[BUG] Kit MCP server OAuth fails with PKCE rejection despite code_challenge being present
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Kit MCP authentication is broken. When calling mcp__kit__authenticate, Claude Code generates an authorization URL that
includes code_challenge and code_challenge_method=S256, but Kit's OAuth server rejects it with:
{"error":"invalid_request","error_description":"This app sent an authorization request without a PKCE code_challenge,
which Kit requires for public clients (RFC 7636, S256 only). This is a configuration issue on the app's side, not on
your Kit account."}
The generated URL does contain PKCE parameters, so the rejection is happening server side, suggesting the client_id
mQdz3obrvGsFS25hLxJZguyxPIyzsgvdAZSu8ljtojU registered with Kit is not configured as a PKCE enabled public client on
Kit's OAuth app settings.
Expected: OAuth flow completes and Kit tools become available
Actual: Kit rejects the request at the authorization step
The mcp-needs-auth-cache.json entry for "kit" ends up with a timestamp but no session id, confirming authentication
never completes.
Fix needed: The Kit OAuth app registration for this client_id needs to have PKCE (S256) enabled on Kit's developer
settings side, or a new client_id registered with the correct public client configuration.
Platform: macOS 25.4.0, Claude Code CLI
What Should Happen?
Opening the authorization URL in the browser should complete the OAuth flow successfully. After granting access,
Claude Code should receive the authorization code, exchange it for a token, and make the Kit MCP tools available in
the session. The kit entry in mcp-needs-auth-cache.json should include a valid session id, not just a timestamp.
Error Messages/Logs
Steps to Reproduce
Steps to reproduce:
- Add the Kit MCP server (https://app.kit.com/mcp) to Claude Code
- Trigger authentication via mcp__kit__authenticate
- Open the authorization URL in a browser
- Kit returns the PKCE error above
Claude Model
None
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
v2.1.173
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
_No response_
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗