MCP tunnels

MCP tunnels let you connect Claude to Model Context Protocol (MCP) servers that run inside your private network. Traffic flows over an outbound-only connection, so you don't need to open inbound firewall ports, expose services to the public internet, or allowlist Anthropic's IP ranges on your origin.

How it works

A tunnel deployment is a small stack of two components that runs inside your network:

• cloudflared: the tunnel agent. It initiates outbound-only connections to the Anthropic-operated tunnel edge and carries encrypted traffic from Anthropic to your proxy.
• Proxy: Anthropic's routing component. It terminates inner TLS, validates that upstream IPs fall within an allowed range, and routes each request to the correct upstream MCP server based on hostname.

Each MCP server you expose gets a hostname under your tunnel domain (for example, docs.<your-tunnel-domain>). You attach these hostnames to a Managed Agent session in the Console, or pass them to the Messages API through the MCP connector.

Prerequisites

Before deploying, make sure you have:

• A deployment target: a Kubernetes cluster, or a VM with Docker and Docker Compose.
• A tunnel created in the Claude Console. See Create a tunnel.
• A way for your stack to authenticate to the Tunnels API. Choose one:
  • Programmatic access (recommended). Set up Workload Identity Federation when you create the tunnel. Your stack mints short-lived API tokens from your identity provider, fetches the tunnel token, and generates and registers a CA certificate automatically. Requires permission to manage federation rules, a registered OIDC issuer, and a federation rule with the org:manage_tunnels scope.
  • Manual. Supply static credentials yourself: the tunnel token from the Console and a server certificate signed by a CA you register there. See Get the connection details and Add a CA certificate.
• One or more MCP servers running in your private network.
• Outbound connectivity as listed under Network requirements.

Network requirements

Security model

Security layers

Three independent layers protect every request:

The tunnel transport runs on Cloudflare's network. Because the proxy terminates inner TLS using a certificate that only you hold, Cloudflare cannot read request or response payloads. Anthropic does not connect to a tunnel until a CA certificate is registered, so there is no configuration in which payloads cross Cloudflare unencrypted. Cloudflare does receive connection metadata; see What the transport provider can observe.

Shared responsibility model

What the transport provider can observe

Cloudflare provides the outbound transport. It cannot read MCP request or response payloads, but it does receive the following connection metadata:

• the egress IP address of the host running cloudflared
• a cloudflared host fingerprint
• connection timing and byte-volume
• the *.tunnel.anthropic.com subdomain assigned to your tunnel

Anthropic's agreement with Cloudflare restricts Cloudflare's use of this telemetry. Cloudflare acts as a subprocessor for this Research Preview and will be listed as a subprocessor in the event this service becomes generally available.

Deploy a tunnel

If you're new to MCP tunnels, start with the quickstart to get a working tunnel locally before configuring a production deployment.

Choosing between them:

• Deployment target
  • Helm when deploying to Kubernetes.
  • Docker Compose for a single host or local testing.
• Authentication for setup
  • Programmatic access (through Workload Identity Federation) when you have an OIDC identity provider such as a Kubernetes cluster, cloud IAM, or SPIFFE.
  • Manual credentials when you don't, or when you're testing.

Use the tunneled MCP servers

Once your tunnel is active (it has an active CA certificate and your stack is connected), the routed MCP servers are reachable from Claude Managed Agents and the Messages API.

In both cases, the tunnel carries encrypted traffic to your MCP server but does not authenticate to it. If the upstream server requires its own authentication (OAuth, bearer token), supply it the same way you would for any other MCP server; it is independent of the tunnel.

Managed Agents (Console)

1. In Managed Agents > Sessions, create a session and choose Create new agent so you can edit the MCP server list.
2. Click + MCP Server and open the dropdown. Tunnels in the session's workspace that have at least one active certificate appear at the top of the list, above the public connector catalog.
3. Select the tunnel and supply the Subdomain that your proxy routes to a specific MCP server, and the Path the upstream server expects. The Resolves to line shows the exact URL.

Messages API

Pass the routed server URL in the mcp_servers array, the same way as any other remote MCP server. The host is <subdomain>.<your-tunnel-domain>; the path is whatever your upstream MCP server serves at (the proxy forwards it untouched). FastMCP's streamable-http transport defaults to /mcp; other servers may serve at / or another path. The request body and anthropic-beta header follow the standard MCP connector format; only the url is tunnel-specific. Use an API key for the workspace the tunnel was created in (Console Settings > API keys).

client = anthropic.Anthropic()

response = client.beta.messages.create(
    model="claude-opus-4-7",
    max_tokens=1000,
    messages=[{"role": "user", "content": "Use the hello tool to greet tunnel."}],
    mcp_servers=[
        {
            "type": "url",
            "url": "https://echo.YOUR_TUNNEL_DOMAIN_HERE/mcp",
            "name": "echo",
        }
    ],
    tools=[{"type": "mcp_toolset", "mcp_server_name": "echo"}],
    betas=["mcp-client-2025-11-20"],
)

print(response)

Next steps