Skip to content

MCP Server always returns "Invalid or missing API token" (code -32001), for every token, on every auth method #1010

Description

@streamevent-bg

MCP Server always returns "Invalid or missing API token" (code -32001), for every token, on every auth method

Panopticon version: 2.2.0 (Daybreak), released 2026-07-03
PHP version: 8.3.31
Server: Apache (shared hosting, SuperHosting.BG)

Summary

After enabling the MCP server (System Configuration → Security → MCP Server) and minting an API token, every request to the MCP endpoint is rejected with:

{"error":{"code":-32001,"message":"Invalid or missing API token."}}

This happens regardless of token, transport, or client — I've ruled out every client-side explanation I could think of.

What I tried (all fail identically)

  1. Three independent API tokens, created at different times, via different methods:
    • Token created via the admin UI by me (as the account owner)
    • Token created via my own browser session with zero automation involved
    • All three: same user (Super User), default "all scopes" (no scopes explicitly checked)
  2. Both documented endpoint forms:
    • https://panopticon.example.com/mcp → 404 (no mod_rewrite rule for /mcp in .htaccess, so I used the form below instead)
    • https://panopticon.example.com/index.php/mcp → reaches the MCP server correctly (confirmed by the exact JSON-RPC error shape and the WWW-Authenticate: Bearer realm="Panopticon MCP" header)
  3. Both documented authentication methods:
    • Authorization: Bearer YOUR_API_TOKEN header
    • ?_panopticon_token=YOUR_API_TOKEN query parameter (the documented fallback for clients without header support)
  4. Multiple clients, to rule out any client-specific bug:
    • Raw PHP file_get_contents() with a manual stream context (server-side, via SSH — hit an unrelated 421 Misdirected Request SNI self-loopback issue when calling the site's own hostname from itself, so this path is inconclusive on its own)
    • A real external client: browser fetch() / direct navigation from an entirely separate network (not the hosting server) — same -32001 error, both with the header and with the query parameter
    • mcp-remote bridging Claude Desktop (ran into unrelated OAuth-discovery behavior, not the root cause)
    • supergateway bridging Claude Desktop (--streamableHttp <url> --oauth2Bearer <token>) — sends a clean, correctly-headered POST request; still -32001

The last two points are the important ones: a plain external HTTP client, hitting the real public endpoint, with a token the account owner just minted and copy-pasted himself, gets the exact same rejection as every other attempt. This rules out header-stripping, SNI/proxy issues, OAuth-discovery bugs in a particular MCP client, and token transcription errors.

Request/response example

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions