[BUG] Dynamic Client Registration requests omit scope, leading to over-privileged client registrations

Resolved 💬 3 comments Opened Sep 22, 2025 by Nitin2108 Closed Jan 8, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When Claude Desktop performs OAuth 2.0 Dynamic Client Registration, it does not include the scope client metadata in the registration request body. Because our server then falls back to a permissive default, the client gets registered as allowed for all scopes, which is a security risk.

Current behaviour (observed):
Registration request from Claude omits scope.
Our server registers the client with a broad default, effectively enabling all scopes.

What Should Happen?

Claude should include a scope value in the registration request, chosen using least-privilege:
Discover scopes_supported from the protected resource (/.well-known/oauth-protected-resource)
Request only the subset required for the intended operations (ideally progressive/just-in-time scoping).

Error Messages/Logs

Steps to Reproduce

  1. Open claude desktop app
  2. Try to add any mcp server url
  3. Click on connect
  4. Notice Dynamic client registration request omits scope in registration request body.

Claude Model

None

Is this a regression?

No, this never worked

Last Working Version

_No response_

Claude Code Version

0.13.19 (Claude Desktop)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗