Bug Description
When Claude Desktop launches mcp-remote, it spawns two processes simultaneously for the same MCP server. Both processes race through the OAuth DCR + PKCE flow, corrupting each other's state by writing to the same cache files.
Steps to Reproduce
- Configure
claude_desktop_config.json:
{
"mcpServers": {
"my-server": {
"command": "C:\nvm4w\nodejs\npx.cmd",
"args": ["mcp-remote", "https://my-mcp-server.com/mcp", "--debug"]
}
}
}
- Clear auth cache:
rm -rf ~/.mcp-auth/
- Restart Claude Desktop
- Observe two processes spawned with different PIDs
Debug Log Evidence
From --debug output, two processes [2568] and [59228] run simultaneously:
[2568] Saving client info {"client_id":"2ea74177-3488-4163-848d-01c90e1f60ee"}
[59228] Saving client info {"client_id":"0ffd08e1-343e-43f2-be65-c6530ef06bdc"}
[2568] Saving code verifier
[59228] Saving code verifier <-- overwrites [2568]'s verifier
[2568] Auth code received, resolving promise
[2568] Code verifier found: true <-- reads [59228]'s verifier
[2568] Authorization error: Invalid code_verifier
Root Cause
- Process A registers OAuth client via DCR → gets
client_id_A, generates code_verifier_A, saves to ~/.mcp-auth/.../code_verifier.txt
- Process B registers a different client → gets
client_id_B, generates code_verifier_B, overwrites the same file
- Process A's browser auth completes → reads
code_verifier_B from file (not its own code_verifier_A)
- Token exchange sends
code_verifier_B for code_challenge_A → Frontegg rejects: {"errors":["Invalid code_verifier"]}
Workaround
Pre-authenticate manually before starting Claude Desktop:
rm -rf ~/.mcp-auth/
npx mcp-remote https://my-mcp-server.com/mcp
# Complete login → wait for "Proxy established" → Ctrl+C
# Then restart Claude Desktop (reuses cached token)
Running manually spawns only one process, so PKCE state is consistent and auth succeeds.
Environment
- Windows 11 Pro
- Node.js v24.8.0
- mcp-remote 0.1.37
- Claude Desktop (latest as of April 2026)
- OAuth provider: Frontegg (with DCR + PKCE S256)
Suggested Fix
The file-based PKCE cache should be keyed per-process or use a lock to prevent concurrent writes. Alternatively, mcp-remote could detect an existing auth flow in progress and defer to it instead of starting a parallel flow.
Bug Description
When Claude Desktop launches
mcp-remote, it spawns two processes simultaneously for the same MCP server. Both processes race through the OAuth DCR + PKCE flow, corrupting each other's state by writing to the same cache files.Steps to Reproduce
claude_desktop_config.json:{ "mcpServers": { "my-server": { "command": "C:\nvm4w\nodejs\npx.cmd", "args": ["mcp-remote", "https://my-mcp-server.com/mcp", "--debug"] } } }rm -rf ~/.mcp-auth/Debug Log Evidence
From
--debugoutput, two processes [2568] and [59228] run simultaneously:Root Cause
client_id_A, generatescode_verifier_A, saves to~/.mcp-auth/.../code_verifier.txtclient_id_B, generatescode_verifier_B, overwrites the same filecode_verifier_Bfrom file (not its owncode_verifier_A)code_verifier_Bforcode_challenge_A→ Frontegg rejects:{"errors":["Invalid code_verifier"]}Workaround
Pre-authenticate manually before starting Claude Desktop:
Running manually spawns only one process, so PKCE state is consistent and auth succeeds.
Environment
Suggested Fix
The file-based PKCE cache should be keyed per-process or use a lock to prevent concurrent writes. Alternatively, mcp-remote could detect an existing auth flow in progress and defer to it instead of starting a parallel flow.