Skip to content
Effloow
← Back to article
EFFLOOW LAB LAB-RUN

Claude Mcp Tunnels Research Preview Developer Guide 2026

Evidence notes document the bounded local or source-based checks behind an Effloow article. They are not product endorsements, legal advice, or benchmark claims.

Date: 2026-05-26 Track: sandbox-poc Article slug: claude-mcp-tunnels-research-preview-developer-guide-2026

Scope

This lab run tested the smallest local concept behind MCP tunnels: a gateway routes requests by hostname to a private MCP-like HTTP server and rejects unconfigured hostnames.

It did not create a live Anthropic MCP tunnel, did not call Claude Managed Agents, did not use Anthropic API credentials, did not test Cloudflare transport, did not validate TLS certificates, and did not measure latency, uptime, pricing, or security properties of the research preview.

Environment

  • Host: macOS workspace
  • Runtime: Node.js v25.9.0
  • Sandbox directory: /tmp/effloow-claude-mcp-tunnel-poc
  • Network: loopback only (127.0.0.1)
  • External services: none
  • Secrets: none

Commands

SANDBOX=/tmp/effloow-claude-mcp-tunnel-poc
rm -rf "$SANDBOX"
mkdir -p "$SANDBOX"
node - <<'NODE'
# writes /tmp/effloow-claude-mcp-tunnel-poc/poc.js
NODE
node "$SANDBOX/poc.js"

First Failure

The first generated script failed before writing poc.js because a nested JavaScript template string was not escaped:

Expression expected
SyntaxError: Unexpected identifier 'hello'
Error: Cannot find module '/tmp/effloow-claude-mcp-tunnel-poc/poc.js'
Node.js v25.9.0

The script was rewritten with plain string concatenation.

Second Failure

The second run started the private MCP-like server and gateway, but Node's fetch client kept the loopback Host header. The gateway rejected every request:

node=v25.9.0
private_mcp=http://127.0.0.1:52720/mcp
gateway=http://127.0.0.1:52721/mcp
allowed_host=echo.local-tunnel.test
blocked_host=admin.local-tunnel.test
tools_list_status=403
tools_list_body={"error":"host_not_allowed","host":"127.0.0.1"}
tool_call_status=403
tool_call_body={"error":"host_not_allowed","host":"127.0.0.1"}
blocked_status=403
blocked_body={"error":"host_not_allowed","host":"127.0.0.1"}

The client was changed to use http.request so the Host header could be set explicitly for the local routing test.

Successful Output

node=v25.9.0
private_mcp=http://127.0.0.1:52725/mcp
gateway=http://127.0.0.1:52726/mcp
allowed_host=echo.local-tunnel.test
blocked_host=admin.local-tunnel.test
tools_list_status=200
tools_list_body={"jsonrpc":"2.0","id":1,"result":{"tools":[{"name":"hello","description":"Return a deterministic greeting"}]}}
tool_call_status=200
tool_call_body={"jsonrpc":"2.0","id":2,"result":{"content":[{"type":"text","text":"hello private-mcp"}]}}
blocked_status=403
blocked_body={"error":"host_not_allowed","host":"admin.local-tunnel.test"}

What Worked

  • A private MCP-like HTTP endpoint listened only on loopback.
  • A local gateway accepted an allowed tunnel-style hostname and proxied tools/list.
  • The same gateway proxied a deterministic tools/call.
  • An unconfigured hostname was denied with 403.

What Failed or Was Not Tested

  • No real Anthropic tunnel was created because MCP tunnels require research-preview access and console setup.
  • No Docker Compose quickstart was run because it requires tunnel domain, token, and certificate setup from the Claude Console.
  • No TLS, mTLS, Cloudflare transport, certificate rotation, OAuth, Workload Identity Federation, or Anthropic Tunnels API behavior was tested.
  • The local proxy used loopback instead of Anthropic's documented default RFC1918 private ranges; this is acceptable only for this local simulation.
  • The PoC does not prove production security. It only validates the routing and deny-by-default shape developers should understand before using the real feature.

Source Claims Used in Article

  • Anthropic announced self-hosted sandboxes and MCP tunnels for Claude Managed Agents on May 19, 2026.
  • MCP tunnels are research preview and require access request.
  • The tunnel stack includes cloudflared and Anthropic's proxy component.
  • The documented quickstart uses a three-container stack: sample MCP server, tunnel proxy, and outbound connector.
  • Anthropic docs recommend OAuth on every MCP server, narrow upstream.allowed_ips, log monitoring, credential rotation, and limited network reach.

Read the article

This note supports the public article and records what was actually checked.

Open article →