MCP Pre-Flight
Know in 15 seconds, not 30 days.
OAuth 2.1 + PKCE
Dynamic client registration, auto-approve flow, token exchange, refresh
CORS headers
Cross-origin requests from Claude and OpenAI connectors
MCP protocol
initialize, tools/list, and tools/call via Streamable HTTP
Domain verification
OpenAI .well-known challenge file
Token refresh
Access tokens can be renewed without re-auth
Anonymous fallback
Whether the server works without authentication
The HTTPS endpoint of your deployed MCP server (Streamable HTTP transport). It should respond to JSON-RPC tools/list. If your server has OAuth, we'll also test the full auth flow.
Pre-flight only probes your live endpoint — we don't touch any code. If you afterwards index your MCP on the M8ven Trust Index, we clone the repo in an isolated sandbox, analyze, and delete. Source is never stored or used for training. Full policy at /verified/source-handling.
The most common cause: your authorize endpoint redirects to a login page. MCP clients are machines — they can't log into a browser. Auto-approve registered clients instead.
Check that your token endpoint accepts application/x-www-form-urlencoded (OAuth standard). Some servers only accept JSON, which breaks OpenAI's connector.
Claude and OpenAI directories require it for listed MCPs. Anonymous-only servers can still work via direct connection, but won't get listed in their directories.
OpenAI requires a file at /.well-known/openai-apps-challenge that returns a verification token. You get the token from the OpenAI developer dashboard when you submit.
OpenAI: 2-4 weeks. Claude: varies. That's why you should test here first — a rejection means starting the wait over.