> For clean Markdown content of this page, append .md to this URL. For the complete documentation index, see https://learning.postman.com/llms.txt. For full content including API reference and SDK examples, see https://learning.postman.com/llms-full.txt. # Debug OAuth 2.1 for MCP servers Use the MCP OAuth Debugger to walk through the [OAuth 2.1](https://oauth.net/2.1/) authorization flow step by step. The debugger surfaces every request, response, and discovered metadata payload so you can identify which phase of the OAuth handshake is failing. The **OAuth Debugger** tab appears in the response pane when your MCP request uses OAuth 2.0 authorization, or when the server returns a `401 Unauthorized` response after a connection attempt. The OAuth Debugger only opens after you click **Connect**. ## Debug an OAuth 2.1 connection Use the OAuth Debugger to step through each phase of the OAuth 2.1 handshake and identify where the connection is failing. To debug an OAuth 2.1 connection, do the following: 1. Choose an existing streamable HTTP MCP request or [create a new one](/docs/use/send-requests/protocols/mcp-requests/create/). 2. Click **Connect**. If the server requires OAuth, Postman opens the **OAuth Debugger** tab in the response pane. 3. Review the first step, **Send request without token**. This step sends an unauthenticated request to the server so Postman can observe the OAuth challenge it returns. Each step displays the following: * The HTTP method and URL. * Request and response headers. * Request and response body. * The HTTP status code. 4. Click **Continue** to advance to the next phase: | Phase | What happens | | ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | | **Request protected resource metadata** | Fetches metadata from the server's protected resource endpoint. For more information, see [RFC 9728](https://www.rfc-editor.org/rfc/rfc9728). | | **Request authorization server metadata** | Fetches metadata from the authorization server. For more information, see [RFC 8414](https://www.rfc-editor.org/rfc/rfc8414). | | **Dynamic client registration** | Registers a new OAuth client with the authorization server using [RFC 7591](https://www.rfc-editor.org/rfc/rfc7591), if the server supports it. | | **Generate PKCE parameters** | Generates a [PKCE](https://www.rfc-editor.org/rfc/rfc7636) code verifier and challenge (S256). | | **Authorization request** | Opens the authorization URL in your browser. Complete the login flow, then return to Postman. | | **Get access token** | Exchanges the authorization code for an access token at the token endpoint. | | **Authenticated MCP request** | Sends the initial MCP request with the access token. A successful response means the handshake is complete. | Steps display a status indicator: **running** while in progress, **passed** on success, or **failed** if an error occurs. A failed step means that phase is where the OAuth handshake is breaking down. 5. To re-run the flow from the beginning, click **Restart**. ## Review OAuth server configuration After Postman fetches authorization server metadata, you can go to the **OAuth Config** section in the **OAuth Debugger** tab to review the server's discovered configuration. The **OAuth Config** section includes the following: * **Endpoints** — The issuer URL, authorization endpoint, token endpoint, dynamic client registration endpoint, and protected resource endpoint. Click Copy icon **Copy** next to any endpoint to copy it to your clipboard. * **Capabilities** — Whether the server supports PKCE with S256, dynamic client registration, and the client ID metadata document. * **Supported values** — The grant types, response types, code challenge methods, and token endpoint authentication methods the server advertises. Client secrets discovered during dynamic client registration are redacted in the debugger trace. They're stored securely and used for subsequent token requests, but aren't displayed.