Cursor connects, authenticates, and calls tools fine. However, when my access token expires, the subsequent tool call or interaction fails with 401 Unauthorized, and Cursor marks the MCP server as “Logged out” and I have to reauthenticate manually. This is very disruptive to my workflow.
The refresh logic is handled by WorkOS, and both GitHub Copilot (VSCode Insiders) and Gemini CLI handle this token refresh properly, making me think this is a Cursor issue. Notably Claude Code has a similar problem: (Issue 5706)
Here are my MCP logs from the Output tab. Any additional guidance on what [info] OAuth provider needs auth callback during connection refers to would be helpful. My current hypothesis from reading other threads is that Cursor only primarily supports the older specification where MCP and authorization server are one and the same.
2025-08-18 21:22:58.197 [info] Found 5 tools and 0 prompts
...
2025-08-18 21:26:24.067 [info] Handling CallTool action for tool 'my-tool'
2025-08-18 21:26:24.068 [info] Calling tool 'my-tool' with toolCallId: tool_2cdbb50f-1bb0-4988-98e4-5d122a846cc
2025-08-18 21:26:25.986 [info] OAuth provider needs auth callback during connection
2025-08-18 21:26:25.986 [error] Error calling tool 'my-tool': Unauthorized
Any additional help or documentation would be appreciated!
Steps to Reproduce
Setup an HTTP MCP server with a separate authorization server (e.g. mcp.shop)
Configure a short access token lifetime, e.g. 3 mins
Add the MCP server to Cursor and authenticate
Wait 3 minutes
Get Cursor to call an MCP tool (or disable+reenable the server)
Get an 401 Unauthorized error
Expected Behavior
Cursor should refresh the MCP Server access token using the provided refresh token
Operating System
MacOS
Current Cursor Version (Menu → About Cursor → Copy)
While I don’t know any of its internals, I don’t experience this issue after a few days with the marketplace Linear server, making me think there is probably a specification difference, but I’m not sure.
I just tried in 1.6.45. When I call a tool after the normal session timeout (refresh token should be available to refresh), I get the following logs:
2025-09-26 07:10:15.206 [info] Found 5 tools, 0 prompts, and 0 resources
...
2025-09-26 07:21:30.835 [info] Handling CallTool action for tool 'my-tool'
2025-09-26 07:21:30.836 [info] Calling tool 'my-tool' with toolCallId: tool_fac42986-8419-4ed2-a84b-314101c79dc
2025-09-26 07:21:33.067 [info] Using redirect URL {"url":"cursor://anysphere.cursor-retrieval/oauth/project-0-repo-my-server/callback"}
2025-09-26 07:21:33.067 [info] Using redirect URL {"url":"cursor://anysphere.cursor-retrieval/oauth/project-0-repo-my-server/callback"}
2025-09-26 07:21:33.068 [info] Saving PKCE code verifier {"verifierLen":43}
2025-09-26 07:21:33.166 [info] Redirect to authorization requested {"url":"https://<redacted>/oauth2/authorize?response_type=code&client_id=<redacted>&code_challenge=<redacted>&code_challenge_method=S256&redirect_uri=cursor%3A%2F%2Fanysphere.cursor-retrieval%2Foauth%2Fproject-0-repo-my-server%2Fcallback&resource=<encoded-server-url>"}
2025-09-26 07:21:33.294 [info] Stored server URL for OAuth flow
2025-09-26 07:21:33.294 [info] OAuth provider needs auth callback during connection
2025-09-26 07:21:33.294 [error] Error calling tool 'my-tool': Unauthorized
I’m glad to see the new logs, but the information should be there for Cursor to refresh the token. Let me know if there’s something else I can look for more debugging.
Support for refresh tokens was implemented in 2.5. Please try upgrading to 2.6 and raise a new thread if you’re still having any issues with MCP OAuth!