MCP OAuth connections fail permanently when server-side tokens are invalidated

[Educg550]

What happened?

When an OAuth-protected MCP server invalidates previously issued tokens (e.g. after a server restart or key rotation), the client has no way to clear the stale stored credentials and re-authenticate. The connection fails permanently with invalid_token until the tokens expire by TTL in the database.

The root cause is twofold:

1. MCPConnectionFactory.handleOAuthRequired returns cached tokens from a recently COMPLETED OAuth flow (within 2 minutes) without checking server-side validity, causing retry loops with the same invalid token.
2. Stored tokens (access, refresh, client info) are never deleted from the database when the server explicitly returns invalid_token, so every subsequent reconnect attempt reuses the same bad credentials.

There is currently no UI affordance for the user to manually clear their stored OAuth tokens and trigger a fresh authorization flow. Having a "Clear tokens" button next to the existing "Authorize" button on the MCP server connect modal (screenshot) would let users recover from this state without needing to wait for token TTL expiry.

Version Information

v0.8.4 tag:

╰─ git rev-parse HEAD
0736ff26686e911c9785a237c63a799db1813f0b

Steps to Reproduce

1. Connect to an OAuth-protected MCP server and complete the authorization flow successfully.
2. Restart or reset the MCP server.
3. Trigger a new connection to the same MCP server.
4. Observe that the connection fails permanently.

What browsers are you seeing the problem on?

Chrome

Relevant log output

2026-04-07 17:15:54 info: [MCP][User: <user_hash>][<mcp_server_name>] Creating streamable-http transport: https://<mcp_domain>/mcp
2026-04-07 17:15:54 warn: [MCP][User: <user_hash>][<mcp_server_name>] OAuth authentication error detected
2026-04-07 17:15:54 error: [MCP][User: <user_hash>][<mcp_server_name>] Transport error (may require manual intervention): Streamable HTTP error: Error POSTing to endpoint: {"error": "invalid_token", "error_description": "Authentication failed. The provided bearer token is invalid, expired, or no longer recognized by the server. To resolve: clear authentication tokens in your MCP client and reconnect. Your client should automatically re-register and obtain new tokens."}

Screenshots

_{The new button could sit right next to "Authenticate" in this modal}

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

Thanks for reporting! This cannot be reproduced, Your commit (0736ff26) is exactly the v0.8.4 tag, and the main issue you're describing, stale client registrations causing retry loops with invalid credentials, was fixed after that release in:

• ♻️ fix: Reuse Existing MCP OAuth Client Registrations to Prevent client_id Mismatch #11925: Reuse Existing MCP OAuth Client Registrations to Prevent client_id Mismatch. This added automatic detection and cleanup of stale client registrations when the server rejects them (invalid_client, unauthorized_client, client_id mismatch, etc.), and improved the OAuth flow retry logic.

There is currently no UI affordance for the user to manually clear their stored OAuth tokens and trigger a fresh authorization flow

Additionally, there's already a Revoke button (present since before v0.8.4, the red button in your screenshot) in the MCP server config section that deletes all stored OAuth tokens (access, refresh, and client info) and revokes them at the provider. This serves as the "Clear tokens" button you're requesting, it should be visible next to the server entry when OAuth is configured.

These improvements should resolve the permanent failure state you're seeing. Please try again on the latest version (use latest or wait until new release this week) and let me know if the issue persists.