Atlassian MCP plugin OAuth authentication fails at token exchange

Support Bug Reports
, ,
1

Where does the bug appear (feature/product)?

Somewhere else…

Describe the Bug

What happens:

Plugin connects successfully via streamable HTTP
OAuth callback is received with authorization code (browser redirect works)
Token exchange fails with HTTP 404 — response body is plain text “404 Not Found” instead of JSON
Error from logs:

Failed to complete OAuth exchange HTTP 404: Invalid OAuth error response:
SyntaxError: Unexpected non-whitespace character after JSON at position 4.
Raw body: 404 Not Found
Environment:

OS: Linux (RHEL/CentOS 9)
Cursor version: [fill in from Help > About]
Atlassian plugin version: [fill in from Extensions panel]
No existing OAuth apps in Atlassian Developer Console
Atlassian account has active Jira/Confluence access

Steps to Reproduce

Install the Atlassian plugin (“Atlassian plugin for Cursor with MCP and skills for Jira, Confluence…”) from the Cursor Extensions marketplace
Cursor prompts to authenticate the Atlassian MCP server — click to proceed
Browser opens to the Atlassian OAuth consent screen — log in and authorize
Browser redirects back to Cursor with an authorization code (this step succeeds)
Plugin attempts to exchange the authorization code for an access token
Token exchange fails — the endpoint returns HTTP 404 with plain text body 404 Not Found instead of a JSON response

Expected Behavior

Expected result: Token exchange succeeds, MCP tools become available in Cursor.

Operating System

Linux

Version Information

  • Cursor version: 2.7.0-pre.124.patch.0
  • Atlassian plugin version: [from Extensions panel]

For AI issues: which model did you use?

Composer 2

Additional Information

Environment:

  • Cursor: 2.7.0-pre.124.patch.0 (x64, commit dbff8e29)
  • Atlassian plugin: [from Extensions panel]
  • Connection: SSH remote (Cursor connected to remote Linux host)
    Host system:
  • OS: Red Hat Enterprise Linux 9.7 (Plow)
  • Kernel: 5.14.0-611.16.1.el9_7.x86_64
  • Arch: x86_64
    SSH:
  • OpenSSH 8.7p1, OpenSSL 3.5.1
    Runtime:
  • Node.js: v20.19.5
  • npm: 10.8.2
  • curl: 7.76.1 (OpenSSL 3.5.1, brotli, nghttp2)

Does this stop you from using Cursor

No - Cursor works, but with this issue

2 Likes
5

Hi @Jay_Coleman,

This is a known issue with how Cursor handles OAuth token exchange for MCP servers that use a separate authorization server (which is how Atlassian’s OAuth works).

You may also find this related thread helpful: MCP OAuth callback loses authorization server URL discovered from resource_metadata

Our team is aware of this and actively tracking it. Unfortunately, there isn’t a workaround available since the issue is in the internal token exchange logic. We’ll make sure this report is tracked alongside the fix effort.

1 Like
7

Hi,

Same issue after upgrading to 3.0.9 — likely a regression

This was working for me on the previous stable build and broke right after I installed the release from this morning.

Current environment

  • Cursor: 3.0.9 (Universal), stable, default track

  • VS Code base: 1.105.1

  • Commit: 93e276db8a03af947eafb2d10241e2de17806c20

  • Build date: 2026-04-03T02:06:46.446Z

  • OS: Darwin arm64 25.3.0

  • Electron: 39.8.1 / Node: 22.22.1

2026-04-03 16:46:11.184 [info] Creating streamableHttp transport
2026-04-03 16:46:11.353 [info] Connecting to streamableHttp server
2026-04-03 16:46:11.859 [info] Using redirect URL
2026-04-03 16:46:11.863 [info] Using redirect URL
2026-04-03 16:46:11.863 [info] Using redirect URL
2026-04-03 16:46:11.863 [info] Saving PKCE code verifier
2026-04-03 16:46:11.868 [info] MCP OAuth redirect to authorization
2026-04-03 16:46:11.872 [info] Stored server URL for OAuth flow
2026-04-03 16:46:11.872 [warning] UnauthorizedError in onerror (current status: 'needsAuth'): Unauthorized
2026-04-03 16:46:11.872 [warning] Auth-related error connecting to streamableHttp server, returning transport
2026-04-03 16:46:11.872 [info] Successfully connected to streamableHttp server
2026-04-03 16:46:11.872 [info] Storing streamableHttp client
2026-04-03 16:46:11.872 [warning] [MCP Allowlist] No serverName provided for adapter, falling back to stripIdentifierPrefix. identifier="plugin-atlassian-atlassian", displayName="plugin-atlassian-atlassian"
2026-04-03 16:46:11.872 [info] CreateClient completed, server stored: true
2026-04-03 16:46:11.878 [info] MCP OAuth needsAuth (v1)
2026-04-03 16:46:19.633 [info] Received OAuth callback with code
2026-04-03 16:46:20.309 [info] Using attempt-scoped OAuth client information for callback flow
2026-04-03 16:46:20.311 [info] Using redirect URL
2026-04-03 16:46:20.423 [error] Failed to complete OAuth exchange HTTP 404: Invalid OAuth error response: SyntaxError: Unexpected non-whitespace character after JSON at position 4 (line 1 column 5). Raw body: 404 Not Found

What happens

  1. Browser OAuth completes; I get redirected back with an authorization code (as before).

  2. Token exchange then fails with HTTP 404 and a plain-text body 404 Not Found (not JSON), so the client errors on JSON parse — same pattern as in the original report.

So this looks like a 3.0.9 regression in MCP OAuth / token exchange (possibly related to the separate authorization-server flow mentioned above), not a new misconfiguration on my side.

Happy to run any specific logging steps if that helps narrow it down.

1 Like
8

fwiw I just experienced the same issue after upgrading

2026-04-03 12:04:44.083 [info] Successfully reloaded client
2026-04-03 12:04:44.100 [info] MCP OAuth needsAuth (v1)
2026-04-03 12:04:56.216 [info] Received OAuth callback with code
2026-04-03 12:04:57.865 [info] Using attempt-scoped OAuth client information for callback flow
2026-04-03 12:04:57.868 [info] Using redirect URL
2026-04-03 12:04:58.128 [error] Failed to complete OAuth exchange HTTP 404: Invalid OAuth error response: SyntaxError: Unexpected non-whitespace character after JSON at position 4 (line 1 column 5). Raw body: 404 Not Found
9

Same here:

2026-04-03 12:04:55.342 [info] Successfully reloaded client
2026-04-03 12:04:55.351 [info] MCP OAuth needsAuth (v1)
2026-04-03 12:05:02.843 [info] Received OAuth callback with code
2026-04-03 12:05:03.466 [info] Using attempt-scoped OAuth client information for callback flow
2026-04-03 12:05:03.468 [info] Using redirect URL
2026-04-03 12:05:03.596 [error] Failed to complete OAuth exchange HTTP 404: Invalid OAuth error response: SyntaxError: Unexpected non-whitespace character after JSON at position 4 (line 1 column 5). Raw body: 404 Not Found
10

Hi all! Eng from the Cursor team here. We’re aware of this issue and are actively working on fix. Sorry for the disruption

4 Likes
11

Same error here.
The login process works and it redirects to Cursor. But it shows 404 error:

2026-04-03 16:07:12.146 [info] [V2] Handling CreateClient action

2026-04-03 16:07:12.146 [info] [V2 FSM] connection:connect_start: conn=idle,auth=unknown -> conn=connecting,auth=unknown

2026-04-03 16:07:14.680 [info] Using redirect URL

2026-04-03 16:07:14.686 [info] Using redirect URL

2026-04-03 16:07:14.686 [info] Using redirect URL

2026-04-03 16:07:14.687 [info] Saving PKCE code verifier

2026-04-03 16:07:14.700 [info] MCP OAuth redirect to authorization

2026-04-03 16:07:14.728 [info] Stored server URL for OAuth flow

2026-04-03 16:07:14.728 [info] OAuth provider needs auth callback during connection

2026-04-03 16:07:14.729 [info] Connect failed after auth_required; returning needsAuth (streamableHttp)

2026-04-03 16:07:14.733 [info] MCP OAuth needsAuth (v2)

2026-04-03 16:07:14.733 [warning] [V2 FSM] connection:connect_failure: conn=connecting,auth=unknown -> conn=transient_failure,auth=unknown

2026-04-03 16:07:14.734 [info] CreateClient completed, connected: false, statusType: needsAuth

2026-04-03 16:07:32.643 [info] [V2] Handling LogoutServer action

2026-04-03 16:07:32.644 [info] Clearing stored OAuth data

2026-04-03 16:07:32.665 [info] Successfully cleared OAuth tokens

2026-04-03 16:07:32.665 [info] [V2] Removing client, reason: logout_server

2026-04-03 16:07:32.668 [info] [V2] Handling ReloadClient action

2026-04-03 16:07:32.668 [info] [V2 FSM] connection:connect_start: conn=idle,auth=unknown -> conn=connecting,auth=unknown

2026-04-03 16:07:35.343 [info] No stored client information found

2026-04-03 16:07:35.345 [info] Using redirect URL

2026-04-03 16:07:36.028 [info] Saving client information

2026-04-03 16:07:36.033 [info] Using redirect URL

2026-04-03 16:07:36.035 [info] Using redirect URL

2026-04-03 16:07:36.035 [info] Using redirect URL

2026-04-03 16:07:36.036 [info] Saving PKCE code verifier

2026-04-03 16:07:36.058 [info] MCP OAuth redirect to authorization

2026-04-03 16:07:36.064 [info] Stored server URL for OAuth flow

2026-04-03 16:07:36.065 [info] OAuth provider needs auth callback during connection

2026-04-03 16:07:36.065 [info] Connect failed after auth_required; returning needsAuth (streamableHttp)

2026-04-03 16:07:36.066 [info] MCP OAuth needsAuth (v2)

2026-04-03 16:07:36.066 [warning] [V2 FSM] connection:connect_failure: conn=connecting,auth=unknown -> conn=transient_failure,auth=unknown

2026-04-03 16:07:36.067 [info] ReloadClient completed, connected: false, statusType: needsAuth

2026-04-03 16:08:09.350 [info] [V2] Handling LogoutServer action

2026-04-03 16:08:09.350 [info] Clearing stored OAuth data

2026-04-03 16:08:09.367 [info] Successfully cleared OAuth tokens

2026-04-03 16:08:09.367 [info] [V2] Removing client, reason: logout_server

2026-04-03 16:08:09.369 [info] [V2] Handling ReloadClient action

2026-04-03 16:08:09.369 [info] [V2 FSM] connection:connect_start: conn=idle,auth=unknown -> conn=connecting,auth=unknown

2026-04-03 16:08:13.182 [info] No stored client information found

2026-04-03 16:08:13.187 [info] Using redirect URL

2026-04-03 16:08:13.948 [info] Saving client information

2026-04-03 16:08:13.956 [info] Using redirect URL

2026-04-03 16:08:13.960 [info] Using redirect URL

2026-04-03 16:08:13.960 [info] Using redirect URL

2026-04-03 16:08:13.961 [info] Saving PKCE code verifier

2026-04-03 16:08:13.968 [info] MCP OAuth redirect to authorization

2026-04-03 16:08:14.008 [info] Stored server URL for OAuth flow

2026-04-03 16:08:14.008 [info] OAuth provider needs auth callback during connection

2026-04-03 16:08:14.008 [info] Connect failed after auth_required; returning needsAuth (streamableHttp)

2026-04-03 16:08:14.010 [info] MCP OAuth needsAuth (v2)

2026-04-03 16:08:14.010 [warning] [V2 FSM] connection:connect_failure: conn=connecting,auth=unknown -> conn=transient_failure,auth=unknown

2026-04-03 16:08:14.010 [info] ReloadClient completed, connected: false, statusType: needsAuth

2026-04-03 16:08:54.964 [info] [V2] Handling LogoutServer action

2026-04-03 16:08:54.964 [info] Clearing stored OAuth data

2026-04-03 16:08:54.982 [info] Successfully cleared OAuth tokens

2026-04-03 16:08:54.982 [info] [V2] Removing client, reason: logout_server

2026-04-03 16:08:54.985 [info] [V2] Handling ReloadClient action

2026-04-03 16:08:54.985 [info] [V2 FSM] connection:connect_start: conn=idle,auth=unknown -> conn=connecting,auth=unknown

2026-04-03 16:08:57.528 [info] No stored client information found

2026-04-03 16:08:57.533 [info] Using redirect URL

2026-04-03 16:08:58.144 [info] Saving client information

2026-04-03 16:08:58.151 [info] Using redirect URL

2026-04-03 16:08:58.154 [info] Using redirect URL

2026-04-03 16:08:58.154 [info] Using redirect URL

2026-04-03 16:08:58.155 [info] Saving PKCE code verifier

2026-04-03 16:08:58.172 [info] MCP OAuth redirect to authorization

2026-04-03 16:08:58.179 [info] Stored server URL for OAuth flow

2026-04-03 16:08:58.179 [info] OAuth provider needs auth callback during connection

2026-04-03 16:08:58.179 [info] Connect failed after auth_required; returning needsAuth (streamableHttp)

2026-04-03 16:08:58.180 [info] MCP OAuth needsAuth (v2)

2026-04-03 16:08:58.180 [warning] [V2 FSM] connection:connect_failure: conn=connecting,auth=unknown -> conn=transient_failure,auth=unknown

2026-04-03 16:08:58.180 [info] ReloadClient completed, connected: false, statusType: needsAuth

2026-04-03 16:09:08.132 [info] Received OAuth callback with code

2026-04-03 16:09:10.720 [info] Using attempt-scoped OAuth client information for callback flow

2026-04-03 16:09:10.724 [info] Using redirect URL

2026-04-03 16:09:11.251 [error] Failed to complete OAuth exchange HTTP 404: Invalid OAuth error response: SyntaxError: Unexpected non-whitespace character after JSON at position 4 (line 1 column 5). Raw body: 404 Not Found
12

Hi all. The root cause has been found and we have a candidate fix that we are working on getting out. Will have an update on the min good version here shortly. Thank you for your patience, and sorry again about the disruption.

Update: Fix on 3.0.12

5 Likes
13

I’ll speak for everyone because obv I’m important enough to do that.
Thank you!

2 Likes
14

I’m looking forward to the fixed version! :raising_hands:

15

Hi all! This issue has been fixed on version 3.0.12 and above. Thank you for raising and reporting it, and sorry about the inconvenience!

1 Like
16

Unfortunately issue is not fixed for everyone

2026-04-07 11:34:28.853 [info] Using redirect URL
2026-04-07 11:34:29.001 [error] Failed to complete OAuth exchange HTTP 404: Invalid OAuth error response: SyntaxError: Unexpected token '<', "<html>
<h"... is not valid JSON. Raw body: <html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

I’m on version:

Version: 3.0.12 (Universal)
VSCode Version: 1.105.1
Commit: a80ff7dfcaa45d7750f6e30be457261379c29b00
Date: 2026-04-04T00:13:18.452Z
Layout: editor
Build Type: Stable
Release Track: Default
Electron: 39.8.1
Chromium: 142.0.7444.265
Node.js: 22.22.1
V8: 14.2.231.22-electron.0
OS: Darwin arm64 25.4.0
17

Thanks for reporting this, @Karlis_Melderis

Looking at your error, this appears to be a different issue from what was fixed in 3.0.12. The original bug returned a plain text 404 Not Found body during token exchange, while yours is returning an nginx-served HTML 404 page. That nginx signature suggests a different root cause – possibly a proxy, CDN, or a different endpoint URL issue.

Could you create a new thread for this with the following details? That way the engineering team can track and investigate your specific variant properly:

  1. Full MCP log output from the connection attempt – go to View > Output, select the Atlassian MCP channel from the dropdown, and copy everything from when the connection starts through the error

  2. Whether you’re connecting via SSH to a remote host or running Cursor locally

  3. Whether you’re behind a corporate proxy or VPN

The two log lines you shared don’t show the earlier steps of the OAuth flow, which would help determine where it diverges from the original issue.

18

The issue is still there and not fixed.
2026-04-10 10:08:24.234 [error] Failed to complete OAuth exchange HTTP 404: Invalid OAuth error response: SyntaxError: Unexpected non-whitespace character after JSON at position 4 (line 1 column 5). Raw body: 404 Not Found

Version: 3.0.4 (Universal)
VSCode Version: 1.105.1
Commit: 63715ffc1807793ce209e935e5c3ab9b79fddc80
Date: 2026-04-02T09:36:23.265Z (1 wk ago)
Layout: editor
Build Type: Stable
Release Track: Default
Electron: 39.8.1
Chromium: 142.0.7444.265
Node.js: 22.22.1
V8: 14.2.231.22-electron.0
OS: Darwin arm64 25.4.0

19

Look at the replies please.

21

The fix for this issue was shipped in version 3.0.12 (as Devang noted in post #12). You’re currently on 3.0.4, which predates the fix.

Could you update to 3.0.12 or later and try again? You can check for updates via Help > Check for Updates or by downloading the latest version from cursor.com.