MCP — Authentication failed (401)
Your AI client (ChatGPT, Claude Desktop, Claude.ai, Claude Code, Cursor, …) is returning 401 Unauthorized on every aprity tool call. This page walks through the most common causes and the fix.
The aprity Remote MCP Server authenticates with OAuth 2.1 + PKCE backed by Salesforce SSO. There is no token to copy or paste by hand: your AI client runs a browser sign-in once, then holds a short-lived token it refreshes automatically. A 401 means that token is missing, expired, or no longer accepted.
What it looks like
Symptoms vary by AI client but you typically see one of these:
- 401 Unauthorized or invalid_token on every tool call.
- "The aprity connector is not authorized -- sign in again."
- Tool calls that used to work silently return no results.
- The aprity connector appears in the client's MCP server list but every tool call fails.
Why this happens
Common causes:
- You are not signed in yet. The connector was added but the OAuth sign-in was never completed (or was cancelled). The first tool call has no token.
- The session was revoked. You (or an admin) revoked the connection, or the Salesforce user who authorized it was deactivated, so the refresh token is no longer valid and the client cannot get a new access token.
- The token expired and could not refresh. Access tokens are short-lived; if the client cannot reach the refresh endpoint (network, proxy, or a revoked refresh token), calls fall back to 401.
- You signed in with the wrong Salesforce identity — one that does not map to your aprity-scanned org, so aprity cannot resolve a tenant.
- The plan was downgraded to Documentation, which does not include the Remote MCP Server.
- Your tenant's MCP feature was disabled by an admin, or the Remote MCP Server is not enabled for your tenant.
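The 401 response itself often narrows down which of these causes applies. The following is an added example, not aprity's code: it parses the `WWW-Authenticate` Bearer challenge defined in RFC 6750 and maps it to the causes above. That the aprity server emits these challenge values is an assumption, and the sample headers are constructed.

```python
import re

# auth-param = token "=" ( token / quoted-string ), per RFC 7235
_PARAM = re.compile(r'([A-Za-z0-9_\-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')

def parse_bearer_challenge(header):
    """Return the Bearer challenge's auth-params as a dict, or None if absent."""
    m = re.search(r'(?:^|,)\s*Bearer(?:\s+|$)', header or "", re.IGNORECASE)
    if not m:
        return None
    params = {}
    for key, quoted, bare in _PARAM.findall(header[m.end():]):
        value = re.sub(r'\\(.)', r'\1', quoted) if quoted else bare
        params.setdefault(key.lower(), value)  # first occurrence wins
    return params

def triage_401(www_authenticate):
    """Map a 401's WWW-Authenticate header to a likely cause from the list above."""
    params = parse_bearer_challenge(www_authenticate)
    if params is None:
        # No Bearer challenge: something in between (proxy, gateway) may have answered.
        return "no-bearer-challenge"
    error = params.get("error")
    if error is None:
        # RFC 6750: no error code when the request carried no credentials,
        # i.e. the OAuth sign-in was never completed.
        return "no-token-sent"
    if error == "invalid_token":
        # Expired, revoked or malformed token: re-run the OAuth sign-in.
        return "token-expired-or-revoked"
    return "other:" + error

# Constructed sample headers (placeholder host, not captured from aprity).
SAMPLES = [
    'Bearer resource_metadata="https://mcp.example.invalid/.well-known/oauth-protected-resource"',
    'Bearer error="invalid_token", error_description="The access token expired"',
    'Basic realm="corp-proxy"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage_401(sample), "<-", sample)
```

A `no-bearer-challenge` result on a corporate network points at the proxy case in the list rather than at the token itself.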
Fix sequence
1. Re-run the OAuth sign-in
The single most reliable fix is to disconnect and reconnect aprity in your AI client so it runs a fresh OAuth sign-in:
- Remove the aprity connector / MCP server entry from your AI client.
- Add it again, pointing at the endpoint: https://mcp.aprity.ai/v1/mcp
- When the browser window opens, sign in with Salesforce SSO (the same identity you use for your aprity-scanned org) and approve the connection.
- Restart the AI client and retry a tool call.
The per-client setup pages show exactly where the connector lives.
2. Check the Salesforce identity
If the sign-in completes but tool calls still 401, confirm you signed in with a Salesforce user that belongs to your aprity-scanned org (and carries the Aprity_User or Aprity_Admin permission set). Signing in with an unrelated Salesforce account means aprity cannot resolve your tenant. Sign out of Salesforce in that browser, retry the connector sign-in, and pick the correct identity.
3. Plan and feature check
If repeated reconnects keep failing with 401 even after a clean sign-in:
- Open the Usage & Quotas page in the aprity managed app and confirm your plan still includes the Remote MCP Server (Intelligence or Trial — it is not part of Documentation).
- Ask your aprity admin to confirm the Remote MCP Server is enabled for your tenant.
If both look right, open a support ticket.
Open a support ticket
If none of the above resolves it, contact support@aprity.ai with:
- Your aprity tenant ID (visible in the Usage & Quotas page).
- The AI client and version (e.g. "Claude Desktop 0.7.3 on macOS 14.5").
- The Salesforce identity (username) you signed in with.
- A redacted screenshot of the AI client error if available.
For anything else, contact support@aprity.ai.