`MCPX_OAUTH_REFRESH_403`

Severity: error Domain: OAuth

What happened

mcpproxy presented a refresh token to the provider's token endpoint and got an HTTP 403 (or invalid_grant) back. The token was technically still in our store, but the provider considers it unusable.

Common causes

The user revoked the OAuth grant from their account settings.
The OAuth client (client_id) was deleted or rotated provider-side.
Refresh-token rotation: the provider already issued a successor and now refuses the older one.
The redirect URI / scopes registered for the client changed.
Conditional-access / device-trust policy (Microsoft Entra) revoked the session.

How to fix

1. Re-authenticate

mcpproxy upstream login <server-name>

Or click Log in again on the server's web UI page. This is the only deterministic recovery — silent retry will keep failing.

2. Verify the client is still valid

If re-login still 403s, the OAuth client itself may be misconfigured:

Confirm client_id / client_secret in the upstream config still exist on the provider side.
Verify the redirect URI matches exactly what the provider has registered (mcpproxy persists a per-server callback — see MCPX_OAUTH_CALLBACK_MISMATCH).

3. Check provider-side audit log

Many providers expose a sign-in / token audit log that says exactly why the refresh was denied (revoked, scope changed, conditional access, etc.).

MCPX_OAUTH_REFRESH_EXPIRED — natural expiry
MCPX_OAUTH_CALLBACK_MISMATCH — wrong redirect URI
OAuth Authentication

What happened​

Common causes​

How to fix​

1. Re-authenticate​

2. Verify the client is still valid​

3. Check provider-side audit log​

Related​