Claude Code MCP Token Theft Shows Why OAuth Tokens Need Runtime Tool-Call Authorization

Teams adopting AI coding agents have to choose where trust actually lives: in long-lived OAuth tokens, or in a runtime decision point that evaluates every tool call. The Claude Code MCP token theft chain makes that decision painfully concrete. If endpoint routing can be rewritten locally, "valid token + correct scope" is not a safety model — it is just a transport detail an attacker can reuse.

How the Claude Code MCP token theft chain actually works

The attack documented by Mitiga is a clean example of control-plane compromise at the integration boundary, not just sloppy secret handling. In their scenario, a malicious npm package abuses install-time execution to tamper with Claude Code's local MCP configuration and redirect traffic to an attacker-controlled endpoint. Once routing is hijacked, OAuth bearer tokens meant for legitimate MCP-connected services can be captured through endpoint compromise and replayed. Mitiga's write-up details this MITM-style chain directly: Mitiga's Claude Code MCP token theft research. Cryptika's coverage summarizes the same pattern for broader security audiences: Cryptika's coverage of the attack.

What makes this dangerous is that the compromise point is upstream of SaaS authorization checks. The agent still "thinks" it is calling Jira, GitHub, or Confluence through configured MCP endpoints. But because ~/.claude.json (or related MCP server configuration) has been rewritten, the traffic path now includes attacker-controlled infrastructure that can read or proxy bearer tokens.

A concrete chain looks like this:

• A developer installs a malicious npm package (directly or transitively).
• The package's install hook executes and modifies local Claude/MCP configuration, including ~/.claude.json.
• MCP endpoint definitions are rewritten to attacker-controlled URLs or relay infrastructure.
• Claude Code sends OAuth bearer tokens to the rewritten endpoint during normal tool operations.
• The attacker captures tokens and can invoke SaaS APIs using those valid credentials.
• Because the flow still uses legitimate OAuth artifacts, downstream systems may see apparently normal API activity.

Why SaaS audit logs can look perfectly clean

From the SaaS provider's perspective, these requests are often indistinguishable from legitimate automation. The token is structurally valid, the scopes are expected, and the identity claims map to a real user or app integration. If calls come through normal cloud egress paths or expected geographies, nothing screams "compromise."

This is why provider-side logs alone are insufficient for agent security incidents. They can confirm what action happened but not whether the MCP routing path was tampered with at call time. In other words, SaaS logs are necessary evidence, but they are not authoritative for deciding whether the initiating tool call was policy-compliant or hijacked before execution.

The core lesson: a valid OAuth token proves authorization was granted at some point; it does not ensure the call is being made from a secure or trusted environment.

Why token rotation fails when routing is compromised

Security teams often reach for credential rotation first, and that instinct is usually good. Here, by itself, it is incomplete. If the attacker still controls the endpoint rewrite layer, the next token is intercepted the same way as the last one.

That is why this is fundamentally a routing/control-plane problem. Rotating credentials without restoring endpoint integrity is just churning secrets inside a poisoned path. The best shorthand is exactly this: changing the lock while the attacker controls the doorframe.

To break the attack chain, defenders must first reclaim the MCP routing layer and local config integrity. Only after that do rotation and scope minimization produce durable value.

The runtime authorization pattern for agent tool calls

OAuth scopes answer "what this token could do in principle." They do not answer "should this specific tool call happen right now, for this user-agent pair, under current risk and policy." Agent systems need that second decision at runtime.

The right pattern is a policy decision point (PDP) and policy engine in front of tool execution — often implemented as an MCP Gateway enforcing call-time controls. Instead of trusting bearer possession alone, each tool invocation is evaluated against identity context, action type, target resource, environment signals, and governance rules.

At minimum, mature runtime authorization includes:

• Tool-level allowlists by role, repo, environment, and data domain.
• Explicit deny rules for destructive or high-risk operations.
• Trust tiers (read-only, constrained write, privileged admin paths).
• Consent gates and human approval workflows for sensitive actions.
• Fast revocation that cuts off tool execution without waiting for token expiry.
• Audit trails that bind: human identity + agent identity + tool call + policy decision + timestamp.

This is also where you reduce prompt-injection and tool-injection blast radius. Even if the model is manipulated into attempting a dangerous call, the policy boundary can still block execution.

Detection and governance checklist for Claude Code, Cursor, and AI IDE MCP usage

Most organizations treat agent tooling as developer convenience software, then discover too late it is an identity and authorization surface. Governance has to cover the local endpoint config path, dependency execution path, and runtime execution path together. If one is missing, attackers route around the others.

A practical program combines endpoint integrity monitoring, install-hook controls, token hygiene, and cross-layer audit correlation.

Monitor ~/.claude.json and local MCP config drift

• File integrity monitoring on ~/.claude.json and any MCP server definition files.
• Alert on endpoint URL changes, protocol changes, host changes, and unexpected new MCP servers.
• Baseline approved endpoint patterns and flag deviations immediately.
• Tie file-change events to process lineage (which binary/script changed the file).

Control npm install hooks and package execution paths

• Restrict or review lifecycle scripts (preinstall, postinstall) in CI/dev environments.
• Enforce lockfile integrity and trusted registry policy where possible.
• Alert on newly introduced transitive packages that execute scripts.
• Segment dev workstations so package-install compromise has reduced lateral reach.

Enforce MCP server config integrity

• Maintain allowlisted MCP endpoint domains and certificate expectations.
• Detect local overrides that bypass centrally managed MCP settings.
• Require signed/managed config distribution for enterprise-managed agents.
• Quarantine workstations with unauthorized MCP endpoint rewrites.

Audit OAuth scopes and token lifespan

• Reduce broad, persistent scopes for coding-agent integrations.
• Prefer ephemeral or just-in-time grants over standing permissions.
• Separate read-only from write/admin tokens where architecture allows.
• Revoke and re-issue tokens after config compromise only after routing cleanup.

Correlate runtime audit logs across identity and tools

• Join agent runtime logs with endpoint config change logs and SaaS API logs.
• Track request lineage: human actor → agent session → tool call → policy result.
• Alert on policy-denied attempts followed by successful API actions from same identity.
• Build incident playbooks that start with control-plane validation, not only token reset.

Permit.io MCP Gateway as the enforcement layer at the tool-call boundary

If this incident class teaches one thing, it is that bearer tokens cannot be your only guardrail for agent operations. You need a gate that decides, in real time, whether this agent, acting for this human, may perform this call now under policy.

Permit.io positions its MCP Gateway exactly at that boundary. The value is not just access yes/no; it is policy-rich enforcement that can constrain what a leaked token can accomplish in practice. That includes tool allowlists, explicit denial of destructive actions, step-up consent or approval on sensitive calls, and rapid revocation at execution time.

In a hijack scenario, this changes the blast radius math. Even if an attacker gets bearer material or tampers with endpoint routing, they still hit runtime authorization checks tied to user-agent context and policy state. You also get auditability that links human, agent, tool, policy, and decision — exactly the chain investigators need when SaaS logs look "normal."

Frequently asked questions

How can Claude Code MCP traffic be hijacked to steal OAuth tokens?

The documented chain starts with a malicious npm package executing an install hook that rewrites local Claude MCP configuration, including ~/.claude.json. That rewrite redirects MCP endpoint traffic to attacker-controlled infrastructure, where OAuth bearer tokens can be intercepted. The attacker then reuses valid tokens against SaaS APIs. Mitiga describes this flow directly, with Cryptika echoing the same mechanism.

Why isn't rotating OAuth tokens enough after an MCP endpoint rewrite attack?

Rotation only helps once the compromised routing layer is restored. If endpoint configuration still points to attacker-controlled infrastructure, newly issued tokens are captured again. That is why defenders must first clean and lock the MCP config path, then rotate credentials. Otherwise, rotation is just replacing secrets in an actively monitored channel.

What should enterprises monitor in ~/.claude.json and MCP server settings?

Enterprises should monitor unauthorized endpoint changes, new MCP server entries, protocol and host drift, and process lineage for any config edits. They should baseline approved endpoint patterns and trigger high-priority alerts when local files diverge from managed templates. File integrity monitoring and runtime correlation with package-install events are key — without that, tampering looks like routine developer activity until after token abuse appears downstream.

How does runtime tool-call authorization reduce MCP token blast radius?

Runtime authorization inserts a policy decision at execution time, not just at token issuance time. That means dangerous tool calls can be denied even when a valid token exists. It also enables consent gates, approvals, and revocation independent of token expiry. In practice, this limits what an attacker can do with stolen credentials and improves forensic clarity when an incident needs to be reconstructed.

Why are broad persistent OAuth scopes especially risky for coding agents?

Coding agents make many automated calls at high speed and across multiple systems, so broad standing permissions create a large abuse surface. If one token is captured, the attacker inherits wide capability without needing additional compromises. Ephemeral or just-in-time grants reduce standing privilege and shorten exploit windows. Zero standing permissions is a better default for agent-heavy workflows.

What is the difference between OAuth scopes and runtime policy enforcement for AI tools?

OAuth scopes define potential capability encoded in the credential. Runtime policy enforcement evaluates contextual legitimacy per request, including user-agent pairing, action type, target, and current risk posture. You need both, but only runtime policy can consistently block bad calls that still carry valid tokens. For agent ecosystems, scope-only security is necessary but not sufficient.

How do I investigate suspicious "legitimate-looking" SaaS API activity from an AI IDE?

Start by validating local MCP routing and config integrity on the originating workstation, especially ~/.claude.json and related server definitions. Correlate endpoint-change timestamps with package installation events and agent tool-call logs. Then compare with SaaS audit logs to map the full path from human session to API action. If control-plane tampering is confirmed, remediate routing first, then rotate and re-scope credentials.