Back to Details

cloudflare-mcp-server

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Cloudflare MCP Server Skill

Cloudflare MCP Server 技能指南

Build and deploy Model Context Protocol (MCP) servers on Cloudflare Workers with TypeScript.
Status: Production Ready ✅ Last Updated: 2026-01-21 Latest Versions: @modelcontextprotocol/sdk@1.25.3, @cloudflare/workers-oauth-provider@0.2.2, agents@0.3.6
Recent Updates (2025):
  • September 2025: Code Mode (agents write code vs calling tools, auto-generated TypeScript API from schema)
  • August 2025: MCP Elicitation (interactive workflows, user input during execution), Task Queues, Email Integration
  • July 2025: MCPClientManager (connection management, OAuth flow, hibernation)
  • April 2025: HTTP Streamable Transport (single endpoint, recommended over SSE), Python MCP support
  • May 2025: Claude.ai remote MCP support, use-mcp React library, major partnerships
使用TypeScript在Cloudflare Workers上构建并部署Model Context Protocol (MCP)服务器
状态:已就绪可用于生产环境 ✅ 最后更新:2026-01-21 最新版本:@modelcontextprotocol/sdk@1.25.3, @cloudflare/workers-oauth-provider@0.2.2, agents@0.3.6
2025年更新内容
  • 2025年9月:代码模式(Agent编写代码而非调用工具,从Schema自动生成TypeScript API)
  • 2025年8月:MCP交互功能(执行期间支持用户输入的交互式工作流)、任务队列、邮件集成
  • 2025年7月:MCPClientManager(连接管理、OAuth流程、休眠处理)
  • 2025年4月:HTTP流式传输(单端点,推荐替代SSE)、Python MCP支持
  • 2025年5月:Claude.ai远程MCP支持、use-mcp React库、重大合作

What is This Skill?

什么是本技能?

This skill teaches you to build remote MCP servers on Cloudflare - the ONLY platform with official remote MCP support.
Use when: Avoiding 24+ common MCP + Cloudflare errors (especially URL path mismatches - the #1 failure cause)
本技能将教你在Cloudflare上构建远程MCP服务器——这是唯一支持官方远程MCP的平台。
适用场景:避免24+种常见的MCP + Cloudflare错误(尤其是URL路径不匹配——这是导致失败的头号原因)

🚀 Quick Start (5 Minutes)

🚀 快速开始(5分钟)

Start with Cloudflare's official template:
bash
npm create cloudflare@latest -- my-mcp-server \
  --template=cloudflare/ai/demos/remote-mcp-authless
cd my-mcp-server && npm install && npm run dev
Choose template based on auth needs:
  • remote-mcp-authless
    - No auth (recommended for most)
  • remote-mcp-github-oauth
    - GitHub OAuth
  • remote-mcp-google-oauth
    - Google OAuth
  • remote-mcp-auth0
    / 
    remote-mcp-authkit
    - Enterprise SSO
  • mcp-server-bearer-auth
    - Custom auth
All templates: https://github.com/cloudflare/ai/tree/main/demos
Production examples: https://github.com/cloudflare/mcp-server-cloudflare (15 servers with real integrations)
从Cloudflare官方模板开始:
bash
npm create cloudflare@latest -- my-mcp-server \
  --template=cloudflare/ai/demos/remote-mcp-authless
cd my-mcp-server && npm install && npm run dev
根据认证需求选择模板:
  • remote-mcp-authless
    - 无认证(大多数场景推荐)
  • remote-mcp-github-oauth
    - GitHub OAuth
  • remote-mcp-google-oauth
    - Google OAuth
  • remote-mcp-auth0
    / 
    remote-mcp-authkit
    - 企业级SSO
  • mcp-server-bearer-auth
    - 自定义认证
所有模板地址https://github.com/cloudflare/ai/tree/main/demos
生产环境示例https://github.com/cloudflare/mcp-server-cloudflare(包含15个带真实集成的服务器)

Deployment Workflow

部署流程

bash
undefined
bash
undefined

1. Create from template

1. 从模板创建项目

npm create cloudflare@latest -- my-mcp --template=cloudflare/ai/demos/remote-mcp-authless cd my-mcp && npm install && npm run dev
npm create cloudflare@latest -- my-mcp --template=cloudflare/ai/demos/remote-mcp-authless cd my-mcp && npm install && npm run dev

2. Deploy

2. 部署

npx wrangler deploy
npx wrangler deploy

Note the output URL: https://my-mcp.YOUR_ACCOUNT.workers.dev

记录输出的URL:https://my-mcp.YOUR_ACCOUNT.workers.dev

3. Test (PREVENTS 80% OF ERRORS!)

3. 测试(可避免80%的错误!)

curl https://my-mcp.YOUR_ACCOUNT.workers.dev/sse
curl https://my-mcp.YOUR_ACCOUNT.workers.dev/sse

Expected: {"name":"My MCP Server","version":"1.0.0","transports":["/sse","/mcp"]}

预期返回:{"name":"My MCP Server","version":"1.0.0","transports":["/sse","/mcp"]}

Got 404? See "HTTP Transport Fundamentals" below

返回404?请查看下方的「HTTP传输基础」部分

4. Configure client (~/.config/claude/claude_desktop_config.json)

4. 配置客户端(~/.config/claude/claude_desktop_config.json)

{ "mcpServers": { "my-mcp": { "url": "https://my-mcp.YOUR_ACCOUNT.workers.dev/sse" // Must match curl URL! } } }
{ "mcpServers": { "my-mcp": { "url": "https://my-mcp.YOUR_ACCOUNT.workers.dev/sse" // 必须与curl测试的URL完全一致! } } }

5. Restart Claude Desktop (config only loads at startup)

5. 重启Claude Desktop(配置仅在启动时加载)


**Post-Deployment Checklist:**
- [ ] curl returns server info (not 404)
- [ ] Client URL matches curl URL exactly
- [ ] Claude Desktop restarted
- [ ] Tools visible in Claude Desktop
- [ ] Test tool call succeeds

---

**部署后检查清单:**
- [ ] curl命令返回服务器信息(而非404)
- [ ] 客户端URL与curl测试的URL完全匹配
- [ ] 已重启Claude Desktop
- [ ] Claude Desktop中可见工具
- [ ] 工具调用测试成功

---

⚠️ CRITICAL: HTTP Transport Fundamentals

⚠️ 关键:HTTP传输基础

The #1 reason MCP servers fail to connect is URL path configuration mistakes.
MCP服务器连接失败的头号原因是URL路径配置错误。

URL Path Configuration Deep-Dive

URL路径配置深入解析

When you serve an MCP server at a specific path, the client URL must match exactly.
Example 1: Serving at 
/sse
typescript
// src/index.ts
export default {
  fetch(request: Request, env: Env, ctx: ExecutionContext) {
    const { pathname } = new URL(request.url);

    if (pathname.startsWith("/sse")) {
      return MyMCP.serveSSE("/sse").fetch(request, env, ctx);  // ← Base path is "/sse"
    }

    return new Response("Not Found", { status: 404 });
  }
};
Client configuration MUST include 
/sse
:
json
{
  "mcpServers": {
    "my-mcp": {
      "url": "https://my-mcp.workers.dev/sse"  // ✅ Correct
    }
  }
}
❌ WRONG client configurations:
json
"url": "https://my-mcp.workers.dev"      // Missing /sse → 404
"url": "https://my-mcp.workers.dev/"     // Missing /sse → 404
"url": "http://localhost:8788"           // Wrong after deploy
Example 2: Serving at 
/
(root)
typescript
export default {
  fetch(request: Request, env: Env, ctx: ExecutionContext) {
    return MyMCP.serveSSE("/").fetch(request, env, ctx);  // ← Base path is "/"
  }
};
Client configuration:
json
{
  "mcpServers": {
    "my-mcp": {
      "url": "https://my-mcp.workers.dev"  // ✅ Correct (no /sse)
    }
  }
}
当你在特定路径下部署MCP服务器时,客户端URL必须与该路径完全匹配
示例1:在
/sse
路径下部署
typescript
// src/index.ts
export default {
  fetch(request: Request, env: Env, ctx: ExecutionContext) {
    const { pathname } = new URL(request.url);

    if (pathname.startsWith("/sse")) {
      return MyMCP.serveSSE("/sse").fetch(request, env, ctx);  // ← 基础路径为"/sse"
    }

    return new Response("Not Found", { status: 404 });
  }
};
客户端配置必须包含
/sse
json
{
  "mcpServers": {
    "my-mcp": {
      "url": "https://my-mcp.workers.dev/sse"  // ✅ 正确
    }
  }
}
❌ 错误的客户端配置
json
"url": "https://my-mcp.workers.dev"      // 缺少/sse → 404
"url": "https://my-mcp.workers.dev/"     // 缺少/sse → 404
"url": "http://localhost:8788"           // 部署后未更新为线上URL
示例2:在根路径
/
下部署
typescript
export default {
  fetch(request: Request, env: Env, ctx: ExecutionContext) {
    return MyMCP.serveSSE("/").fetch(request, env, ctx);  // ← 基础路径为"/"
  }
};
客户端配置
json
{
  "mcpServers": {
    "my-mcp": {
      "url": "https://my-mcp.workers.dev"  // ✅ 正确(无需/sse)
    }
  }
}

How Base Path Affects Tool URLs

基础路径对工具URL的影响

When you call 
serveSSE("/sse")
, MCP tools are served at:
https://my-mcp.workers.dev/sse/tools/list
https://my-mcp.workers.dev/sse/tools/call
https://my-mcp.workers.dev/sse/resources/list
When you call 
serveSSE("/")
, MCP tools are served at:
https://my-mcp.workers.dev/tools/list
https://my-mcp.workers.dev/tools/call
https://my-mcp.workers.dev/resources/list
The base path is prepended to all MCP endpoints automatically.
当你调用
serveSSE("/sse")
,MCP工具的访问路径为:
https://my-mcp.workers.dev/sse/tools/list
https://my-mcp.workers.dev/sse/tools/call
https://my-mcp.workers.dev/sse/resources/list
当你调用
serveSSE("/")
,MCP工具的访问路径为:
https://my-mcp.workers.dev/tools/list
https://my-mcp.workers.dev/tools/call
https://my-mcp.workers.dev/resources/list
基础路径会自动添加到所有MCP端点前。

Request/Response Lifecycle

请求/响应生命周期

1. Client connects to: https://my-mcp.workers.dev/sse
2. Worker receives request: { url: "https://my-mcp.workers.dev/sse", ... }
3. Your fetch handler: const { pathname } = new URL(request.url)
4. pathname === "/sse" → Check passes
5. MyMCP.serveSSE("/sse").fetch() → MCP server handles request
6. Tool calls routed to: /sse/tools/call
If client connects to 
https://my-mcp.workers.dev
 (missing 
/sse
):
pathname === "/" → Check fails → 404 Not Found
1. 客户端连接到:https://my-mcp.workers.dev/sse
2. Worker接收请求:{ url: "https://my-mcp.workers.dev/sse", ... }
3. 你的fetch处理器:const { pathname } = new URL(request.url)
4. pathname === "/sse" → 检查通过
5. MyMCP.serveSSE("/sse").fetch() → MCP服务器处理请求
6. 工具调用路由到:/sse/tools/call
如果客户端连接到
https://my-mcp.workers.dev
(缺少
/sse
):
pathname === "/" → 检查失败 → 返回404 Not Found

Testing Your URL Configuration

测试你的URL配置

Step 1: Deploy your MCP server
bash
npx wrangler deploy
步骤1:部署MCP服务器
bash
npx wrangler deploy

Output: Deployed to https://my-mcp.YOUR_ACCOUNT.workers.dev

输出:Deployed to https://my-mcp.YOUR_ACCOUNT.workers.dev


**Step 2: Test the base path with curl**
```bash

**步骤2:使用curl测试基础路径**
```bash

If serving at /sse, test this URL:

如果部署在/sse路径下,测试以下URL:

curl https://my-mcp.YOUR_ACCOUNT.workers.dev/sse
curl https://my-mcp.YOUR_ACCOUNT.workers.dev/sse

Should return MCP server info (not 404)

应返回MCP服务器信息(而非404)


**Step 3: Update client config with the EXACT URL you tested**
```json
{
  "mcpServers": {
    "my-mcp": {
      "url": "https://my-mcp.YOUR_ACCOUNT.workers.dev/sse"  // Match curl URL
    }
  }
}
Step 4: Restart Claude Desktop

**步骤3:使用测试通过的精确URL更新客户端配置**
```json
{
  "mcpServers": {
    "my-mcp": {
      "url": "https://my-mcp.YOUR_ACCOUNT.workers.dev/sse"  // 与curl测试的URL完全匹配
    }
  }
}
步骤4:重启Claude Desktop

Post-Deployment Checklist

部署后检查清单

After deploying, verify:
  • curl https://worker.dev/sse
    returns MCP server info (not 404)
  • Client config URL matches deployed URL exactly
  • No typos in URL (common: 
    workes.dev
    instead of 
    workers.dev
    )
  • Using 
    https://
    (not 
    http://
    ) for deployed Workers
  • If using OAuth, redirect URI also updated
部署完成后,请验证:
  • curl https://worker.dev/sse
    返回MCP服务器信息(而非404)
  • 客户端配置URL与部署后的URL完全匹配
  • URL中无拼写错误(常见错误:
    workes.dev
    而非
    workers.dev
  • 使用
    https://
    (部署后的Workers不支持
    http://
  • 如果使用OAuth,重定向URI也已更新

Transport Selection

传输方式选择

Two transports available:
  1. SSE (Server-Sent Events) - Legacy, wide compatibility
    typescript
    MyMCP.serveSSE("/sse").fetch(request, env, ctx)
  2. Streamable HTTP - 2025 standard (recommended), single endpoint
    typescript
    MyMCP.serve("/mcp").fetch(request, env, ctx)
Support both for maximum compatibility:
typescript
export default {
  fetch(request: Request, env: Env, ctx: ExecutionContext) {
    const { pathname } = new URL(request.url);

    if (pathname.startsWith("/sse")) {
      return MyMCP.serveSSE("/sse").fetch(request, env, ctx);
    }
    if (pathname.startsWith("/mcp")) {
      return MyMCP.serve("/mcp").fetch(request, env, ctx);
    }

    return new Response("Not Found", { status: 404 });
  }
};
CRITICAL: Use 
pathname.startsWith()
to match paths correctly!
提供两种传输方式:
  1. SSE(Server-Sent Events) - 传统方式,兼容性广
    typescript
    MyMCP.serveSSE("/sse").fetch(request, env, ctx)
  2. 流式HTTP - 2025年标准(推荐使用),单端点
    typescript
    MyMCP.serve("/mcp").fetch(request, env, ctx)
同时支持两种方式以获得最大兼容性:
typescript
export default {
  fetch(request: Request, env: Env, ctx: ExecutionContext) {
    const { pathname } = new URL(request.url);

    if (pathname.startsWith("/sse")) {
      return MyMCP.serveSSE("/sse").fetch(request, env, ctx);
    }
    if (pathname.startsWith("/mcp")) {
      return MyMCP.serve("/mcp").fetch(request, env, ctx);
    }

    return new Response("Not Found", { status: 404 });
  }
};
关键注意事项:必须使用
pathname.startsWith()
来正确匹配路径!

2025 Knowledge Gaps

2025年新增功能说明

MCP Elicitation (August 2025)

MCP交互功能(2025年8月)

MCP servers can now request user input during tool execution:
typescript
// Request user input during tool execution
const result = await this.elicit({
  prompt: "Enter your API key:",
  type: "password"
});

// Interactive workflows with Durable Objects state
await this.state.storage.put("api_key", result);
Use cases: Confirmations, forms, multi-step workflows State: Preserved during agent hibernation
MCP服务器现在可在工具执行期间请求用户输入:
typescript
// 在工具执行期间请求用户输入
const result = await this.elicit({
  prompt: "请输入你的API密钥:",
  type: "password"
});

// 使用Durable Objects状态保存交互式工作流
await this.state.storage.put("api_key", result);
适用场景:确认操作、表单填写、多步骤工作流 状态:在Agent休眠期间会被保留

Code Mode (September 2025)

代码模式(2025年9月)

Agents SDK converts MCP schema → TypeScript API:
typescript
// Old: Direct tool calls
await server.callTool("get_user", { id: "123" });

// New: Type-safe generated API
const user = await api.getUser("123");
Benefits: Auto-generated doc comments, type safety, code completion
Agents SDK可将MCP Schema转换为TypeScript API:
typescript
// 旧方式:直接调用工具
await server.callTool("get_user", { id: "123" });

// 新方式:类型安全的自动生成API
const user = await api.getUser("123");
优势:自动生成文档注释、类型安全、代码补全

MCPClientManager (July 2025)

MCPClientManager(2025年7月)

New class for MCP client capabilities:
typescript
import { MCPClientManager } from "agents/mcp";

const manager = new MCPClientManager(env);
await manager.connect("https://external-mcp.com/sse");
// Auto-discovers tools, resources, prompts
// Handles reconnection, OAuth flow, hibernation
用于MCP客户端功能的新类:
typescript
import { MCPClientManager } from "agents/mcp";

const manager = new MCPClientManager(env);
await manager.connect("https://external-mcp.com/sse");
// 自动发现工具、资源、提示词
// 处理重连、OAuth流程、休眠

Task Queues & Email (August 2025)

任务队列与邮件集成(2025年8月)

typescript
// Task queues for background jobs
await this.queue.send({ task: "process_data", data });

// Email integration
async onEmail(message: Email) {
  // Process incoming email
  const response = await this.generateReply(message);
  await this.sendEmail(response);
}
typescript
// 任务队列用于后台作业
await this.queue.send({ task: "process_data", data });

// 邮件集成
async onEmail(message: Email) {
  // 处理收到的邮件
  const response = await this.generateReply(message);
  await this.sendEmail(response);
}

HTTP Streamable Transport Details (April 2025)

流式HTTP传输细节(2025年4月)

Single endpoint replaces separate connection/messaging endpoints:
typescript
// Old: Separate endpoints
/connect  // Initialize connection
/message  // Send/receive messages

// New: Single streamable endpoint
/mcp      // All communication via HTTP streaming
Benefit: Simplified architecture, better performance
单端点替代了独立的连接/消息端点:
typescript
// 旧方式:独立端点
/connect  // 初始化连接
/message  // 发送/接收消息

// 新方式:单流式端点
/mcp      // 所有通信通过HTTP流式传输完成
优势:架构简化、性能提升

Security Considerations

安全注意事项

PKCE Bypass Vulnerability (CRITICAL)

PKCE绕过漏洞(严重)

CVE: GHSA-qgp8-v765-qxx9 Severity: Critical Fixed in: @cloudflare/workers-oauth-provider@0.0.5
Problem: Earlier versions of the OAuth provider library had a critical vulnerability that completely bypassed PKCE protection, potentially allowing attackers to intercept authorization codes.
Action Required:
bash
undefined
CVE编号GHSA-qgp8-v765-qxx9 严重程度:严重 修复版本:@cloudflare/workers-oauth-provider@0.0.5及以上
问题描述:早期版本的OAuth Provider库存在严重漏洞,完全绕过了PKCE保护,可能导致攻击者拦截授权码。
修复操作
bash
undefined

Check current version

检查当前版本

npm list @cloudflare/workers-oauth-provider
npm list @cloudflare/workers-oauth-provider

Update if < 0.0.5

如果版本<0.0.5则更新

npm install @cloudflare/workers-oauth-provider@latest

**Minimum Safe Version**: `@cloudflare/workers-oauth-provider@0.0.5` or later
npm install @cloudflare/workers-oauth-provider@latest

**最低安全版本**:`@cloudflare/workers-oauth-provider@0.0.5`或更高

Token Storage Best Practices

Token存储最佳实践

Always use encrypted storage for OAuth tokens:
typescript
// ✅ GOOD: workers-oauth-provider handles encryption automatically
export default new OAuthProvider({
  kv: (env) => env.OAUTH_KV,  // Tokens stored encrypted
  // ...
});

// ❌ BAD: Storing tokens in plain text
await env.KV.put("access_token", token);  // Security risk!
User-scoped KV keys prevent data leakage between users:
typescript
// ✅ GOOD: Namespace by user ID
await env.KV.put(`user:${userId}:todos`, data);

// ❌ BAD: Global namespace
await env.KV.put(`todos`, data);  // Data visible to all users!
始终使用加密存储来保存OAuth Token:
typescript
// ✅ 推荐:workers-oauth-provider自动处理加密
export default new OAuthProvider({
  kv: (env) => env.OAUTH_KV,  // Token将被加密存储
  // ...
});

// ❌ 不推荐:明文存储Token
await env.KV.put("access_token", token);  // 存在安全风险!
按用户划分的KV键可防止用户间的数据泄露:
typescript
// ✅ 推荐:按用户ID划分命名空间
await env.KV.put(`user:${userId}:todos`, data);

// ❌ 不推荐:全局命名空间
await env.KV.put(`todos`, data);  // 所有用户都能看到数据!

Authentication Patterns

认证模式

Choose auth based on use case:
  1. No Auth - Internal tools, dev (Template: 
    remote-mcp-authless
    )
  2. Bearer Token - Custom auth (Template: 
    mcp-server-bearer-auth
    )
    typescript
    // Validate Authorization: Bearer <token>
const token = request.headers.get("Authorization")?.replace("Bearer ", "");
if (!await validateToken(token, env)) {
  return new Response("Unauthorized", { status: 401 });
}
  3. OAuth Proxy - GitHub/Google (Template: 
    remote-mcp-github-oauth
    )
    typescript
    import { OAuthProvider, GitHubHandler } from "@cloudflare/workers-oauth-provider";

export default new OAuthProvider({
  authorizeEndpoint: "/authorize",
  tokenEndpoint: "/token",
  defaultHandler: new GitHubHandler({
    clientId: (env) => env.GITHUB_CLIENT_ID,
    clientSecret: (env) => env.GITHUB_CLIENT_SECRET,
    scopes: ["repo", "user:email"]
  }),
  kv: (env) => env.OAUTH_KV,
  apiHandlers: { "/sse": MyMCP.serveSSE("/sse") }
});
    ⚠️ CRITICAL: All OAuth URLs (url, authorizationUrl, tokenUrl) must use same domain
  4. Remote OAuth with DCR - Full OAuth provider (Template: 
    remote-mcp-authkit
    )
Security levels: No Auth (⚠️) < Bearer (✅) < OAuth Proxy (✅✅) < Remote OAuth (✅✅✅)
根据使用场景选择认证方式:
  1. 无认证 - 内部工具、开发环境(模板:
    remote-mcp-authless
  2. Bearer Token - 自定义认证(模板:
    mcp-server-bearer-auth
    typescript
    // 验证Authorization: Bearer <token>
const token = request.headers.get("Authorization")?.replace("Bearer ", "");
if (!await validateToken(token, env)) {
  return new Response("Unauthorized", { status: 401 });
}
  3. OAuth代理 - GitHub/Google认证(模板:
    remote-mcp-github-oauth
    typescript
    import { OAuthProvider, GitHubHandler } from "@cloudflare/workers-oauth-provider";

export default new OAuthProvider({
  authorizeEndpoint: "/authorize",
  tokenEndpoint: "/token",
  defaultHandler: new GitHubHandler({
    clientId: (env) => env.GITHUB_CLIENT_ID,
    clientSecret: (env) => env.GITHUB_CLIENT_SECRET,
    scopes: ["repo", "user:email"]
  }),
  kv: (env) => env.OAUTH_KV,
  apiHandlers: { "/sse": MyMCP.serveSSE("/sse") }
});
    ⚠️ 关键注意事项:所有OAuth URL(url、authorizationUrl、tokenUrl)必须使用同一域名
  4. 带DCR的远程OAuth - 完整OAuth提供商(模板:
    remote-mcp-authkit
安全等级:无认证(⚠️) < Bearer Token(✅) < OAuth代理(✅✅) < 远程OAuth(✅✅✅)

Stateful MCP Servers (Durable Objects)

有状态MCP服务器(Durable Objects)

McpAgent extends Durable Objects for per-session state:
typescript
// Storage API
await this.state.storage.put("key", "value");
const value = await this.state.storage.get<string>("key");

// Required wrangler.jsonc
{
  "durable_objects": {
    "bindings": [{ "name": "MY_MCP", "class_name": "MyMCP" }]
  },
  "migrations": [{ "tag": "v1", "new_classes": ["MyMCP"] }]  // Required on first deploy!
}
Critical: Migrations required on first deployment
Cost: Durable Objects now included in free tier (2025)
McpAgent继承自Durable Objects以实现会话级状态管理:
typescript
// 存储API
await this.state.storage.put("key", "value");
const value = await this.state.storage.get<string>("key");

// 必需的wrangler.jsonc配置
{
  "durable_objects": {
    "bindings": [{ "name": "MY_MCP", "class_name": "MyMCP" }]
  },
  "migrations": [{ "tag": "v1", "new_classes": ["MyMCP"] }]  // 首次部署时必需!
}
关键注意事项:首次部署Durable Objects时必须配置迁移
成本:Durable Objects现已包含在免费套餐中(2025年更新)

Architecture: Internal vs External Transports

架构:内部与外部传输方式

Important: McpAgent uses different transports for client-facing vs internal communication.
Source: GitHub Issue #172
重要说明:McpAgent在面向客户端和内部通信时使用不同的传输方式。
来源GitHub Issue #172

Transport Architecture

传输架构

Client --- (SSE or HTTP) --> Worker --- (WebSocket) --> Durable Object
Client → Worker (External):
  • SSE transport: 
    /sse
    endpoint
  • HTTP Streamable: 
    /mcp
    endpoint
  • Client chooses transport
Worker → Durable Object (Internal):
  • Always WebSocket
  • Required by PartyServer (McpAgent's internal dependency)
  • Automatic upgrade, invisible to client
客户端 --- (SSE或HTTP) --> Worker --- (WebSocket) --> Durable Object
客户端 → Worker(外部)
  • SSE传输:
    /sse
    端点
  • 流式HTTP:
    /mcp
    端点
  • 由客户端选择传输方式
Worker → Durable Object(内部)
  • 始终使用WebSocket
  • 是PartyServer(McpAgent的内部依赖)的强制要求
  • 自动升级,对客户端不可见

What This Means

实际意义

  1. SSE clients are fully supported - External interface can be SSE
  2. WebSocket is mandatory for DO - Internal Worker-DO communication always uses WebSocket
  3. This is not a limitation - It's an implementation detail of McpAgent's architecture
  1. 完全支持SSE客户端 - 外部接口可以是SSE
  2. Durable Object强制使用WebSocket - Worker与Durable Object的内部通信始终使用WebSocket
  3. 这并非限制 - 这是McpAgent架构的实现细节

Example

示例

typescript
export default {
  fetch(request: Request, env: Env, ctx: ExecutionContext) {
    const { pathname } = new URL(request.url);

    // Client uses SSE
    if (pathname.startsWith("/sse")) {
      // ✅ Client → Worker: SSE
      // ✅ Worker → DO: WebSocket (automatic)
      return MyMCP.serveSSE("/sse").fetch(request, env, ctx);
    }

    return new Response("Not Found", { status: 404 });
  }
};
Key Takeaway: You can serve SSE to clients without worrying about the internal WebSocket requirement.
typescript
export default {
  fetch(request: Request, env: Env, ctx: ExecutionContext) {
    const { pathname } = new URL(request.url);

    // 客户端使用SSE
    if (pathname.startsWith("/sse")) {
      // ✅ 客户端 → Worker:SSE
      // ✅ Worker → DO:WebSocket(自动处理)
      return MyMCP.serveSSE("/sse").fetch(request, env, ctx);
    }

    return new Response("Not Found", { status: 404 });
  }
};
核心结论:你可以为客户端提供SSE服务,无需担心内部WebSocket的强制要求。

Common Patterns

常见模式

Tool Return Format (CRITICAL)

工具返回格式(关键)

Source: Stytch Blog - Building MCP Server with OAuth
All MCP tools must return this exact format:
typescript
this.server.tool(
  "my_tool",
  { /* schema */ },
  async (params) => {
    // ✅ CORRECT: Return object with content array
    return {
      content: [
        { type: "text", text: "Your result here" }
      ]
    };

    // ❌ WRONG: Raw string
    return "Your result here";

    // ❌ WRONG: Plain object
    return { result: "Your result here" };
  }
);
Common mistake: Returning raw strings or plain objects instead of proper MCP content format. This causes client parsing errors.
来源Stytch博客 - 使用OAuth构建MCP服务器
所有MCP工具必须返回以下精确格式:
typescript
this.server.tool(
  "my_tool",
  { /* schema */ },
  async (params) => {
    // ✅ 正确:返回包含content数组的对象
    return {
      content: [
        { type: "text", text: "你的结果内容" }
      ]
    };

    // ❌ 错误:直接返回字符串
    return "你的结果内容";

    // ❌ 错误:返回普通对象
    return { result: "你的结果内容" };
  }
);
常见错误:返回原始字符串或普通对象,而非标准MCP内容格式,这会导致客户端解析错误。

Conditional Tool Registration

条件式工具注册

Source: Cloudflare Blog - Building AI Agents
Dynamically add tools based on authenticated user:
typescript
export class MyMCP extends McpAgent<Env> {
  async init() {
    this.server = new McpServer({ name: "My MCP" });

    // Base tools for all users
    this.server.tool("public_tool", { /* schema */ }, async (params) => {
      // Available to everyone
    });

    // Conditional tools based on user
    const userId = this.props?.userId;
    if (await this.isAdmin(userId)) {
      this.server.tool("admin_tool", { /* schema */ }, async (params) => {
        // Only available to admins
      });
    }

    // Premium features
    if (await this.isPremiumUser(userId)) {
      this.server.tool("premium_feature", { /* schema */ }, async (params) => {
        // Only for premium users
      });
    }
  }

  private async isAdmin(userId?: string): Promise<boolean> {
    if (!userId) return false;
    const userRole = await this.state.storage.get<string>(`user:${userId}:role`);
    return userRole === "admin";
  }
}
Use cases:
  • Feature flags per user
  • Premium vs free tier tools
  • Role-based access control (RBAC)
  • A/B testing new tools
来源Cloudflare博客 - 构建AI Agent
根据认证用户动态添加工具:
typescript
export class MyMCP extends McpAgent<Env> {
  async init() {
    this.server = new McpServer({ name: "My MCP" });

    // 所有用户都能使用的基础工具
    this.server.tool("public_tool", { /* schema */ }, async (params) => {
      // 对所有用户可见
    });

    // 根据用户角色条件注册工具
    const userId = this.props?.userId;
    if (await this.isAdmin(userId)) {
      this.server.tool("admin_tool", { /* schema */ }, async (params) => {
        // 仅管理员可见
      });
    }

    // 高级功能
    if (await this.isPremiumUser(userId)) {
      this.server.tool("premium_feature", { /* schema */ }, async (params) => {
        // 仅付费用户可见
      });
    }
  }

  private async isAdmin(userId?: string): Promise<boolean> {
    if (!userId) return false;
    const userRole = await this.state.storage.get<string>(`user:${userId}:role`);
    return userRole === "admin";
  }
}
适用场景
  • 按用户划分功能开关
  • 付费与免费版工具区分
  • 基于角色的访问控制(RBAC)
  • 工具的A/B测试

Caching with DO Storage

使用DO存储实现缓存

typescript
async getCached<T>(key: string, ttlMs: number, fetchFn: () => Promise<T>): Promise<T> {
  const cached = await this.state.storage.get<{ data: T, timestamp: number }>(key);
  if (cached && Date.now() - cached.timestamp < ttlMs) {
    return cached.data;
  }
  const data = await fetchFn();
  await this.state.storage.put(key, { data, timestamp: Date.now() });
  return data;
}
typescript
async getCached<T>(key: string, ttlMs: number, fetchFn: () => Promise<T>): Promise<T> {
  const cached = await this.state.storage.get<{ data: T, timestamp: number }>(key);
  if (cached && Date.now() - cached.timestamp < ttlMs) {
    return cached.data;
  }
  const data = await fetchFn();
  await this.state.storage.put(key, { data, timestamp: Date.now() });
  return data;
}

Rate Limiting

速率限制

typescript
async rateLimit(key: string, maxRequests: number, windowMs: number): Promise<boolean> {
  const requests = await this.state.storage.get<number[]>(`ratelimit:${key}`) || [];
  const recentRequests = requests.filter(ts => Date.now() - ts < windowMs);
  if (recentRequests.length >= maxRequests) return false;
  recentRequests.push(Date.now());
  await this.state.storage.put(`ratelimit:${key}`, recentRequests);
  return true;
}
typescript
async rateLimit(key: string, maxRequests: number, windowMs: number): Promise<boolean> {
  const requests = await this.state.storage.get<number[]>(`ratelimit:${key}`) || [];
  const recentRequests = requests.filter(ts => Date.now() - ts < windowMs);
  if (recentRequests.length >= maxRequests) return false;
  recentRequests.push(Date.now());
  await this.state.storage.put(`ratelimit:${key}`, recentRequests);
  return true;
}

24 Known Errors (With Solutions)

24种已知错误及解决方案

1. McpAgent Class Not Exported

1. McpAgent类未导出

Error: 
TypeError: Cannot read properties of undefined (reading 'serve')
Cause: Forgot to export McpAgent class
Solution:
typescript
export class MyMCP extends McpAgent { ... }  // ✅ Must export
export default { fetch() { ... } }
错误信息
TypeError: Cannot read properties of undefined (reading 'serve')
原因:忘记导出McpAgent类
解决方案
typescript
export class MyMCP extends McpAgent { ... }  // ✅ 必须导出
export default { fetch() { ... } }

2. Base Path Configuration Mismatch (Most Common!)

2. 基础路径配置不匹配(最常见!)

Error: 
404 Not Found
or 
Connection failed
Cause: 
serveSSE("/sse")
but client configured with 
https://worker.dev
(missing 
/sse
)
Solution: Match base paths exactly
typescript
// Server serves at /sse
MyMCP.serveSSE("/sse").fetch(...)

// Client MUST include /sse
{ "url": "https://worker.dev/sse" }  // ✅ Correct
{ "url": "https://worker.dev" }      // ❌ Wrong - 404
Debug steps:
  1. Check what path your server uses: 
    serveSSE("/sse")
    vs 
    serveSSE("/")
  2. Test with curl: 
    curl https://worker.dev/sse
  3. Update client config to match curl URL
错误信息
404 Not Found
Connection failed
原因:服务器使用
serveSSE("/sse")
但客户端配置的URL为
https://worker.dev
(缺少
/sse
解决方案:确保基础路径完全匹配
typescript
// 服务器部署在/sse路径
MyMCP.serveSSE("/sse").fetch(...)

// 客户端URL必须包含/sse
{ "url": "https://worker.dev/sse" }  // ✅ 正确
{ "url": "https://worker.dev" }      // ❌ 错误 - 返回404
调试步骤
  1. 检查服务器使用的路径:
    serveSSE("/sse")
    还是
    serveSSE("/")
  2. 使用curl测试:
    curl https://worker.dev/sse
  3. 更新客户端配置以匹配curl测试的URL

3. Transport Type Confusion

3. 传输类型混淆

Error: 
Connection failed: Unexpected response format
Cause: Client expects SSE but connects to HTTP endpoint (or vice versa)
Solution: Match transport types
typescript
// SSE transport
MyMCP.serveSSE("/sse")  // Client URL: https://worker.dev/sse

// HTTP transport
MyMCP.serve("/mcp")     // Client URL: https://worker.dev/mcp
Best practice: Support both transports (see Transport Selection Guide)
错误信息
Connection failed: Unexpected response format
原因:客户端期望SSE但连接到了HTTP端点(反之亦然)
解决方案:匹配传输类型
typescript
// SSE传输
MyMCP.serveSSE("/sse")  // 客户端URL:https://worker.dev/sse

// HTTP传输
MyMCP.serve("/mcp")     // 客户端URL:https://worker.dev/mcp
最佳实践:同时支持两种传输方式(请参考「传输方式选择」指南)

4. pathname.startsWith() Logic Error

4. pathname.startsWith()逻辑错误

Error: Both 
/sse
and 
/mcp
routes fail or conflict
Cause: Incorrect path matching logic
Solution: Use 
startsWith()
correctly
typescript
// ✅ CORRECT
if (pathname.startsWith("/sse")) {
  return MyMCP.serveSSE("/sse").fetch(...);
}
if (pathname.startsWith("/mcp")) {
  return MyMCP.serve("/mcp").fetch(...);
}

// ❌ WRONG: Exact match breaks sub-paths
if (pathname === "/sse") {  // Breaks /sse/tools/list
  return MyMCP.serveSSE("/sse").fetch(...);
}
错误信息
/sse
/mcp
路由均失败或冲突
原因:路径匹配逻辑错误
解决方案:正确使用
startsWith()
typescript
// ✅ 正确
if (pathname.startsWith("/sse")) {
  return MyMCP.serveSSE("/sse").fetch(...);
}
if (pathname.startsWith("/mcp")) {
  return MyMCP.serve("/mcp").fetch(...);
}

// ❌ 错误:精确匹配会破坏子路径
if (pathname === "/sse") {  // 会导致/sse/tools/list无法访问
  return MyMCP.serveSSE("/sse").fetch(...);
}

5. Local vs Deployed URL Mismatch

5. 本地与部署后URL不匹配

Error: Works in dev, fails after deployment
Cause: Client still configured with localhost URL
Solution: Update client config after deployment
json
// Development
{ "url": "http://localhost:8788/sse" }

// ⚠️ MUST UPDATE after npx wrangler deploy
{ "url": "https://my-mcp.YOUR_ACCOUNT.workers.dev/sse" }
Post-deployment checklist:
  • Run 
    npx wrangler deploy
    and note output URL
  • Update client config with deployed URL
  • Test with curl
  • Restart Claude Desktop
错误信息:开发环境正常,部署后失败
原因:客户端仍配置为本地localhost URL
解决方案:部署后更新客户端配置
json
// 开发环境
{ "url": "http://localhost:8788/sse" }

// ⚠️ 执行npx wrangler deploy后必须更新
{ "url": "https://my-mcp.YOUR_ACCOUNT.workers.dev/sse" }
部署后检查清单
  • 执行
    npx wrangler deploy
    并记录输出的URL
  • 使用部署后的URL更新客户端配置
  • 使用curl测试
  • 重启Claude Desktop

6. OAuth Redirect URI Mismatch

6. OAuth重定向URI不匹配

Error: 
OAuth error: redirect_uri does not match
Cause: OAuth redirect URI doesn't match deployed URL
Solution: Update ALL OAuth URLs after deployment
json
{
  "url": "https://my-mcp.YOUR_ACCOUNT.workers.dev/sse",
  "auth": {
    "type": "oauth",
    "authorizationUrl": "https://my-mcp.YOUR_ACCOUNT.workers.dev/authorize",  // Must match deployed domain
    "tokenUrl": "https://my-mcp.YOUR_ACCOUNT.workers.dev/token"
  }
}
CRITICAL: All URLs must use the same protocol and domain!
错误信息
OAuth error: redirect_uri does not match
原因:OAuth重定向URI与部署后的URL不匹配
解决方案:部署后更新所有OAuth URL
json
{
  "url": "https://my-mcp.YOUR_ACCOUNT.workers.dev/sse",
  "auth": {
    "type": "oauth",
    "authorizationUrl": "https://my-mcp.YOUR_ACCOUNT.workers.dev/authorize",  // 必须与部署后的域名匹配
    "tokenUrl": "https://my-mcp.YOUR_ACCOUNT.workers.dev/token"
  }
}
关键注意事项:所有URL必须使用相同的协议和域名!

7. Missing OPTIONS Handler (CORS Preflight)

7. 缺少OPTIONS处理器(CORS预检)

Error: 
Access to fetch at '...' blocked by CORS policy
or 
Method Not Allowed
Cause: Browser clients send OPTIONS requests for CORS preflight, but server doesn't handle them
Solution: Add OPTIONS handler
typescript
export default {
  fetch(request: Request, env: Env, ctx: ExecutionContext) {
    // Handle CORS preflight
    if (request.method === "OPTIONS") {
      return new Response(null, {
        status: 204,
        headers: {
          "Access-Control-Allow-Origin": "*",
          "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
          "Access-Control-Allow-Headers": "Content-Type, Authorization",
          "Access-Control-Max-Age": "86400"
        }
      });
    }

    // ... rest of your fetch handler
  }
};
When needed: Browser-based MCP clients (like MCP Inspector in browser)
错误信息
Access to fetch at '...' blocked by CORS policy
Method Not Allowed
原因:浏览器客户端会发送OPTIONS请求进行CORS预检,但服务器未处理该请求
解决方案:添加OPTIONS处理器
typescript
export default {
  fetch(request: Request, env: Env, ctx: ExecutionContext) {
    // 处理CORS预检
    if (request.method === "OPTIONS") {
      return new Response(null, {
        status: 204,
        headers: {
          "Access-Control-Allow-Origin": "*",
          "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
          "Access-Control-Allow-Headers": "Content-Type, Authorization",
          "Access-Control-Max-Age": "86400"
        }
      });
    }

    // ... 其余的fetch处理器逻辑
  }
};
适用场景:基于浏览器的MCP客户端(如浏览器版MCP Inspector)

8. Request Body Validation Missing

8. 缺少请求体验证

Error: 
TypeError: Cannot read properties of undefined
or 
Unexpected token
in JSON parsing
Cause: Client sends malformed JSON, server doesn't validate before parsing
Solution: Wrap request handling in try/catch
typescript
export default {
  async fetch(request: Request, env: Env, ctx: ExecutionContext) {
    try {
      // Your MCP server logic
      return await MyMCP.serveSSE("/sse").fetch(request, env, ctx);
    } catch (error) {
      console.error("Request handling error:", error);
      return new Response(
        JSON.stringify({
          error: "Invalid request",
          details: error.message
        }),
        {
          status: 400,
          headers: { "Content-Type": "application/json" }
        }
      );
    }
  }
};
错误信息
TypeError: Cannot read properties of undefined
或JSON解析时出现
Unexpected token
原因:客户端发送了格式错误的JSON,服务器未在解析前进行验证
解决方案:将请求处理逻辑包裹在try/catch中
typescript
export default {
  async fetch(request: Request, env: Env, ctx: ExecutionContext) {
    try {
      // 你的MCP服务器逻辑
      return await MyMCP.serveSSE("/sse").fetch(request, env, ctx);
    } catch (error) {
      console.error("请求处理错误:", error);
      return new Response(
        JSON.stringify({
          error: "无效请求",
          details: error.message
        }),
        {
          status: 400,
          headers: { "Content-Type": "application/json" }
        }
      );
    }
  }
};

9. Environment Variable Validation Missing

9. 缺少环境变量验证

Error: 
TypeError: env.API_KEY is undefined
or silent failures (tools return empty data)
Cause: Required environment variables not configured or missing at runtime
Solution: Add startup validation
typescript
export class MyMCP extends McpAgent<Env> {
  async init() {
    // Validate required environment variables
    if (!this.env.API_KEY) {
      throw new Error("API_KEY environment variable not configured");
    }
    if (!this.env.DATABASE_URL) {
      throw new Error("DATABASE_URL environment variable not configured");
    }

    // Continue with tool registration
    this.server.tool(...);
  }
}
Configuration checklist:
  • Development: Add to 
    .dev.vars
    (local only, gitignored)
  • Production: Add to 
    wrangler.jsonc
    vars
    (public) or use 
    wrangler secret
    (sensitive)
Best practices:
bash
undefined
错误信息
TypeError: env.API_KEY is undefined
或静默失败(工具返回空数据)
原因:必需的环境变量未配置或运行时缺失
解决方案:添加启动时验证
typescript
export class MyMCP extends McpAgent<Env> {
  async init() {
    // 验证必需的环境变量
    if (!this.env.API_KEY) {
      throw new Error("未配置API_KEY环境变量");
    }
    if (!this.env.DATABASE_URL) {
      throw new Error("未配置DATABASE_URL环境变量");
    }

    // 继续注册工具
    this.server.tool(...);
  }
}
配置检查清单
  • 开发环境:添加到
    .dev.vars
    (仅本地使用,已加入git忽略)
  • 生产环境:添加到
    wrangler.jsonc
    vars
    (公开配置)或使用
    wrangler secret
    (敏感信息)
最佳实践
bash
undefined

.dev.vars (local development, gitignored)

.dev.vars(本地开发,git忽略)

API_KEY=dev-key-123 DATABASE_URL=http://localhost:3000
API_KEY=dev-key-123 DATABASE_URL=http://localhost:3000

wrangler.jsonc (public config)

wrangler.jsonc(公开配置)

{ "vars": { "ENVIRONMENT": "production", "LOG_LEVEL": "info" } }
{ "vars": { "ENVIRONMENT": "production", "LOG_LEVEL": "info" } }

wrangler secret (production secrets)

wrangler secret(生产环境敏感信息)

npx wrangler secret put API_KEY npx wrangler secret put DATABASE_URL

---
npx wrangler secret put API_KEY npx wrangler secret put DATABASE_URL

---

10. McpAgent vs McpServer Confusion

10. McpAgent与McpServer混淆

Error: 
TypeError: server.registerTool is not a function
or 
this.server is undefined
Cause: Trying to use standalone SDK patterns with McpAgent class
Solution: Use McpAgent's 
this.server.tool()
pattern
typescript
// ❌ WRONG: Mixing standalone SDK with McpAgent
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";

const server = new McpServer({ name: "My Server" });
server.registerTool(...);  // Not compatible with McpAgent!

export class MyMCP extends McpAgent { /* no server property */ }

// ✅ CORRECT: McpAgent pattern
export class MyMCP extends McpAgent<Env> {
  server = new McpServer({
    name: "My MCP Server",
    version: "1.0.0"
  });

  async init() {
    this.server.tool("tool_name", ...);  // Use this.server
  }
}
Key difference: McpAgent provides 
this.server
property, standalone SDK doesn't.
错误信息
TypeError: server.registerTool is not a function
this.server is undefined
原因:尝试将独立SDK的模式与McpAgent类一起使用
解决方案:使用McpAgent的
this.server.tool()
模式
typescript
// ❌ 错误:将独立SDK与McpAgent混合使用
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";

const server = new McpServer({ name: "My Server" });
server.registerTool(...);  // 与McpAgent不兼容!

export class MyMCP extends McpAgent { /* 无server属性 */ }

// ✅ 正确:McpAgent模式
export class MyMCP extends McpAgent<Env> {
  server = new McpServer({
    name: "My MCP Server",
    version: "1.0.0"
  });

  async init() {
    this.server.tool("tool_name", ...);  // 使用this.server
  }
}
核心区别:McpAgent提供
this.server
属性,而独立SDK不提供。

11. WebSocket Hibernation State Loss

11. WebSocket休眠时状态丢失

Error: Tool calls fail after reconnect with "state not found"
Cause: In-memory state cleared on hibernation
Solution: Use 
this.state.storage
instead of instance properties
typescript
// ❌ DON'T: Lost on hibernation
this.userId = "123";

// ✅ DO: Persists through hibernation
await this.state.storage.put("userId", "123");
错误信息:重连后工具调用失败,提示"state not found"
原因:内存中的状态在休眠时被清除
解决方案:使用
this.state.storage
而非实例属性
typescript
// ❌ 不推荐:休眠时会丢失
this.userId = "123";

// ✅ 推荐:休眠时会保留
await this.state.storage.put("userId", "123");

12. Durable Objects Binding Missing

12. 缺少Durable Objects绑定

Error: 
TypeError: Cannot read properties of undefined (reading 'idFromName')
Cause: Forgot DO binding in wrangler.jsonc
Solution: Add binding (see Stateful MCP Servers section)
jsonc
{
  "durable_objects": {
    "bindings": [
      {
        "name": "MY_MCP",
        "class_name": "MyMCP",
        "script_name": "my-mcp-server"
      }
    ]
  }
}
错误信息
TypeError: Cannot read properties of undefined (reading 'idFromName')
原因:忘记在wrangler.jsonc中配置DO绑定
解决方案:添加绑定(请参考「有状态MCP服务器」部分)
jsonc
{
  "durable_objects": {
    "bindings": [
      {
        "name": "MY_MCP",
        "class_name": "MyMCP",
        "script_name": "my-mcp-server"
      }
    ]
  }
}

13. Migration Not Defined

13. 未定义迁移

Error: 
Error: Durable Object class MyMCP has no migration defined
Cause: First DO deployment requires migration
Solution:
jsonc
{
  "migrations": [
    { "tag": "v1", "new_classes": ["MyMCP"] }
  ]
}
错误信息
Error: Durable Object class MyMCP has no migration defined
原因:首次部署Durable Objects时必须配置迁移
解决方案
jsonc
{
  "migrations": [
    { "tag": "v1", "new_classes": ["MyMCP"] }
  ]
}

14. serializeAttachment() Not Used

14. 未使用serializeAttachment()

Error: WebSocket metadata lost on hibernation wake
Cause: Not using 
serializeAttachment()
to preserve connection metadata
Solution: See WebSocket Hibernation section
错误信息:WebSocket元数据在休眠唤醒后丢失
原因:未使用
serializeAttachment()
保存连接元数据
解决方案:请参考WebSocket休眠部分

15. OAuth Consent Screen Disabled

15. OAuth同意屏幕被禁用

Security risk: Users don't see what permissions they're granting
Cause: 
allowConsentScreen: false
in production
Solution: Always enable in production
typescript
export default new OAuthProvider({
  allowConsentScreen: true,  // ✅ Always true in production
  // ...
});
安全风险:用户无法看到正在授予的权限
原因:生产环境中设置了
allowConsentScreen: false
解决方案:生产环境中始终启用
typescript
export default new OAuthProvider({
  allowConsentScreen: true,  // ✅ 生产环境中必须设为true
  // ...
});

16. JWT Signing Key Missing

16. 缺少JWT签名密钥

Error: 
Error: JWT_SIGNING_KEY environment variable not set
Cause: OAuth Provider requires signing key for tokens
Solution:
bash
undefined
错误信息
Error: JWT_SIGNING_KEY environment variable not set
原因:OAuth Provider需要签名密钥来生成Token
解决方案
bash
undefined

Generate secure key

生成安全密钥

openssl rand -base64 32
openssl rand -base64 32

Add to wrangler secret

添加到wrangler secret

npx wrangler secret put JWT_SIGNING_KEY

---
npx wrangler secret put JWT_SIGNING_KEY

---

17. Tool Schema Validation Error

17. 工具Schema验证错误

Error: 
ZodError: Invalid input type
Cause: Client sends string, schema expects number (or vice versa)
Solution: Use Zod transforms
typescript
// Accept string, convert to number
param: z.string().transform(val => parseInt(val, 10))

// Or: Accept both types
param: z.union([z.string(), z.number()]).transform(val =>
  typeof val === "string" ? parseInt(val, 10) : val
)
错误信息
ZodError: Invalid input type
原因:客户端发送字符串,但Schema期望数字(反之亦然)
解决方案:使用Zod转换
typescript
// 接受字符串,转换为数字
param: z.string().transform(val => parseInt(val, 10))

// 或者:同时接受两种类型
param: z.union([z.string(), z.number()]).transform(val =>
  typeof val === "string" ? parseInt(val, 10) : val
)

18. Multiple Transport Endpoints Conflicting

18. 多个传输端点冲突

Error: 
/sse
returns 404 after adding 
/mcp
Cause: Incorrect path matching (missing 
startsWith()
)
Solution: Use 
startsWith()
or exact matches correctly (see Error #4)
错误信息:添加
/mcp
/sse
返回404
原因:路径匹配错误(未使用
startsWith()
解决方案:正确使用
startsWith()
或精确匹配(请参考错误#4)

19. Local Testing with Miniflare Limitations

19. 使用Miniflare进行本地测试的限制

Error: OAuth flow fails in local dev, or Durable Objects behave differently
Cause: Miniflare doesn't support all DO features
Solution: Use 
npx wrangler dev --remote
for full DO support
bash
undefined
错误信息:本地开发中OAuth流程失败,或Durable Objects行为异常
原因:Miniflare不支持所有DO功能
解决方案:使用
npx wrangler dev --remote
以获得完整的DO支持
bash
undefined

Local simulation (faster but limited)

本地模拟(速度快但功能有限)

npm run dev
npm run dev

Remote DOs (slower but accurate)

远程DO(速度慢但准确)

npx wrangler dev --remote

---
npx wrangler dev --remote

---

20. Client Configuration Format Error

20. 客户端配置格式错误

Error: Claude Desktop doesn't recognize server
Cause: Wrong JSON format in 
claude_desktop_config.json
Solution: See "Connect Claude Desktop" section for correct format
Common mistakes:
json
// ❌ WRONG: Missing "mcpServers" wrapper
{
  "my-mcp": {
    "url": "https://worker.dev/sse"
  }
}

// ❌ WRONG: Trailing comma
{
  "mcpServers": {
    "my-mcp": {
      "url": "https://worker.dev/sse",  // ← Remove comma
    }
  }
}

// ✅ CORRECT
{
  "mcpServers": {
    "my-mcp": {
      "url": "https://worker.dev/sse"
    }
  }
}
错误信息:Claude Desktop无法识别服务器
原因
claude_desktop_config.json
中的JSON格式错误
解决方案:请参考「连接Claude Desktop」部分获取正确格式
常见错误
json
// ❌ 错误:缺少"mcpServers"外层
{
  "my-mcp": {
    "url": "https://worker.dev/sse"
  }
}

// ❌ 错误:多余的尾随逗号
{
  "mcpServers": {
    "my-mcp": {
      "url": "https://worker.dev/sse",  // ← 移除逗号
    }
  }
}

// ✅ 正确
{
  "mcpServers": {
    "my-mcp": {
      "url": "https://worker.dev/sse"
    }
  }
}

21. Health Check Endpoint Missing

21. 缺少健康检查端点

Issue: Can't tell if Worker is running or if URL is correct
Impact: Debugging connection issues takes longer
Solution: Add health check endpoint (see Transport Selection Guide)
Test:
bash
curl https://my-mcp.workers.dev/health
问题:无法判断Worker是否在运行或URL是否正确
影响:排查连接问题的时间变长
解决方案:添加健康检查端点(请参考传输方式选择指南)
测试
bash
curl https://my-mcp.workers.dev/health

Should return: {"status":"ok","transports":{...}}

应返回:{"status":"ok","transports":{...}}


---

---

22. CORS Headers Missing

22. 缺少CORS头

Error: 
Access to fetch at '...' blocked by CORS policy
Cause: MCP server doesn't return CORS headers for cross-origin requests
Solution: Add CORS headers to all responses
typescript
// Manual CORS (if not using OAuthProvider)
const corsHeaders = {
  "Access-Control-Allow-Origin": "*",  // Or specific origin
  "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
  "Access-Control-Allow-Headers": "Content-Type, Authorization"
};

// Add to responses
return new Response(body, {
  headers: {
    ...corsHeaders,
    "Content-Type": "application/json"
  }
});
Note: OAuthProvider handles CORS automatically!
错误信息
Access to fetch at '...' blocked by CORS policy
原因:MCP服务器未为跨域请求返回CORS头
解决方案:为所有响应添加CORS头
typescript
// 手动添加CORS(如果未使用OAuthProvider)
const corsHeaders = {
  "Access-Control-Allow-Origin": "*",  // 或指定特定域名
  "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
  "Access-Control-Allow-Headers": "Content-Type, Authorization"
};

// 添加到响应中
return new Response(body, {
  headers: {
    ...corsHeaders,
    "Content-Type": "application/json"
  }
});
注意:OAuthProvider会自动处理CORS!

23. IoContext Timeout During MCP Initialization

23. MCP初始化期间IoContext超时

Error: 
IoContext timed out due to inactivity, waitUntil tasks were cancelled
Source: GitHub Issue #640
Cause: When implementing MCP servers using 
McpAgent
with custom Bearer authentication, the IoContext times out during the MCP protocol initialization handshake (before any tools are called).
Symptoms:
  • Timeout occurs before any tools are called
  • ~2 minute gap between initial request and agent initialization
  • Internal methods work (setInitializeRequest, getInitializeRequest, updateProps)
  • Both GET and POST to 
    /mcp
    are canceled
  • Error: "IoContext timed out due to inactivity, waitUntil tasks were cancelled"
Affected Code Pattern:
typescript
// Custom Bearer auth without OAuthProvider wrapper
export default {
  fetch: async (req, env, ctx) => {
    const authHeader = req.headers.get("Authorization");
    if (!authHeader?.startsWith("Bearer ")) {
      return new Response("Unauthorized", { status: 401 });
    }

    if (url.pathname === "/sse") {
      return MyMCP.serveSSE("/sse")(req, env, ctx);  // ← Timeout here
    }
    return new Response("Not found", { status: 404 });
  }
};
Root Cause Hypothesis:
  • May require 
    OAuthProvider
    wrapper even for custom Bearer auth
  • Possible missing timeout configuration for Durable Object IoContext
  • May need 
    CloudflareMCPServer
    instead of standard 
    McpServer
Workaround: Use official templates with OAuthProvider pattern instead of custom Bearer auth:
typescript
// Use OAuthProvider wrapper (recommended)
import { OAuthProvider } from "@cloudflare/workers-oauth-provider";

export default new OAuthProvider({
  authorizeEndpoint: "/authorize",
  tokenEndpoint: "/token",
  // ... OAuth config
  apiHandlers: { "/sse": MyMCP.serveSSE("/sse") }
});
Status: Investigation ongoing (issue open as of 2026-01-21)
错误信息
IoContext timed out due to inactivity, waitUntil tasks were cancelled
来源GitHub Issue #640
原因:当使用
McpAgent
结合自定义Bearer认证实现MCP服务器时,IoContext会在MCP协议初始化握手期间超时(在调用任何工具之前)。
症状
  • 超时发生在调用任何工具之前
  • 初始请求与Agent初始化之间有约2分钟的间隔
  • 内部方法正常工作(setInitializeRequest、getInitializeRequest、updateProps)
  • /mcp
    的GET和POST请求均被取消
  • 错误信息:"IoContext timed out due to inactivity, waitUntil tasks were cancelled"
受影响的代码模式
typescript
// 未使用OAuthProvider包装的自定义Bearer认证
export default {
  fetch: async (req, env, ctx) => {
    const authHeader = req.headers.get("Authorization");
    if (!authHeader?.startsWith("Bearer ")) {
      return new Response("Unauthorized", { status: 401 });
    }

    if (url.pathname === "/sse") {
      return MyMCP.serveSSE("/sse")(req, env, ctx);  // ← 此处超时
    }
    return new Response("Not found", { status: 404 });
  }
};
根本原因假设
  • 即使使用自定义Bearer认证,也可能需要
    OAuthProvider
    包装
  • 可能缺少Durable Object IoContext的超时配置
  • 可能需要使用
    CloudflareMCPServer
    而非标准
    McpServer
临时解决方案:使用官方模板中的OAuthProvider模式,而非自定义Bearer认证:
typescript
// 使用OAuthProvider包装(推荐)
import { OAuthProvider } from "@cloudflare/workers-oauth-provider";

export default new OAuthProvider({
  authorizeEndpoint: "/authorize",
  tokenEndpoint: "/token",
  // ... OAuth配置
  apiHandlers: { "/sse": MyMCP.serveSSE("/sse") }
});
状态:调查中(截至2026-01-21问题仍未关闭)

24. OAuth Remote Connection Failures

24. OAuth远程连接失败

Error: Connection to remote MCP server fails when using OAuth (works locally but fails when deployed)
Source: GitHub Issue #444
Cause: When deploying MCP client from Cloudflare Agents repository to Workers, client fails to connect to MCP servers secured with OAuth.
Symptoms:
  • Works perfectly in local development
  • Fails after deployment to Workers
  • OAuth handshake never completes
  • Client can't establish connection
Troubleshooting Steps:
  1. Verify OAuth tokens are handled correctly during remote connection attempts
    typescript
    // Check token is being passed to remote server
console.log("Connecting with token:", token ? "present" : "missing");
  2. Check network permissions to access OAuth provider
    typescript
    // Ensure Worker can reach OAuth endpoints
const response = await fetch("https://oauth-provider.com/token");
  3. Verify CORS configuration on OAuth provider
    typescript
    // OAuth provider must allow Worker origin
headers: {
  "Access-Control-Allow-Origin": "https://your-worker.workers.dev",
  "Access-Control-Allow-Methods": "POST, OPTIONS",
  "Access-Control-Allow-Headers": "Content-Type, Authorization"
}
  4. Check redirect URIs match deployed URLs
    json
    {
  "url": "https://mcp.workers.dev/sse",
  "auth": {
    "authorizationUrl": "https://mcp.workers.dev/authorize",  // Must match deployed domain
    "tokenUrl": "https://mcp.workers.dev/token"
  }
}
Deployment Checklist:
  • All OAuth URLs use deployed domain (not localhost)
  • CORS headers configured on OAuth provider
  • Network requests to OAuth provider allowed in Worker
  • Redirect URIs registered with OAuth provider
  • Environment variables set in production (
    wrangler secret
    )
Related: Issue #640 (both involve OAuth/auth in remote deployments)
错误信息:使用OAuth时无法连接到远程MCP服务器(本地正常但部署后失败)
来源GitHub Issue #444
原因:将Cloudflare Agents仓库中的MCP客户端部署到Workers后,客户端无法连接到受OAuth保护的MCP服务器。
症状
  • 本地开发中完全正常
  • 部署到Workers后失败
  • OAuth握手从未完成
  • 客户端无法建立连接
排查步骤
  1. 验证OAuth Token在远程连接尝试中是否被正确处理
    typescript
    // 检查Token是否被传递到远程服务器
console.log("使用Token连接:", token ? "已提供" : "缺失");
  2. 检查网络权限以访问OAuth提供商
    typescript
    // 确保Worker可以访问OAuth端点
const response = await fetch("https://oauth-provider.com/token");
  3. 验证OAuth提供商的CORS配置
    typescript
    // OAuth提供商必须允许Worker的源
headers: {
  "Access-Control-Allow-Origin": "https://your-worker.workers.dev",
  "Access-Control-Allow-Methods": "POST, OPTIONS",
  "Access-Control-Allow-Headers": "Content-Type, Authorization"
}
  4. 验证重定向URI与部署后的URL匹配
    json
    {
  "url": "https://mcp.workers.dev/sse",
  "auth": {
    "authorizationUrl": "https://mcp.workers.dev/authorize",  // 必须与部署后的域名匹配
    "tokenUrl": "https://mcp.workers.dev/token"
  }
}
部署检查清单
  • 所有OAuth URL使用部署后的域名(而非localhost)
  • OAuth提供商已配置CORS头
  • Worker允许向OAuth提供商发起网络请求
  • 重定向URI已在OAuth提供商处注册
  • 生产环境中已设置环境变量(使用
    wrangler secret
相关问题:Issue #640(均涉及远程部署中的OAuth/认证问题)

Testing & Deployment

测试与部署

bash
undefined
bash
undefined

Local dev

本地开发

npm run dev # Miniflare (fast) npx wrangler dev --remote # Remote DOs (accurate)
npm run dev # Miniflare(速度快) npx wrangler dev --remote # 远程DO(准确)

Test with MCP Inspector

使用MCP Inspector测试

npx @modelcontextprotocol/inspector@latest
npx @modelcontextprotocol/inspector@latest

Open http://localhost:5173, enter http://localhost:8788/sse

打开http://localhost:5173,输入http://localhost:8788/sse

Deploy

部署

npx wrangler login # First time only npx wrangler deploy
npx wrangler login # 首次部署时需要 npx wrangler deploy

⚠️ CRITICAL: Update client config with deployed URL!

⚠️ 关键:使用部署后的URL更新客户端配置!

Monitor logs

监控日志

npx wrangler tail

---
npx wrangler tail

---

Official Documentation

官方文档

Package Versions: @modelcontextprotocol/sdk@1.25.3, @cloudflare/workers-oauth-provider@0.2.2, agents@0.3.6 Last Verified: 2026-01-21 Errors Prevented: 24 documented issues (100% prevention rate) Skill Version: 3.1.0 | Changes: Added IoContext timeout (#23), OAuth remote failures (#24), Security section (PKCE vulnerability), Architecture clarification (internal WebSocket), Tool return format pattern, Conditional tool registration
包版本:@modelcontextprotocol/sdk@1.25.3, @cloudflare/workers-oauth-provider@0.2.2, agents@0.3.6 最后验证日期:2026-01-21 已避免错误数量:24种已记录问题(100%避免率) 技能版本:3.1.0 | 更新内容:新增IoContext超时(#23)、OAuth远程连接失败(#24)、安全章节(PKCE漏洞)、架构说明(内部WebSocket)、工具返回格式模式、条件式工具注册