Claude.ai MCP Connector Failing to connect to my self-hosted n8n

I’m trying to connect Claude.ai to my self-hosted n8n via Instance-level MCP (OAuth). The OAuth flow appears to complete — I get redirected to n8n, I authorize, and n8n shows Claude as a Connected client. But Claude always returns “Authorization with the MCP server failed.”

I also tried creating a separate workflow with an MCP Server Trigger node (no auth) and using that Production URL as a custom connector in Claude. Same error.

My setup

  • n8n version: 2.12.3

  • Database: SQLite (default)

  • n8n EXECUTIONS_PROCESS setting: default

  • Running n8n via: npm (global install, Node.js v22.21.1 via nvm)

  • Operating system: macOS 14.2.1 (Apple Silicon)

n8n runs as a macOS LaunchAgent and is exposed to the internet via Cloudflare Tunnel (cloudflared 2025.11.1) routing n8n.jeffzeb.comhttp://127.0.0.1:5678.

What I’ve tried

  • Confirmed endpoint is reachable: curl -I returns HTTP 401 with Bearer auth as expected

  • Added N8N_PROXY_HOPS=1 and N8N_TRUST_PROXY=true (fixed an ERR_ERL_UNEXPECTED_X_FORWARDED_FOR error in the MCP SDK)

  • Created a Cloudflare Transform Rule to set Origin: https://n8n.jeffzeb.com (known issue with tunnels stripping the scheme)

  • Revoked old Connected clients and re-added the connector fresh

  • Tested in both Safari and Chrome

  • Tested both Instance-level MCP (OAuth) and MCP Server Trigger (no auth) — both fail with the same error

  • Workflows are enabled for MCP access and active

Key observation

OAuth completes on n8n’s side (Connected clients tab confirms it), but Claude doesn’t recognize the connection as successful. This happens with both the instance-level MCP URL and a standalone MCP Server Trigger URL.

Has anyone successfully connected Claude.ai (not Claude Desktop) to a self-hosted n8n behind a Cloudflare Tunnel? Any ideas what could be failing after the OAuth callback? Also possible issue is on the Claude side, so I’ve reached out to their help support as well.

Hi @GeoffS , welcome to the n8n community :tada:

What stands out to me is that both the OAuth connector and the no-auth MCP Server Trigger fail the same way, so I’d be cautious about blaming OAuth itself, to me that points more toward a reverse-proxy / transport issue after the callback, especially since n8n behind a proxy needs the original forwarded host/proto headers and usually a fixed WEBHOOK_URL, plus Cloudflare can sometimes interfere with streaming/compression behavior.

could you please share the response headers and body you get from the MCP endpoint with curl -i, and whether Cloudflare has compression, caching, Access, or any other edge features enabled on that hostname/path?

Cloudflare Tunnel buffers streaming responses by default, which breaks the MCP transport even though the OAuth redirect works fine. Add disableChunkedEncoding: true to your cloudflared config for that ingress rule. Also make sure WebSockets are enabled in the Cloudflare dashboard under Network for your domain.

Thanks everyone for the quick responses! Here’s what I found after working through them:

@pvdyck

disableChunkedEncoding: true Added this to my cloudflared config and restarted the tunnel. This was a good call and may have fixed the streaming issue, but the auth error persists.

@tamy.santos

Here’s what curl -i shows for the instance-level MCP endpoint:

  • GET returns HTTP 200 with the n8n editor HTML (falls through to frontend)

  • POST with MCP initialize payload returns: {"message":"Unauthorized: Authorization header not sent"}— so the endpoint is alive and correctly requiring auth

For the MCP Server Trigger endpoint (no auth), POST with MCP initialize returns a proper response:

event: message
data: {"result":{"protocolVersion":"2024-11-05","capabilities":{"tools":{}},"serverInfo":{"name":"MCP_Server_Trigger","version":"0.1.0"},"jsonrpc":"2.0","id":1}

Response headers include content-type: text/html; charset=utf-8, access-control-allow-origin: ``https://n8n.xxxxxxxx.com, cache-control: no-cache, no-store, cf-cache-status: DYNAMIC. No compression or caching issues visible.

BenB

As shown above, the MCP Server Trigger returns a valid initialize response with correct tools capability and protocol version. Transport is working fine — the disableChunkedEncoding fix plus WebSockets enabled in Cloudflare means streaming isn’t being buffered.

Both endpoints work correctly at the transport level when tested with curl. The OAuth flow also completes — n8n shows Claude as a Connected client after I authorize. But Claude.ai still returns “Authorization with the MCP server failed” every time.

Even the no-auth MCP Server Trigger fails with the same error, which suggests Claude.ai’s custom connector is attempting OAuth regardless and something in that exchange isn’t completing on Claude’s side.

I also fixed an ERR_ERL_UNEXPECTED_X_FORWARDED_FOR error earlier by adding N8N_TRUST_PROXY=true — the error log is clean now.

Has anyone gotten Claude.ai (not Claude Desktop) working with a self-hosted n8n behind Cloudflare Tunnel specifically? Starting to wonder if this is a Claude-side issue with the OAuth callback.

Also, @tamy.santos here’s what you asked for.

curl -i against the instance-level MCP endpoint (POST):

HTTP/2 401
content-type: application/json; charset=utf-8
content-length: 57
access-control-allow-credentials: true
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, push-ref, browser-id, anonymousid, authorization, x-authorization
access-control-allow-methods: GET, POST, OPTIONS, PUT, PATCH, DELETE
access-control-allow-origin: https://n8n.xxxxxxx.com
etag: W/"39-2hSNeRgbNg6crq17Q/2hLPX4gMU"
vary: Accept-Encoding
www-authenticate: Bearer realm="n8n MCP Server"
cf-cache-status: DYNAMIC

{"message":"Unauthorized: Authorization header not sent"}

curl -i against the MCP Server Trigger endpoint (no auth, POST):

HTTP/2 200
content-type: text/event-stream
content-length: 178
access-control-allow-methods: OPTIONS, DELETE, GET, POST
access-control-allow-origin: https://n8n.xxxxxxx.com
cache-control: no-cache
mcp-session-id: 9bcea911-251c-4dd2-ab03-d8c28c93fc9a
vary: Accept-Encoding
cf-cache-status: DYNAMIC

event: message
data: {"result":{"protocolVersion":"2024-11-05","capabilities":{"tools":{}},"serverInfo":{"name":"MCP_Server_Trigger","version":"0.1.0"},"jsonrpc":"2.0","id":1}

Cloudflare edge features:

  • No custom caching, compression, or Access policies on this hostname

  • WebSockets enabled

  • One active rule: Modify Request Header setting Origin: https://n8n.xxxxxxx.com

  • Tunnel config has disableChunkedEncoding: true per @pvdyck’s suggestion

@GeoffS If you’re open to using Claude Desktop or Claude Code CLI instead of Claude.ai web, there’s an approach that avoids the OAuth issue entirely. I built a Python MCP server that connects over stdio using the n8n REST API directly; no Cloudflare tunneling complications, no OAuth handshake. Might be worth a try: https://github.com/DerJams/n8n-mcp-server-python

thanks for the information @GeoffS

so, I’m sorry to say but it looks like the issue is the difference between claude desktop and claude ai. The doc talks about the mcp trigger in reference to claude desktop only, I couldn’t find anything about the Claude.ai Custom Connector, and the fact that the endpoint without auth fails with the same error suggests that it may be applying its own authorization flow or not accepting this type of endpoint. the practical workaround would be to test with Claude Desktop or another supported/documented MCP. If Claude.ai is mandatory, I would temporarily use a proxy/adapter between Claude.ai and n8n.

here are docs to support
MCP connector - Claude API Docs
MCP Server Trigger node documentation | n8n Docs
Set up and use n8n MCP server | n8n Docs

Thanks @tamy.santos. I’ve had this project on the backburner for a bit, but I’ll revisit with your docs. Unfortunately, I haven’t had any luck with Claude Desktop either.

aw :frowning:
that’s a shame.

Update: got it working.

The OAuth connector flow still doesn’t work — that appears to be a Claude-side bug where it completes the OAuth handshake but never attaches the Bearer token to subsequent MCP requests. I’ve reported it to Anthropic support and they acknowledged it as a known issue.

What worked: bypassing OAuth entirely using Claude Desktop’s config file with a Bearer token.

  1. Get your Access Token from n8n Settings → Instance-level MCP → Connection details → Access Token tab

  2. Edit ~/Library/Application Support/Claude/claude_desktop_config.json

  3. Add an mcpServers block:

{
  "mcpServers": {
    "n8n": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://your-n8n-domain.com/mcp-server/http",
        "--header",
        "Authorization: Bearer YOUR_ACCESS_TOKEN_HERE"
      ]
    }
  }
}

  1. Restart Claude Desktop

This uses mcp-remote to bridge Claude Desktop’s stdio transport to n8n’s HTTP endpoint with the token passed directly. No OAuth dance needed.

Note: this only works in Claude Desktop, not claude.ai in the browser. The token can also expire, so you may need to refresh it periodically.

Other fixes that were necessary along the way (if you’re running n8n behind a Cloudflare Tunnel):

  • disableChunkedEncoding: true in cloudflared config (prevents SSE buffering)

  • N8N_TRUST_PROXY=true env var (fixes ERR_ERL_UNEXPECTED_X_FORWARDED_FOR in the MCP SDK)

  • Cloudflare Transform Rule to set Origin: https://your-domain.com (fixes the scheme-stripping issue)

  • WebSockets enabled in Cloudflare Network settings

Thanks @tamy.santos, BenB , pvdyck, unstableentity, and @syed_noor for all the help narrowing this down.

Great thread! One thing worth noting:

MCP servers work best with stdio transport

for local Claude Desktop setups, and SSE

for remote/server deployments.

I’ve been running a custom Flowmatic MCP

server connecting Claude to live market data

and portfolio management — happy to share

the architecture if useful.