MessagesMCP tunnels

MCP tunnels quickstart

Connect Claude to a private MCP server using a local Docker Compose deployment.

MCP tunnels are in research preview. Request access to try them.

This quickstart takes you from zero to Claude calling a private MCP server through a tunnel. It uses Docker Compose with manual credential provisioning, which is the shortest path for local testing. For production deployments, see Deploy with Helm or Deploy with Docker Compose.

What you'll build

A two-container tunnel stack (the proxy and cloudflared) plus a sample MCP server running alongside it. When everything is running, the sample server is reachable from Claude at https://echo.<your-tunnel-domain>/mcp even though nothing is listening on a public port.

What you need

Docker and Docker Compose on a machine with outbound internet access.
A role in the Claude Console that can manage MCP tunnels. See the Console guide prerequisites.
OpenSSL 1.1.1 or later. Preinstalled on macOS and most Linux distributions; on Windows, install it separately (the openssl binary must be on your PATH).

Create a tunnel
In the Claude Console sidebar, go to Manage > MCP tunnels and click New tunnel. Give it a name. Leave Set up programmatic access off; this quickstart uses manual credential provisioning.
After it's created, open the tunnel. Copy two values from the Connection section:
- Domain (looks like abcd1234.tunnel.anthropic.com)
- Token (click the eye icon, then copy)
Set up the deployment directory
Generate a CA and server certificate
The proxy terminates inner TLS using a certificate signed by a CA you control. Generate both:
Back in the Console, on the tunnel detail page, click Add certificate and upload data/ca.crt (or paste its contents). The tunnel status flips to Active.
Write the sample MCP server
Write the proxy config and compose file
Start it
You should see one route configured line for echo and four Registered tunnel connection lines. The containers take a few seconds to start; rerun the log commands if they come back empty.
Call it from Claude
In the Console, go to Managed Agents > Sessions and create a session. In the agent picker choose Create new agent, give the agent a name, and keep the pre-filled model. Click + MCP Server, select your tunnel, set Subdomain to echo and Path to mcp. Then ask:

Use the hello tool to greet tunnel.

You should see a tool call followed by its result.

Next steps

The tunnel is verified end to end. To swap in your own MCP server, add it to docker-compose.yaml (or run it on the same Docker network), add a route for it in config/mcp-proxy.yaml, then restart the proxy (docker compose restart mcp-proxy).

For production deployments:

Deploy with Docker Compose

Hardened single-host deployment, with or without programmatic access.

Deploy with Helm

Kubernetes deployment with automatic credential management.

Was this page helpful?

What you need

Docker and Docker Compose on a machine with outbound internet access.

A role in the Claude Console that can manage MCP tunnels. See the Console guide prerequisites.

OpenSSL 1.1.1 or later. Preinstalled on macOS and most Linux distributions; on Windows, install it separately (the openssl binary must be on your PATH).

Create a tunnel
In the Claude Console sidebar, go to Manage > MCP tunnels and click New tunnel. Give it a name. Leave Set up programmatic access off; this quickstart uses manual credential provisioning.
After it's created, open the tunnel. Copy two values from the Connection section:
- Domain (looks like abcd1234.tunnel.anthropic.com)
- Token (click the eye icon, then copy)
Set up the deployment directory
Generate a CA and server certificate
The proxy terminates inner TLS using a certificate signed by a CA you control. Generate both:
Back in the Console, on the tunnel detail page, click Add certificate and upload data/ca.crt (or paste its contents). The tunnel status flips to Active.
Write the sample MCP server
Write the proxy config and compose file
Start it
You should see one route configured line for echo and four Registered tunnel connection lines. The containers take a few seconds to start; rerun the log commands if they come back empty.
Call it from Claude
In the Console, go to Managed Agents > Sessions and create a session. In the agent picker choose Create new agent, give the agent a name, and keep the pre-filled model. Click + MCP Server, select your tunnel, set Subdomain to echo and Path to mcp. Then ask:

Use the hello tool to greet tunnel.

You should see a tool call followed by its result.

Next steps

For production deployments:

Was this page helpful?

What you'll build

What you need

Next steps

What you'll build

What you need

Next steps

What you'll build

What you need

Next steps

What you'll build

What you need

Next steps