requireBearerAuth 403 breaks claude desktop #541

Open
@zackify

Describe the bug

When using requireBearerAuth with a scope that the user doesn't currently have, a 403 is returned, and Claude Desktop breaks.

Is the spec supposed to do a 403 here? Is the desktop app supposed to handle a 403 by going through OAuth again?

Would be great to figure out, as I wouldn't expect Claude to crash on 403. If Linear or other official integrations have sessions that end, would they return 403?

[76718] Using existing client port: 16442
[76718] [76718] Connecting to remote server: http://localhost:8000/mcp
[76718] Using transport strategy: http-first
[76718] Connection error: Error: Error POSTing to endpoint (HTTP 403): {"error":"insufficient_scope","error_description":"Insufficient scope"}

To Reproduce
Steps to reproduce the behavior:

  1. Add

     requireBearerAuth({
       verifier: { verifyAccessToken },
       requiredScopes: ["email"],
     }),

     to a route, use a token with a different scope, and Claude Desktop breaks.

Expected behavior
Claude Desktop to prompt for OAuth flow or give an option to log out or back in
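
The report turns on how a client classifies an error response from a protected route. The following is an added example, not code from the SDK or from Claude Desktop: RFC 6750 section 3.1 pairs `insufficient_scope` with HTTP 403, so the decision function treats 401 as "get a new token" and a 403 `insufficient_scope` as a request for more scope. The names `parseBearerChallenge` and `nextAuthAction`, the sample `WWW-Authenticate` header and the granted scope list are assumptions.

```typescript
// Added example. parseBearerChallenge and nextAuthAction are hypothetical names.
type AuthAction =
  | { kind: "ok" }
  | { kind: "reauthorize" }                  // 401: get a fresh token
  | { kind: "step_up"; scopes: string[] }    // 403 insufficient_scope: ask for more scope
  | { kind: "fail"; reason: string };

// Parse auth-params from a `WWW-Authenticate: Bearer ...` challenge (RFC 6750, section 3).
function parseBearerChallenge(header: string | null): Record<string, string> {
  const params: Record<string, string> = {};
  const m = /^\s*Bearer(?:\s+(.*))?$/i.exec(header ?? "");
  if (!m) return params;
  const re = /([A-Za-z_]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  let p: RegExpExecArray | null;
  while ((p = re.exec(m[1] ?? "")) !== null) {
    params[p[1].toLowerCase()] = p[2] !== undefined ? p[2].replace(/\\(.)/g, "$1") : p[3];
  }
  return params;
}

function nextAuthAction(status: number, wwwAuthenticate: string | null,
                        body: string, granted: string[]): AuthAction {
  if (status < 400) return { kind: "ok" };
  if (status === 401) return { kind: "reauthorize" };
  const challenge = parseBearerChallenge(wwwAuthenticate);
  let bodyError: unknown;
  try { bodyError = JSON.parse(body)?.error; } catch { /* non-JSON body */ }
  const error = challenge.error ?? (typeof bodyError === "string" ? bodyError : undefined);
  if (status !== 403 || error !== "insufficient_scope") {
    return { kind: "fail", reason: `HTTP ${status}${error ? ` (${error})` : ""}` };
  }
  const needed = (challenge.scope ?? "").split(/\s+/).filter(Boolean);
  const missing = needed.filter((s) => granted.indexOf(s) === -1);
  // The server named scopes but the token already has them all: re-running
  // OAuth would loop, so surface the error instead.
  if (needed.length > 0 && missing.length === 0) {
    return { kind: "fail", reason: "insufficient_scope despite holding advertised scopes" };
  }
  // With no scope advertised, the caller must learn the required scopes elsewhere.
  return { kind: "step_up", scopes: granted.concat(missing) };
}

// Constructed sample: body copied from the log above, header and scopes invented.
const SAMPLE_BODY = '{"error":"insufficient_scope","error_description":"Insufficient scope"}';
const SAMPLE_HEADER = 'Bearer error="insufficient_scope", scope="email"';
console.log(nextAuthAction(403, SAMPLE_HEADER, SAMPLE_BODY, ["profile"]));
```
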

Labels: bug (Something isn't working)