[BUG] Cowork macOS: all claude.ai-hosted MCP connectors fail — desktop OAuth token requested without `user:mcp_servers` scope
Symptom
In every Cowork session on macOS, the claude.ai-hosted MCP connectors (Gmail, Google Drive, Google Calendar, web search) expose zero tools and any call to them is rejected. The same account, on the same machine, works fine in:
- Claude Code CLI (Gmail, web search, etc. all functional)
- Claude.app web chat (Gmail, web search, etc. all functional)
So this is not a network/firewall issue, not an account-level connector authorization issue, and not a tenant policy issue. Network reachability to the per-connector endpoints (mcp.figma.com, mcp.slack.com, mcp.linear.app, etc.) succeeds at the TLS layer; the failure is purely at the OAuth scope check.
First observed approximately 2026-05-21. Persists across multiple Claude.app updates and across sign-out / sign-in.
Smoking-gun evidence — wrong OAuth scope set
The Cowork session's SDK debug log contains this line (from ~/Library/Application Support/Claude/local-agent-mode-sessions/<...>/outputs/sdk-debug.txt):
2026-05-26T16:24:42.742Z [DEBUG] [claudeai-mcp] Missing user:mcp_servers scope (scopes=user:inference)
Cross-referenced with ~/Library/Logs/Claude/main.log, every Cowork OAuth exchange requests this scope set:
[oauth] looking up token for orgId=<...>, cacheKey=<...>:https://api.anthropic.com:user:inference user:file_upload user:profile
Claude Code CLI requests a slightly different set on the same machine:
[oauth] looking up token ... :user:inference user:profile user:sessions:claude_code
Neither set includes user:mcp_servers. Because the scope list is part of the OAuth request's cache key (not loaded from a cached token), no amount of token flushing, sign-out, or reinstall changes what scope set the app's code asks for. This points to a fix needed in the Cowork OAuth request code path — it should be requesting user:mcp_servers (or whatever the current name of the scope that authorizes the claudeai-mcp gateway is).
Downstream effects observed in the SDK log
Once the master scope is missing, the inline Cowork plugins that rely on the claude.ai gateway fail with invalid MCP url:
[ERROR] Plugin MCP server error - mcp-config-invalid: MCP server gmail invalid: Plugin design has an invalid MCP url
[ERROR] Plugin MCP server error - mcp-config-invalid: MCP server google calendar invalid: Plugin design has an invalid MCP url
[ERROR] Plugin MCP server error - mcp-config-invalid: MCP server snowflake invalid: Plugin data has an invalid MCP url
[ERROR] Plugin MCP server error - mcp-config-invalid: MCP server databricks invalid: Plugin data has an invalid MCP url
The non-gateway connectors (Slack, Linear, Notion, Figma, Atlassian, etc.) reach their endpoints successfully and then fail with Unauthorized at the per-connector OAuth handshake — also explainable by the same root cause if those flows depend on the gateway-issued token.
Repro
- Sign in to Claude.app on macOS.
- Open Cowork → new session.
- Ask "search the web for X" or "show me my latest gmail thread."
- Observe that the relevant tools are absent or that any call fails.
- Inspect
~/Library/Application Support/Claude/local-agent-mode-sessions/<org>/<session>/outputs/sdk-debug.txt— grep forMissing user:mcp_servers scope.
Environment
- Claude.app: 1.1.381 (Electron 37.10.3 / Chrome 138 / Node 22.21.1)
- macOS: 25.5.0 (Darwin 25.2.0, Apple Silicon — M3 Pro, 36 GB)
- Plan: Max
- First observed: ~2026-05-21
Troubleshooting attempted (none fixed it)
- Multiple app auto-updates during the failure window — bug persists
- Quit and relaunch
- Sign out and sign back in (forces fresh OAuth — token re-minted with same scope set, still missing
user:mcp_servers) - Rebuilt the Cowork bundle via the Help menu
- Flushed cache via Help menu options
- Verified that the same account works in Claude Code CLI and claude.ai web on the same machine
- Verified network reachability to mcp.* endpoints (TLS handshakes succeed in the log)
Why this is not the same bug as adjacent open issues
- #62548 (Gmail/Calendar "caller does not have permission" for one account) — that's account/tenant-scoped, Drive works for them; mine has all claude.ai-hosted connectors broken with no Drive exception, and the failure has explicit
Missing user:mcp_servers scopelog evidence. - #48130 / #55634 (Cowork Windows Gmail connector auth state issues) — different platform, no scope-missing log line, framed as auth-state churn rather than a never-requested scope.
- #59854 (GitHub OAuth DCR) — DCR is the per-connector flow; this report is about the upstream claude.ai gateway scope.
What I think is needed
A change in the Claude desktop app's Cowork OAuth request code path to include user:mcp_servers (or the currently-correct gateway scope name) in the scope list it sends. After that, a normal sign-in on an existing install should mint a working token with no user-side state changes needed.
Logs available
sdk-debug.txt (852 lines) and ~/Library/Logs/Claude/main.log excerpts available on request. Happy to attach to the GitHub issue or send via in-app feedback if that gets them to a specific engineer faster.
This issue has 12 comments on GitHub. Read the full discussion on GitHub ↗