Auth & OAuth Issues
When sign-in, MCP OAuth, or session refresh aren't working — symptoms and fixes.
Scrubby uses GitHub OAuth for both dashboard sign-in and MCP server authentication. When the OAuth flow goes wrong, here are the most common failure modes and what to do about each.
Symptom: GitHub redirect goes nowhere
You click “Sign in with GitHub” and nothing happens.
- Check you don’t have a popup blocker on scrubby.ai.
- Check JavaScript is enabled (rare, but it happens).
- Try a different browser. Some restrictive privacy browsers block third-party cookies in ways that break the OAuth state cookie.
Symptom: redirect succeeds but lands on an error page
You authorize on GitHub, get redirected back to Scrubby, and see an OAuth error.
| Error | Likely cause | Fix |
|---|---|---|
| state_mismatch | The OAuth state cookie was lost between starting and completing the flow. Often caused by aggressive privacy plugins. | Try again from the same browser tab. If it keeps failing, switch browsers temporarily. |
| code_expired | You took longer than 10 minutes between authorizing and Scrubby exchanging the code. | Start the flow over. |
| access_denied | You declined the GitHub consent screen. | Approve the requested scopes; Scrubby needs read:user, user:email, and read:org. |
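
How a generic OAuth callback handler arrives at the three errors in the table, as an added illustration that is not Scrubby's own code. The function names, the cookie layout, the `missing_code` result and the simulated code-issue time are assumptions made for the example.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60  # the 10-minute code lifetime from the table


def start_flow():
    """Start sign-in: mint the random state that is stored in a cookie
    and also sent to the provider in the authorize URL."""
    return {"state": secrets.token_urlsafe(32)}


def check_callback(cookie, query, code_issued_at, now=None):
    """Classify an OAuth callback (hypothetical handler).

    cookie: dict from start_flow(), or None if the browser dropped the cookie.
    query: callback query parameters as a dict.
    code_issued_at: simulated time the provider issued the code; a real
    provider enforces the expiry itself when the code is exchanged.
    """
    now = time.time() if now is None else now
    returned = query.get("state", "").encode()
    # Without a matching cookie the callback cannot be tied to a flow this
    # browser started, so it is rejected before anything else is trusted.
    if cookie is None or not hmac.compare_digest(cookie["state"].encode(), returned):
        return "state_mismatch"
    # A declined consent screen comes back as an error parameter, with no code.
    if query.get("error") == "access_denied":
        return "access_denied"
    if "code" not in query:
        return "missing_code"  # not in the table; constructed for completeness
    if now - code_issued_at > CODE_TTL_SECONDS:
        return "code_expired"
    return "ok"
```

A privacy extension that strips the state cookie mid-flow corresponds to the `cookie is None` case, which is why retrying from the same tab or another browser clears `state_mismatch`.
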
Symptom: MCP OAuth flow hangs
You started a tool call, the editor opened a browser tab for OAuth, you signed in — and nothing happens. The editor still says “not authenticated.”
- The OAuth callback might be reaching a different process (e.g. multiple editors fighting over the callback port). Close other editor windows that might also be listening for OAuth callbacks and retry.
- Check the editor’s MCP log for an error message. Most editors expose this in their developer tools.
- If you’re behind a corporate proxy that intercepts HTTPS, the OAuth flow may be failing silently. Test from a non-proxied network.
For Claude Code specifically, run /mcp to force a fresh connection.
Symptom: session expires constantly
Sessions are usually 14 days for the dashboard and survive much longer for MCP. If you’re being kicked out repeatedly:
- Check that your browser isn’t clearing cookies for scrubby.ai (often a privacy-extension setting).
- Check you aren’t switching between two GitHub accounts on the same machine — that creates two Scrubby identities and can look like session loss.
- Revoke all sessions from your Account page and sign in again. If the new session also drops quickly, contact support.
Symptom: “wrong account” / accidentally signed up twice
If you have two Scrubby accounts (different GitHub identities, different work emails), you can:
- Merge them: from the Account page, choose Merge accounts and follow the prompts. Indexes and findings transfer to the surviving account.
- Delete the unused one: from the Account page, choose Delete account on the one you don’t want.
If the merge flow fails (e.g. one account has an active subscription that needs migrating), contact support.
Symptom: “this user is not authorized for this organization”
You’re signing in to a Scrubby org you’re a GitHub member of, but Scrubby says you don’t have access.
- The org may not have a Team or Enterprise plan. An admin needs to set one up.
- The org admin may not have invited you yet. Ask them to invite from the Team page. See Inviting Teammates.
- GitHub’s read:org scope must have been granted — that’s what lets Scrubby see your membership. Re-authenticate to re-grant scopes if needed.
Symptom: 401 from the REST API with a token
Tokens generated from the Account page are long-lived but revocable. A 401 means:
- The token was revoked (check the token list on the Account page).
- The token was generated for a different environment (production tokens don’t work on staging).
- The token wasn’t sent as Authorization: Bearer <token> — check the header format.
Revoking tokens and sessions
Both are listed on the Account page:
- Tokens — click “revoke” next to any API token.
- Sessions — click “revoke” next to any active session (web or MCP).
Revocation is immediate. Any running tool call using a revoked token will fail on the next request.