Unable to Configure MCP With Claude

​@tdikun This sounds like it might be a mismatch between the OAuth client permissions and what Claude is requesting. Does the error clear if you restrict the permissions in Claude to match what the OAuth client specifies, as described in this section? I know this seems redundant and the team will need to think through a more elegant way of handling this, but I suspect that might be what’s going on.

https://dev.frontapp.com/docs/mcp-server#2-connect-your-ai-assistant

Claude doesn’t allow you to configure MCP servers via JSON like that in the web tool (which is what makes it available org-wide). That only works for Claude Desktop or Code, which is not where this will really be used. However, even when trying to configure it for use with Claude Desktop just to test it, it didn’t work. I got the following warning when debugging with Claude Code:

Heads up: Claude Desktop's native MCP schema typically expects either command/args (stdio) or just url (remote with interactive OAuth). The transport: "streamable-http" + inline oauth.client_id/client_secret shape isn't standard

And even if I try to set it up just as a Claude-Code only thing, I am at least able to get to the Front Auth page, but after logging into Front, I get:

Even with the scopes locked in to just read/write, which is what i have set up for resources in the OAuth application.

Hey ​@tdikun, one of our engineers is investigating. Hopefully, we can provide you a fix for this configuration issue.

I was having the same problem as ​@tdikun until I enabled Send permissions in the OAuth settings of the Front App. I only had Read and Write permissions enabled at first. After enabling Send also I was able to add the Front MCP at the org level and connect via my account. This was in Claude.

Hi there,

I have another issue related to the OAuth App configuration at

“Enable MCP Server under Feature Access.”
I just don’t have the option : 
 

Is there any limitations due to a specific plan ?

​@Henry D. Can you try now?

​@Javier - Developer Relations Thanks it is working now.
But i encounter the same issue as ​@jeremy: not able to configure a “read-only” app with claude, it’s working with write and send permissions though !

Encountering the same - we’re keen to trial this with the team in Claude Desktop as Read only (for now). Not being able to configure this as Read only is somewhat prohibitive. 

Adding myself to the list — same invalid_scope error post-sign-in, identical UI state to @Henry G and @triton.

Confirmed config:

• OAuth feature added, redirect URLs include both https://claude.ai/api/mcp/auth_callback and http://localhost:8123/callback
• Resource permissions match the 16 scopes Claude Code requests (incl. Messages Send)
• Server entry pointing at https://mcp.frontapp.com, Scope field includes all 16 scopes with feature:mcp first
• Feature Access section only shows "Access resources" and "Auto-provisioning" — no "MCP Server" checkbox to enable

Probed externally: Front's pre-login authorize endpoint accepts every scope (individually and combined) for this client; the rejection only fires post-login. Suggests the same server-side enablement gate that Henry G hit.

​@Javier - Developer Relations  could you check if our app needs the same fix you applied for @Henry G?

As an echo, same here, worked only after allowing write and send permissions. 

I updated this to have full R/W/D/S permissions and I still can’t connect in Claude Desktop or Claude.AI. Get the same error even after removing/re-installing it. Not gonna bother with Claude Code because I don’t want to use this with Claude Code. This is by far the most convoluted MCP integration I’ve seen. The one I vibed up by pointing Claude Code at the Front API docs and deployed on Railway actually works and was simpler to create than this. 

Hi everyone, I’m Eric, an engineer at Front working with ​@Javier - Developer Relations. We appreciate the timely feedback on this feature and have been working to address these issues.

We’ve now released two fixes which should 1.) allow you to connect your MCP client without granting full permission scope, and 2.) resolve connection issues that were affecting a subset of customers.

Please give the connection setup another try and let us know if you encounter any other issues. Thank you!

​@eric.neto working well for me now! Appreciate the quick turn here. 

Thanks @eric.neto / @Javier - Developer Relations — after the fixes, the 30s connection timeout is gone. 🎉

But connecting via Claude Code (latest 2.1.156, streamable HTTP) I still get a 403 on every MCP call:

{"error":"This token cannot access the MCP Server."}

What I'm seeing:

• OAuth + token exchange succeed — the token is accepted past auth.
• It fails only at the actual MCP call, even with Read + Write + Send all enabled on the app.
• Same as @Henry D.: my OAuth app's Feature access only shows "Access resources" and "Auto-provisioning" — there's no "Enable MCP Server" toggle from the Developer Portal article.
• Already tried a hard refresh + full sign-out/in (per @Bennett) and a fresh re-auth — still the same 403.

Could you enable MCP Server access for my app "Claude Code MCP" (under my account here)? Happy to share the client_id / app id by DM. Thanks!

​@anatole can you do a hard refresh / log out and log back in? Was not appearing for me earlier until I reauthed

Yes, I just did that and re- authenticated again and it still does not work

​@Javier - Developer Relations  -  / ​@eric.neto — quick update after the two fixes. The 30s timeout is resolved, but Claude Code still returns 403 {"error":"This token cannot access the MCP Server."} on every MCP call (OAuth + token exchange succeed; it fails only at the MCP call).

I dug into my OAuth app config directly and confirmed the cause: the "Enable MCP Server" option under Feature Access does not exist for my app. I checked all three tabs:

• Features → OAuth → Feature access: only shows "Access resources" and "Auto-provisioning" — no MCP Server option (with Read+Write+Send all enabled under Resource permissions).
• Servers tab: "No servers yet" — and the Create server form is for registering an external remote origin (API Key/Bearer/OAuth2), not Front's MCP.
• Settings tab: app metadata only.

This is exactly @Henry D.'s case, which you resolved server-side ("Can you try now?"). A hard refresh + full sign-out/in + fresh re-auth did not surface the toggle for me. Could you enable MCP Server access for my app? App ID 441383 ("Claude Code MCP", client_id dbe66d630d7858e4b3bc). Thank you!

​@anatole Because we’re still in beta, this feature is only available if you request access. I’ve gone ahead and added you to the beta, so you should see it now!

For any other people in the same boat, please request access using this form. Thanks!

Hello ​@Javier - Developer Relations, I have the same issue as Anatole, I’m not seeing the “Enable MCP Server” option yet (I’ve already filled the form to request access).

Thank you for your help! 🙏 

I'm trying to connect Front's MCP server to Claude Desktop and running into repeated issues. Here's what I've tried so far:

Attempt 1: Front's provided config format
Using the config block Front provided, which included a transport: streamable-http  and an oauth block with client-id and client secret. Result: Claude Desktop threw an error and wiped my entire MCP config.

Attempt 2: mcp-remote proxy
Tried wrapping the connection through mcp-remote with --static-oath-client-info. Result: persistent 403 authorization errors. Front support subsequently advised against using mcp-remote entirely, noting it requires a different OAuth setup than their server expects and is more proof-of-concept than production-ready.

Open questions:

1. Where does the client_id go in a Claude Desktop config for a remote OAuth MCP server? It's a public identifier, not a secret, it presumably needs to be passed somewhere for the OAuth flow to initiate correctly.
2. Does Claude Desktop's native OAuth support require Dynamic Client Registration, PKCE, or something else specific that Front's OAuth server needs to accommodate?
3. Has anyone successfully connected Front's MCP server to Claude Desktop? What does your working config look like?

Front's OAuth app is set up. The missing piece seems to be the correct Claude Desktop config syntax to use them. Thank you!

I’d be curious if anyone has a JSON config to share for Claude Desktop. Did you need to make changes compared to our recommended config? 

FWIW, I was able to get this to connect today in Claude Desktop as an org-level MCP, without having to configure JSON. Looking forward to using it!

Hello - I am also getting the 403 Unauthorized Client when i try to sign in from Codex CLI or Claude Code CLI. The Front login flow triggers, but after logging in, i get the Unauthorized Client error. 
 

Claude Code mcp.json

"front": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://mcp.frontapp.com/mcp",
        "--static-oauth-client-info",
        "{\"client_id\":\"xx\",\"client_secret\":\"${FRONT_CLIENT_SECRET}\"}"
      ],
      "env": {
        "FRONT_CLIENT_SECRET": "xxx"
      }
    }

Codex CLI config.toml

[mcp_servers.front]
url = "https://mcp.frontapp.com/mcp"
transport = "streamable-http"

[mcp_servers.front.oauth]
client_id = "xxx"
client_secret = "xxx"
scopes = ["read"]

Other details:

• we use SSO for front, via Rippling

Hi everyone,

We pushed another small fix, including for some customer instances that were misconfigured to be on the beta. For anyone having issues, could you please try again now?

If your problem is not resolved, could you please post a reply with the following 5 items:

​​​​

1. The exact AI agent you’re connecting to (Claude Web, Claude Code, Claude Desktop, etc.)
2. Mac or Windows
3. Confirm you’re following the recommendations in the newest setup guide, including pointing to https://mcp.frontapp.com/mcp and avoiding the use of mcp-remote.
   1. If you are deviating from the setup guide, please tell us how and why
4. The errors you’re seeing
5. The content of your configuration file (with sensitive details anonymized)

Thank you!

Same error for me