[BUG] Managed MCP server tools permanently stuck in "Needs Approval" — users cannot approve unlisted tools, contradicting docs and UI

Resolved 💬 2 comments Opened Jun 1, 2026 by pnancarrow Closed Jul 12, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When an MCP server is deployed via managedMcpServers, all tools are shown to users as "Needs Approval" and are grayed out with no way to act on them.

The in-app Tool policy UI tooltip from the configuration menu reads:

_"Lock the approval state for specific tools. Unlisted tools stay user-controlled."_

The configuration reference docs describe toolPolicy as:

Map of tool name → "allow" / "ask" / "blocked". Locks the per-tool approval state for that server.

Neither source documents or justifies what actually happens: unlisted tools are permanently locked in an unresolvable "Needs Approval" state that users cannot act on.

Steps to Reproduce

  1. Deploy a remote MCP server via managedMcpServers in Cowork on 3P configuration
  2. Do not set a toolPolicy on the server entry (e.g. a minimal config like below)
  3. Open the app as a user and go to Settings → the managed MCP server
{
  "name": "My Server",
  "transport": "http",
  "url": "https://example.com/mcp",
  "oauth": true
}

Expected: Tools are user-controllable — users can approve or deny them on demand, consistent with the UI tooltip and docs.

Actual: Every tool shows "Needs Approval" and is grayed out. Users have no way to approve or deny tools. Tools are completely unusable.

Workaround (and why it's unacceptable)

The only workaround is to manually enumerate every tool name and set each to "allow":

{
  "name": "My Server",
  "transport": "http",
  "url": "https://example.com/mcp",
  "oauth": true,
  "toolPolicy": {
    "tool_one": "allow",
    "tool_two": "allow"
  }
}

This is problematic because:

  • The admin must know every tool name in advance with no discovery mechanism in the config UI
  • If the MCP server adds or renames tools, they silently revert to the broken grayed-out state
  • This requires a config update + full app restart to fix, with no user-facing recourse
  • It directly contradicts the stated behavior: "unlisted tools stay user-controlled"

Expected Behavior

One of the following (in order of preference):

  1. Unlisted tools are genuinely user-controlled — users see an approve/deny prompt when a tool is first invoked, consistent with the UI copy and docs. This matches stated intent and requires no config changes.
  2. A wildcard toolPolicy value (e.g. "*": "allow") that lets admins approve all tools without enumeration — also requested in #58082.
  3. At minimum, accurate documentation — if enumerate-or-broken is intentional, the docs and UI tooltip must say so explicitly, and the config UI should provide a tool discovery mechanism.

Impact

Any organization deploying managed MCP servers without knowing to explicitly enumerate every tool in toolPolicy will find their users completely unable to use any MCP tools. This is the silent default behavior with no warning.

Environment

  • Product: Claude desktop app (Cowork on 3P)
  • Area: Managed MCP servers / tool policy
  • Severity: High — blocks all tool use for users on managed MCP deployments

What Should Happen?

Unlisted tools are genuinely user-controlled — users see an approve/deny prompt when a tool is first invoked, consistent with the UI copy and docs. This matches stated intent and requires no config changes. Users can set their own policy from the "customize" settings.

Alternatively, helpful behavior:

  • A wildcard toolPolicy value (e.g. "*": "allow") that lets admins approve all tools without enumeration — also requested in #58082.
  • At minimum, accurate documentation — if enumerate-or-broken is intentional, the docs and UI tooltip must say so explicitly, and the config UI should provide a tool discovery mechanism.

Error Messages/Logs

Steps to Reproduce

  1. Deploy a remote MCP server via managedMcpServers in Cowork on 3P configuration
  2. Do not set a toolPolicy on the server entry (e.g. a minimal config like below)
  3. Open the app as a user and go to Settings → the managed MCP server
{
  "name": "My Server",
  "transport": "http",
  "url": "https://example.com/mcp",
  "oauth": true
}

Expected: Tools are user-controllable — users can approve or deny them on demand, consistent with the UI tooltip and docs.

Actual: Every tool shows "Needs Approval" and is grayed out. Users have no way to approve or deny tools. Tools are completely unusable.

Claude Model

None

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

Claude 1.8555.0 (8245b7)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

Related Issue

This is related to but distinct from #58082, which requests glob-syntax support for toolPolicy. That issue is framed as a feature request. This is a bug report: the current behavior contradicts what the documentation and in-app UI explicitly state.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗