Skip to content

Cursor MCP: OAuth or bearer token (and fix 401 errors)

How to connect Cursor to a remote MCP server. Use OAuth where the server supports it. Use a bearer header when you have to, without committing the token by accident.

The symptom

Cursor talks to a remote MCP server. The server returns 401 Unauthorized. Or Cursor shows the server in the MCP panel but no tools appear.

The cause is almost always that Cursor is not sending the credential the server expects.

Try OAuth first

If the server supports OAuth, this is the right answer. No token in your config. No accidental commits. Set only the URL:

{
  "mcpServers": {
    "hjarni": {
      "url": "https://hjarni.com/mcp"
    }
  }
}

Cursor opens a browser tab for the OAuth flow on first run. The token is stored and refreshed for you. Hjarni works this way. So do most current remote MCP servers.

If you have to use a bearer header

Some servers only accept long-lived API tokens. In that case, add a headers block on the server entry.

Do not commit tokens. Cursor reads ~/.cursor/mcp.json globally and .cursor/mcp.json per project. The project file lives inside the repo, so a token pasted there is one git add away from a public commit. Use the global file, or add .cursor/mcp.json to .gitignore first. 
{
  "mcpServers": {
    "hjarni": {
      "url": "https://hjarni.com/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_API_TOKEN"
      }
    }
  }
}

Restart Cursor after editing the file. The MCP panel reloads server entries on launch, not on file change.

Still 401?

  • Token expired or was rotated. Generate a fresh one and paste it back into mcp.json.
  • Whitespace in the token. JSON parsers preserve it. A trailing newline from a paste turns into Authorization: Bearer abc\n, which most servers reject.
  • Bearer prefix capitalisation. RFC 6750 says case-insensitive. Some middlewares still require literal Bearer with a capital B.
  • Env var that did not interpolate. A bare "Bearer $TOKEN" is sent literally. Use Cursor's documented interpolation syntax instead, for example "Bearer ${env:TOKEN}", or paste the resolved value.
  • Wrong endpoint. If the server publishes /mcp and you pointed at /api, you will get a 401 from the wrong auth layer. Check the URL.