Connect to a remote MCP server¶
Goal: a remote HTTP MCP server appears in Claude Desktop or Claude Code as if it were a local one — login handled, tokens refreshed, transport quirks absorbed.
1. Check the connection first¶
Before touching any client config, verify mcp-stdio can reach the server:
mcp-stdio --check --oauth https://mcp.example.com/mcp
--check runs the whole path once — discovery, OAuth login in your
browser, token exchange, an MCP initialize round-trip — and prints what
happened. If this succeeds, the client config below will work.
No OAuth on the server? Drop --oauth. Static token instead? Use
MCP_BEARER_TOKEN (see Variations).
2. Add it to your client¶
claude_desktop_config.json:
{
"mcpServers": {
"my-remote-server": {
"command": "mcp-stdio",
"args": ["--oauth", "https://mcp.example.com/mcp"]
}
}
}
claude mcp add my-remote-server -- mcp-stdio --oauth https://mcp.example.com/mcp
Restart the client. On the first request a browser window opens for the
server's login page; after that, tokens live in
~/.config/mcp-stdio/tokens.json (file mode 0600) and are shared by every
terminal and session — you will not log in again until the refresh token
itself expires or is revoked.
What you get without asking¶
- Automatic token refresh — reactively on
401, and proactively in the background shortly before expiry, so long sessions do not die at the access token's TTL. - Session recovery — an expired MCP session (
404) is re-initialized transparently. - Client-bug shielding — cancellation races, pagination,
Retry-After, and other cross-implementation gaps are absorbed in the middle; see WORKAROUNDS for the catalogue.
Variations¶
| You need… | Do this |
|---|---|
| Static bearer token, no OAuth | MCP_BEARER_TOKEN=… mcp-stdio https://…/mcp |
| Extra scopes | --oauth-scope "openid offline_access mcp:tools" |
| No browser on this machine (SSH box, container) | --oauth-device — see Headless login |
The server insists on the OIDC id_token (Google IAP, AWS) |
--oauth-use-id-token |
| Legacy SSE server (2024-11-05 transport) | --transport sse |
| Corporate proxy | honored via standard HTTPS_PROXY / NO_PROXY env vars |
Every flag: mcp-stdio --help, or the
README.
Troubleshooting quickies¶
- Browser never opens — the authorize URL is printed to stderr; open it manually (the client's MCP log shows it).
AADSTS9010010on Microsoft Entra ID — some Entra ID configurations reject theresourceparameter outright; add--no-resource-indicator. See Troubleshooting.- Worked yesterday,
401today — the server may have rotated its keys or revoked the grant. Delete the server's entry from~/.config/mcp-stdio/tokens.jsonand let it re-authorize.