Describe the bug
Automatic MCP Server Token Refresh
Problem
When using long-running autopilot workflows (e.g., multi-PR feature development via custom agents), MCP server OAuth tokens expire mid-workflow. This causes:
- Silent tool failures — MCP tool calls return AADSTS9010010 auth errors
- Workflow interruption — the agent must stop and ask the user to manually run /mcp reload
- Lost autopilot momentum — what should be a hands-off workflow becomes a babysitting exercise
Real-world impact
During a unit test coverage feature delivered via a custom agent plugin (4 PRs, 258 tests), MCP auth expired multiple times. Each time:
- The agent retried 3× with 10s delays (workaround we built into the plugin)
- After 3 failures, it had to pause and ask the user to run /mcp reload
- The user had to switch context, reload, then tell the agent to continue
- Total disruption: ~2-5 minutes per occurrence, multiple occurrences per session
This completely undermines the value proposition of autopilot mode.
Proposed Solution
Proactive token refresh: The CLI should detect when an MCP server's OAuth token is approaching expiry and refresh it automatically in the background, similar to how az login maintains a token cache with automatic refresh.
Implementation suggestions
- Use the OAuth refresh token (if available) to obtain a new access token before expiry
- If using device code flow, detect the approaching expiry window (e.g., 5 minutes before) and initiate re-auth proactively
- Surface a non-blocking notification: "🔄 Refreshed MCP auth for [server-name]"
- If silent refresh is impossible (no refresh token), fall back to prompting — but only once, not on every tool call
Environment
- Copilot CLI on Windows (PowerShell)
- MCP servers using Entra ID (Azure AD) OAuth
- Token lifetime: typically 1 hour
- Workflows: 2-6+ hours in autopilot mode
Current Workaround
We built an "MCP Auth Recovery Gate" pattern into our plugin, but this requires manual intervention.
Retry 3× with 10s delay → if all fail with AADSTS error → ask user to run /mcp reload
This works but defeats autopilot's purpose.
Affected version
No response
Steps to reproduce the behavior
No response
Expected behavior
No response
Additional context
No response
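The proactive refresh proposed in the issue above, as an added example (not part of the original issue and not Copilot CLI code). `McpTokenManager`, `refreshFn`, `promptFn` and `notify` are hypothetical names; the two injected functions stand in for the real OAuth token-endpoint call and the interactive re-auth.

```javascript
// Added example; all names are hypothetical, not Copilot CLI internals.
const REFRESH_SKEW_MS = 5 * 60 * 1000; // the "5 minutes before" window from the issue

class McpTokenManager {
  // refreshFn(refreshToken) and promptFn() are injected and must resolve to
  // { accessToken, refreshToken?, expiresInSec }.
  constructor(server, initial, { refreshFn, promptFn, notify = () => {}, now = Date.now }) {
    Object.assign(this, { server, refreshFn, promptFn, notify, now, inflight: null });
    this.store(initial);
  }

  store(r) {
    this.token = {
      accessToken: r.accessToken,
      // Refresh tokens may rotate: prefer the new one, else keep the current one.
      refreshToken: r.refreshToken ?? this.token?.refreshToken,
      expiresAt: this.now() + r.expiresInSec * 1000,
    };
  }

  needsRefresh() {
    return this.now() >= this.token.expiresAt - REFRESH_SKEW_MS;
  }

  // Called before every MCP tool call; renews ahead of expiry, not after a failure.
  async getAccessToken() {
    if (this.needsRefresh()) {
      // Single-flight: concurrent tool calls share one renewal, so the user
      // is prompted at most once instead of once per call.
      this.inflight ??= this.renew().finally(() => { this.inflight = null; });
      await this.inflight;
    }
    return this.token.accessToken;
  }

  async renew() {
    let result = null;
    if (this.token.refreshToken) {
      try {
        result = await this.refreshFn(this.token.refreshToken);
      } catch {
        this.token.refreshToken = undefined; // rejected or revoked: do not reuse it
      }
    }
    result ??= await this.promptFn(); // no silent path left: interactive re-auth
    this.store(result);
    this.notify(`Refreshed MCP auth for ${this.server}`); // never include token values
  }
}
```

Keeping token values out of the notification and discarding a rejected refresh token keeps secrets out of terminal scrollback and avoids replaying a revoked credential.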