Debug OAuth 2.1 for MCP servers
Use the MCP OAuth Debugger to walk through the OAuth 2.1 authorization flow step by step. The debugger surfaces every request, response, and discovered metadata payload so you can identify which phase of the OAuth handshake is failing.
The OAuth Debugger tab appears in the response pane when your MCP request uses OAuth 2.0 authorization, or when the server returns a 401 Unauthorized response after a connection attempt.
The OAuth Debugger only opens after you click Connect.
Debug an OAuth 2.1 connection
Use the OAuth Debugger to step through each phase of the OAuth 2.1 handshake and identify where the connection is failing.
To debug an OAuth 2.1 connection, do the following:
- Choose an existing streamable HTTP MCP request or create a new one.
- Click Connect. If the server requires OAuth, Postman opens the OAuth Debugger tab in the response pane.
- Review the first step, Send request without token. This step sends an unauthenticated request to the server so Postman can observe the OAuth challenge it returns. Each step displays the following:
  - The HTTP method and URL.
  - Request and response headers.
  - Request and response body.
  - The HTTP status code.
- Click Continue to advance to the next phase. Steps display a status indicator: running while in progress, passed on success, or failed if an error occurs. A failed step means that phase is where the OAuth handshake is breaking down.
- To re-run the flow from the beginning, click Restart.
Review OAuth server configuration
After Postman fetches authorization server metadata, you can go to the OAuth Config section in the OAuth Debugger tab to review the server’s discovered configuration.
The OAuth Config section includes the following:
- Endpoints — The issuer URL, authorization endpoint, token endpoint, dynamic client registration endpoint, and protected resource endpoint. Click Copy next to any endpoint to copy it to your clipboard.
- Capabilities — Whether the server supports PKCE with S256, dynamic client registration, and the client ID metadata document.
- Supported values — The grant types, response types, code challenge methods, and token endpoint authentication methods the server advertises.
Client secrets discovered during dynamic client registration are redacted in the debugger trace. They’re stored securely and used for subsequent token requests, but aren’t displayed.
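The two places the debugger most often reports a failed step are the first phase (the unauthenticated probe and the 401 challenge it returns) and the OAuth Config view (a server that does not advertise PKCE S256 or the authorization code grant). The following added example, which is not Postman's code, reproduces those checks offline: it parses a constructed WWW-Authenticate challenge, reduces constructed RFC 8414 authorization server metadata to the same Endpoints, Capabilities and Supported values summary, and computes and verifies an S256 code challenge the way the token endpoint will on redemption. The host names, metadata values and the client_id_metadata_document_supported key are assumptions for a hypothetical server.

```python
"""Offline walk-through of the phases the OAuth Debugger surfaces.

Added example, not Postman's code. All URLs and metadata below are
constructed samples for a hypothetical MCP server; nothing here makes
a network call, it only parses and checks what a real server returns.
"""
import base64
import hashlib
import hmac
import re
import secrets

# Phase 1 (constructed): headers returned to the "Send request without token" probe.
SAMPLE_401_HEADERS = {
    "WWW-Authenticate": (
        'Bearer realm="mcp", error="invalid_token", '
        'resource_metadata="https://mcp.example.test/.well-known/oauth-protected-resource"'
    ),
}

# Phase 2 (constructed): authorization server metadata in RFC 8414 shape.
SAMPLE_AS_METADATA = {
    "issuer": "https://auth.example.test",
    "authorization_endpoint": "https://auth.example.test/authorize",
    "token_endpoint": "https://auth.example.test/token",
    "registration_endpoint": "https://auth.example.test/register",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": ["none", "client_secret_basic"],
}

# auth-param is token "=" ( token / quoted-string ); both forms are accepted.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_www_authenticate(header: str) -> dict:
    """Split 'Scheme k="v", k2=v2' into the scheme and its auth-params."""
    scheme, _, rest = header.strip().partition(" ")
    params = {key: (quoted or bare) for key, quoted, bare in _PARAM_RE.findall(rest)}
    return {"scheme": scheme, "params": params}


def check_challenge(status: int, headers: dict) -> dict:
    """Verdict for phase 1, mirroring the debugger's passed/failed indicator."""
    if status != 401:
        return {"passed": False, "reason": f"expected a 401 challenge, got {status}"}
    header = headers.get("WWW-Authenticate")
    if not header:
        return {"passed": False, "reason": "401 without a WWW-Authenticate header"}
    parsed = parse_www_authenticate(header)
    if parsed["scheme"].lower() != "bearer":
        return {"passed": False, "reason": f"unexpected scheme {parsed['scheme']!r}"}
    url = parsed["params"].get("resource_metadata")
    if not url:
        return {"passed": False, "reason": "challenge carries no resource_metadata URL"}
    return {"passed": True, "resource_metadata": url}


def summarize_metadata(meta: dict) -> dict:
    """Reduce RFC 8414 metadata to the Endpoints / Capabilities / Supported values view."""
    methods = meta.get("code_challenge_methods_supported", [])
    return {
        "endpoints": {
            "issuer": meta.get("issuer"),
            "authorization": meta.get("authorization_endpoint"),
            "token": meta.get("token_endpoint"),
            "registration": meta.get("registration_endpoint"),
        },
        "capabilities": {
            "pkce_s256": "S256" in methods,
            "dynamic_client_registration": "registration_endpoint" in meta,
            # Assumption: the server uses the Client ID Metadata Document draft's key name.
            "client_id_metadata_document": bool(meta.get("client_id_metadata_document_supported", False)),
        },
        "supported": {
            "grant_types": meta.get("grant_types_supported", []),
            "response_types": meta.get("response_types_supported", []),
            "code_challenge_methods": methods,
            "token_endpoint_auth_methods": meta.get("token_endpoint_auth_methods_supported", []),
        },
    }


def readiness_problems(summary: dict) -> list:
    """Reasons an OAuth 2.1 authorization code flow cannot proceed against this server."""
    problems = []
    if not summary["capabilities"]["pkce_s256"]:
        problems.append("server does not advertise PKCE S256")
    if "authorization_code" not in summary["supported"]["grant_types"]:
        problems.append("authorization_code grant not supported")
    if "code" not in summary["supported"]["response_types"]:
        problems.append("response_type=code not supported")
    return problems


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple:
    """Fresh verifier (43 chars, within RFC 7636's 43..128) and its S256 challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, s256_challenge(verifier)


def verify_s256(verifier: str, challenge: str) -> bool:
    """What the token endpoint does on redemption; constant-time comparison."""
    return hmac.compare_digest(s256_challenge(verifier), challenge)


if __name__ == "__main__":
    print("phase 1:", check_challenge(401, SAMPLE_401_HEADERS))
    summary = summarize_metadata(SAMPLE_AS_METADATA)
    print("capabilities:", summary["capabilities"])
    print("problems:", readiness_problems(summary) or "none")
    verifier, challenge = make_pkce_pair()
    print("pkce ok:", verify_s256(verifier, challenge))
```

If check_challenge reports a missing resource_metadata URL or summarize_metadata shows pkce_s256 as False, that matches a failed first or discovery step in the debugger, and the problem is on the server side rather than in the request configuration.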