OAuth Support and Authentication Flows
Claude Code handles the full OAuth flow for services like GitHub, Slack, Linear, and Google Workspace — browser-based authentication, automatic token refresh, and clean revocation via /mcp.
Quick Reference
- OAuth-enabled MCP servers: GitHub, Slack, Linear, Notion, Google Calendar, Gmail, Google Drive, Figma
- Flow: Claude Code opens your browser → you authenticate → token stored locally and refreshed automatically
- RFC 9728-compliant OAuth: industry-standard flow, not a proprietary workaround
- Token storage: local to your machine, never sent to Anthropic servers
- Revoke access: claude mcp revoke <server> or via /mcp in session
- Non-OAuth services: inject API keys via env block in .mcp.json
How OAuth Works in Claude Code
Several MCP servers connect to services that use OAuth for authentication — GitHub, Slack, Linear, Notion, and the Google Workspace suite. Rather than requiring you to manually obtain and rotate tokens, Claude Code implements RFC 9728, the standard OAuth flow for MCP servers.
First connection
When you first use an OAuth-enabled MCP server, Claude Code opens your browser and takes you to the service's authentication page.
You authenticate
You log in with your account credentials on the service's own website — Claude Code never sees your password.
Token stored locally
After authentication, the OAuth token is stored locally on your machine. It is not sent to Anthropic.
Automatic refresh
Claude Code handles token refresh automatically. You authenticate once and the connection stays active.
Claude Code's OAuth implementation follows RFC 9728 — the official IETF standard for OAuth 2.0 in MCP. This means the flow is interoperable with any RFC 9728-compliant MCP server, including ones you build yourself.
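For a server you build yourself, the piece of RFC 9728 a client relies on is the protected resource metadata document: the server advertises it in the WWW-Authenticate header of a 401 response, and the client reads it to learn which authorization server to send the browser to. The Python below is an added example, not Claude Code's implementation; the function names are hypothetical and the hosts, header and JSON documents are constructed sample data.

```python
import json
import re
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"  # path registered by RFC 9728


def metadata_url_from_challenge(www_authenticate):
    """Return the resource_metadata URL from a Bearer challenge, or None."""
    m = re.search(r'\bresource_metadata="([^"]+)"', www_authenticate)
    return m.group(1) if m else None


def well_known_url(resource):
    """Insert the well-known path between the host and the resource path."""
    u = urlsplit(resource)
    path = "" if u.path == "/" else u.path
    return urlunsplit((u.scheme, u.netloc, WELL_KNOWN + path, u.query, ""))


def authorization_servers(resource, metadata_json):
    """Return the issuers listed for `resource`; raise ValueError if unusable."""
    meta = json.loads(metadata_json)
    # RFC 9728 validation: metadata naming a different resource than the one
    # the client is connecting to must not be used.
    if meta.get("resource") != resource:
        raise ValueError("resource mismatch: %r" % (meta.get("resource"),))
    # Optional in RFC 9728, but without it the client has no issuer to use.
    servers = meta.get("authorization_servers")
    if not isinstance(servers, list) or not servers:
        raise ValueError("no authorization_servers listed")
    for issuer in servers:
        if not isinstance(issuer, str) or urlsplit(issuer).scheme != "https":
            raise ValueError("issuer is not an https URL: %r" % (issuer,))
    return servers


# Constructed sample data (hypothetical hosts), standing in for a 401 response
# and the JSON document fetched from the advertised metadata URL.
RESOURCE = "https://mcp.example.com/mcp"
CHALLENGE = 'Bearer resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource/mcp"'
GOOD = '{"resource": "https://mcp.example.com/mcp", "authorization_servers": ["https://auth.example.com"]}'
BAD = '{"resource": "https://other.example.net/mcp", "authorization_servers": ["https://auth.example.net"]}'

if __name__ == "__main__":
    print(metadata_url_from_challenge(CHALLENGE) == well_known_url(RESOURCE))
    print(authorization_servers(RESOURCE, GOOD))
    try:
        authorization_servers(RESOURCE, BAD)
    except ValueError as err:
        print("rejected:", err)
```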