Serve POST /api/v1/mcp without trailing-slash redirect (fixes Claude Desktop connection) #64
Merged
Claude Desktop POSTs to /api/v1/mcp — the URL the RFC 9728 metadata and README advertise — but the ninja route only existed at /api/v1/mcp/, so CommonMiddleware's APPEND_SLASH answered with a 301. Clients follow a 301 by re-issuing the request as GET, which hit the POST-only route and died with 405 before auth ever ran: the unauthenticated handshake never received the 401 + WWW-Authenticate challenge that starts the OAuth flow, and Desktop surfaced "Authorization with the MCP server failed".

Register the endpoint at "" alongside "/" so both URL forms dispatch directly (the no-slash alias is hidden from the OpenAPI schema). GETs on either form now return a spec-compliant 405 with no redirect. Regression tests cover the exact production failure and red-bar without the alias.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Problem

Claude Desktop fails to connect to the Studio MCP server ("Authorization with the MCP server failed", ref ofid_bd54e6c2d76dfd45). Production logs show the failure chain:

- POST /api/v1/mcp — the URL the RFC 9728 protected-resource metadata and the README advertise (no trailing slash).
- /api/v1/mcp/, so CommonMiddleware (APPEND_SLASH=True default) answered 301 → /api/v1/mcp/.

No POST ever reached the handler — including the unauthenticated one that must receive the 401 + WWW-Authenticate: Bearer resource_metadata="…" challenge that starts Desktop's OAuth flow (#61/#62). The OAuth machinery is fine; the transport URL was the blocker.

Fix

Register the MCP endpoint at "" alongside "/" (validated on django-ninja 1.6.2 — produces both mcp and mcp/ URL patterns). The alias is include_in_schema=False so OpenAPI stays clean; router-level McpAuth, rate limits, and audit logging apply identically since it's the same view function. This mirrors the sibling repo's outcome (social-intelligence-app serves both /mcp and /mcp/ with no redirect).

- POST /api/v1/mcp
- POST /api/v1/mcp/
- GET /api/v1/mcp{,/}

Verification

- pytest apps/mcp — 63 passed; the 3 new regression tests fail without the alias (confirmed by stashing the fix) and pin the exact production failure.
- pytest apps/api apps/oauth_server — 124 passed.
- curl -X POST http://localhost:8765/api/v1/mcp → 401 with WWW-Authenticate: Bearer resource_metadata="…/.well-known/oauth-protected-resource/api/v1/mcp" (previously 301); GET → 405.

After deploy

curl -i -X POST https://studio.brightbean.xyz/api/v1/mcp -H 'Content-Type: application/json' -d '{"jsonrpc":"2.0","id":1,"method":"ping"}'

should return 401 + WWW-Authenticate (not 301), and retrying the connector in Claude Desktop should complete: POST → 401 → OAuth → POST → 200 in the Heroku logs.

🤖 Generated with Claude Code
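The handshake check described above can be scripted as a smoke test. This is an added example, not code from the pull request or the project: the names `diagnose` and `probe` are hypothetical, and the `mcp.example` hostname in the constructed sample responses is a placeholder. A redirect on either method is reported first, since it means the request was bounced before auth ran.

```python
import http.client
import re
from urllib.parse import urlsplit

# RFC 9728 challenge parameter pointing at the protected-resource metadata.
RESOURCE_METADATA = re.compile(r'resource_metadata="([^"]+)"')


def diagnose(method, status, headers):
    """Classify one unauthenticated response from the MCP endpoint."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 307, 308):
        return f"FAIL: {status} redirect to {headers.get('location')}"
    if method == "GET":
        return "OK: GET 405" if status == 405 else f"FAIL: GET {status}, want 405"
    challenge = headers.get("www-authenticate", "")
    found = RESOURCE_METADATA.search(challenge)
    if status == 401 and challenge.lower().startswith("bearer") and found:
        return f"OK: POST 401, metadata at {found.group(1)}"
    return f"FAIL: POST {status} without Bearer resource_metadata challenge"


def probe(url, method="POST"):
    """Send one unauthenticated request; http.client never follows redirects."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    try:
        body = b'{"jsonrpc":"2.0","id":1,"method":"ping"}' if method == "POST" else None
        conn.request(method, parts.path or "/", body=body,
                     headers={"Content-Type": "application/json"})
        resp = conn.getresponse()
        resp.read()
        return diagnose(method, resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed responses (hostname is a placeholder): before and after the alias.
    meta = "https://mcp.example/.well-known/oauth-protected-resource/api/v1/mcp"
    samples = [
        ("POST", 301, {"Location": "/api/v1/mcp/"}),
        ("POST", 401, {"WWW-Authenticate": f'Bearer resource_metadata="{meta}"'}),
        ("GET", 405, {"Allow": "POST"}),
    ]
    for method, status, headers in samples:
        print(method, status, "->", diagnose(method, status, headers))
```

Against a running instance, call `probe()` with both the no-slash and trailing-slash URL and with both methods; all four results should start with `OK`.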