I have verified this would not be more appropriate as a feature request in a specific repository
I have searched existing discussions to avoid duplicates
Your Idea
The MCP Server is protected by OAuth 2.0 [1] and typically acts as an OAuth 2.0 resource server. According to the OAuth 2.0 standard, when the resource server returns an error, it should include a WWW-Authenticate header [2].
When the MCP Server fails, it currently returns a 401 error to the MCP Client with additional information in the WWW-Authenticate header. However, the MCP Client does not expose the WWW-Authenticate header. This makes it difficult for clients to understand the reason for the failure and to react accordingly—such as initiating step-up authentication or requesting additional scopes. The server should expose the header so that the MCP Client can properly handle the error in compliance with the OAuth 2.0 specification.
[1] https://modelcontextprotocol.io/specification/2025-03-26
[2] https://www.rfc-editor.org/rfc/rfc6750.html
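What a client could do with the header once it is exposed, as an added example (not code from the original post or from any MCP SDK): it parses the Bearer challenge defined in RFC 6750 [2] and maps the error code to a next step. The function names, the action labels, and the sample header with its scope names are assumptions constructed for illustration.

```python
import re

# auth-param = name "=" ( token / quoted-string ); names simplified to [\w-]+
_PARAM = re.compile(r'''([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))''')
_SEP = re.compile(r'\s*,\s*')

# Constructed sample: a 401 challenge asking for a scope the token lacks.
SAMPLE = (r'Bearer realm="mcp", error="insufficient_scope", '
          r'scope="tools:read tools:call", error_description="Need \"tools:call\""')

def parse_bearer_challenge(header):
    """Return the Bearer challenge's attributes as a dict, or None if absent.

    Stops at the first item that is not name=value, so a following
    challenge for another scheme (e.g. Basic) is not mixed in.
    """
    m = re.search(r'(?:^|,)\s*Bearer(?:\s+|$)', header or "", re.IGNORECASE)
    if not m:
        return None
    pos, params = m.end(), {}
    while (pm := _PARAM.match(header, pos)):
        name, quoted, bare = pm.groups()
        # Undo quoted-pair escaping inside quoted-string values.
        value = re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else bare
        params[name.lower()] = value
        sep = _SEP.match(header, pm.end())
        if not sep:
            break
        pos = sep.end()
    return params

def next_step(status, header, granted_scopes):
    """Map a challenge to (action, scopes). Action labels are hypothetical."""
    params = parse_bearer_challenge(header)
    if params is None:
        return ("fail", [])  # no Bearer challenge: nothing to act on
    wanted = params.get("scope", "").split()
    error = params.get("error")
    if error == "insufficient_scope":
        # Step-up: ask only for scopes the current token does not carry.
        return ("request_scopes", [s for s in wanted if s not in granted_scopes])
    if error == "invalid_token":
        return ("reauthorize", [])  # expired, revoked or malformed token
    if error is None and status == 401:
        return ("authorize", wanted)  # no credentials were presented
    return ("fail", [])

if __name__ == "__main__":
    print(next_step(401, SAMPLE, {"tools:read"}))
```

The `error_description` value is server-supplied text intended for developers; log it, but base decisions on the `error` and `scope` attributes only.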