Refresh Claude MCP auth via headersHelper (no mid-session expiry)#200
Closed
sunishsheth2009 wants to merge 1 commit into
Closed
Refresh Claude MCP auth via headersHelper (no mid-session expiry)#200sunishsheth2009 wants to merge 1 commit into
sunishsheth2009 wants to merge 1 commit into
Conversation
Claude Code freezes an MCP header's `${OAUTH_TOKEN}` at config-load time, so a
session running past the Databricks OAuth token lifetime (~1h) sees MCP calls
start failing until relaunch. Register Claude's MCP servers with a `headersHelper`
command instead: Claude re-runs it on every connect/reconnect and on a 401/403
retry, so the bearer is always fresh.
- `ucode auth-token --mcp-header`: new flag that emits the JSON
`{"Authorization": "Bearer <token>"}` object Claude's headersHelper expects,
reusing the existing cross-platform token logic (OAuth refresh / PAT / bearer
short-circuit). Bare-token output (for apiKeyHelper / codex) is unchanged.
- `build_claude_mcp_entry(url, headers_helper)`: Claude HTTP MCP entry using
`headersHelper` rather than a static `Authorization` header.
- `configure_mcp_command` builds the helper command (via `build_auth_shell_command
(..., mcp_header=True)`) when Claude is among the target clients and threads it
through `apply_mcp_server_changes` -> `configure_client_mcp_server`. Other
clients keep the launch-set `${OAUTH_TOKEN}` header.
Investigated Codex/Gemini/OpenCode/Copilot: none expose a per-request auth hook
for MCP (only static headers or env-var bearer), and a parent can't mutate a
running child's env, so there's no clean self-refresh for them — documented as a
known limitation in the README.
Verified against a live workspace: `ucode auth-token --mcp-header` emits a valid
OAuth JSON header and MCP `initialize` returns 200 with it. Tests: 142 pass in
test_mcp.py + test_cli.py; ruff clean.
Co-authored-by: Isaac
Author
|
Superseded by #201, which routes all MCP clients (including Claude) through the uniform |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes a mid-session MCP auth expiry for Claude Code. Claude freezes an MCP header's
${OAUTH_TOKEN}at config-load time, so a session running past the Databricks OAuth token lifetime (~1h) sees MCP calls fail with 401/403 until relaunch. This registers Claude's Databricks MCP servers with aheadersHelpercommand instead of a static header — Claude re-runs it on every connect/reconnect and automatically on a 401/403 retry (v2.1.193+), so the bearer is always fresh.Changes
ucode auth-token --mcp-header— new flag that emits the JSON{\"Authorization\": \"Bearer <token>\"}object Claude'sheadersHelperconsumes, reusing the existing cross-platform token logic (OAuth refresh / PAT /DATABRICKS_BEARERshort-circuit). Bare-token output (for the modelapiKeyHelperand Codex) is unchanged.build_claude_mcp_entry(url, headers_helper)— a Claude HTTP MCP entry that usesheadersHelperrather than a staticAuthorizationheader.configure_mcp_commandbuilds the helper command (build_auth_shell_command(..., mcp_header=True)→ucode auth-token --mcp-header) when Claude is a target client, and threads it throughapply_mcp_server_changes→configure_client_mcp_server. Every other client keeps the launch-set${OAUTH_TOKEN}header (unchanged).Other clients — investigated, documented as a known limitation
I checked Codex, Gemini, OpenCode, and Copilot for an equivalent self-refresh hook:
headersHelper(command), OAuth/DCRbearer_token_env_var, statichttp_headers, OAuth-login (DCR)None of the others expose a per-request auth command for MCP, and a parent process can't mutate a running child's env var — so there's no clean self-refresh for them. Documented in the README; a long session on those clients needs relaunch to pick up a fresh token (pre-existing behavior, unchanged here).
Verification
Against a live workspace:
ucode auth-token --mcp-headeremits a valid OAuth JSON header, and MCPinitializereturns 200 with that exact header — confirming the helper mints a working, fresh token. Unit tests:build_claude_mcp_entryshape, the Claude branch usingheadersHelperwhen provided (and falling back to the static entry otherwise), and the--mcp-headerJSON output. 142 tests pass across test_mcp.py + test_cli.py;ruff checkclean.This pull request and its description were written by Isaac.