MCP Inspector Not Using Refresh Token for Token Validation

[rinormaloku]

The MCP Inspector should utilize the refresh_token to properly validate the token refresh flow.

Steps to Reproduce:

• Use a short-lived access token
• Log in and wait for the token to expire
• Send a request (e.g., list/tools)

Expected Behavior:
The token should be automatically refreshed when expired.

Actual Behavior:
The request fails with the following error:

MCP error -32001: Error POSTing to endpoint (HTTP 401): {"message":"Invalid or expired access token","error":"Unauthorized","statusCode":401}

Additional Issues:

• Clicking "reconnect" also fails to use the refresh_token
• A code search confirms that refresh_token is not implemented anywhere in the codebase

Impact:
This prevents proper evaluation of the Authorization specification, as the refresh token flow cannot be tested.

[olaservo]

Closing as duplicate of #665 which tracks the token refresh flow implementation.

[rendyfebry]

Hi @olaservo

I don't think this is really duplicate issue.

The #665 expect refresh token flow to works when you intentionally click "Guided OAuth Flow" or "Quick OAuth Flow" in inspector Auth menu.

While this one is one step above that, the client should automatically trigger refresh token when it call the server with access token, but got token expiry error.

[Ayushlm10]

I was testing this with v0.16.0 where at least after clicking reconnect it works. But yeah, still does not refresh automatically.