fix(code): proxy MCP requests locally to keep OAuth tokens fresh #1713
Merged
tatoalo
approved these changes
Apr 17, 2026
No longer needed — the MCP proxy fetches a fresh token per request via authenticatedFetch, so proactive refresh ahead of expiry doesn't add value. Drop the timer, blocker/pending mechanism, the "Schedule refresh" menu item, and the session-idle flush wiring. Also strip two debug logs left from the investigation.
Problem
MCP transports bake Authorization headers at construction time. When the OAuth access token rotates during a long-running agent session, every subsequent MCP call against the PostHog MCP server (and other authed installations) keeps sending the stale bearer and gets rejected. Tearing the transport down on every rotation is expensive and racy.
Changes
McpProxyService: local loopback HTTP server that forwards MCP requests to their real targets, injecting a fresh token via AuthService.authenticatedFetch on every hop. Handles buffered JSON responses and SSE streams, and retries once with a force-refreshed token when the MCP body encodes an auth failure as a JSON-RPC error (200 OK + authentication_failed).
AgentAuthAdapter routes the built-in posthog server and every authed installation through the proxy instead of embedding the bearer in the MCP config.
AuthService proactively schedules a refresh 30 min before expiry, but AgentService registers a blocker so refreshes are deferred while any agent turn is in flight and flushed once all sessions go idle.
Debug menu gains "Schedule refresh" and "Force refresh" items.
_posthog/refresh_mcp ACP extension reserved for client-driven reconnect flows.
How did you test this code?
McpProxyService dependency in AgentAuthAdapter and AgentService (pnpm --filter code test).
Publish to changelog?
no
cc @PostHog/team-posthog-ai
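The per-request token injection and single forced-refresh retry described under Changes, as an added sketch that is not this PR's code. The names forwardMcp, isAuthFailure, auth.getToken and upstream are hypothetical, and the JSON-RPC error body shape is an assumption, since the description gives only "200 OK + authentication_failed".

```javascript
// Added example, not code from the PR. Assumed failure body:
// {"jsonrpc":"2.0","id":1,"error":{"code":-32000,"message":"authentication_failed"}}
function isAuthFailure(status, bodyText) {
  if (status === 401) return true; // plain 401 handled too (addition of this example)
  if (status !== 200) return false;
  try {
    const err = JSON.parse(bodyText).error;
    // Matches the marker anywhere in the error object, since its field is assumed.
    return Boolean(err) && JSON.stringify(err).includes("authentication_failed");
  } catch {
    return false; // not JSON (e.g. an SSE stream): never treated as an auth failure
  }
}

// auth.getToken({ force }) -> Promise<string>; upstream(req) -> Promise<{status, body}>.
// Both are stand-ins injected by the caller.
async function forwardMcp(req, auth, upstream) {
  for (let attempt = 0; attempt < 2; attempt++) {
    const token = await auth.getToken({ force: attempt === 1 });
    // Drop any Authorization the client sent; only the proxy attaches the bearer,
    // so the token never has to live in the MCP config.
    const headers = Object.fromEntries(
      Object.entries(req.headers).filter(([k]) => k.toLowerCase() !== "authorization"));
    headers.authorization = `Bearer ${token}`;
    const res = await upstream({ ...req, headers });
    // Retry at most once, so a persistently rejected token cannot loop.
    if (attempt === 1 || !isAuthFailure(res.status, res.body)) {
      return { ...res, attempts: attempt + 1 };
    }
  }
}

// Constructed demo: the token has rotated to tok-2 but the cached copy is still tok-1.
function makeDemo() {
  const current = "tok-2";
  let cached = "tok-1";
  const seen = [];
  const auth = { getToken: async ({ force }) => (force ? (cached = current) : cached) };
  const upstream = async (r) => {
    seen.push(r.headers.authorization);
    return r.headers.authorization === `Bearer ${current}`
      ? { status: 200, body: '{"jsonrpc":"2.0","id":1,"result":{}}' }
      : { status: 200, body: '{"jsonrpc":"2.0","id":1,"error":{"code":-32000,"message":"authentication_failed"}}' };
  };
  return { auth, upstream, seen };
}
```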