem access)
Session type: Routine (automated, scheduled)
MCP servers affected: Slack (mcp.slack.com/mcp), Atlassian
Model: claude-sonnet-4-6
Steps to reproduce:
Configure a Routine on claude.ai/code that uses MCP tools (Slack, Atlassian)
Run the Routine
Observe MCP tool calls fail with MCP tool call requires approval
Expected behavior:
Routines run autonomously without any confirmation prompts. MCP tool calls should execute without requiring approval, by definition of how Routines work.
Actual behavior:
Every MCP tool call is blocked by Claude Code's internal permission check and throws MCP tool call requires approval. The Routine cannot proceed.
Workaround attempted:
Writing ~/.claude/settings.json with "defaultMode": "bypassPermissions" and MCP tool allow rules — this has no effect because the remote container is ephemeral and the settings file is not read mid-session. There is no persistent filesystem access in remote sessions to apply a fix.
Impact:
Routines that rely on MCP tools are completely non-functional in remote sessions.
Seeing this behaviour today too. Nothing changed my end but none of my connectors are authorising as expected.
I'm also seeing this with my routines when they are trying to use Slack, Google Calendar and Atlassian connectors. It was working yesterday afternoon and it was this morning my daily routines all started failing.
+1 on gmail..
+1 Slack,Jira
+1 Google Calendar
+1 Google Drive
+1 Jira, Snowflake (any MCP connector...)
It worked for sure on 2026-05-20, and today (2026-05-21) it doesn't.
definitely regression.
Very frustrating
the part that bites here isn't the approval gate itself, it's that interactive approval and unattended approval are getting treated as one grant. a routine has no human to click 'allow', so a permission model that only knows 'ask the user now' degrades to a hard no the moment nobody's sitting there. permitted_tools on the connector should act as a standing grant scoped to that surface, precisely because the surface is non-interactive by construction. the failure mode i keep running into is permission logic built for the interactive case first, then bolted onto scheduled runs where the same prompt silently becomes an infinite wait. cleaner to split approval-at-bind-time for unattended from approval-at-call-time for interactive, with the tool allowlist being the bind-time artifact.
Same bug happened recently and it's affecting all remote routines and connectors for me.
Every MCP tool call in my remote/scheduled routines fails instantly with:
Streamable HTTP error: Error POSTing to endpoint: MCP tool call requires approval
Confirming on scheduled (cron-triggered) routines, not just API-fired ones, and any type triggered manually.
A few additional data points from debugging this session:
13-connector diagnostic: Attempted one read-only tool call from each of 13 connectors available in the execution environment (Slack, Google Drive, JIRA, Atlassian, Gmail, Google Calendar, Figma, Amplitude, Guru, Ramp, Zapier, monday.com). All 13 returned the identical error. This suggests the gate is environment-wide, not scoped to the routine's connector config.
Subagent test: Spawned a subagent and had it attempt the same calls. Same error. The block is consistent across the main agent and subagents.
~/.claude/settings.json workaround: Added mcp__Slack__, mcp__Google-Drive__, mcp__JIRA__, mcp__Atlassian__ to permissions.allow mid-session. File write confirmed, allow rules verified with jq. MCP calls still blocked immediately after.
No workaround found. Routine is non-functional until this is resolved on the platform side.
+1 — same issue on Gmail and Google Drive connectors in a remote routine. Worked fine 2026-05-20, broken since 2026-05-21.
Every MCP call returns "Streamable HTTP error: Error POSTing to endpoint: MCP tool call requires approval" — including read-only ones (Gmail:search_threads, Google-Drive:read_file_content).
Setup:
Things tried (none worked):
Confirms what others said: this is a routine-execution-layer regression, not a connector or OAuth issue. Unattended routines are completely broken for any MCP-dependent workflow.
Running into the same thing with Slack, Datadog and Sentry MCPs
Experiencing the same with G Cal, Notion, Todoist MCPs
Hi folks, we're aware of this issue and looking into it.
Update: This issue should be addressed. We are continuing to monitor, please let me know if you encounter any issues.
It's fixed.
Thanks @omid-ant
Claude Code routine now having issues seeing MCP, still digging but the original error is no longer present.
Routine is telling me: Please open this URL in your browser to authorize the [...] connector:
[URL]
after hitting the URL I see the attached image. This seems like it has to be the wrong flow? @omid-ant
<img width="816" height="182" alt="Image" src="https://github.com/user-attachments/assets/6d71a831-3186-4ff3-b827-7608c7183d8d" />
Reproducing post-fix. Created routine after your fix comment. Notion, Google Calendar, Todoist connectors all attached and visible in the routine config UI. Routine fires, but the agent's tool registry contains zero MCP tools - ToolSearch returns nothing for any of the three connectors. Not the "requires approval" error from the original report; this is a step earlier - tools never injected into the session at all. Deleted and recreated the routine, same symptom. Account on Pro plan, region DE.
+1, now seeing different error message from the original ("MCP tool call requires approval") - now routines are treating external MCPs as unauthorized, and trying to re-authenticate returns the same "Server Turned Down" message that devon mentioned above.
+1 facing the same issue. Gmail first-party connector on a scheduled daily triage routine. Tools are never injected into the session at all, no "requires approval" error, just zero Gmail tools visible. Secondary symptom: re-auth fallback hits rate limit for client registration requests with no UI path to resolve it.
Thanks @devonpohl and others, that issue should now be fixed as well.
Working! Thank you!
Yes, thanks!
My scheduled routines worked today without issue.
Still reproducing as of July 5, 2026. A scheduled routine calling the Slack connector (slack_read_channel / slack_send_message) fires but hangs on the approval prompt when run headless — no output. Manual "Run now" works since a human can approve; BigQuery and Google Drive connectors in the same routine are unaffected.
One extra data point that might help localize the fix: a trigger created before the ~May 19 regression still runs Slack tools headless with no prompt, while a trigger created after it never can — even for the same connector and account. Approving the connector on a manual run doesn't persist to later scheduled runs. Suggests the grant is bound at trigger creation and post-regression triggers can't obtain it.