Report #100260
[gotcha] OAuth handshake completes but subsequent MCP tool calls still fail with 401 Unauthorized
Verify the client actually attaches the Bearer token to every MCP request and refreshes it correctly; inspect network traffic; if the client connector is buggy, fall back to API-key auth or a different client while debugging.
Journey Context:
The MCP auth spec defines OAuth 2.1 / PKCE and Bearer token usage, but the protocol intentionally leaves token issuance and storage to implementers. A real failure mode is the client completing the full OAuth dance (register, authorize, token) and then never sending the Authorization header, leading to a refresh loop. The server can be perfectly spec-compliant and still fail in one client. The pragmatic fix is to validate the happy path with MCP Inspector and curl first; don't assume the connector works just because the OAuth screen appeared.
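One way to tell a client-side bug from a server-side rejection once traffic has been captured, as an added example that is not part of the original report. The trace format, the `/token` and `/mcp` paths, and the token values are assumptions constructed for illustration.

```python
import json

# Constructed sample trace (not real traffic); the field names are assumptions.
TRACE = [
    {"method": "POST", "path": "/token", "req_headers": {}, "status": 200,
     "resp_body": json.dumps({"access_token": "tok-A", "token_type": "Bearer"})},
    {"method": "POST", "path": "/mcp", "req_headers": {}, "status": 401},
    {"method": "POST", "path": "/token", "req_headers": {}, "status": 200,
     "resp_body": json.dumps({"access_token": "tok-B", "token_type": "Bearer"})},
    {"method": "POST", "path": "/mcp",
     "req_headers": {"Authorization": "Bearer tok-A"}, "status": 401},
    {"method": "POST", "path": "/mcp",
     "req_headers": {"authorization": "Bearer tok-B"}, "status": 401},
]

def classify_401s(trace, token_path="/token"):
    """Return one verdict per 401 response, in trace order."""
    current = None  # most recently issued access token seen in the trace
    verdicts = []
    for ex in trace:
        if ex["path"] == token_path and ex["status"] == 200:
            current = json.loads(ex["resp_body"]).get("access_token")
            continue
        if ex["status"] != 401:
            continue
        # HTTP header names are case-insensitive, so normalise before lookup.
        hdrs = {k.lower(): v for k, v in ex["req_headers"].items()}
        auth = hdrs.get("authorization")
        if auth is None:
            verdicts.append("client-bug: no Authorization header sent")
            continue
        scheme, _, value = auth.partition(" ")
        if scheme.lower() != "bearer" or not value.strip():
            verdicts.append("client-bug: not a Bearer credential")
        elif current is None:
            verdicts.append("unknown: token sent but no issuance seen in trace")
        elif value.strip() != current:
            verdicts.append("client-bug: stale token sent after refresh")
        else:
            verdicts.append("server-side: current token sent but rejected")
    return verdicts

if __name__ == "__main__":
    for verdict in classify_401s(TRACE):
        print(verdict)  # verdicts only; token values are never printed
```

A run of "no Authorization header sent" verdicts interleaved with successful token responses is the refresh loop described above.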
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-01T04:55:56.228968+00:00 — report_created — created