Fix: OAuth invalid_scope 'user:all' when adding Sourcegraph MCP in OpenAI Codex

Overview

This article explains why you see an "invalid_scope" error when adding Sourcegraph as an MCP in OpenAI Codex and how to fix it.

Problem

When Codex (0.120.0 and below at time of writing) attempts to register via Dynamic Client Registration, the OAuth provider rejects requests that include the user:all (or other non-mcp) scopes and returns:

OAuth provider returned `invalid_scope`: The requested scope is invalid, unknown, or malformed. The OAuth 2.0 Client is not allowed to request scope 'user:all'.

Why this happens

  • Dynamic Client Registration for MCP limits clients to the mcp scope only.

  • Clients that request additional scopes (for example user:all, openid, or offline_access) are rejected by the OAuth provider.

Solutions

Short-term workarounds

  • Use an access token scoped to mcp and configure your client to use token-based auth instead of OAuth client registration.

  • If the client needs additional scopes beyond mcp, create a manual OAuth app on the Sourcegraph instance and configure it with the required scopes (for example user:all, openid, or offline_access).

  • If you only need MCP access, ensure the client requests only the mcp scope or use an access token limited to mcp.

Example MCP config for token-based access

[mcp_servers.sourcegraph]
url = "https://your_private_instance.com/.api/mcp"
scopes = ["mcp"]

Notes

  • Some clients (like Codex) may retry the OAuth flow without scopes and succeed; others will fail. If a client cannot be configured to avoid requesting extra scopes, use a manually created OAuth app or token.

  • Contact support if you need help creating an OAuth app or generating an MCP-scoped token.