diff --git a/extensions/cli/src/services/MCPService.ts b/extensions/cli/src/services/MCPService.ts
index 3860259aec0..fdf995b0b5f 100644
--- a/extensions/cli/src/services/MCPService.ts
+++ b/extensions/cli/src/services/MCPService.ts
@@ -503,11 +503,33 @@ Org-level secrets can only be used for MCP by Background Agents (https://docs.co
 } catch (error: unknown) {
 // If token refresh didn't work and it's a 401, fall back to mcp-remote
 if (isAuthError(error) && !this.isHeadless) {
+ // Build mcp-remote args with Supabase-specific OAuth scopes if needed
+ const mcpRemoteArgs = ["-y", "mcp-remote", serverConfig.url];
+
+ // Detect Supabase MCP and add custom OAuth scopes
+ if (serverConfig.url.includes("mcp.supabase.com")) {
+ const supabaseScopes = [
+ "organizations:read",
+ "projects:read",
+ "database:read",
+ "analytics:read",
+ "secrets:read",
+ "edge_functions:read",
+ "environment:read",
+ "storage:read",
+ ].join(" ");
+
+ mcpRemoteArgs.push(
+ "--static-oauth-client-metadata",
+ JSON.stringify({ scope: supabaseScopes }),
+ );
+ }
+
 const transport = this.constructStdioTransport(
 {
 name: serverConfig.name,
 command: "npx",
- args: ["-y", "mcp-remote", serverConfig.url],
+ args: mcpRemoteArgs,
 },
 connection,
 );
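Review bot: The Supabase detection `serverConfig.url.includes("mcp.supabase.com")` is a substring match on the whole URL, so any configured server whose host, path or query merely contains that string is treated as Supabase and gets the static client metadata. Compare the parsed host instead, e.g. `new URL(serverConfig.url).hostname === "mcp.supabase.com"`, with the parse guarded because the URL comes from configuration. Separately, the hard-coded scope list includes `secrets:read` and is requested in full for every user who reaches this fallback; requesting the smallest set the client actually needs, or letting the server config narrow it, would keep the resulting token closer to least privilege, and a short comment should record why each scope is required. The enclosing method starts and ends outside the hunk.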