Hey, great bug report, it’s super clear.
This is a confirmed bug. When the MCP server responds to the OAuth discovery endpoints, Cursor starts the OAuth flow before it sends the POST with your Authorization header. There’s no logic like “if Authorization is already in the headers, skip OAuth.” We’ve seen the same root cause in a similar report: Remote MCP with expired bearer token triggers misleading OAuth error
The team is aware of the issue. There’s no ETA yet, but your report helps with prioritization, especially since it expands the scope to valid headers plus OAuth discovery, not just an expired token.
Your workaround with an alternate /api/mcp endpoint that returns 404 for OAuth discovery is the most reliable option right now.
Let me know if the workaround doesn’t work, or if anything changes.