Security News

Cybersecurity news aggregator

MEDIUM Vulnerabilities Reddit r/netsec

Major AI Clients Shipping With Broken OAuth Implementations (JUNE 2026 UPDATE)

  • What: Major AI clients have broken OAuth implementations
  • Impact: Affects developers and systems using OAuth

MCP Client OAuth Refresh-Token Support Matrix (June 2026)

RedCaller Team · June 7, 2026 · 10 min read

Tags: MCP, OAuth, refresh tokens, client support, Claude Code, Cursor, VS Code, mcp-remote

Summary

The MCP authorization specification (November 2025) mandates OAuth 2.1 with PKCE for remote MCP servers. A security best practice derived from this spec is to issue short-lived access tokens (5–60 minutes) paired with long-lived refresh tokens (30–90 days, rotated on every use). In practice, this security model is only achievable if MCP clients implement the OAuth refresh_token grant. As of June 2026, the ecosystem has made measurable progress since our initial April survey, with Gemini CLI achieving full support and several clients upgrading from "not implemented" to partial.

| Metric | Count | Change from April |
| --- | --- | --- |
| Full support | 1 | +1 |
| Partial / broken | 10 | +3 |
| Not implemented | 2 | -4 |
| Unknown | 1 | — |

Specification Context

The MCP community formally addressed this gap through SEP-2207 (OIDC-Flavored Refresh Token Guidance), accepted as a Standards Track proposal on February 4, 2026. SEP-2207 acknowledges directly that major clients (Cursor, Claude, VS Code) are not requesting refresh tokens via the offline_access scope. It specifies that clients SHOULD include refresh_token in their grant_types client metadata and MAY augment authorization requests with offline_access when the Authorization Server lists it in scopes_supported. The MCP TypeScript SDK merged SEP-2207 on March 30, 2026, providing the client-side plumbing for scope augmentation and prompt=consent. The Rust SDK merged its implementation on March 24, 2026. The Python SDK implementation (PR #2039) remains open as of June 2026 with no activity since March 31. Most clients have not yet consumed the SDK updates.

Client Support Matrix

| Client | Type | refresh_token Status | Notes |
| --- | --- | --- | --- |
| Gemini CLI | CLI | Full | PR #26312 merged May 13, 2026: dynamic OAuth provider now checks token expiry before every request and refreshes mid-session. Fixes Issues #18895 and #23776. No restart required on token expiry. |
| Zed | IDE | Partial | Auto-refresh works in HTTP transport (Mar 2026, PR #51768). DCR request omits refresh_token from grant_types, breaking strict Python SDK servers (Issue #53784, still open). |
| VS Code (GitHub Copilot CLI) | IDE Extension | Partial | Silent refresh implemented (Issue #1797 closed as completed Mar 10, 2026). Stale keychain entries cause repeated OAuth popups when the token exceeds OS keychain size limits (Issue #2112). |
| Cline | VS Code Extension | Partial | OAuth 2.1 with PKCE implemented (PR #3019). Re-auth after token expiry broken due to an OAuth state management bug (Issue #7964). Missing scope parameter breaks strict providers (Issue #9116). Workaround: delete and re-add the MCP server. |
| Continue.dev | VS Code / JetBrains Extension | Partial | Delegates to mcp-remote on 401. Tracks EXPIRED_MCP_OAUTH errors and 24-hour expiry warnings. Not native: depends on the mcp-remote bridge. |
| Open WebUI | Web UI | Partial | Token refresh bug fixed (PR #20138). Mid-session re-auth via toast/popup added (PR #22341). Background proactive refresh PR #19811 was closed by the maintainer. On-demand refresh only. |
| Goose (Block) | CLI / Agent | Partial | Proactive refresh merged (PR #8386): checks stored credentials before an unauthenticated connection, silent refresh when available. Falls back to browser auth if no refresh token. |
| Claude Code (CLI) | CLI | Partial | v2.1.136 (May 8, 2026) fixed the multi-server refresh-token race via a cross-process lock and preserves existing refresh tokens per RFC 6749 section 6. _doRefresh metadata discovery bug for non-root path URLs remains unfixed. Issue #55055 (May 2026) confirms HTTP MCP servers still drop to bootstrap tools on expiry. |
| Claude Desktop | Desktop App | Partial | Shares the Claude Code SDK. Benefits from the v2.1.136 race fix. Token persistence partially fixed (Issue #47554). Proactive refresh on session start still not implemented. |
| Cursor | IDE | Partial | Refresh token support implemented in v2.5 (Mar 2026). Multi-window token store sync fixed (merged May 11-13). Background refresh works (logs confirm "MCP OAuth refresh succeeded"), but the refreshed token is not picked up by the active MCP transport (Issue thread, Jun 2). Team working on an architectural fix. |
| LibreChat | Web UI | Partial | PR #12812 fixed a silent crash from unhandled reconnect rejections (Apr 2026). PR #12162 added refresh token fallback in canReconnect(). PR #12171 fixed OAuth race conditions and token expiry handling. Proactive refresh with jitter (Issue #12802) still unimplemented. |
| Claude.ai (Web) | Web UI | Not implemented | Custom connectors via mcp-proxy.anthropic.com never attempt token refresh. Issue #52905 (May 2026) confirms zero /token requests reach the server after initial auth. Fix exists for the direct HTTP path (~v2.1.59) but is not ported to the proxy path. |
| Amazon Q CLI | CLI | Not implemented | Feature request #2921 still open. Issue #3638 filed for OAuth discovery failures without fallback. Still requires mcp-remote as a workaround for OAuth-enabled servers. |
| Windsurf (Codeium) | IDE | Unknown | Changelog not... |
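The matrix above is a catalogue of the same few client-side mistakes: DCR metadata without refresh_token in grant_types, offline_access sent blindly or not at all, access tokens used until they fail instead of being checked before each request, and a rotated or omitted refresh_token mishandled on the response. The following Python is an added example, not code from the RedCaller post or from any MCP SDK, showing the SEP-2207 and RFC 6749 section 6 behaviour each row is being graded on. The client name, redirect URI, 30-second refresh skew and the FakeAuthServer stand-in for the /token endpoint are all constructed for the example.

```python
# Added example (not from the RedCaller post or any MCP SDK): the client-side
# refresh-token plumbing SEP-2207 describes, driven against a constructed
# fake /token endpoint so it runs offline.
from __future__ import annotations

import time
from dataclasses import dataclass
from typing import Callable, Optional

REFRESH_SKEW_SECONDS = 30.0  # refresh this long before expiry (assumed value)


def request_scopes(as_metadata: dict, base_scopes: list[str]) -> list[str]:
    """SEP-2207: MAY add offline_access, but only when the Authorization Server
    advertises it in scopes_supported; sending it blindly breaks strict servers."""
    scopes = list(base_scopes)
    if ("offline_access" in as_metadata.get("scopes_supported", [])
            and "offline_access" not in scopes):
        scopes.append("offline_access")
    return scopes


def build_client_metadata(as_metadata: dict, base_scopes: list[str]) -> dict:
    """Dynamic Client Registration (RFC 7591) body. SEP-2207: clients SHOULD list
    refresh_token in grant_types, otherwise strict servers never issue one."""
    return {
        "client_name": "example-mcp-client",                  # hypothetical
        "redirect_uris": ["http://127.0.0.1:8080/callback"],  # hypothetical
        "grant_types": ["authorization_code", "refresh_token"],
        "response_types": ["code"],
        "token_endpoint_auth_method": "none",  # public client, PKCE protects the code
        "scope": " ".join(request_scopes(as_metadata, base_scopes)),
    }


@dataclass
class TokenSet:
    access_token: str
    refresh_token: Optional[str]
    expires_at: float  # absolute epoch seconds

    def needs_refresh(self, now: float) -> bool:
        return now >= self.expires_at - REFRESH_SKEW_SECONDS


class ReauthRequired(Exception):
    """No usable refresh token: only the interactive browser flow remains."""


def apply_token_response(current: Optional[TokenSet], resp: dict, now: float) -> TokenSet:
    """RFC 6749 section 6: a rotated refresh_token replaces the stored one; a
    response that omits refresh_token keeps the existing one rather than
    dropping it."""
    refresh = resp.get("refresh_token") or (current.refresh_token if current else None)
    return TokenSet(resp["access_token"], refresh, now + float(resp.get("expires_in", 3600)))


class TokenManager:
    """Checks expiry before every request and refreshes silently mid-session."""

    def __init__(self, token_endpoint: Callable[[dict], dict], tokens: TokenSet):
        self.token_endpoint = token_endpoint
        self.tokens = tokens

    def bearer_for_request(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self.tokens.needs_refresh(now):
            if not self.tokens.refresh_token:
                raise ReauthRequired("access token expired and no refresh token held")
            resp = self.token_endpoint({"grant_type": "refresh_token",
                                        "refresh_token": self.tokens.refresh_token})
            self.tokens = apply_token_response(self.tokens, resp, now)
        return self.tokens.access_token


class FakeAuthServer:
    """Constructed /token stand-in: rotates the refresh token on first use,
    omits refresh_token afterwards, rejects unknown ones, counts requests."""

    def __init__(self) -> None:
        self.token_requests = 0
        self.valid_refresh = {"rt-1"}

    def token(self, form: dict) -> dict:
        self.token_requests += 1
        if form.get("grant_type") != "refresh_token" or form.get("refresh_token") not in self.valid_refresh:
            raise PermissionError("invalid_grant")
        new_access = f"at-{self.token_requests + 1}"
        if self.token_requests == 1:  # rotate once
            self.valid_refresh = {"rt-2"}
            return {"access_token": new_access, "expires_in": 300, "refresh_token": "rt-2"}
        return {"access_token": new_access, "expires_in": 300}  # no rotation this time


def demo() -> dict:
    """One session against the fake server; returns what the client observed."""
    auth = FakeAuthServer()
    t0 = 1_000_000.0
    mgr = TokenManager(auth.token, TokenSet("at-1", "rt-1", t0 + 300))
    first = mgr.bearer_for_request(t0 + 100)   # still valid, no /token call
    second = mgr.bearer_for_request(t0 + 280)  # inside the skew window: refresh
    third = mgr.bearer_for_request(t0 + 700)   # expired again: refresh, no rotation
    return {"bearers": [first, second, third],
            "token_requests": auth.token_requests,
            "refresh_token": mgr.tokens.refresh_token}
```

Two of the checks map directly onto the matrix: `demo()` makes exactly two /token requests after the initial auth (the count a server operator can verify, which the Claude.ai proxy row reports as zero), and after the second refresh the stored refresh token is still "rt-2" because the response omitted one, which is the RFC 6749 section 6 handling the Claude Code v2.1.136 fix restored.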
