Missing Refresh Token logic for MCP OAuth

TylerJang27 · August 19, 2025, 4:36am

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

I have built an HTTP MCP server that uses WorkOS AuthKit OAuth based on the starter project GitHub - workos/mcp.shop: mcp.shop storefront/app for MCP Night (docs here)

Cursor connects, authenticates, and calls tools fine. However, when my access token expires, the subsequent tool call or interaction fails with 401 Unauthorized, and Cursor marks the MCP server as “Logged out” and I have to reauthenticate manually. This is very disruptive to my workflow.

The refresh logic is handled by WorkOS, and both GitHub Copilot (VSCode Insiders) and Gemini CLI handle this token refresh properly, making me think this is a Cursor issue. Notably Claude Code has a similar problem: (Issue 5706)

Here are my MCP logs from the Output tab. Any additional guidance on what [info] OAuth provider needs auth callback during connection refers to would be helpful. My current hypothesis from reading other threads is that Cursor only primarily supports the older specification where MCP and authorization server are one and the same.

2025-08-18 21:22:58.197 [info] Found 5 tools and 0 prompts
...
2025-08-18 21:26:24.067 [info] Handling CallTool action for tool 'my-tool'
2025-08-18 21:26:24.068 [info] Calling tool 'my-tool' with toolCallId: tool_2cdbb50f-1bb0-4988-98e4-5d122a846cc
2025-08-18 21:26:25.986 [info] OAuth provider needs auth callback during connection
2025-08-18 21:26:25.986 [error] Error calling tool 'my-tool': Unauthorized

Any additional help or documentation would be appreciated!

Steps to Reproduce

Setup an HTTP MCP server with a separate authorization server (e.g. mcp.shop)
Configure a short access token lifetime, e.g. 3 mins
Add the MCP server to Cursor and authenticate
Wait 3 minutes
Get Cursor to call an MCP tool (or disable+reenable the server)
Get an 401 Unauthorized error

Expected Behavior

Cursor should refresh the MCP Server access token using the provided refresh token

Operating System

MacOS

Current Cursor Version (Menu → About Cursor → Copy)

Version: 1.4.5 (Universal)
VSCode Version: 1.99.3
Commit: af58d92614edb1f72bdd756615d131bf8dfa5290
Date: 2025-08-13T02:08:56.371Z
Electron: 34.5.8
Chromium: 132.0.6834.210
Node.js: 20.19.1
V8: 13.2.152.41-electron.0
OS: Darwin arm64 24.6.0

Does this stop you from using Cursor

Sometimes - I can sometimes use Cursor

TylerJang27 · August 19, 2025, 4:37am

Potentially related thread: How to implement a mcp server with auth, and trigger cursor login？ - #3 by da1z

TylerJang27 · August 19, 2025, 4:38am

While I don’t know any of its internals, I don’t experience this issue after a few days with the marketplace Linear server, making me think there is probably a specification difference, but I’m not sure.

TylerJang27 · September 8, 2025, 2:59pm

Any updates on this or at least some more docs?

sanjeed5 · September 26, 2025, 8:44am

Hi, thanks for the report. Can you please check if you face this issue on the latest version?

TylerJang27 · September 26, 2025, 2:27pm

I just tried in 1.6.45. When I call a tool after the normal session timeout (refresh token should be available to refresh), I get the following logs:

2025-09-26 07:10:15.206 [info] Found 5 tools, 0 prompts, and 0 resources
...
2025-09-26 07:21:30.835 [info] Handling CallTool action for tool 'my-tool'
2025-09-26 07:21:30.836 [info] Calling tool 'my-tool' with toolCallId: tool_fac42986-8419-4ed2-a84b-314101c79dc
2025-09-26 07:21:33.067 [info] Using redirect URL {"url":"cursor://anysphere.cursor-retrieval/oauth/project-0-repo-my-server/callback"}
2025-09-26 07:21:33.067 [info] Using redirect URL {"url":"cursor://anysphere.cursor-retrieval/oauth/project-0-repo-my-server/callback"}
2025-09-26 07:21:33.068 [info] Saving PKCE code verifier {"verifierLen":43}
2025-09-26 07:21:33.166 [info] Redirect to authorization requested {"url":"https://<redacted>/oauth2/authorize?response_type=code&client_id=<redacted>&code_challenge=<redacted>&code_challenge_method=S256&redirect_uri=cursor%3A%2F%2Fanysphere.cursor-retrieval%2Foauth%2Fproject-0-repo-my-server%2Fcallback&resource=<encoded-server-url>"}
2025-09-26 07:21:33.294 [info] Stored server URL for OAuth flow
2025-09-26 07:21:33.294 [info] OAuth provider needs auth callback during connection
2025-09-26 07:21:33.294 [error] Error calling tool 'my-tool': Unauthorized

I’m glad to see the new logs, but the information should be there for Cursor to refresh the token. Let me know if there’s something else I can look for more debugging.

sanjeed5 · September 26, 2025, 5:23pm

Thanks, I’ve raised it with the team!

BuiDGr8 · October 12, 2025, 7:04pm

Has this been fixed ?

Panda001 · October 28, 2025, 1:49pm

Is this fixed? My Supabase mcp access token expired how do i set a new token?

system · November 19, 2025, 1:50pm

This topic was automatically closed 22 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Refresh_tokens are not used Bug Reports	2	232	November 28, 2025
Atlassian MCP and Token Expiration Bug Reports	2	332	October 15, 2025
Remote MCP connections fails every few minutes Bug Reports java	9	145	January 8, 2026
Cursor 1.4.4 Cannot load remote mcp tools Bug Reports	8	353	September 18, 2025
Unable to read debug log from internal browser Bug Reports	3	180	November 22, 2025