cloudflare
mcp-client: Issue with Token verification with Remote MCP
Using this Remote MCP Server
For Testing use my deployed link: https://remote-mcp-server.ankit992827.workers.dev/sse Authentication window opens but at the end token verification failed
Token verification Error :
Error in MyAgent:6af8a93b-464a-431d-9dbc-02876371f0a2 fetch: Error: Token exchange failed: HTTP 400
at exchangeAuthorization (D:/MCP/agents/examples/mcp-client/node_modules/.vite/deps_mcp_client/@modelcontextprotocol_sdk_client_sse__js.js:643:11)
at auth (D:/MCP/agents/examples/mcp-client/node_modules/.vite/deps_mcp_client/@modelcontextprotocol_sdk_client_sse__js.js:531:21)
at SSEEdgeClientTransport.finishAuth (D:/MCP/agents/examples/mcp-client/node_modules/.vite/deps_mcp_client/@modelcontextprotocol_sdk_client_sse__js.js:811:20)
at MCPClientConnection.init (D:/MCP/agents/packages/agents/dist/chunk-YAYSMYUN.js:65:9)
at MCPClientManager.connect (D:/MCP/agents/packages/agents/dist/chunk-YAYSMYUN.js:92:5)
at MCPClientManager.handleCallbackRequest (D:/MCP/agents/packages/agents/dist/chunk-YAYSMYUN.js:163:5)
at D:/MCP/agents/packages/agents/dist/chunk-FOYBPUFC.js:392:13
at MyAgent.fetch (D:/MCP/agents/examples/mcp-client/node_modules/.vite/deps_mcp_client/partyserver.js:384:16)
I am encountering this as well when trying to connect my Agent to a remote server (in my case, Asana's official remote mcp server, though I am assuming the issue exists with other remote servers as well). it is failing at the same step arre-ankit mentioned, when trying to approve the connection in the authentication window.
I was using v 0.0.84 of the agents package (I was testing out the new changes that moved the mcp client management code into the Agent class in https://github.com/cloudflare/agents/pull/254). After testing different versions, this appears to be a regression in 0.0.82 that was then fixed in 0.0.86. version 0.0.82-0.0.85 are all affected by this issue, while I am not seeing this in 0.0.81 nor in 0.0.86.
Would be good if someone else could verify if they're seeing the same behaviour, because judging by the release notes for 0.0.86, I don't see anything that looks related to this, so it seems odd that it should be resolved in that version.
I am encountering this as well when trying to connect my Agent to a remote server (in my case, Asana's official remote mcp server, though I am assuming the issue exists with other remote servers as well). it is failing at the same step arre-ankit mentioned, when trying to approve the connection in the authentication window.
I was using v 0.0.84 of the agents package (I was testing out the new changes that moved the mcp client management code into the Agent class in #254). After testing different versions, this appears to be a regression in 0.0.82 that was then fixed in 0.0.86. version 0.0.82-0.0.85 are all affected by this issue, while I am not seeing this in 0.0.81 nor in 0.0.86.
Would be good if someone else could verify if they're seeing the same behaviour, because judging by the release notes for 0.0.86, I don't see anything that looks related to this, so it seems odd that it should be resolved in that version.
Can confirm! I just updated from 0.0.82 to 0.0.88 for the new mcp client management stuff and I'm now seeing this issue. Trying to connect to Linear's MCP server (https://mcp.linear.app/sse).
Just was working on debugging this, kinda a nasty bug. I don't think it's related to the versions/regressions. I'm fairly certain it's a race condition. When you go through the auth flow, sometimes it generates a new auth URL before the existing auth flow succeeds. That invalidates the old auth URL (the part that specifically gets invalidated is the code challenge identifier afaik). Sometimes that auth flow can succeed, if the auth initialization finishes before the MCP server generates a new auth URL. But if the auth URL gets regenerated before that, then the token exchange will fail.
Going to work on 100% verifying/fixing this tomorrow.
Hey, are you still working on this problem?
I've run into the same issue, and it was caused by worker being restarted in between auth flow. I've added following method to the agent in order to rehydrate the auth flow on agent's onStart method. It fixed the problem I was running into when adding MCP connection to the cloudflare binding server.
/**
* Rehydrates an MCP Server connection from persisted state without re-triggering the auth flow.
* This is used on agent startup to prepare for pending oauth callbacks.
*/
rehydrateServer(
id: string,
url: string,
callbackUrl: string,
options: {
transport?: SSEClientTransportOptions & { authProvider?: AgentsOAuthProvider };
client?: ConstructorParameters<typeof Client>[1];
} = {}
) {
this.mcpConnections[id] = new MCPClientConnection(
new URL(url),
{
name: this._name,
version: this._version,
},
{
client: options.client ?? {},
transport: options.transport ?? {},
}
);
this._callbackUrls.push(callbackUrl);
}
Facing the same issue.
Bash Error:
New SSE connection request. NOTE: The sse transport is deprecated and has been replaced by StreamableHttp
Query parameters: {"url":"http://remote-mcp-server.xxx.workers.dev/sse","transportType":"sse"}
SSE transport: url=http://remote-mcp-server.xxx.workers.dev/sse, headers={"Accept":"text/event-stream"}
Received 401 Unauthorized from MCP server. Authentication failure.
Inspector error
