Access Token Expiry Not Triggering Refresh in Atlassian MCP Server

[amirejaz]

After the access token expires, the Atlassian MCP server fails to refresh it using the refresh_token. Instead, it continues to send API requests with the expired access_token, resulting in 401 Unauthorized responses from the upstream service.

Current Behavior

• The server successfully authenticates and receives a valid access_token and refresh_token.
• Once the access token reaches its expiry (as per the Expiry field in the token struct), subsequent API calls return 401 Unauthorized.
• No refresh request appears to be made using the refresh_token.

---

Expected Behavior

When the access token expires, the MCP server should automatically use the refresh_token to obtain a new access_token and retry the failed request seamlessly.

---

Steps to Reproduce

1. Start the Atlassian MCP server and authenticate successfully.
2. Allow 1 hour to pass (or force token expiry).
3. Observe API calls made by the MCP server to Atlassian APIs.
4. After expiry, responses become 401 Unauthorized.
5. No refresh request is observed in logs or network traces.

[Joc007]

I can confirm I am experiencing this issue while using the Atlassian MCP server with the Gemini CLI. In addition to the 401 Unauthorized errors, I am also seeing ETIMEDOUT errors, which I believe are a consequence of the expired token.

This issue requires frequent manual re-authentication and disrupts the workflow. Looking forward to a fix.

ℹ Refreshing expired token for MCP server: atlassian-rovo-mcp-server
✖ Failed to refresh token: Token refresh failed: 400 - {"error":"invalid_grant","error_description":"Grant not found"} 
ℹ Authenticated via "oauth-personal".
✖ Error during discovery for server 'atlassian-rovo-mcp-server': 401 error received for SSE server 'atlassian-rovo-mcp-server' without OAuth configuration. Please authenticate using: /mcp auth atlassian-rovo-mcp-server

[jontsai]

Root Cause Analysis & Proposed Fix

I've been investigating this issue and wanted to share my findings along with a potential fix.

Architecture Context

This repository contains documentation and skills—the actual authentication logic is handled by:

1. Atlassian's backend at mcp.atlassian.com
2. The MCP client (e.g., mcp-remote for desktop clients, or Claude's built-in MCP client)

Why This Happens

Atlassian implements rotating refresh tokens (OAuth 2.0 3LO docs). Each token refresh issues a NEW refresh token and invalidates the old one. The invalid_grant error occurs when:

1. Multiple processes (or a process restart) read the same refresh_token from disk
2. First refresh succeeds → Atlassian issues new token RT_v2, invalidating RT_v1
3. Second attempt uses stale RT_v1 → invalid_grant

Additionally, mcp-remote stores expires_in (relative seconds) rather than an absolute timestamp, so tokens read from disk appear valid when they've actually expired.

Note: This primarily affects multiple MCP clients on the same machine sharing the same token file (e.g., VS Code + Claude Desktop both using mcp-remote). Different machines maintain separate OAuth sessions and shouldn't interfere with each other.

Proposed Fix

I've submitted a PR to mcp-remote that addresses these issues:

geelen/mcp-remote#209

The fix includes:

1. invalid_grant handling - Detect this error and trigger fresh authentication instead of failing
2. Absolute expiration timestamps - Store expires_at for accurate expiry checks
3. Atomic file writes - Prevent race conditions with temp file + rename pattern

Workaround (Until Fix is Merged)

Simply re-authenticate with Atlassian when you encounter the error. In my experience, this works without needing to remove/re-add the MCP server or delete any token files.

[likaiacorns]

Hi, any updates on this?

[Lumca]

I have to delete mcp token and then run auth command again to make it work

[ccmcbeck]

I'm using the Rovo MCP with the Claude Code's VS Code extension, which also has the OP's issue.

I often have multiple tabs with multiple Claude sessions. When Rovo finally decides to re-authenticate, I get an OAuth web popup per session. That may be a different issue (on the Claude or VSCode side), but it's a very annoying side effect of the OP's issue.

[iosamaatlassian]

We released API Tokens auth, this should make desktop apps and clis more reliable. Please check this thread for more details and let us know your feedback. Plus we fixed few issues that was leading to re-auth for long running sessions.

#75 (comment)

[iosamaatlassian]

Please let us know your feedback

[otteydw]

@iosamaatlassian so far the API auth token access has been very stable. Thank you.

[ccmcbeck]

You guys are awesome. I've switched to Rovo Token based auth and my world is back in order

[ccmcbeck]

Now if you could just add Bitbucket...

[iosamaatlassian]

We will share some updates soon on Bitbucket :)