Unverified

Fix MCP OAuth Regression: client_id_metadata_document redirect_uris Missing Port Causes invalid_redirect_uri in Claude Desktop, Granola, Slack, Notion, and Meta Ads

Starting in Claude Code v2.1.80, MCP OAuth fails against every provider that advertises `client_id_metadata_document_supported: true`. Claude Code sends portless `redirect_uris` via the published client ID metadata document (CIMD) at `https://claude.ai/oauth/claude-code-client-metadata`, while the local OAuth callback server listens on a dynamic port (default 3118). The mismatch causes every CIMD-supporting provider to reject auth with `invalid_redirect_uri`. Additionally, the metadata document was missing `application_type: "native"`, causing providers to treat Claude Code as a web app (RFC 7591 default) and reject loopback redirect URIs. Confirmed affected: Granola, Slack, Notion, Meta Ads, and any FastMCP-based server with CIMD enabled. The fix requires both: (1) setting `application_type: "native"` in the hosted client metadata, and (2) CLI-side changes to send `127.0.0.1` redirect URIs. Fix shipped in v2.1.144+.

Symptoms

  • OAuth authentication fails immediately with `invalid_redirect_uri` when connecting MCP servers from Claude Code v2.1.80+
  • Browser opens but shows error: `redirect_uri did not match any configured URIs. Passed URI: http://localhost:3118/callback`
  • `/mcp` → server → Authenticate results in `SDK auth failed: The provided redirect_uris are not registered for this client`
  • Affected providers include Granola (mcp.granola.ai), Slack (mcp.slack.com), Notion MCP, Meta Ads (mcp.facebook.com/ads), and any FastMCP-based server
  • Previously working MCP OAuth connections break after upgrading from v2.1.79 to v2.1.80+
  • Meta Ads MCP and some providers still affected even in v2.1.141 (partial fix for Notion only)

Error signatures

invalid_redirect_uri
redirect_uri did not match any configured URIs
The provided redirect_uris are not registered for this client
SDK auth failed

Possible causes

  • In v2.1.80, the MCP OAuth provider class gained a `clientMetadataUrl` getter (defaulting to `https://claude.ai/oauth/claude-code-client-metadata`). Previously this property was undefined, so the OAuth flow always used dynamic client registration which sends correct `redirect_uris` with the port (e.g., `http://localhost:3118/callback`)
  • When a provider advertises `client_id_metadata_document_supported: true`, Claude Code switches to the CIMD path which reads the published metadata at claude.ai. That document contains portless redirect_uris: `["http://localhost/callback", "http://127.0.0.1/callback"]` — no port 3118
  • The published client metadata document was missing `application_type`. Per RFC 7591, omitting this defaults to `"web"`. RFC 9700 Section 4.1.3's loopback-port exception only applies to native apps (`application_type: "native"`), so providers correctly rejected the port mismatch
  • The `clientMetadataUrl` property is always truthy when CIMD is supported, so there was no fallback path to dynamic client registration when the metadata document's redirect_uris don't account for the dynamic port
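
The provider-side check behind these causes, as an added example (not code from Claude Code or from any provider): a redirect URI matcher that applies the loopback-port exception only to native clients. The function name and the two sample documents are constructed; the `redirect_uris` values are the portless ones quoted above, and the default of `"web"` follows the page's description.

```python
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def redirect_uri_allowed(requested, client_metadata):
    """Return True if `requested` matches a registered redirect URI."""
    registered = client_metadata.get("redirect_uris", [])
    if requested in registered:
        return True  # exact string match is always acceptable
    # As the page describes: a missing application_type is treated as "web",
    # and web clients get exact matching only.
    if client_metadata.get("application_type", "web") != "native":
        return False
    req = urlsplit(requested)
    # The exception covers plain-http loopback URIs without userinfo only.
    if req.scheme != "http" or req.hostname not in LOOPBACK_HOSTS:
        return False
    if req.username is not None:
        return False
    for candidate in registered:
        reg = urlsplit(candidate)
        # Only the port may differ; scheme, host, path and query must match.
        # "localhost" and "127.0.0.1" are different hosts for this purpose.
        if (reg.scheme, reg.hostname, reg.path, reg.query) == (
            req.scheme, req.hostname, req.path, req.query
        ):
            return True
    return False

# Constructed sample documents: the regressed one has no application_type.
PUBLISHED = {"redirect_uris": ["http://localhost/callback",
                               "http://127.0.0.1/callback"]}
FIXED = dict(PUBLISHED, application_type="native")

if __name__ == "__main__":
    uri = "http://localhost:3118/callback"
    print("without application_type:", redirect_uri_allowed(uri, PUBLISHED))
    print("with application_type=native:", redirect_uri_allowed(uri, FIXED))
```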

Solutions

Downgrade to Claude Code v2.1.79 as Temporary Workaround (Last Pre-Regression Version)

risk: low · github · published

If you cannot wait for the server-side metadata document fix and need MCP OAuth working immediately, downgrade to v2.1.79 — the last version before the `clientMetadataUrl` getter was introduced in v2.1.80. v2.1.79 always uses Dynamic Client Registration (DCR), which correctly handles dynamic port assignment for redirect_uris.

  1. Uninstall current version: `npm uninstall -g @anthropic-ai/claude-code`
  2. Install v2.1.79: `npm install -g @anthropic-ai/claude-code@2.1.79`
  3. Verify: `claude --version 2>&1; echo exit=$?` → expect stdout: '2.1.79 (Claude Code)', exit code 0
  4. Re-authenticate your MCP OAuth providers — they should work via DCR flow
  5. Note: v2.1.79 is from March 2026 and lacks all fixes and features from v2.1.80 through current (v2.1.177 as of June 2026)

Commands

npm uninstall -g @anthropic-ai/claude-code
npm install -g @anthropic-ai/claude-code@2.1.79
npm view @anthropic-ai/claude-code@2.1.79 version
claude --version 2>&1; echo exit=$?

Risks

  • v2.1.79 is outdated — misses ~3 months of security patches, bug fixes, and features
  • npm auto-update may override the pinned version — pin explicitly or use version constraint

Verification

  • Step 1: Run `npm view @anthropic-ai/claude-code@2.1.79 version 2>&1; echo exit=$?` → expect stdout: '2.1.79', exit code 0. If exit code is non-zero, abort — version doesn't exist.
  • Step 2: Run `claude --version 2>&1; echo exit=$?` → expect stdout: '2.1.79 (Claude Code)', exit code 0
  • Step 3: Launch Claude Code, run `/mcp` → select OAuth-enabled MCP server → Authenticate → expect: browser opens, OAuth completes without `invalid_redirect_uri`
  • Step 4: Run `npm view @anthropic-ai/claude-code version` to check latest → note the features you're missing by being on v2.1.79
0 verified, 0 failed

AGENT DIAGNOSTIC DECISION TREE: Identify Whether Your MCP OAuth Failure Is the CIMD Port Mismatch Bug

risk: low · agent · published

AI agents should use this decision tree to diagnose whether an MCP OAuth failure is caused by the CIMD port mismatch bug before attempting fixes. This prevents agents from applying wrong solutions to different OAuth issues.

  1. Step A: Check Claude Code version — `claude --version`. If < 2.1.80, this is NOT the CIMD bug.
  2. Step B: Check the provider's OAuth discovery document — curl the provider's `/.well-known/oauth-authorization-server` and look for `client_id_metadata_document_supported: true`. If absent, this is NOT the CIMD bug.
  3. Step C: Check the error message — grep for `invalid_redirect_uri` or `redirect_uri did not match` in logs. These are the CIMD bug's signature errors.
  4. Step D: Check the metadata document — `curl -s https://claude.ai/oauth/claude-code-client-metadata | python3 -c "import json,sys; d=json.load(sys.stdin); print('application_type:', d.get('application_type','MISSING'), 'redirect_uris:', d.get('redirect_uris',[]))"`. If `application_type` is `'native'`, the server fix is deployed and the issue is provider-specific — see Solution 2.
  5. Step E: If all checks pass (version ≥ 2.1.80, CIMD supported, invalid_redirect_uri error, application_type missing or not 'native'), this IS the CIMD port mismatch bug — apply Solution 0 (re-authenticate) or Solution 1 (downgrade).
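
Steps A through E as one offline function, added here as an example (not part of Claude Code or CodeKB tooling). It takes the outputs of the commands already collected; the function names and verdict strings are hypothetical, and versions are compared as integer tuples so that `2.1.100` sorts after `2.1.80`.

```python
import re

# Error signatures from Step C.
SIGNATURES = ("invalid_redirect_uri", "redirect_uri did not match")

def parse_version(text):
    """Extract (major, minor, patch) from `claude --version` output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def diagnose(version_output, discovery, error_text, client_metadata):
    """Walk the decision tree and return a verdict string.

    discovery       -- parsed /.well-known/oauth-authorization-server JSON
    client_metadata -- parsed claude-code-client-metadata JSON
    """
    # Step A: versions before 2.1.80 never take the CIMD path.
    if parse_version(version_output) < (2, 1, 80):
        return "not-cimd-bug: pre-regression version"
    # Step B: the provider must advertise CIMD support explicitly.
    if discovery.get("client_id_metadata_document_supported") is not True:
        return "not-cimd-bug: provider does not advertise CIMD"
    # Step C: look for one of the signature errors in the log text.
    if not any(sig in error_text for sig in SIGNATURES):
        return "not-cimd-bug: error signature absent"
    # Step D: a native application_type means the hosted fix is live.
    if client_metadata.get("application_type") == "native":
        return "provider-specific: metadata fix already deployed"
    # Step E: every condition for the port mismatch bug holds.
    return "cimd-port-mismatch"

if __name__ == "__main__":
    # Constructed inputs mirroring the symptoms described on this page.
    print(diagnose(
        "2.1.100 (Claude Code)",
        {"client_id_metadata_document_supported": True},
        "SDK auth failed: invalid_redirect_uri",
        {"redirect_uris": ["http://localhost/callback"]},
    ))
```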

Commands

claude --version 2>&1
curl -s PROVIDER_URL/.well-known/oauth-authorization-server | python3 -c "import json,sys; d=json.load(sys.stdin); print('CIMD supported:', 'client_id_metadata_document_supported' in d and d['client_id_metadata_document_supported'])"
curl -s https://claude.ai/oauth/claude-code-client-metadata | python3 -c "import json,sys; d=json.load(sys.stdin); print('app_type:', d.get('application_type','MISSING'), 'redirects:', d.get('redirect_uris',[]))"

Risks

  • Decision tree is diagnostic only — does not fix the issue. Apply Solution 0 after confirming the CIMD bug.

Verification

  • Step 1: Run the diagnostic tree steps A-E in order → expect: each step produces the expected boolean/string result
  • Step 2: If step E confirms CIMD bug, proceed to Solution 0 → expect: Solution 0 resolves the issue
0 verified, 0 failed

Re-authenticate After Server-Side Metadata Document Fix (Official Resolution)

risk: low · official · published

Anthropic staff (localden) confirmed the fix involves updating the hosted client metadata document at `https://claude.ai/oauth/claude-code-client-metadata` to include `application_type: 'native'`. This is a SERVER-SIDE change — no specific npm version upgrade is required. The fix enables RFC 9700 Section 4.1.3's loopback-port exception, which allows providers to accept redirect_uris with dynamic ports (like `http://localhost:3118/callback`) for native application clients. After the metadata document is updated, existing OAuth sessions must be re-authenticated. The issue was closed May 24, 2026 — the metadata document should reflect the fix for all versions ≥ 2.1.80. IMPORTANT: This is NOT tied to any specific Claude Code version; no downgrade or upgrade is necessary beyond running ≥ 2.1.80.

  1. Verify the metadata document reflects the fix: check for `application_type: 'native'` at the published endpoint
  2. Delete existing OAuth tokens for affected MCP connectors — look in your MCP config directory or remove and re-add the MCP server entry
  3. Re-initiate the OAuth flow: run Claude Code, use `/mcp` → select provider → Authenticate
  4. The OAuth flow should now complete successfully — the provider recognizes Claude Code as a native app and accepts the port-bearing redirect_uri
  5. If the flow still fails, wait for the server-side deployment to propagate and retry

Commands

curl -s https://claude.ai/oauth/claude-code-client-metadata | python3 -m json.tool | grep -E 'application_type|redirect_uris'
claude --version

Risks

  • The server-side fix deployment is controlled by Anthropic — there is no npm version to check for confirmation
  • Re-authentication is REQUIRED even after the metadata document is updated — existing tokens were issued under the old (broken) flow

Verification

  • Step 1: Run `curl -s https://claude.ai/oauth/claude-code-client-metadata | python3 -m json.tool 2>&1; echo exit=$?` → expect stdout: JSON object containing `"application_type": "native"`, exit code 0. If `application_type` is missing or not `"native"`, the server-side fix hasn't been deployed yet — wait and retry.
  • Step 2: Run `claude --version 2>&1; echo exit=$?` → expect: version ≥ 2.1.80, exit code 0. If version is below 2.1.80, you're pre-regression and unaffected.
  • Step 3: Launch Claude Code, run `/mcp` → select an OAuth-enabled MCP server → click Authenticate → expect: browser opens, OAuth flow completes, returns to Claude Code without `invalid_redirect_uri` error.
  • Step 4: After successful authentication, run the MCP tool (e.g., search Slack, query Notion) → expect: tool executes successfully without auth errors.
0 verified, 0 failed

Agent JSON

Canonical machine-readable representation of this issue:

{
  "issue_id": "52d42a1c-8a33-40e9-83f5-6416eae42831",
  "slug": "fix-mcp-oauth-regression-client-id-metadata-document-redirect-uris-missing-port-causes-invalid-redirect-uri-in-claude-de-45cr8x",
  "verification_status": "unverified",
  "canonical_json": "https://codekb.dev/v1/issues/fix-mcp-oauth-regression-client-id-metadata-document-redirect-uris-missing-port-causes-invalid-redirect-uri-in-claude-de-45cr8x"
}