HTTP MCP OAuth: refresh token stored but never exercised, server drops to bootstrap tools when the access token expires (~12h)

Open 💬 1 comment Opened Jul 12, 2026 by Emredost

Environment

  • Claude Code 2.1.205
  • macOS (Darwin 25.5.0)

Setup

  • An HTTP MCP server that uses OAuth, for example https://mcp.slack.com/mcp, added to the client.
  • After the first sign-in, the OAuth grant is saved to the macOS Keychain, and a refresh token is stored alongside the access token.

Observed

  • The access token has a short TTL (about 12 hours).
  • When it expires, the server stops exposing its operational tools and only its authenticate and complete_authentication bootstrap tools remain.
  • The Keychain still holds a valid refresh token next to the expired access token, so the material needed to refresh is present.

Expected

  • When the access token is expired and a refresh token is available, the client runs the OAuth refresh flow and restores the operational tools without a manual re-auth.

Repro steps

  1. Add an OAuth-based HTTP MCP server and complete sign-in. Confirm its operational tools are listed.
  2. Wait for the access token to expire (about 12 hours), or shorten its lifetime if you can.
  3. Start a new session and list the server's tools.
  4. Only authenticate and complete_authentication appear; the operational tools are gone.
  5. Inspect the stored OAuth grant and confirm a refresh token is present alongside the expired access token.

Impact

  • Manual re-auth roughly every 12 hours for any OAuth-based HTTP MCP server, even though a refresh token is on hand.

Note

  • The manual re-auth workaround is documented on the user side, so this is about the missing automatic refresh, not a blocker with no path forward.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗