I'm building an MCP server and trying to understand the correct way to handle token refresh. When access tokens expire and my server returns 401, clients keep sending the same expired token instead of calling my token endpoint with grant_type=refresh_token.

My questions: What triggers refreshOAuthTokens() in MCP Jam? Is automatic refresh on 401 supported?

I understand if the test inspector doesn't support auto-refresh, but I'm trying to figure out how to make this work in production with real clients.
Replies: 1 comment
Hi @madtank! I'm Dosu and I’m helping the inspector team.

In MCP Jam, the refreshOAuthTokens() function is not triggered automatically by a 401 response. Instead, it must be called explicitly—either by user action or as part of connection setup logic. The codebase does not intercept 401s to trigger a refresh, and clients like Claude Code do not appear to initiate a refresh flow when they receive a 401; they just keep sending the expired token, resulting in repeated 401 errors (source, source).

If a client does not implement automatic token refresh, there is nothing you can do server-side to keep sessions alive except to issue longer-lived access tokens or require the client to re-authenticate (source). There is no server-side mechanism to force a refresh or extend a session for clients that do not support the refresh flow.

For best results with third-party clients, ensure they support and correctly implement the OAuth2 refresh token flow. If not, you may need to increase the access token lifetime or prompt users to re-authenticate when tokens expire.
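An added example (not from this discussion and not MCP Jam's code) of the client-side behavior the thread asks about: on a 401, run the refresh_token grant once, then retry the request a single time. `createRefreshingClient`, its parameters and any URLs passed to it are hypothetical, and the token endpoint is assumed to accept a public client's `client_id` in the form body.

```javascript
// Added example: refresh-on-401 wrapper around a fetch-compatible function.
// All names here are hypothetical; nothing below is MCP Jam's own API.
function createRefreshingClient({ tokenEndpoint, clientId, tokens, fetchImpl }) {
  // Single-flight: concurrent 401s share one refresh call. With rotating
  // refresh tokens, sending the same refresh token twice can be treated as replay.
  let inflight = null;

  async function refresh() {
    const res = await fetchImpl(tokenEndpoint, {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: new URLSearchParams({
        grant_type: "refresh_token",
        refresh_token: tokens.refresh_token,
        client_id: clientId,
      }).toString(),
    });
    if (!res.ok) throw new Error("refresh failed: re-authentication required");
    const body = await res.json();
    tokens.access_token = body.access_token;
    // Servers that rotate refresh tokens return a new one; otherwise keep the old.
    if (body.refresh_token) tokens.refresh_token = body.refresh_token;
  }

  function refreshOnce() {
    if (!inflight) inflight = refresh().finally(() => { inflight = null; });
    return inflight;
  }

  async function request(url, init = {}) {
    const send = (accessToken) => fetchImpl(url, {
      ...init,
      headers: { ...init.headers, Authorization: `Bearer ${accessToken}` },
    });
    const used = tokens.access_token;
    const first = await send(used);
    if (first.status !== 401 || !tokens.refresh_token) return first;
    // Another request may already have refreshed; refresh only if the token is unchanged.
    if (tokens.access_token === used) await refreshOnce();
    // Retry exactly once; a second 401 goes back to the caller instead of looping.
    return send(tokens.access_token);
  }

  return { request };
}
```

A request body that is a one-shot stream cannot be re-sent on the retry, so callers of this sketch should pass replayable bodies (strings or buffers).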