Streamable HTTP: "Not Acceptable" error after OAuth completes

[jreynar]

Description

After connecting to a Streamable HTTP MCP server that requires OAuth, the OAuth dance completes successfully but subsequent POST requests to the server fail with:

MCP error -32099: Streamable HTTP error: Error POSTing to endpoint:
{"jsonrpc":"2.0","error":{"code":-32000,"message":"Not Acceptable: Client must accept both application/json and text/event-stream"},"id":null}

The Streamable HTTP transport spec requires clients to send Accept: application/json, text/event-stream on POST requests. Inspector 0.21.2 appears to send an Accept header that does not include both types, so the server's StreamableHTTPServerTransport.handleRequest rejects with -32000.

Reproduction

1. Connect to any public MCP server using Streamable HTTP transport with OAuth (e.g., a server using @clerk/mcp-tools).
2. Complete the OAuth flow in the browser.
3. After redirect back, Inspector attempts the initialize request.
4. The request fails with the -32000 "Not Acceptable" error.

Server-side verification

The same server returns a normal 401 (no token) when hit with curl using the correct Accept header, proving the server's Accept-validation is correct:

curl -i -X POST https://<server>/mcp \
  -H "Accept: application/json, text/event-stream" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"curl","version":"1"}}}'

Environment

• Inspector version: 0.21.2 (latest published as of filing)
• Server: HTTP MCP server using @modelcontextprotocol/sdk wrapped by @clerk/mcp-tools, behind AWS API Gateway

Expected behavior

Inspector sends Accept: application/json, text/event-stream on all POST requests to a Streamable HTTP endpoint, per the spec.

Actual behavior

The Accept header is missing one of the two required types, causing the server to reject the request with -32000 after OAuth completes.

[jreynar]

Update: this was a misdiagnosis on our side. The 406 was coming from our own MCP server, not from Inspector sending a bad Accept header.

Root cause was on the server: an Express MCP server using @modelcontextprotocol/sdk's Node Express transport, running under serverless-http in AWS Lambda, lost the Accept header when the SDK passed the request through @hono/node-server's getRequestListener. The SDK's webRequest.headers.get('accept') returned a different value than the Express req.headers.accept we'd verified, so the line-380 check in webStandardStreamableHttp.js rejected with 406 even when the client (Inspector or Anthropic's Connectors broker) was sending the spec-required Accept: application/json, text/event-stream.

The fix was to bypass the Express transport entirely and use WebStandardStreamableHTTPServerTransport directly with a manually-constructed Request (so the Accept header survives). After that, both Inspector and Anthropic's hosted MCP connectors work fine against the same server.

Closing as not-a-bug. Apologies for the noise — leaving this here so the next person who hits "406 Not Acceptable after OAuth, despite a correct Accept header" can find what was actually broken.