HTTP MCP OAuth: refresh token stored but never exercised, server drops to bootstrap tools when the access token expires (~12h)
Open 💬 1 comment Opened Jul 12, 2026 by Emredost
Environment
- Claude Code 2.1.205
- macOS (Darwin 25.5.0)
Setup
- An HTTP MCP server that uses OAuth, for example
https://mcp.slack.com/mcp, added to the client. - After the first sign-in, the OAuth grant is saved to the macOS Keychain, and a refresh token is stored alongside the access token.
Observed
- The access token has a short TTL (about 12 hours).
- When it expires, the server stops exposing its operational tools and only its
authenticateandcomplete_authenticationbootstrap tools remain. - The Keychain still holds a valid refresh token next to the expired access token, so the material needed to refresh is present.
Expected
- When the access token is expired and a refresh token is available, the client runs the OAuth refresh flow and restores the operational tools without a manual re-auth.
Repro steps
- Add an OAuth-based HTTP MCP server and complete sign-in. Confirm its operational tools are listed.
- Wait for the access token to expire (about 12 hours), or shorten its lifetime if you can.
- Start a new session and list the server's tools.
- Only
authenticateandcomplete_authenticationappear; the operational tools are gone. - Inspect the stored OAuth grant and confirm a refresh token is present alongside the expired access token.
Impact
- Manual re-auth roughly every 12 hours for any OAuth-based HTTP MCP server, even though a refresh token is on hand.
Note
- The manual re-auth workaround is documented on the user side, so this is about the missing automatic refresh, not a blocker with no path forward.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗