
Fix MCP OAuth CIMD redirect_uris Port Mismatch (invalid_redirect_uri) in Claude Code 2.1.80+ for Granola, Slack, Notion MCP, Meta Ads MCP, and All CIMD-Enabled Providers

Starting in Claude Code v2.1.80 (March 2026), a new clientMetadataUrl getter on the MCP OAuth provider class changes how Claude Code registers with every MCP provider that supports Client ID Metadata Documents (CIMD, per IETF OAuth 2.1 draft-ietf-oauth-v2-1-13 §8.4.2). Those providers receive portless redirect_uris (http://localhost/callback) from the published metadata at https://claude.ai/oauth/claude-code-client-metadata, while the local OAuth callback server binds to port 3118 (or a custom MCP_OAUTH_CALLBACK_PORT). The port mismatch triggers 'invalid_redirect_uri' errors for all CIMD-supporting MCP providers. Confirmed broken on Granola (mcp.granola.ai), Slack (mcp.slack.com), Notion MCP, and Meta Ads MCP (mcp.facebook.com/ads).

Root cause: before v2.1.80, clientMetadataUrl was undefined, so the flow always fell through to dynamic client registration, which sent correct redirect_uris including the port. The v2.1.80 change added a getter that always returns the metadata URL, flipping the registration path.

Anthropic staff (localden) confirmed the fix: updating the published metadata to include application_type: 'native' and supporting native app OAuth registration. The server-side fix was applied ~May 24, 2026 and verified working from v2.1.152+ (May 26, 2026). For users on affected versions, the workarounds are to downgrade to v2.1.79 or clear the Keychain OAuth cache.

Symptoms

  • MCP OAuth authentication fails with 'invalid_redirect_uri' or 'redirect_uri did not match any configured URIs' error immediately after opening the browser authorization page
  • Error message references portless URI like 'http://localhost/callback' while the actual redirect goes to 'http://localhost:3118/callback'
  • All MCP providers advertising 'client_id_metadata_document_supported: true' in their OAuth discovery metadata are affected simultaneously
  • Downgrading Claude Code to v2.1.79 immediately resolves authentication without any provider-side changes

Error signatures

invalid_redirect_uri
redirect_uri did not match any configured URIs
The provided redirect_uris are not registered for this client
SDK auth failed: The provided redirect_uris are not registered
Passed URI: http://localhost:3118/callback

Possible causes

  • Claude Code v2.1.80 introduced a new clientMetadataUrl getter on the MCP OAuth provider class that always returns 'https://claude.ai/oauth/claude-code-client-metadata' instead of undefined. Before v2.1.80, when clientMetadataUrl was undefined, the OAuth flow always fell through to dynamic client registration, which sent the correct redirect_uris including the port (e.g. http://localhost:3118/callback). After v2.1.80, when a provider advertises client_id_metadata_document_supported: true, Claude Code uses the published metadata document, which contains only portless redirect_uris (http://localhost/callback and http://127.0.0.1/callback). The provider compares the portless published URI against the actual redirect URI with port 3118; they do not match, and authentication fails.
  • The published Claude Code OAuth metadata at https://claude.ai/oauth/claude-code-client-metadata contained 'redirect_uris': ['http://localhost/callback', 'http://127.0.0.1/callback'] without any port specification, which violates IETF OAuth 2.1 draft §8.4.2 requiring support for any port on localhost redirect URIs.
  • Even after clearing and re-adding MCP servers in Claude Code, the macOS Keychain caches stale OAuth tokens. A failed OAuth attempt before the server-side metadata fix can leave a cached state that blocks retry — the Keychain must be manually cleared.
  • The regression went undetected for weeks because the published metadata document was updated server-side without a corresponding client-side version bump, making it hard to correlate the fix with a specific Claude Code version.
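
The comparison described in the causes above, as an added example (not Claude Code or provider source): it models the registration-path flip and contrasts exact string matching with a loopback comparison that ignores the port. The function names and the decision logic in registrationPath are assumptions drawn from this page's description; the metadata values are the ones quoted on this page.

```javascript
// Added illustration; function names are hypothetical, not Claude Code or provider source.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1"]);

// Normalise a URI with its port removed so everything else can be compared.
const stripPort = (uri) => { const u = new URL(uri); u.port = ""; return u.href; };

// Exact string comparison: the behaviour that yields invalid_redirect_uri
// when the registered URI has no port and the presented one does.
function exactMatch(registered, presented) {
  return registered.includes(presented);
}

// Native-app comparison: for http loopback URIs the port is ignored;
// scheme, host, path and query must still match.
function loopbackAwareMatch(registered, presented) {
  return registered.some((r) => {
    if (r === presented) return true;
    const u = new URL(r);
    const loopback = u.protocol === "http:" && LOOPBACK_HOSTS.has(u.hostname);
    return loopback && stripPort(r) === stripPort(presented);
  });
}

// Registration path as this page describes it (assumed logic): CIMD only when
// the client has a metadata URL and the provider advertises support.
function registrationPath(clientMetadataUrl, discovery) {
  return clientMetadataUrl && discovery.client_id_metadata_document_supported
    ? "cimd" : "dynamic";
}

function diagnose({ clientMetadataUrl, discovery, published, port }) {
  const presented = `http://localhost:${port}/callback`;
  const path = registrationPath(clientMetadataUrl, discovery);
  // Dynamic registration sends the port-bearing URI itself, so that is what gets registered.
  const registered = path === "cimd" ? published.redirect_uris : [presented];
  return { path, presented,
    exact: exactMatch(registered, presented),
    loopbackAware: loopbackAwareMatch(registered, presented) };
}

// Constructed inputs using the values quoted on this page.
const published = { redirect_uris: ["http://localhost/callback", "http://127.0.0.1/callback"] };
const discovery = { client_id_metadata_document_supported: true };
const METADATA_URL = "https://claude.ai/oauth/claude-code-client-metadata";

console.log(diagnose({ clientMetadataUrl: METADATA_URL, discovery, published, port: 3118 }));
console.log(diagnose({ clientMetadataUrl: undefined, discovery, published, port: 3118 }));
```

The first call reproduces the v2.1.80+ case (CIMD path, exact match fails); the second reproduces v2.1.79 (dynamic registration, exact match succeeds).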

Solutions

Downgrade to Claude Code v2.1.79 (Immediate Workaround)

risk: low | github | published

Downgrade to the last known-good version (v2.1.79) before the clientMetadataUrl regression was introduced in v2.1.80. In v2.1.79, clientMetadataUrl is undefined, so the OAuth flow always falls through to dynamic client registration, which sends correct redirect_uris including the port.

  1. Uninstall current Claude Code: npm uninstall -g @anthropic-ai/claude-code
  2. Install specific version: npm install -g @anthropic-ai/claude-code@2.1.79
  3. Verify version: claude --version
  4. Re-authenticate with MCP providers

Commands

npm uninstall -g @anthropic-ai/claude-code
npm install -g @anthropic-ai/claude-code@2.1.79
claude --version

Risks

  • v2.1.79 is 3+ months old and lacks security fixes, bug fixes, and features from newer versions
  • May trigger auto-update back to a broken version; pin the version or disable auto-update

Verification

  • Step 1: Run `claude --version` → expect: '2.1.79'
  • Step 2: Attempt MCP OAuth authentication → expect: successful authentication without redirect_uri mismatch errors
  • Step 3: Run `npm list -g @anthropic-ai/claude-code` → expect: version 2.1.79, not any higher version

Upgrade Claude Code to v2.1.152+ (Recommended Fix)

risk: low | official | published

Upgrade Claude Code to v2.1.152 or later, which works with the updated server-side OAuth metadata (application_type: 'native' support). The server-side metadata document at claude.ai was updated ~May 24, 2026 to properly handle native app redirect URIs with ports.

  1. Upgrade Claude Code: npm install -g @anthropic-ai/claude-code@latest
  2. Verify version >= 2.1.152: claude --version
  3. Clear macOS Keychain cache: security delete-generic-password -s 'Claude Code MCP OAuth' 2>/dev/null; security delete-generic-password -l 'Claude Code MCP' 2>/dev/null
  4. Re-attempt MCP OAuth authentication for each affected provider

Commands

npm install -g @anthropic-ai/claude-code@latest
claude --version
# Clear OAuth token cache (macOS):
security delete-generic-password -s 'Claude Code MCP OAuth' 2>/dev/null
security delete-generic-password -l 'Claude Code MCP' 2>/dev/null

Risks

  • Upgrading claude-code may introduce other regressions; test in a non-production environment first
  • Clearing Keychain entries will require re-authentication for all MCP providers

Verification

  • Step 1: Run `claude --version` → expect: version >= 2.1.152
  • Step 2: Run `/mcp` in Claude Code and attempt OAuth authentication for an affected provider → expect: browser redirect completes successfully, MCP server connects without 'invalid_redirect_uri' error
  • Step 3: Check Claude Code debug logs with `ANTHROPIC_LOG=debug claude` → expect: no 'redirect_uri did not match' errors in OAuth flow

Clear macOS Keychain OAuth Cache (For Users Already on v2.1.152+ Still Seeing Errors)

risk: low | github | published

If you upgraded to v2.1.152+ and still see OAuth failures, the macOS Keychain may have cached stale OAuth tokens from a failed pre-fix attempt. Clear the Keychain entries and retry.

  1. List all Claude Code Keychain entries: security find-generic-password -s 'Claude Code' 2>/dev/null
  2. Delete MCP OAuth entries: security delete-generic-password -s 'Claude Code MCP OAuth' 2>/dev/null
  3. Delete any other Claude Code MCP entries: security delete-generic-password -l 'Claude Code MCP' 2>/dev/null
  4. Restart Claude Code and re-attempt MCP OAuth authentication

Commands

security find-generic-password -s 'Claude Code' 2>/dev/null
security delete-generic-password -s 'Claude Code MCP OAuth' 2>/dev/null
security delete-generic-password -l 'Claude Code MCP' 2>/dev/null

Risks

  • Clearing Keychain entries will sign you out of all Claude Code MCP sessions; you must re-authenticate each provider
  • On Linux, the equivalent cache may be in ~/.config or a secrets service; adjust commands accordingly

Verification

  • Step 1: Run `security find-generic-password -s 'Claude Code' 2>/dev/null` → expect: no MCP-related entries remain
  • Step 2: Restart Claude Code and authenticate an MCP provider → expect: OAuth flow completes successfully

Agent JSON

Canonical machine-readable representation of this issue:

{
  "issue_id": "1723f24e-10fb-45e0-8471-76b59b026f0f",
  "slug": "fix-mcp-oauth-cimd-redirect-uris-port-mismatch-invalid-redirect-uri-in-claude-code-2-1-80-for-granola-slack-notion-mcp-m-1be4gn",
  "verification_status": "unverified",
  "canonical_json": "https://codekb.dev/v1/issues/fix-mcp-oauth-cimd-redirect-uris-port-mismatch-invalid-redirect-uri-in-claude-code-2-1-80-for-granola-slack-notion-mcp-m-1be4gn"
}