← Claude Code Hub
✦ Tip #123 Jul 3, 2026

Never let an MCP login interrupt your session again in Claude Code

An MCP login always lands mid-task: it stops you, opens the browser, makes you fight the callback. There's a command that pulls it out of the session and gets it done once. And it's the only thing that works headless.

One login from the terminal with claude mcp login stores the token in the keychain and auto-refreshes it, so every session and every headless run starts with the MCP ready without asking for a login again

TL;DR claude mcp login <name> (since v2.1.186) runs an MCP server's OAuth flow from your shell, no /mcp panel mid-session. The token is stored securely and refreshed automatically, so you authenticate once and every future session (and every headless run) starts with the server ready. claude mcp logout <name> revokes it. Over SSH, --no-browser prints the URL.

You're halfway through a task, an MCP server goes red asking for a login, and suddenly you're wrestling with the browser and the callback instead of coding. That mid-session interruption has always felt like a drag. The good news: you can pull that step out of the flow entirely.

How it works

Many remote MCP servers (Sentry, Notion, Linear…) require OAuth 2.0. When the server responds with 401 or 403, Claude Code flags it as "needs auth". Until recently the only path was opening /mcp inside the session and following the browser. Since v2.1.186 there's a direct command:

claude mcp login sentry

The browser opens, you sign in, and the token is stored (macOS keychain or a credentials file) and refreshed automatically. It's not a per-session login: you do it once and you're done.

Why log in outside the session?

If you're sitting there coding, /mcp is fine. claude mcp login wins in three cases:

  • Pre-authenticate. Do it before you start, and no session interrupts you for a login again.
  • Headless. In claude -p, the Agent SDK, or a cron job there is no /mcp panel: Claude Code can't open the browser for you. Since v2.1.196 the run tells you a server needs auth, but the only way to leave it ready is to have logged in beforehand with claude mcp login. Here the one using the MCP isn't you: it's the automation.
  • Provisioning. claude mcp add … && claude mcp login … in a setup script leaves a machine ready without opening Claude even once.

What you see

$ claude mcp add --transport http sentry https://mcp.sentry.dev/mcp
Added HTTP MCP server sentry

$ claude mcp login sentry
Opening browser to authorize sentry…
✓ Authenticated. Credentials stored securely.

Getting started

1. Add the server

claude mcp add --transport http sentry https://mcp.sentry.dev/mcp

2. Authenticate from the shell

claude mcp login sentry

3. Verify and revoke

claude mcp get sentry      # confirm OAuth is configured
claude mcp logout sentry   # clear the stored credentials

Over SSH or with no browser

Since v2.1.191, if there's no local browser (an SSH session, Linux with no display server), the command prints the URL instead of trying to open one. Open it on your machine, authenticate, and paste the full redirect URL back at the prompt. It needs an interactive terminal for the paste step, so connect with ssh -t. Force that mode even when a browser is available with --no-browser:

claude mcp login sentry --no-browser

Reference

Command What it does
claude mcp login <name> Runs the OAuth flow from the shell (v2.1.186+)
claude mcp login <name> --no-browser Prints the URL instead of opening the browser
claude mcp logout <name> Clears the stored credentials
claude mcp get <name> Confirms OAuth is configured
/mcp (in session) The interactive alternative: "Re-authenticate" / "Clear authentication"

When OAuth isn't enough:

  • If the server doesn't support dynamic registration ("Incompatible auth server"), fix the port with --callback-port and pass your credentials with --client-id / --client-secret.
  • To grant only the scopes you want, set oauth.scopes in .mcp.json.
  • If your auth isn't OAuth (Kerberos, SSO, short-lived tokens), generate the headers at connect time with headersHelper. And for a static token, --header "Authorization: Bearer …" when adding the server.

This is the step after connecting your first MCP: you added it, now authenticate it. And when one goes red, the "Failed to connect" decision tree tells you whether that 401/403 is exactly this.

Official docs: Authenticate with remote MCP servers

Related: Set up your first MCP · MCP "Failed to connect"

Requirements

  • claude mcp login / logout require Claude Code v2.1.186+; the "no browser" detection, v2.1.191.
  • OAuth works with HTTP (and SSE) servers, not local stdio ones.
Free guide

51 tips to master Claude Code.

One page per tip. Five chapters. What I actually use daily in production — no theory, no fluff.

  • I. Getting started 10 tips
  • II. Awareness 3 tips
  • III. Mastery 22 tips
  • IV. Autonomy 10 tips
  • V. Comparison 6 tips
Are you a professional Web developer?

You'll receive the guide by email · You join the Gravitas newsletter · Unsubscribe anytime

of 51
#

Wmedia · 51 Tips
Free guide · 51 tips · 5 chapters

51 tips to master Claude Code.

Are you a professional Web developer? · Unsubscribe anytime