Claude Desktop Custom Connectors require OAuth 2.0 DCR — static Bearer tokens unsupported

Constraint

Claude Desktop’s Custom Connector configuration (15-Apr-2026) supports only two MCP auth modes:

  1. Public no-auth (most common) — just paste URL, works
  2. OAuth 2.0 Dynamic Client Registration (per MCP spec 2025-03-26+) — Desktop discovers via /.well-known/oauth-authorization-server, registers itself, completes interactive flow

NOT supported: static Authorization: Bearer <token> headers. The Desktop connector UI has no header-entry field, and the failure mode is silent — when /mcp returns 401 without OAuth discovery metadata, Desktop abandons the connection before initialize and shows “You are not connected to yet” without logging anything server-side.

Verification evidence

  • Deployed xint-mcp.arjtech.in via Traefik file-provider with valid Let’s Encrypt cert + Bearer auth pass-through
  • curl -H "Authorization: Bearer <token>" returned HTTP 200 with valid MCP initialize response
  • Adding https://xint-mcp.arjtech.in/mcp to Claude Desktop Custom Connector → Desktop never sent ANY request (verified via journalctl -u xint-mcp.service --since "2 minutes ago" — zero entries during attempt)
  • Desktop probed /.well-known/oauth-authorization-server, /.well-known/openid-configuration, /oauth/authorize, /oauth/token — all 401 (no OAuth server) → gave up
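
A triage check for the failure mode above, added here as an example and not part of the original note: it classifies a server from the status of an unauthenticated /mcp request and of the discovery document, and flags metadata that a self-registering client could not use. The function name, verdict labels, placeholder host and the /oauth/register path are assumptions of this example.

```python
import json

# RFC 8414 metadata fields a client needs before it can register itself
# (RFC 7591 registration_endpoint) and run an authorization-code flow.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint",
            "registration_endpoint")

def classify(mcp_status, meta_status, meta_body=""):
    """Classify a server from two unauthenticated probes.

    mcp_status:  status of a request to /mcp sent without credentials
    meta_status: status of GET /.well-known/oauth-authorization-server
    meta_body:   body of that metadata response
    Returns (verdict, problems).
    """
    if mcp_status == 200:
        return "no-auth", []
    if mcp_status != 401:
        return "unexpected", [f"/mcp returned {mcp_status}"]
    if meta_status != 200:
        # The case on this page: 401 everywhere, nothing to register against.
        return "bearer-only", [f"discovery returned {meta_status}"]
    try:
        meta = json.loads(meta_body)
    except ValueError:
        meta = None
    if not isinstance(meta, dict):
        return "broken-discovery", ["metadata is not a JSON object"]
    problems = [f"missing {k}" for k in REQUIRED if not meta.get(k)]
    # Assumption of this example: require S256, since MCP authorization uses PKCE.
    methods = meta.get("code_challenge_methods_supported")
    if not isinstance(methods, list) or "S256" not in methods:
        problems.append("PKCE S256 not advertised")
    return ("oauth-dcr" if not problems else "broken-discovery"), problems

# Constructed sample inputs (placeholder host, hypothetical paths, not captured traffic).
BASE = "https://mcp.example.test"
GOOD = {"issuer": BASE, "authorization_endpoint": BASE + "/oauth/authorize",
        "token_endpoint": BASE + "/oauth/token",
        "registration_endpoint": BASE + "/oauth/register",
        "code_challenge_methods_supported": ["S256"]}
NO_DCR = {k: v for k, v in GOOD.items() if k != "registration_endpoint"}

if __name__ == "__main__":
    for name, args in [("bearer-only server", (401, 401, "")),
                       ("public server", (200, 404, "")),
                       ("full DCR", (401, 200, json.dumps(GOOD))),
                       ("no registration", (401, 200, json.dumps(NO_DCR)))]:
        print(name, "->", classify(*args))
```

A "bearer-only" verdict matches the evidence listed above: the endpoint answers a request that carries the token, but offers no discovery metadata to a client that has none.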

Implication for MCP architecture

For any Bearer-auth’d MCP, choose one path:

  1. Keep VPS-permanent (~/.claude.json mcpServers.<name>.headers.Authorization) — Bearer works fine here
  2. Add OAuth 2.0 DCR server-side — significant work (discovery metadata + client registration endpoint + token issuance)
  3. Remove auth + IP allowlist — impractical for laptops with changing IPs

Public no-auth MCPs should prefer the Desktop connector (its context cost is dynamic: off when disabled).

Cross-reference

  • error-playbook.md 15-Apr-2026 entry (full diagnosis pattern)
  • MEMORY.md § System Pointers (Permanent 7 rationale: xint stays because Bearer)