Claude.ai MCP Connector Failing to connect to my self-hosted n8n

GeoffS · March 24, 2026, 11:00am

I’m trying to connect Claude.ai to my self-hosted n8n via Instance-level MCP (OAuth). The OAuth flow appears to complete — I get redirected to n8n, I authorize, and n8n shows Claude as a Connected client. But Claude always returns “Authorization with the MCP server failed.”

I also tried creating a separate workflow with an MCP Server Trigger node (no auth) and using that Production URL as a custom connector in Claude. Same error.

My setup

n8n version: 2.12.3
Database: SQLite (default)
n8n EXECUTIONS_PROCESS setting: default
Running n8n via: npm (global install, Node.js v22.21.1 via nvm)
Operating system: macOS 14.2.1 (Apple Silicon)

n8n runs as a macOS LaunchAgent and is exposed to the internet via Cloudflare Tunnel (cloudflared 2025.11.1) routing n8n.jeffzeb.com → http://127.0.0.1:5678.

What I’ve tried

Confirmed endpoint is reachable: curl -I returns HTTP 401 with Bearer auth as expected
Added N8N_PROXY_HOPS=1 and N8N_TRUST_PROXY=true (fixed an ERR_ERL_UNEXPECTED_X_FORWARDED_FOR error in the MCP SDK)
Created a Cloudflare Transform Rule to set Origin: https://n8n.jeffzeb.com (known issue with tunnels stripping the scheme)
Revoked old Connected clients and re-added the connector fresh
Tested in both Safari and Chrome
Tested both Instance-level MCP (OAuth) and MCP Server Trigger (no auth) — both fail with the same error
Workflows are enabled for MCP access and active

Key observation

OAuth completes on n8n’s side (Connected clients tab confirms it), but Claude doesn’t recognize the connection as successful. This happens with both the instance-level MCP URL and a standalone MCP Server Trigger URL.

Has anyone successfully connected Claude.ai (not Claude Desktop) to a self-hosted n8n behind a Cloudflare Tunnel? Any ideas what could be failing after the OAuth callback? Also possible issue is on the Claude side, so I’ve reached out to their help support as well.

tamy.santos · March 24, 2026, 2:15pm

Hi @GeoffS , welcome to the n8n community

What stands out to me is that both the OAuth connector and the no-auth MCP Server Trigger fail the same way, so I’d be cautious about blaming OAuth itself, to me that points more toward a reverse-proxy / transport issue after the callback, especially since n8n behind a proxy needs the original forwarded host/proto headers and usually a fixed WEBHOOK_URL, plus Cloudflare can sometimes interfere with streaming/compression behavior.

could you please share the response headers and body you get from the MCP endpoint with curl -i, and whether Cloudflare has compression, caching, Access, or any other edge features enabled on that hostname/path?

Benjamin_Behrens · March 24, 2026, 4:10pm

the OAuth callback completing on n8n’s side but failing in Claude suggests the MCP endpoint isn’t properly exposing its capabilities schema after auth. since both OAuth and no-auth fail identically, check whether your Cloudflare Tunnel is preserving the Content-Type: application/json response headers and not buffering the streaming MCP discovery response — some reverse proxies strip or delay these. also worth verifying the MCP endpoint returns the correct resources and tools blocks in its initialize response, since Claude validates the schema before marking the connection live. if curl -i to the MCP endpoint shows chunked/gzipped responses, that’s often the culprit with Claude’s MCP client parser.

pvdyck · March 24, 2026, 4:54pm

Cloudflare Tunnel buffers streaming responses by default, which breaks the MCP transport even though the OAuth redirect works fine. Add disableChunkedEncoding: true to your cloudflared config for that ingress rule. Also make sure WebSockets are enabled in the Cloudflare dashboard under Network for your domain.

Benjamin_Behrens · March 24, 2026, 5:07pm

@pvdyck’s disableChunkedEncoding: true is exactly the right fix for the streaming issue I mentioned — that’s the specific cloudflared setting that prevents response buffering. @GeoffS once you’ve updated your config and restarted cloudflared, let us know if the MCP handshake goes through.

GeoffS · March 25, 2026, 2:45am

Thanks everyone for the quick responses! Here’s what I found after working through them:

@pvdyck

disableChunkedEncoding: true Added this to my cloudflared config and restarted the tunnel. This was a good call and may have fixed the streaming issue, but the auth error persists.

@tamy.santos

Here’s what curl -i shows for the instance-level MCP endpoint:

GET returns HTTP 200 with the n8n editor HTML (falls through to frontend)
POST with MCP initialize payload returns: {"message":"Unauthorized: Authorization header not sent"}— so the endpoint is alive and correctly requiring auth

For the MCP Server Trigger endpoint (no auth), POST with MCP initialize returns a proper response:

event: message
data: {"result":{"protocolVersion":"2024-11-05","capabilities":{"tools":{}},"serverInfo":{"name":"MCP_Server_Trigger","version":"0.1.0"},"jsonrpc":"2.0","id":1}

Response headers include content-type: text/html; charset=utf-8, access-control-allow-origin: ``https://n8n.xxxxxxxx.com, cache-control: no-cache, no-store, cf-cache-status: DYNAMIC. No compression or caching issues visible.

BenB

As shown above, the MCP Server Trigger returns a valid initialize response with correct tools capability and protocol version. Transport is working fine — the disableChunkedEncoding fix plus WebSockets enabled in Cloudflare means streaming isn’t being buffered.

Both endpoints work correctly at the transport level when tested with curl. The OAuth flow also completes — n8n shows Claude as a Connected client after I authorize. But Claude.ai still returns “Authorization with the MCP server failed” every time.

Even the no-auth MCP Server Trigger fails with the same error, which suggests Claude.ai’s custom connector is attempting OAuth regardless and something in that exchange isn’t completing on Claude’s side.

I also fixed an ERR_ERL_UNEXPECTED_X_FORWARDED_FOR error earlier by adding N8N_TRUST_PROXY=true — the error log is clean now.

Has anyone gotten Claude.ai (not Claude Desktop) working with a self-hosted n8n behind Cloudflare Tunnel specifically? Starting to wonder if this is a Claude-side issue with the OAuth callback.

GeoffS · March 25, 2026, 2:58am

Also, @tamy.santos here’s what you asked for.

curl -i against the instance-level MCP endpoint (POST):

HTTP/2 401
content-type: application/json; charset=utf-8
content-length: 57
access-control-allow-credentials: true
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, push-ref, browser-id, anonymousid, authorization, x-authorization
access-control-allow-methods: GET, POST, OPTIONS, PUT, PATCH, DELETE
access-control-allow-origin: https://n8n.xxxxxxx.com
etag: W/"39-2hSNeRgbNg6crq17Q/2hLPX4gMU"
vary: Accept-Encoding
www-authenticate: Bearer realm="n8n MCP Server"
cf-cache-status: DYNAMIC

{"message":"Unauthorized: Authorization header not sent"}

curl -i against the MCP Server Trigger endpoint (no auth, POST):

HTTP/2 200
content-type: text/event-stream
content-length: 178
access-control-allow-methods: OPTIONS, DELETE, GET, POST
access-control-allow-origin: https://n8n.xxxxxxx.com
cache-control: no-cache
mcp-session-id: 9bcea911-251c-4dd2-ab03-d8c28c93fc9a
vary: Accept-Encoding
cf-cache-status: DYNAMIC

event: message
data: {"result":{"protocolVersion":"2024-11-05","capabilities":{"tools":{}},"serverInfo":{"name":"MCP_Server_Trigger","version":"0.1.0"},"jsonrpc":"2.0","id":1}

Cloudflare edge features:

No custom caching, compression, or Access policies on this hostname
WebSockets enabled
One active rule: Modify Request Header setting Origin: https://n8n.xxxxxxx.com
Tunnel config has disableChunkedEncoding: true per @pvdyck’s suggestion

Benjamin_Behrens · March 25, 2026, 3:05am

the Authorization header not sent in the 401 is the smoking gun — Claude isn’t forwarding the OAuth token it received to the actual MCP requests, even though the OAuth flow completed. thats not a tunnel or n8n problem, that’s Claude.ai’s MCP client failing to attach the Bearer token after auth. for the no-auth trigger: Claude.ai might also be attempting an OAuth discovery fetch to /.well-known/oauth-authorization-server before connecting, and if that returns HTML or 404 it might bail early. check your cloudflared access logs to see what paths Claude actually requests on connect. pretty sure at this point the issue is on Anthropic’s side — worth reporting to their support with your curl evidence.

unstableentity · March 25, 2026, 3:08am

Hey @GeoffS — I run a self-hosted n8n instance behind a reverse proxy and have dealt with similar streaming/SSE issues. A few things that might help:

1. The core problem: Cloudflare Tunnel buffers SSE responses

MCP uses Server-Sent Events (SSE) for its transport layer. Cloudflare Tunnels buffer chunked responses by default, which breaks the SSE stream. Even with disableChunkedEncoding: true, the tunnel may still interfere with the Transfer-Encoding and Connection headers that SSE requires.

2. Try bypassing the tunnel for the MCP endpoint

If possible, expose just the MCP endpoint directly (or through a different proxy that supports SSE pass-through). Nginx with proxy_buffering off and proxy_cache off works reliably:

location /mcp {
    proxy_pass http://localhost:5678;
    proxy_buffering off;
    proxy_cache off;
    proxy_set_header Connection '';
    proxy_http_version 1.1;
    chunked_transfer_encoding off;
}

3. Verify the OAuth token is actually being forwarded

After the OAuth dance completes, Claude sends requests with a Bearer token in the Authorization header. Cloudflare Tunnel can strip or modify auth headers depending on your Access policy settings. Check your Cloudflare Zero Trust dashboard — if you have an Access Application configured for this hostname, it may be intercepting the Bearer token before it reaches n8n.

You can test this by curling the MCP endpoint directly through the tunnel with the token:

curl -H "Authorization: Bearer YOUR_TOKEN" https://your-tunnel/mcp

If that returns a 403 or redirect to Cloudflare Access login, that is your issue.

4. Check n8n MCP transport version

n8n 2.12.x uses the newer “Streamable HTTP” MCP transport (not legacy SSE). Make sure Claude’s MCP connector supports this — some clients still expect the older SSE-only transport at /.well-known/mcp. You can check what n8n exposes at your /mcp endpoint by sending a GET request and inspecting the response headers.

Hope one of these helps narrow it down!

Benjamin_Behrens · March 25, 2026, 3:34am

@unstableentity good catch on the Access policy angle — if thats configured on the hostname, it strips the auth header before n8n ever sees it, which would explain the 401 exactly. @GeoffS worth checking Zero Trust before concluding Anthropic’s at fault.