Remote MCP with expired bearer token triggers misleading OAuth error

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

When connecting to a remote MCP server that uses bearer token auth (via the headers field in mcp.json), if the token expires or is invalid, Cursor returns a deeply misleading error instead of a clean auth failure:

Error: HTTP 404: Invalid OAuth error response: SyntaxError: Unexpected token '<', "<!DOCTYPE "... is not valid JSON. Raw body: <!DOCTYPE html>...
Cannot POST /register

Cursor appears to fall through to OAuth discovery when it receives a 401, probing /register — an endpoint that doesn’t exist on non-OAuth servers. The HTML 404 from that probe is then misread as a failed OAuth JSON response, completely obscuring the real error (expired bearer token).

Steps to Reproduce

  1. Configure a remote MCP server using url + headers: { Authorization: Bearer <token> } in mcp.json
  2. Configure with an invalid bearer token
  3. Attempt to connect — observe the OAuth /register 404 error instead of a 401 auth failure

Expected Behavior

Cursor should surface a clear auth error (e.g. “Bearer token expired or invalid”) without attempting OAuth discovery on servers that don’t support it.

Actual behavior:
Cursor attempts OAuth dynamic client registration, hits a non-existent /register endpoint, and throws a JSON parse error on the HTML response.

Operating System

macOS

Version Information

Version: 2.6.13
VSCode Version: 1.105.1
Commit: 60faf7b51077ed1df1db718157bbfed740d2e160
Date: 2026-03-06T06:17:49.499Z (3 days ago)
Build Type: Stable
Release Track: Default
Electron: 39.6.0
Chromium: 142.0.7444.265
Node.js: 22.22.0
V8: 14.2.231.22-electron.0
OS: Darwin arm64 23.5.0

Does this stop you from using Cursor?

Yes - Cursor is unusable

Hey, thanks for the detailed report. It’s really well explained.

This is definitely a bug. When a bearer token expires on a non-OAuth MCP server, Cursor shouldn’t fall back to OAuth discovery at all. It should show a clear “401 Unauthorized / invalid token” message instead of probing /register and triggering that confusing JSON parse error.

I’ve flagged this to the team.

In the meantime, the workaround is simple. Just refresh the bearer token in your mcp.json whenever it expires. Not ideal, but it should unblock you right away.

Let me know if you run into anything else.
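
An added example, not part of the thread and not Cursor's code: a sketch of the handling both posts describe, where a 401 on a server configured with a static Authorization header is reported as an auth failure with no OAuth probe, and an OAuth error body is parsed only when it is actually JSON. The function names and the plain `{status, contentType, body}` response shape are assumptions made for illustration.

```javascript
// Added illustration (hypothetical helper names; not Cursor's implementation).

// True when the mcp.json entry supplies its own Authorization header.
function hasStaticAuth(headers = {}) {
  return Object.keys(headers).some((k) => k.toLowerCase() === "authorization");
}

// Read an OAuth error body only when it is JSON, so an HTML 404 page
// is reported as what it is instead of as a JSON parse failure.
function readOAuthError(res) {
  const type = (res.contentType || "").toLowerCase();
  if (!type.startsWith("application/json")) {
    return `HTTP ${res.status}: no OAuth endpoint here (got ${type || "unknown"} body)`;
  }
  try {
    const body = JSON.parse(res.body);
    return `HTTP ${res.status}: OAuth error ${body.error || "unknown"}`;
  } catch {
    return `HTTP ${res.status}: malformed OAuth JSON error body`;
  }
}

// initial: response to the first MCP request; probe: optional response from
// a registration attempt. Both are plain {status, contentType, body} objects.
function classifyFailure(configHeaders, initial, probe) {
  if (initial.status !== 401) {
    return { kind: "http_error", tryOAuth: false, message: `HTTP ${initial.status}` };
  }
  if (hasStaticAuth(configHeaders)) {
    // Static credentials were rejected: report that and stop.
    return { kind: "auth_failed", tryOAuth: false,
      message: "401 Unauthorized: bearer token expired or invalid" };
  }
  if (!probe) {
    return { kind: "needs_oauth", tryOAuth: true, message: "401: starting OAuth discovery" };
  }
  return { kind: "oauth_failed", tryOAuth: true, message: readOAuthError(probe) };
}

// Constructed sample responses modelled on the report above.
const expired = { status: 401, contentType: "application/json", body: '{"error":"unauthorized"}' };
const html404 = { status: 404, contentType: "text/html; charset=utf-8",
  body: "<!DOCTYPE html><pre>Cannot POST /register</pre>" };

console.log(classifyFailure({ Authorization: "Bearer <token>" }, expired).message);
console.log(classifyFailure({}, expired, html404).message);
```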