MCP Server always returns "Invalid or missing API token" (code -32001), for every token, on every auth method
Panopticon version: 2.2.0 (Daybreak), released 2026-07-03
PHP version: 8.3.31
Server: Apache (shared hosting, SuperHosting.BG)
Summary
After enabling the MCP server (System Configuration → Security → MCP Server) and minting an API token, every request to the MCP endpoint is rejected with:
{"error":{"code":-32001,"message":"Invalid or missing API token."}}
This happens regardless of token, transport, or client — I've ruled out every client-side explanation I could think of.
What I tried (all fail identically)
- Three independent API tokens, created at different times, via different methods:
- Token created via the admin UI by me (as the account owner)
- Token created via my own browser session with zero automation involved
- All three: same user (Super User), default "all scopes" (no scopes explicitly checked)
- Both documented endpoint forms:
https://panopticon.example.com/mcp → 404 (no mod_rewrite rule for /mcp in .htaccess, so I used the form below instead)
https://panopticon.example.com/index.php/mcp → reaches the MCP server correctly (confirmed by the exact JSON-RPC error shape and the WWW-Authenticate: Bearer realm="Panopticon MCP" header)
- Both documented authentication methods:
Authorization: Bearer YOUR_API_TOKEN header
?_panopticon_token=YOUR_API_TOKEN query parameter (the documented fallback for clients without header support)
- Multiple clients, to rule out any client-specific bug:
- Raw PHP
file_get_contents() with a manual stream context (server-side, via SSH — hit an unrelated 421 Misdirected Request SNI self-loopback issue when calling the site's own hostname from itself, so this path is inconclusive on its own)
- A real external client: browser
fetch() / direct navigation from an entirely separate network (not the hosting server) — same -32001 error, both with the header and with the query parameter
mcp-remote bridging Claude Desktop (ran into unrelated OAuth-discovery behavior, not the root cause)
supergateway bridging Claude Desktop (--streamableHttp <url> --oauth2Bearer <token>) — sends a clean, correctly-headered POST request; still -32001
The last two points are the important ones: a plain external HTTP client, hitting the real public endpoint, with a token the account owner just minted and copy-pasted himself, gets the exact same rejection as every other attempt. This rules out header-stripping, SNI/proxy issues, OAuth-discovery bugs in a particular MCP client, and token transcription errors.
Request/response example
MCP Server always returns "Invalid or missing API token" (code -32001), for every token, on every auth method
Panopticon version: 2.2.0 (Daybreak), released 2026-07-03
PHP version: 8.3.31
Server: Apache (shared hosting, SuperHosting.BG)
Summary
After enabling the MCP server (System Configuration → Security → MCP Server) and minting an API token, every request to the MCP endpoint is rejected with:
{"error":{"code":-32001,"message":"Invalid or missing API token."}}This happens regardless of token, transport, or client — I've ruled out every client-side explanation I could think of.
What I tried (all fail identically)
https://panopticon.example.com/mcp→ 404 (nomod_rewriterule for/mcpin.htaccess, so I used the form below instead)https://panopticon.example.com/index.php/mcp→ reaches the MCP server correctly (confirmed by the exact JSON-RPC error shape and theWWW-Authenticate: Bearer realm="Panopticon MCP"header)Authorization: Bearer YOUR_API_TOKENheader?_panopticon_token=YOUR_API_TOKENquery parameter (the documented fallback for clients without header support)file_get_contents()with a manual stream context (server-side, via SSH — hit an unrelated421 Misdirected RequestSNI self-loopback issue when calling the site's own hostname from itself, so this path is inconclusive on its own)fetch()/ direct navigation from an entirely separate network (not the hosting server) — same-32001error, both with the header and with the query parametermcp-remotebridging Claude Desktop (ran into unrelated OAuth-discovery behavior, not the root cause)supergatewaybridging Claude Desktop (--streamableHttp <url> --oauth2Bearer <token>) — sends a clean, correctly-headered POST request; still-32001The last two points are the important ones: a plain external HTTP client, hitting the real public endpoint, with a token the account owner just minted and copy-pasted himself, gets the exact same rejection as every other attempt. This rules out header-stripping, SNI/proxy issues, OAuth-discovery bugs in a particular MCP client, and token transcription errors.
Request/response example