TL;DR
claude mcp login <name>(since v2.1.186) runs an MCP server's OAuth flow from your shell, no/mcppanel mid-session. The token is stored securely and refreshed automatically, so you authenticate once and every future session (and every headless run) starts with the server ready.claude mcp logout <name>revokes it. Over SSH,--no-browserprints the URL.
You're halfway through a task, an MCP server goes red asking for a login, and suddenly you're wrestling with the browser and the callback instead of coding. That mid-session interruption has always felt like a drag. The good news: you can pull that step out of the flow entirely.
How it works
Many remote MCP servers (Sentry, Notion, Linear…) require OAuth 2.0. When the server responds with 401 or 403, Claude Code flags it as "needs auth". Until recently the only path was opening /mcp inside the session and following the browser. Since v2.1.186 there's a direct command:
claude mcp login sentry
The browser opens, you sign in, and the token is stored (macOS keychain or a credentials file) and refreshed automatically. It's not a per-session login: you do it once and you're done.
Why log in outside the session?
If you're sitting there coding, /mcp is fine. claude mcp login wins in three cases:
- Pre-authenticate. Do it before you start, and no session interrupts you for a login again.
- Headless. In
claude -p, the Agent SDK, or a cron job there is no/mcppanel: Claude Code can't open the browser for you. Since v2.1.196 the run tells you a server needs auth, but the only way to leave it ready is to have logged in beforehand withclaude mcp login. Here the one using the MCP isn't you: it's the automation. - Provisioning.
claude mcp add … && claude mcp login …in a setup script leaves a machine ready without opening Claude even once.
What you see
$ claude mcp add --transport http sentry https://mcp.sentry.dev/mcp
Added HTTP MCP server sentry
$ claude mcp login sentry
Opening browser to authorize sentry…
✓ Authenticated. Credentials stored securely.
Getting started
1. Add the server
claude mcp add --transport http sentry https://mcp.sentry.dev/mcp
2. Authenticate from the shell
claude mcp login sentry
3. Verify and revoke
claude mcp get sentry # confirm OAuth is configured
claude mcp logout sentry # clear the stored credentials
Over SSH or with no browser
Since v2.1.191, if there's no local browser (an SSH session, Linux with no display server), the command prints the URL instead of trying to open one. Open it on your machine, authenticate, and paste the full redirect URL back at the prompt. It needs an interactive terminal for the paste step, so connect with ssh -t. Force that mode even when a browser is available with --no-browser:
claude mcp login sentry --no-browser
Reference
| Command | What it does |
|---|---|
claude mcp login <name> |
Runs the OAuth flow from the shell (v2.1.186+) |
claude mcp login <name> --no-browser |
Prints the URL instead of opening the browser |
claude mcp logout <name> |
Clears the stored credentials |
claude mcp get <name> |
Confirms OAuth is configured |
/mcp (in session) |
The interactive alternative: "Re-authenticate" / "Clear authentication" |
When OAuth isn't enough:
- If the server doesn't support dynamic registration ("Incompatible auth server"), fix the port with
--callback-portand pass your credentials with--client-id/--client-secret. - To grant only the scopes you want, set
oauth.scopesin.mcp.json. - If your auth isn't OAuth (Kerberos, SSO, short-lived tokens), generate the headers at connect time with
headersHelper. And for a static token,--header "Authorization: Bearer …"when adding the server.
This is the step after connecting your first MCP: you added it, now authenticate it. And when one goes red, the "Failed to connect" decision tree tells you whether that 401/403 is exactly this.
Official docs: Authenticate with remote MCP servers
Related: Set up your first MCP · MCP "Failed to connect"
Requirements
claude mcp login/logoutrequire Claude Code v2.1.186+; the "no browser" detection, v2.1.191.- OAuth works with HTTP (and SSE) servers, not local stdio ones.