OAuth Consent and Refresh Behavior
Expected Lifecycle
- Client discovers OAuth metadata from the MCP endpoint.
- User completes browser consent.
- Client stores access token and refresh token.
- Client refreshes access token before or at expiry.
- User is only re-prompted when refresh fails or consent is revoked.
What should be automatic
- Access token refresh without additional user interaction.
- Retry of failed calls after successful refresh.
- Stable session across long-running agent workflows.
Signals of a bug
- Re-auth required too frequently despite active usage.
- Refresh succeeds but subsequent tool calls still use expired token.
- Different clients behave inconsistently against the same server.
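The lifecycle above and the second bug signal, sketched as an added example (not code from any MCP client or SDK): a wrapper that refreshes near expiry, reads the token at call time so the retry after a 401 carries the refreshed token, and asks for new consent only when refresh itself fails. `TokenSession`, `ConsentRequired`, `refresh_fn`, `send` and all token values are hypothetical, and the server is a constructed in-memory stand-in.

```python
import time

class ConsentRequired(Exception):
    """Refresh failed or consent was revoked: the user must be re-prompted."""

class TokenSession:  # hypothetical client-side helper, not an MCP SDK class
    def __init__(self, access, refresh, expires_at, refresh_fn, skew=30, clock=time.time):
        self.access, self.refresh, self.expires_at = access, refresh, expires_at
        self.refresh_fn, self.skew, self.clock = refresh_fn, skew, clock

    def _do_refresh(self):
        try:
            tok = self.refresh_fn(self.refresh)  # stands in for the token endpoint call
        except Exception as exc:
            raise ConsentRequired("refresh failed; new consent needed") from exc
        self.access = tok["access_token"]
        self.refresh = tok.get("refresh_token", self.refresh)  # server may rotate it
        self.expires_at = self.clock() + tok["expires_in"]

    def call(self, send):  # send(access_token) -> (status, body)
        if self.clock() >= self.expires_at - self.skew:
            self._do_refresh()                # refresh before or at expiry
        status, body = send(self.access)      # token is read at call time
        if status == 401:
            self._do_refresh()
            status, body = send(self.access)  # retry carries the refreshed token
        return status, body

def demo():  # constructed in-memory server; all token values are made up
    state = {"n": 1, "valid": {"at-1"}, "revoked": False}
    def refresh_fn(_refresh_token):
        if state["revoked"]:
            raise ValueError("invalid_grant")
        state["n"] += 1
        state["valid"] = {f"at-{state['n']}"}
        return {"access_token": f"at-{state['n']}", "expires_in": 3600}
    seen = []
    def send(tok):
        seen.append(tok)
        return (200, "ok") if tok in state["valid"] else (401, "expired")
    s = TokenSession("at-1", "rt-1", 1010.0, refresh_fn, clock=lambda: 1000.0)
    s.call(send)                             # inside skew window: proactive refresh
    state["valid"] = set()                   # server expires the token early
    s.call(send)                             # 401 -> refresh -> retry with new token
    state.update(revoked=True, valid=set())  # consent revoked server-side
    try:
        s.call(send)
    except ConsentRequired:
        return seen, True                    # user must be re-prompted
    return seen, False
```

`demo()` returns the tokens the server actually saw, in order, plus whether a re-prompt was raised; a client showing the "refresh succeeds but calls still use expired token" signal would send the old token again on the retry.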
Verification prompt
Show me authentication state for this MCP connection: whether OAuth is active, whether refresh has recently succeeded, and whether a new consent is required.