Claude in Chrome bridge 403 every session: token auto-refresh drops user:mcp_servers scope (refreshed token has only user:inference)

Resolved 💬 2 comments Opened May 25, 2026 by ajanderson1 Closed May 25, 2026

Summary

On macOS, mcp__claude-in-chrome__* tools report "Browser extension is not connected" at the start of every session, fixed only by running /login.

Root cause (found via --debug): the Chrome integration's CLI leg connects to the cloud bridge wss://bridge.claudeusercontent.com using the OAuth token. The auto-refreshed token carries only user:inference scope — it's missing user:mcp_servers (and the other login-time scopes). The bridge rejects it with 403 "missing scope or org access." /login mints a full-scope token and the bridge pairs immediately — until the next silent token refresh strips the scopes again, so it breaks the next session.

The local native messaging host + Unix socket are fully healthy throughout (the socket answers JSON-RPC). The failure is entirely the CLI → cloud-bridge OAuth scope, not the extension or native host.

Environment

  • Claude Code 2.1.150
  • macOS (Darwin 25.4.0), Apple Silicon
  • Chrome extension v1.0.72
  • Personal Max account, firstParty OAuth via claude.ai (single-user org)

Evidence (--debug --debug-file)

Broken (auto-refreshed token), repeated 10× with backoff then gives up:

[claudeai-mcp] Missing user:mcp_servers scope (scopes=user:inference)
[Claude in Chrome] Connecting to bridge: wss://bridge.claudeusercontent.com/chrome/<ACCOUNT_UUID>
[Claude in Chrome] Bridge received: {"type":"error","error":"OAuth token forbidden (403) — missing scope or org access","reason":"upstream_403","upstream_status":403,"transient":false}
[Claude in Chrome] Bridge error: OAuth token forbidden (403) — missing scope or org access
[Claude in Chrome] Bridge connection closed (code: 1008)

After /login in the same session:

[Claude in Chrome] Bridge received: {"type":"paired"}
[Claude in Chrome] ensureConnected called, connected=true, authenticated=true, wsState=1
[Claude in Chrome] Bridge received: {"type":"extensions_list","extensions":[{...,"extensionVersion":"1.0.72"}]}

Token scopes:

  • Auto-refreshed (broken): [user:inference]
  • After /login (working): [user:file_upload, user:inference, user:mcp_servers, user:profile, user:sessions:claude_code]

Expected behavior

Refreshed access tokens should retain the same scopes as the originally-issued (login) token — in particular user:mcp_servers and user:sessions:claude_code — so the Claude in Chrome bridge stays authorized across sessions without re-running /login.

Actual behavior

The token refresh path issues a narrower scope set (user:inference only), silently dropping the bridge-required scopes. The 403 surfaces only as the generic "Browser extension is not connected" message, which sends users to investigate the extension/native host (all healthy) rather than token scope.

Workaround

Run /login (or /chrome → Reconnect) at the start of each session.

Suggestions

  1. Preserve full scope set on token refresh.
  2. Surface the real error ("OAuth token missing user:mcp_servers scope — run /login") instead of the generic "extension not connected."

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗