[BUG] claude.ai Gmail connector: read/compose calls fail with 'insufficient authentication scopes', and in-session /mcp reconnect does not re-grant scopes or update session state (Windows, v2.1.200)

Open 💬 1 comment Opened Jul 7, 2026 by compusophy

Summary

Two coupled problems with the claude.ai Gmail connector in a CLI session:

  1. Granted OAuth scopes are insufficient even for read/compose — not just label mutation. After authenticating the connector (/mcp → "Authentication successful. Connected to claude.ai Gmail"), tool calls fail with Request had insufficient authentication scopes. This happens for search_threads (read) and create_draft (compose), not only the gmail.modify label tools already reported in #72052 / #47383. So the initial consent appears to grant no usable Gmail data scope at all.
  1. In-session /mcp disconnect / reconnect / re-authenticate does not re-grant scopes or update the running session. Trying to recover by toggling the connector via /mcp within the same session does not (a) trigger a fresh Google consent that grants the missing scopes, nor (b) reliably update the session's view of the connector. The state flaps (Connected → Disconnected → Reconnected → Disconnected) and the exposed Gmail tools appear/disappear, with no in-session recovery path — the session effectively must be restarted.

Environment

  • Claude Code 2.1.200
  • Platform: Windows 11 (win32)
  • Model: Opus 4.8
  • Connector: claude.ai Gmail (hosted connector)

Steps to reproduce

  1. Start a CLI session with the claude.ai Gmail connector present ("needs authentication").
  2. /mcp → authenticate Gmail → "Authentication successful. Connected."
  3. Call a Gmail tool — e.g. search_threads (read) or create_draft (compose).

Request had insufficient authentication scopes (both fail).

  1. /mcp again → disconnect, reconnect, re-authenticate (repeated several times) to try to widen scopes.
  2. Observed: scopes never broaden; the session does not reliably reflect the reconnect; the Gmail tools flap in and out.

Expected

  • The Gmail connector's OAuth grant should request the scopes its advertised tools need (search/read, compose/draft, and modify for labels).
  • Re-authenticating via /mcp should force a fresh Google consent that grants those scopes and update the live session without requiring a restart.

Actual

  • Initial grant lacks even read/compose scopes.
  • /mcp re-auth appears to reuse the stale grant/token and does not update the session; connector state and exposed tools flap.

Possibly related (cross-links for triage)

  • #72052, #47383 — gmail.modify missing for label tools (this report is broader: read + compose also fail).
  • #51326 (closed) — "Gmail MCP integration uses Google Drive OAuth client — cannot grant Gmail permissions" — possible regression/variant that would explain the total scope failure.
  • #48275 — connectors remain listed after disconnect.
  • #72914 — connectors show "Connected" but aren't loaded as tools.

The distinct new facts here: read + compose scope failure (not just labels) and the in-session /mcp reconnect not re-granting scopes / not updating session state, on Windows, CLI 2.1.200.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗