Strixa AI

Code | Tracked since May 20, 2026

LibreChat now triggers OAuth before MCP connect when tokens are missing

This PR changes MCP startup flow so a server configured with `requiresOAuth: true` no longer waits for a later auth error to start OAuth; `MCPConnectionFactory.createConnection()` now checks for stored tokens and, if absent, proactively runs the OAuth flow before calling `attemptToConnect()`. The flow emits `oauthRequired`, awaits `oauthHandled` or `oauthFailed`, and uses the parsed server URL to fail fast when mandatory connection metadata is missing.

LibreChat, MCP, OAuth, MCPConnectionFactory

Signal Intelligence

Confidence Level: 94%
Worth Continued Tracking: Final score 81% with 1 evidence item.
Primary Impact Areas
LibreChat, MCP, OAuth

What Happened

  • This PR changes MCP startup flow so a server configured with `requiresOAuth: true` no longer waits for a later auth error to start OAuth; `MCPConnectionFactory.createConnection()` now checks for stored tokens and, if absent, proactively runs the OAuth flow before calling `attemptToConnect()`. The flow emits `oauthRequired`, awaits `oauthHandled` or `oauthFailed`, and uses the parsed server URL to fail fast when mandatory connection metadata is missing.
  • 1 evidence item attached for review.

What is Different

Before

Scattered source updates, isolated context, and manual follow-up across multiple feeds.

Now

Implemented a proactive authentication gate in `MCPConnectionFactory.createConnection()` for explicitly OAuth-required MCP servers, so missing-token sessions trigger OAuth before connection establishment and use the existing `handleOAuthEvents` path to coordinate `oauthHandled`/`oauthFailed` outcomes.
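The gate described above, as an added JavaScript sketch that is not LibreChat's code and not taken from the PR: it checks for a stored token, fails fast on an unusable URL, and otherwise emits `oauthRequired` and waits for `oauthHandled` or `oauthFailed` before calling `attemptToConnect()`. The event bus, the token map, the `flowId` correlation key, the timeout and the http(s) scheme check are assumptions made for the illustration.

```javascript
// Added sketch, not LibreChat's code: only requiresOAuth, attemptToConnect and the
// three event names come from the page; bus, tokens, flowId, timeoutMs are assumed.
const fire = (bus, type, detail) =>
  bus.dispatchEvent(Object.assign(new Event(type), { detail }));

// Emit oauthRequired, then settle on oauthHandled, oauthFailed or a timeout.
function runOAuth(bus, request, timeoutMs) {
  return new Promise((resolve, reject) => {
    const ac = new AbortController(); // drops both listeners once settled
    const done = (fn, value) => { clearTimeout(timer); ac.abort(); fn(value); };
    const timer = setTimeout(() => done(reject, new Error('oauth timed out')), timeoutMs);
    const on = (type, fn) => bus.addEventListener(type, (e) => {
      if (e.detail.flowId === request.flowId) done(fn, e.detail); // ignore other flows
    }, { signal: ac.signal });
    on('oauthHandled', resolve);
    on('oauthFailed', (d) => reject(new Error(`oauth failed: ${d.reason}`)));
    fire(bus, 'oauthRequired', request);
  });
}

async function createConnection(config, userId, { bus, tokens, attemptToConnect, timeoutMs = 5000 }) {
  const flowId = `${userId}:${config.name}`;
  if (config.requiresOAuth) {
    let url = null;
    try { url = new URL(config.url); } catch { /* handled below */ }
    // Fail fast: without a usable URL there is nothing to authorize against.
    if (!url || !/^https?:$/.test(url.protocol)) throw new Error('missing or invalid server url');
    if (!tokens.has(flowId)) {
      const handled = await runOAuth(bus, { flowId, serverUrl: url.href }, timeoutMs);
      tokens.set(flowId, handled.tokens);
    }
  }
  return attemptToConnect(config, tokens.get(flowId));
}

// Constructed demo: an approving handler, called without and then with a stored token.
async function demo() {
  const log = [];
  const bus = new EventTarget();
  bus.addEventListener('oauthRequired', (e) => {
    log.push('oauthRequired');
    queueMicrotask(() => fire(bus, 'oauthHandled', { flowId: e.detail.flowId, tokens: 'constructed-token' }));
  });
  const deps = { bus, tokens: new Map(), attemptToConnect: async () => log.push('connect') };
  const config = { name: 'example', url: 'https://mcp.example.test/', requiresOAuth: true };
  await createConnection(config, 'user-1', deps);
  await createConnection(config, 'user-1', deps); // stored token: no second OAuth round
  return log;
}
```

Keying both the stored token and the awaited event on the same user-and-server identifier keeps one user's completed authorization from unblocking another user's pending connection.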

Why Track This

Why It Matters

For operators and users of OAuth-protected MCP integrations in LibreChat (such as Google BigQuery MCP), connections now require user authorization before the server is considered usable, which prevents the misleading state where a server appears connected but tool calls still fail with authentication errors. This materially reduces failed tool executions after connect and shortens the time to detect credential/setup problems. Implementation-wise, teams should monitor OAuth callback reliability, token persistence/load failures, and malformed `ParsedServerConfig.url` values because these conditions now directly decide whether connection proceeds or returns early with an auth URL.

What To Watch Next

  • Watch whether LibreChat becomes a repeated pattern.
  • Track follow-up changes around Model Context Protocol.
  • Compare future signals against this evidence trail.
  • Re-check risk flags: oauth_callback_failures, stored_token_edge_cases.
oauth_callback_failures / stored_token_edge_cases / missing_or_invalid_server_url / premature_connection_blocking_on_reused_tokens

Supporting Evidence

GITHUB PULL REQUEST | High Trust

danny-avila/LibreChat PR #12759: Implement proactive OAuth flow for connections without tokens

Fixes MCP servers that accept unauthenticated handshake calls but require OAuth for tool execution, which previously appeared connected while tool calls later failed with authentication errors.