MCP OAuth workspace binding can be ambiguous in multi-client workflows
Summary
I work as one consultant across multiple client workspaces. The same remote MCP provider can represent different client data environments. Today it is too easy for a Claude Code / Claude connector MCP OAuth binding to point at the wrong workspace, while another local tool or CLI profile for the same provider still points at the correct one.
This creates a data-boundary risk for consultants and agencies: one shared MCP connector can be re-authenticated to Client B, then a later task for Client A can appear authenticated but search/query the wrong workspace.
Environment
- Claude Code / Claude connectors
- Remote HTTP MCP server with OAuth
- Same provider host for multiple workspaces
- Provider CLI supports named profiles correctly
- Project MCP config may contain a shared server entry such as:
{
"mcpServers": {
"example": {
"type": "http",
"url": "https://example.com/mcp"
}
}
}
Observed behavior
In a real local setup, with client names and workspace IDs redacted:
- The provider CLI profile remained logged into Client A.
- A Claude/Codex MCP binding for the same provider returned Client B projects after a separate OAuth flow.
- Browser incognito only controlled the workspace selected during OAuth. After callback, the durable binding belonged to the MCP client/server alias/auth store, not the browser window.
- A user can reasonably think "I authenticated in a separate browser/session" means the workspaces are isolated, but they are not.
In practice this meant:
provider CLI profile -> Client A workspace
MCP search via shared connector/alias -> Client B workspace/projects
Expected behavior
Claude Code should make multi-workspace MCP auth safer and more explicit. Ideally:
- Show the authenticated MCP workspace/account/org in
/mcp,claude mcp list, and/orclaude mcp get <server>when the server/provider exposes it. - Warn before re-auth changes an existing remote MCP binding for a server/connector.
- Document the intended hard-isolation model for MCP OAuth: server alias, endpoint, account connector,
CLAUDE_CONFIG_DIR, project.mcp.json, or app-support OAuth cache. - Provide a recommended workflow for consultants with one machine and multiple client workspaces.
- If possible, support first-class per-MCP auth profiles or multiple instances of the same connector, each with a visible account/workspace label.
Current workaround
Hard isolation appears to require separate Claude Code configuration directories plus explicit MCP config, then a workspace probe after login:
CLAUDE_CONFIG_DIR=~/.claude-client-a claude --mcp-config /path/to/client-a.mcp.json --strict-mcp-config
CLAUDE_CONFIG_DIR=~/.claude-client-b claude --mcp-config /path/to/client-b.mcp.json --strict-mcp-config
Alias-only isolation may work in some clients, but it is not a safe assumption because MCP token storage is client-specific and some clients/providers can deduplicate by endpoint or connector identity. In local investigation, Claude app support storage also appeared to contain OAuth token-cache state, so CLAUDE_CONFIG_DIR isolation should still be verified after login rather than assumed.
Why this matters
This is not just convenience. For consultants and agencies, querying the wrong client workspace is a data-boundary incident. The product should make the active MCP identity visible and hard to confuse.
Related issues
This is related to, but more specific than:
- #27567 - multi-account MCP connectors in Cowork
- #33430 -
CLAUDE_CONFIG_DIRdocumentation for multi-account setups - #50062 - account-level MCP connectors auto-loaded into CLI sessions
- #24317 - concurrent Claude Code sessions and OAuth refresh-token race conditions
The missing piece in this report is the multi-client workspace-boundary risk: provider CLI profiles and MCP OAuth bindings can diverge, and the active MCP workspace is not visible enough to catch that before a tool call uses the wrong client context.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗