Where does the bug appear (feature/product)?
Cursor IDE
Describe the Bug
Cursor does not refresh OAuth tokens for MCP servers
Based on the attached logs, an OAuth token refresh operation is successfully performed every 5 minutes (aligned with the access token expiration). This is confirmed by log entries such as: “MCP OAuth refresh succeeded”. However, despite the successful refresh, MCP tools continue to be invoked using an expired access token.
Steps to Reproduce
1 - add custom mcp server which requires authentication(via OIDC spec)
1.1 - cursor dynamically registers oauth2 client in authentication server according to mcp authentication spec
2 - login into mcp from cursor IDE settings
3 - call a tool
3.1 - agent receive successful response and responded to prompt
4 - wait until access token expires
5 - call a tool with the same prompt as in step 3
6 - agent said that he got 401 error
Expected Behavior
MCP tools should use the most recently refreshed access token after a successful OAuth refresh operation or refresh access token when it is expired before calling a tool.
Operating System
MacOS
Version Information
Version: 3.4.17
VSCode Version: 1.105.1
Commit: 93e603f703cd553a6bb3644711a3379bbbb31180
Date: 2026-05-13T21:39:55.724Z
Layout: editor
Build Type: Stable
Release Track: Default
Electron: 39.8.1
Chromium: 142.0.7444.265
Node.js: 22.22.1
V8: 14.2.231.22-electron.0
OS: Darwin arm64 25.4.0
Additional Information
Logs:
2026-05-14 16:22:24.672 [info] tokens() returning OAuth tokens
2026-05-14 16:22:25.068 [warning] MCP HTTP exchange completed
2026-05-14 16:22:25.254 [info] MCP HTTP exchange completed
2026-05-14 16:22:25.444 [warning] MCP HTTP exchange completed
2026-05-14 16:22:25.649 [warning] MCP HTTP exchange completed
2026-05-14 16:22:25.731 [info] MCP HTTP exchange completed
2026-05-14 16:22:25.759 [info] Using redirect URL
2026-05-14 16:22:25.759 [info] Returning stored OAuth client_id
2026-05-14 16:22:25.759 [info] Using redirect URL
2026-05-14 16:22:25.760 [info] tokens() returning OAuth tokens
2026-05-14 16:22:25.781 [info] Refresh lock acquired — this provider will refresh
2026-05-14 16:22:25.899 [info] MCP HTTP exchange completed
2026-05-14 16:22:25.903 [info] MCP OAuth tokens persisted
2026-05-14 16:22:25.903 [info] MCP OAuth refresh succeeded
2026-05-14 16:22:25.924 [info] Refresh lock released (save_success)
2026-05-14 16:22:25.924 [info] OAuth tokens saved
2026-05-14 16:22:25.925 [info] tokens() returning OAuth tokens
2026-05-14 16:22:26.020 [info] MCP HTTP exchange completed
2026-05-14 16:27:16.140 [info] tokens() returning OAuth tokens
2026-05-14 16:27:16.457 [info] MCP HTTP exchange completed
2026-05-14 16:27:40.674 [info] tokens() returning OAuth tokens
2026-05-14 16:27:40.940 [warning] MCP HTTP exchange completed
2026-05-14 16:27:41.115 [info] MCP HTTP exchange completed
2026-05-14 16:27:41.313 [warning] MCP HTTP exchange completed
2026-05-14 16:27:41.780 [warning] MCP HTTP exchange completed
2026-05-14 16:27:41.864 [info] MCP HTTP exchange completed
2026-05-14 16:27:41.883 [info] Using redirect URL
2026-05-14 16:27:41.883 [info] Returning stored OAuth client_id
2026-05-14 16:27:41.883 [info] Using redirect URL
2026-05-14 16:27:41.885 [info] tokens() returning OAuth tokens
2026-05-14 16:27:41.893 [info] Refresh lock acquired — this provider will refresh
2026-05-14 16:27:42.002 [info] MCP HTTP exchange completed
2026-05-14 16:27:42.005 [info] MCP OAuth tokens persisted
2026-05-14 16:27:42.005 [info] MCP OAuth refresh succeeded
2026-05-14 16:27:42.044 [info] Refresh lock released (save_success)
2026-05-14 16:27:42.045 [info] OAuth tokens saved
2026-05-14 16:27:42.048 [info] tokens() returning OAuth tokens
2026-05-14 16:27:42.155 [info] MCP HTTP exchange completed
2026-05-14 16:33:06.397 [info] tokens() returning OAuth tokens
2026-05-14 16:33:06.747 [warning] MCP HTTP exchange completed
2026-05-14 16:33:06.924 [info] MCP HTTP exchange completed
2026-05-14 16:33:07.114 [warning] MCP HTTP exchange completed
2026-05-14 16:33:07.296 [warning] MCP HTTP exchange completed
2026-05-14 16:33:07.390 [info] MCP HTTP exchange completed
2026-05-14 16:33:07.408 [info] Using redirect URL
2026-05-14 16:33:07.408 [info] Returning stored OAuth client_id
2026-05-14 16:33:07.408 [info] Using redirect URL
2026-05-14 16:33:07.410 [info] tokens() returning OAuth tokens
2026-05-14 16:33:07.429 [info] Refresh lock acquired — this provider will refresh
2026-05-14 16:33:07.534 [info] MCP HTTP exchange completed
2026-05-14 16:33:07.537 [info] MCP OAuth tokens persisted
2026-05-14 16:33:07.537 [info] MCP OAuth refresh succeeded
2026-05-14 16:33:07.563 [info] Refresh lock released (save_success)
2026-05-14 16:33:07.563 [info] OAuth tokens saved
2026-05-14 16:33:07.565 [info] tokens() returning OAuth tokens
2026-05-14 16:33:07.670 [info] MCP HTTP exchange completed
2026-05-14 16:38:27.427 [info] tokens() returning OAuth tokens
2026-05-14 16:38:27.804 [warning] MCP HTTP exchange completed
2026-05-14 16:38:28.091 [info] MCP HTTP exchange completed
2026-05-14 16:38:28.297 [warning] MCP HTTP exchange completed
2026-05-14 16:38:28.490 [warning] MCP HTTP exchange completed
2026-05-14 16:38:28.576 [info] MCP HTTP exchange completed
2026-05-14 16:38:28.606 [info] Using redirect URL
2026-05-14 16:38:28.606 [info] Returning stored OAuth client_id
2026-05-14 16:38:28.606 [info] Using redirect URL
2026-05-14 16:38:28.609 [info] tokens() returning OAuth tokens
2026-05-14 16:38:28.645 [info] Refresh lock acquired — this provider will refresh
2026-05-14 16:38:28.754 [info] MCP HTTP exchange completed
2026-05-14 16:38:28.760 [info] MCP OAuth tokens persisted
2026-05-14 16:38:28.760 [info] MCP OAuth refresh succeeded
2026-05-14 16:38:28.810 [info] Refresh lock released (save_success)
2026-05-14 16:38:28.812 [info] OAuth tokens saved
2026-05-14 16:38:28.816 [info] tokens() returning OAuth tokens
2026-05-14 16:38:28.930 [info] MCP HTTP exchange completed
Does this stop you from using Cursor
No - Cursor works, but with this issue