Skip to main content
Applies to:
  • Plan -
  • Deployment -

Summary

Issue: Cursor Cloud agents throw [401] Failed to validate Cognito JWT: JWT string does not consist of exactly 3 parts when connecting to the Braintrust MCP server. Cause: Cursor Cloud runs in a remote environment with no interactive browser session, so the default OAuth flow cannot complete — resulting in a malformed token that fails all validation checks, including Cognito JWT verification. Resolution: Configure .cursor/mcp.json with an explicit Authorization header using a Braintrust API key to bypass OAuth entirely.

Resolution steps

Configure explicit API key auth in .cursor/mcp.json

Step 1: Create or update .cursor/mcp.json

Add the headers field with your Braintrust API key. Place this file at the project root for project-level config, or in your home directory for global config. 
{
  "mcpServers": {
    "braintrust": {
      "url": "https://api.braintrust.dev/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_BRAINTRUST_API_KEY"
      }
    }
  }
}
Replace YOUR_BRAINTRUST_API_KEY with a key from Settings > API keys in the Braintrust app.

Step 2: Verify the connection

Restart Cursor and confirm the MCP server connects without a 401 error.
Note: BRAINTRUST_API_KEY set in your local environment does not carry over to Cursor Cloud agents. The explicit headers config is required.

Alternative: use the Braintrust CLI

If you need read/write access (running evals, modifying prompts, updating datasets), the Braintrust CLI works in cloud environments and has a simpler auth setup.

Step 1: Install the CLI

curl -fsSL https://bt.dev/cli/install.sh | sh

Step 2: Configure MCP via the CLI

bt setup mcp
This handles authentication and MCP configuration without requiring a browser session.