MessagesMCP tunnels

MCP tunnels quickstart

Connect Claude to a private MCP server using a local Docker Compose deployment.

MCP tunnels is a Research Preview feature. Request access to try it.

This quickstart takes you from zero to Claude calling a private MCP server through a tunnel. It uses Docker Compose with manually supplied credentials, which is the shortest path for local testing. For production deployments, see Deploy with Helm or Deploy with Docker Compose.

What you'll build

A three-container stack on your machine: a sample MCP server, the tunnel proxy, and the outbound connector. When it's running, the sample server is reachable from Claude at https://echo.<your-tunnel-domain>/mcp even though nothing is listening on a public port.

What you need

Docker and Docker Compose on a machine with outbound internet access.
A role in the Claude Console that can manage MCP tunnels. See the Console guide prerequisites.
OpenSSL 1.1.1 or later. Preinstalled on macOS and most Linux distributions; on Windows, install it separately (the openssl binary must be on your PATH).

Create a tunnel
In the Claude Console sidebar, go to Manage > MCP tunnels and click New tunnel. Give it a name. Leave Set up programmatic access off; this quickstart uses manually supplied credentials.
After it's created, open the tunnel. Copy two values from the Connection section:
- Domain (looks like abcd1234.tunnel.anthropic.com)
- Token (click the eye icon, then copy)
Set up the deployment directory
Generate a CA and server certificate
The proxy terminates an inner TLS handshake using a certificate signed by a CA you control. Generate both:
Back in the Console, on the tunnel detail page, click Add certificate and upload data/ca.crt (or paste its contents). The tunnel status flips to Active.
Write the sample MCP server
Write the proxy config and compose file
Start it
You should see one route configured line for echo and four Registered tunnel connection lines. The containers take a few seconds to start; rerun the log commands if they come back empty.
Call it from Claude
In the Console, go to Managed Agents > Sessions and create a session. In the agent picker choose Create new agent, then click + MCP Server, select your tunnel, set Subdomain to echo and Path to mcp. Then ask:

Use the hello tool to greet tunnel.

You should see a tool call followed by its result.

Next steps

The tunnel is verified end to end. For production deployments:

Deploy with Docker Compose

Hardened single-host deployment, with or without programmatic access.

Deploy with Helm

Kubernetes deployment with automatic credential management.

Was this page helpful?

What you need

Docker and Docker Compose on a machine with outbound internet access.

A role in the Claude Console that can manage MCP tunnels. See the Console guide prerequisites.

OpenSSL 1.1.1 or later. Preinstalled on macOS and most Linux distributions; on Windows, install it separately (the openssl binary must be on your PATH).

Create a tunnel
In the Claude Console sidebar, go to Manage > MCP tunnels and click New tunnel. Give it a name. Leave Set up programmatic access off; this quickstart uses manually supplied credentials.
After it's created, open the tunnel. Copy two values from the Connection section:
- Domain (looks like abcd1234.tunnel.anthropic.com)
- Token (click the eye icon, then copy)
Set up the deployment directory
Generate a CA and server certificate
The proxy terminates an inner TLS handshake using a certificate signed by a CA you control. Generate both:
Back in the Console, on the tunnel detail page, click Add certificate and upload data/ca.crt (or paste its contents). The tunnel status flips to Active.
Write the sample MCP server
Write the proxy config and compose file
Start it
You should see one route configured line for echo and four Registered tunnel connection lines. The containers take a few seconds to start; rerun the log commands if they come back empty.
Call it from Claude
In the Console, go to Managed Agents > Sessions and create a session. In the agent picker choose Create new agent, then click + MCP Server, select your tunnel, set Subdomain to echo and Path to mcp. Then ask:

Use the hello tool to greet tunnel.

You should see a tool call followed by its result.