[BUG] Claude Code MCP OAuth aborts on server-advertised protected-resource path mismatch — IBKR connector works in Claude Chat, fails in Claude Code

Open 💬 0 comments Opened Jun 21, 2026 by viktor-milev

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

[BUG] Claude Code MCP OAuth aborts on server-advertised protected-resource path mismatch — IBKR connector works in Claude Chat, fails in Claude Code

The official Interactive Brokers (IBKR) remote MCP connector (https://api.ibkr.com/v1/api/mcp) fails to authenticate in Claude Code. The OAuth flow aborts client-side before any browser window opens, because the server advertises its protected resource at a different path on the same host (/alpha/api/mcp) than the configured URL (/v1/api/mcp), and Claude Code's OAuth client treats that as a fatal mismatch. The identical connector, URL, and account authenticate successfully in Claude Chat (claude.ai / desktop chat) — so this is a divergence in Claude Code's OAuth resource-matching, not an IBKR or config problem.

Summary

Claude Code refuses to start the OAuth flow for a remote HTTP MCP server when the
server's advertised protected-resource metadata (RFC 9728) points to a different
path on the same host
than the configured server URL. The client requires the
advertised resource to equal the dialed URL and aborts before opening a browser,
rather than honoring the server-advertised resource or matching by origin.

The same connector, same URL, same account authenticates successfully in Claude
Chat (claude.ai / desktop chat).
Only the Claude Code local OAuth client fails.

This blocks use of the official Interactive Brokers (IBKR) remote MCP connector
in Claude Code entirely.

Environment

  • Product: Claude Code (embedded desktop app)
  • OS: Windows 11 Home (10.0.26200)
  • Connector: Interactive Brokers (IBKR) official remote MCP
  • Config (~/.claude.json):

``json
"mcpServers": {
"ibkr": {
"type": "http",
"url": "https://api.ibkr.com/v1/api/mcp"
}
}
``

Exact error

Failed to start OAuth flow for ibkr: SDK auth failed: Protected resource
https://api.ibkr.com/alpha/api/mcp does not match expected
https://api.ibkr.com/v1/api/mcp (or origin). Ask the user to run /mcp and
authenticate manually.

Interpretation: the configured/dialed URL is …/v1/api/mcp. When the client hits it,
the server's protected-resource metadata advertises the resource as …/alpha/api/mcp
(same host, different path — IBKR appears to serve its OAuth resource off the /alpha
channel while /v1 is the published path). Claude Code's OAuth client treats the
advertised-vs-dialed difference as fatal and aborts the flow.

Steps to reproduce

  1. Add the IBKR remote MCP connector with URL https://api.ibkr.com/v1/api/mcp.
  2. Trigger authentication (connector connect / authenticate).
  3. Observe the error above. No browser/authorization window is ever opened.

Expected behavior

Consistent with the Claude Chat connector, which authenticates the same URL/account
successfully. The client should either:

  • Follow the server-advertised protected resource per RFC 9728 (i.e., proceed with

…/alpha/api/mcp as the resource the server told us to use), or

  • Accept a same-origin resource (the error text's own "(or origin)" branch suggests

this path exists but isn't being taken here), rather than requiring exact
path equality between the configured URL and the advertised resource.

Actual behavior

The flow is aborted client-side before any browser interaction. The fallback advice
("run /mcp and authenticate manually") is not actionable in the embedded desktop app,
where /mcp is unavailable.

Workarounds attempted (all failed or unacceptable)

  • Editing the configured URL to https://api.ibkr.com/alpha/api/mcp (to match the

advertised resource), then fully restarting the app: the connector then fails to
register / disconnects — /alpha is a preview path and not a viable stable target.
Reverted to /v1/api/mcp.

  • Manual bearer-token injection (bypass OAuth, paste Authorization: Bearer … into

config headers, per #52871): unacceptable for a brokerage account — plaintext token,
~hourly expiry, manual refresh.

Likely related issues

  • #52871 — MCP OAuth resource parameter normalization/mismatch
  • #52565 — connector OAuth works in-chat but menu Connect fails; tokens don't persist
  • #56208 — "Got new credentials, but reconnecting failed," server never connects

Impact

The official IBKR connector is unusable in Claude Code. This blocks building agentic
monitoring/automation workflows in Claude Code that depend on IBKR market and account
data. The connector working in Claude Chat but not Claude Code points to a divergence
in the two OAuth client implementations' resource-matching strictness.

What Should Happen?

Authentication should succeed in Claude Code as it does in Claude Chat. The client should honor the server-advertised protected resource per RFC 9728 (proceed using the /alpha/api/mcp resource the server returns), or match by origin — the error text's own "(or origin)" clause implies that branch exists but isn't being taken. Instead of aborting before opening a browser, it should open the authorization window.

Error Messages/Logs

Failed to start OAuth flow for ibkr: SDK auth failed: Protected resource
https://api.ibkr.com/alpha/api/mcp does not match expected
https://api.ibkr.com/v1/api/mcp (or origin). Ask the user to run /mcp and
authenticate manually.

Steps to Reproduce

  1. Add the IBKR remote MCP connector with URL https://api.ibkr.com/v1/api/mcp (type: http).
  2. Trigger authentication for the connector.
  3. Observe the error above. No browser/authorization window ever opens.
  4. For contrast: add the same connector URL in Claude Chat → authentication succeeds.

Claude Model

Opus

Is this a regression?

No, this never worked

Last Working Version

_No response_

Claude Code Version

Claude 1.14271.0 (c8f4d8) 2026-06-18T05:47:57.000Z

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

PowerShell

Additional Information

Workarounds attempted and rejected: (1) editing the configured URL to /alpha/api/mcp and restarting — the connector then fails to register/disconnects, so /alpha is not a viable stable target; reverted to /v1. (2) Manual Authorization: Bearer token injection (per #52871) — unacceptable for a brokerage account (plaintext token, ~hourly expiry, manual refresh).

View original on GitHub ↗