Here is a small thing that used to annoy me more than it should have.
You add an MCP server to Claude Code. Something with OAuth, like Sentry or Notion. To actually get a token stored, you start an interactive session, open the /mcp panel, scroll to the right server, hit authenticate, and click through a browser popup. Fine on your laptop. Genuinely miserable on a server you reached over SSH, where there is no browser to pop anything up.
As of v2.1.186, shipped this week, that whole dance collapses into one command.
claude mcp login sentryThat is it. It runs the server's OAuth flow directly from your shell, stores the credentials, and you never open a session to do it.
What actually changed
Two new subcommands: claude mcp login <name> and claude mcp logout <name>. The first runs the OAuth handshake for a server you have already configured. The second clears the stored credentials when you are done with it, or when a token has gone stale and you want a clean re-auth.
Nothing about how you add servers changed. What changed is that the authentication step left the interactive UI and became a normal CLI command, the kind you can put in a script.
The full loop
Say you want Sentry. Three commands, start to finish.
Add the server:
claude mcp add --transport http sentry https://mcp.sentry.dev/mcpLog in:
claude mcp login sentryCheck it took:
claude mcp listclaude mcp list shows each configured server and its connection status, so you get confirmation without opening Claude at all. When you want to revoke, claude mcp logout sentry and the stored token is gone.
If you have read Getting the best out of Claude Code, this slots right into the same idea: the terminal is the control surface, and the fewer times you have to drop into a menu to do something, the better.
The part that actually matters: SSH and headless boxes
This is where the old flow really hurt. On a remote machine with no display server, the /mcp panel would try to open a browser that does not exist, and you were stuck.
The login command handles this. As of v2.1.191 it detects when there is no local browser, an SSH session, or Linux without a display, and instead of failing it prints the authorisation URL. You open that URL on your own machine, approve the app, then copy the full redirect URL out of your browser's address bar and paste it back at the prompt.
Two things to know so it does not trip you up:
- You need an interactive terminal for the paste step. Connect with
ssh -t, otherwise there is no prompt to paste into. - You can force the URL flow even when a browser exists with
--no-browser. Handy when your local default browser is the wrong profile, or you just prefer copying the link.
ssh -t you@your-box 'claude mcp login sentry --no-browser'One gotcha worth flagging: by default Claude Code picks a random free port for the OAuth callback. Most servers do not care. A few require a specific redirect URI registered in advance, and those will reject a random port. If a login bounces for that reason, check what redirect URI the server expects rather than assuming the command is broken.
Why this is a quiet win
The headline feature is convenience. The real win is that authentication is now scriptable.
Provisioning a fresh dev box or a CI runner used to mean a human sitting in an interactive session clicking through OAuth popups for every connected service. Now the same setup is just a list of add and login lines in a provisioning script. It composes. It belongs in the same setup file as your npm install and your dotfiles.
That is the difference between a feature you click and a feature you can build on top of.
The one thing to keep your eye on
login stores a credential on the machine you run it on. That is the entire point, and it is also the thing to be deliberate about.
Only log in to servers you actually trust, and only on machines you control. An MCP server you authenticate against can read and act on whatever that token grants. If you want the longer version of why a connected MCP server deserves the same scrutiny as any other privileged integration, an open MCP server is worse than an open database makes that case in full. The convenience of one-line login does not change the trust question. It just removes the excuse that auth was too annoying to do properly.
Small commands like this rarely make a release's headline. But the OAuth dance was a daily papercut, and now it is one line you can drop in a script. That is the kind of unglamorous improvement that quietly adds up.