Authorization header not properly sending access token after OAuth authentication (v0.16.8+) #826
Description
Describe the bug
After successfully completing OAuth authentication in MCP Inspector v0.16.8 and v0.16.9, the Authorization header sent to the MCP server contains only "Bearer" without the access token appended. This causes authenticated requests to fail with 401 Unauthorized errors despite successful OAuth flow completion.
To Reproduce
Steps to reproduce the behavior:
- Configure an MCP server with OAuth authentication using DCR (Dynamic Client Registration)
- Start MCP Inspector v0.16.8 or v0.16.9 with the server configuration
- Complete the OAuth authentication flow successfully (receive "Authentication Complete" message)
- Attempt to make any request to the MCP server (e.g., list tools, resources)
- Observe that the server receives Authorization header with value "Bearer" (missing the token)
Expected behavior
The Authorization header should contain "Bearer [access_token]" where [access_token] is the OAuth access token obtained during authentication.
Screenshots
N/A - Issue is in HTTP headers not visible in UI
Logs
Server logs showing the malformed Authorization header:
Authorization header received: "Bearer"
Expected format: "Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
Context
MCP Inspector version: v0.16.8, v0.16.9
MCP SDK version: 1.18.1
Node version: v22.x
Operating system: macOS
Additional context
- The issue appears to be a regression introduced in v0.16.8
- Downgrading to MCP Inspector v0.16.7 resolves the issue completely
- The OAuth flow itself completes successfully - the issue is only with how the token is sent in subsequent requests
- This affects any MCP server using OAuth authentication with token validation
Workaround
Downgrade to MCP Inspector v0.16.7:
"@modelcontextprotocol/inspector": "0.16.7"