google-gemini
GitHub MCP Authentication Fails Despite Valid PAT
What happened?
The Gemini CLI's GitHub Model Context Protocol (MCP) server fails to authenticate, consistently returning an OAuth error (Failed to fetch authorization server metadata for client registration) even when a valid Personal Access Token (PAT) is present in the .env file as GITHUB_MCP_PAT.
What did you expect to happen?
I expected the GitHub MCP server to authenticate successfully using the GITHUB_MCP_PAT provided in the .env file. The gemini extension.json and server.json configurations for the GitHub extension clearly indicate that authentication should occur via an Authorization: Bearer $GITHUB_MCP_PAT header, bypassing any OAuth flow.
Steps to reproduce:
- Ensure a valid GITHUB_MCP_PAT is set in the .gemini/.env file (e.g., GITHUB_MCP_PAT=ghp_YOUR_VALID_TOKEN).
- Start the Gemini CLI.
- Attempt to authenticate the GitHub MCP using /mcp auth github.
Observed behavior: The command fails with the following output:
1 ✕ Error during discovery for server 'github': 401 error received for SSE server 'github' without OAuth configuration. Please authenticate using: /mcp auth github 2 3 ℹ Starting OAuth authentication for MCP server 'github'... 4 ✕ Failed to authenticate with MCP server 'github': Failed to fetch authorization server metadata for client registration (attempted issuers: https://github.com, https://github.com/login) The PAT itself was confirmed to be valid by a direct curl command:
1 curl -H "Authorization: token <YOUR_PAT>" https://api.github.com/user This command successfully returned user profile data, proving the token's validity and necessary scopes.
Client information
- CLI Version: 0.18.4
- Git Commit: 2e8d7831c
- Session ID: 77fdea42-5feb-44e3-8034-6c23b10c11ac
- Operating System: darwin v25.2.1
- Sandbox Environment: no sandbox
- Model Version: auto
- Memory Usage: 323.0 MB
Login information
I am attempting to authenticate the GitHub MCP using a Personal Access Token (PAT) stored as GITHUB_MCP_PAT in the .gemini/.env file.
Anything else we need to know?
The gemini-extension.json and server.json for the GitHub extension (extensions/github/) explicitly configure authentication via an Authorization: Bearer $GITHUB_MCP_PAT header to https://api.githubcopilot.com/mcp/. However, the CLI appears to be initiating a standard OAuth flow (looking for https://github.com and https://github.com/login for metadata) instead of utilizing the configured PAT. This suggests a disconnect between the extension's specified authentication method and the CLI's authentication handling for MCPs. The PAT's validity has been verified independently.
Found possible duplicate issues:
- #5397
- #13643
- #13840
- #10512
- #12628
- #5687
If you believe this is not a duplicate, please remove the status/possible-duplicate label.
![gemini-cli[bot] avatar](https://avatars.githubusercontent.com/in/1473539?v=4 "Published by a pub.dev verified publisher"){kind=small}
What configuration are you using? I've defined GITHUB_MCP_PAT in my ~/.gemini/.env file and in my settings.json I have:
"mcpServers": {
"github": {
"httpUrl": "https://api.githubcopilot.com/mcp/",
"headers": {
"Authorization": "${GITHUB_MCP_PAT}"
},
"timeout": 5000
}
},
And it connects just fine.
@EEbrami, seems like you're using the github-mcp-server extension. Here is a quick workaround: remove Bearer from "Authorization": "Bearer $GITHUB_MCP_PAT"
{
"name": "github",
"version": "1.0.0",
"mcpServers": {
"github": {
"description": "Connect AI assistants to GitHub - manage repos, issues, PRs, and workflows through natural language.",
"httpUrl": "https://api.githubcopilot.com/mcp/",
"headers": {
"Authorization": "Bearer $GITHUB_MCP_PAT"
}
}
}
}
in .gemini/extensions/github/gemini-extension.json
@scidomino The gemini-extension.json from github-mcp-server is valid (that's the correct format for Bearer authentication). Skimming through gemini-cli code, the issue might be that gemini-cli adds an extra Bearer to the Authorization header value.
Ok. So here's what I've discovered. You can connect to the github server with either "Bearer $GITHUB_MCP_PAT" or just "$GITHUB_MCP_PAT". I have tried both and it works so long as your PAT is good. You DO NOT need to run /mcp auth. If you do, and successfully go through auth, we will always overwrite the authorization header with the one we have stored locally (The token from your successful auth will be stored in ~/.gemini/mcp-oauth-tokens.json ). We will append it with:
"Authorization": "Bearer $GITHUB_MCP_PAT"
Once that's happened, there's nothing you can do to your configuration that will affect the Authorization header since it's being overwritten by code. Normally, that should not be an issue, but I guess it's messing you up in this case.
So my guess is that maybe you got yourself in a bad state by running /mcp auth'. You should be able to fix it by performing some surgery on your mcp-oauth-tokens.json`.
I can't repro this but I'm pretty confident that's what's happening. When I try /mcp auth github it gives me:
✕ Failed to authenticate with MCP server 'github': Failed to fetch authorization server metadata for client registration (attempted █
issuers: https://github.com, https://github.com/login)
Let me know if this doesn't work for you and I will reopen.
Hi Tommaso,
Thanks for the help! I can confirm your suspicion was correct.
The key was indeed to avoid running /mcp auth (which creates the mcp-oauth-tokens.json file that puts the CLI in a bad state) and instead manually configure the settings.json.
Specifically, manually setting the Authorization header with the Bearer scheme worked for me:
"headers": {
"Authorization": "Bearer $GITHUB_MCP_PAT"
}
Appreciate the pointer!