You click “Connect Google Drive” / “Connect Notion” / “Connect Salesforce” in Claude. The OAuth popup either returns “permission denied” outright, or you complete the flow and Claude reports “connected” — but every query returns empty. You’ve hit at least one of the three permission locks: the Anthropic Workspace policy, the OAuth scope you granted, or the target app’s admin policy.
Clicking “Allow” only flips one lock. All three have to be open before data flows. So 90% of fixing connector issues is figuring out who to ask for what, not changing settings on your side.
Common causes
Ordered by hit rate, highest first.
1. Your Anthropic Workspace admin disabled that connector
On Team / Enterprise plans, workspace admins can disable specific connectors (e.g., compliance bans Salesforce). Members either see the connector greyed out or get “not enabled for this workspace” on click.
How to spot it: Claude → Settings → Connectors — if it’s greyed or shows “Contact admin to enable,” this is it.
2. You missed a scope during OAuth
The auth page lists multiple permissions (“read mail,” “read calendar,” “read drive”) and they aren’t always all pre-checked. Grant Calendar but miss Drive, and Claude returns zero results on file queries — silently, not as an error.
How to spot it: Visit the target app’s “Authorized third-party apps” page (Google: myaccount.google.com/permissions; Notion: Settings → My Connections) and check what scopes Claude actually has.
3. Target-app admin (your Google Workspace / Notion Enterprise / etc.) blocked third-party OAuth
Google Workspace, Microsoft 365, and Notion Enterprise all have “App access control.” Admins can default-deny all third-party apps or maintain an allowlist. Personal consent doesn’t override — the OAuth flow gets rejected at the server.
How to spot it: The error contains “blocked by your organization’s policy” or “admin has restricted access.”
4. Token expired, refresh failed
OAuth refresh tokens have varying lifetimes: Google’s expire after 6 months of disuse; Notion’s never expire but die on password change. Claude shows the connection as live, but every request returns 401.
How to spot it: Disconnect → Connect — if re-authorization fixes it, your token expired.
5. Account is personal but the resource is in a workspace (or vice versa)
You sign into Claude with user@gmail.com, but the doc you want lives in your company’s user@company.com Drive. The OAuth token only sees the personal account, never the workspace.
How to spot it: Switch accounts in Google Drive and check which account owns the target file.
6. Region / data residency policy
Some Enterprise plans enforce data residency (e.g., EU-only). Cross-region connector data can be blocked.
How to spot it: The error mentions “data residency” / “region not allowed,” or only certain files fail.
Shortest path to fix
Step 1: Identify which lock is closed
Claude → Settings → Connectors, look at the target connector:
| Display | Means |
|---|---|
| Greyed / “Contact admin” | Anthropic Workspace layer blocked |
| Connectable but errors on click | OAuth scope or target-app layer |
| Connected but queries return empty | Missing scopes or account/resource mismatch |
| Connected but “401 unauthorized” | Token expired — re-authorize |
Wrong diagnosis = ask the wrong person = days lost.
Step 2: Re-run OAuth and check every scope
Disconnect → Connect → on the OAuth screen read every checkbox and check them all. After completing:
Google: visit myaccount.google.com/permissions
→ find "Claude" → confirm scope list
Notion: Settings → My Connections → Claude
→ check workspace and page access scopeIf a scope is missing, re-auth.
Step 3: Send the admin a specific request
If it’s a workspace or target-app block, email the admin with a template (not just “please give me access”):
Subject: Claude Connector approval request — [Notion / Drive / ...]
Hi [admin],
I need to connect Anthropic Claude to [target app] for [business reason].
Specifically, please enable:
- Connector class: [Google Drive / Notion / Salesforce]
- Required scopes: [read files / read pages / read account data]
- For user: [my email]
- Or scope to: [team / specific folder]
Compliance reference: Anthropic SOC 2 Type II, GDPR DPA available at
https://www.anthropic.com/legal
Test plan: I'll connect, run one read-only query, screenshot success,
then send confirmation.Specific scope + business reason cuts approval time dramatically.
Step 4: Account-match check
Confirm the account you logged into Claude with, the OAuth account, and the account that owns the target resource are all the same. Most common gotcha: personal Gmail logs into Claude, OAuths to a Workspace, and can’t see Workspace docs.
Resolutions:
- personal account + personal resource → match, done
- work account + work resource → match, done
- cross-account: share the resource into the account you can authenticate withStep 5: Refresh the token
When something that worked yesterday breaks today: Disconnect → Connect → re-authorize. If the first query post-auth still fails, wait 30 seconds (token propagation) and retry.
Step 6: Get the raw error and file support
Claude usually swallows technical errors and shows a polite message. Ask explicitly: “Print the full raw error response from the last connector attempt, including HTTP status and error code.” File the error at support.anthropic.com.
Prevention
- Put requests in writing (email or ticket) — admins often need a paper trail to approve
- Validate the full flow on one file or one page before expanding to “all resources”
- Use personal accounts for personal projects, work for work — never mix
- Document your workspace admin list on the internal wiki so the next person doesn’t have to dig
- Audit Google / Notion “Authorized apps” every 3-6 months; refresh tokens before they expire
Related
- Claude GitHub connection failed
- Claude usage limit
- Claude beginner guide
- Claude prompt best practices
- Claude Projects
Tags: #Claude #Debug #Troubleshooting