
Overview

Anthropic MCP Tunnels let Claude reach MCP servers that are not directly reachable from Anthropic’s backend. Use this when your Runlayer tenant or upstream MCP servers sit behind private networking, VPN access, or strict inbound firewall rules. With this setup, Claude connects through an Anthropic-managed tunnel hostname. The tunnel forwards traffic to Runlayer, and Runlayer continues to enforce connector auth, policies, ToolGuard scanning, and audit logs.
Anthropic MCP Tunnels are an Anthropic feature. Follow Anthropic’s tunnel documentation for their current beta status, supported deployment methods, and required network destinations.
The tunnel provides network reachability. Runlayer still enforces application-layer authentication, connector permissions, policies, and audit logging.

What You Need

Before starting, make sure you have:
  • A Runlayer single-tenant deployment with the connectors you want to expose to Claude, where Runlayer can deploy the tunnel components.
  • Claude organization admin access with MCP Tunnels enabled.
  • Outbound network access from the tunnel deployment to Anthropic’s API, Cloudflare tunnel edge, and your Runlayer tenant URL. Anthropic’s guide currently calls for setup access to api.anthropic.com:443 and runtime cloudflared access to Cloudflare edge on port 7844 TCP/UDP. Use Cloudflare’s current tunnel firewall documentation as the source of truth for IP allowlists.
  • A secure channel for sharing the short-lived Claude Tunnels API token with Runlayer.

Shared Responsibilities

Customer team

Your team owns the Claude organization and approves the tunnel setup:
  • Enable MCP Tunnels in Claude and create a short-lived Tunnels API token.
  • Confirm that Runlayer should deploy cloudflared and the Anthropic MCP Gateway in your Runlayer-operated single-tenant account.
  • Allow outbound traffic required by Anthropic’s tunnel guide.
  • Share the short-lived Tunnels API token with Runlayer through an approved secure channel.
  • Register Runlayer connector URLs in Claude once Runlayer provides the tunnel hostname and connector URLs.
  • Revoke the Tunnels API token after provisioning is complete.

Runlayer team

Runlayer owns the tenant-side tunnel deployment:
  • Deploy cloudflared and the Anthropic MCP Gateway in the Runlayer-operated single-tenant account.
  • Configure the gateway to forward tunnel traffic to your Runlayer tenant.
  • Store and protect generated tunnel credentials, CA keys, TLS private keys, and tunnel data in the tenant account.
  • Set MCP_TUNNEL_BASE_URL on the Runlayer deployment so OAuth discovery works through the tunnel.
  • Provide Claude connector URLs for the Runlayer connectors you want to expose.
  • Help validate OAuth, connector discovery, and end-to-end tool calls from Claude.

Create a Claude Tunnels API Token

Runlayer needs a short-lived Anthropic Tunnels API token during initial tunnel provisioning. The token is not needed at runtime.
  1. Open Claude tunnel settings. As a Claude organization admin, open Claude tunnel settings, or go to Admin Settings → Connectors → Tunnels in Claude.
  2. Create a Tunnels API token. Click the option to create or generate an API token for MCP Tunnels. Copy the token immediately; Claude may only show it once.
  3. Share the token securely with Runlayer. Send the token through your approved secure channel. Do not paste it into email, Slack, tickets, or documents.
  4. Revoke the token after provisioning. After Runlayer confirms tunnel provisioning is complete, revoke the token in Claude. The deployed tunnel uses generated tunnel credentials, not the short-lived API token.

Deployment Shape

Anthropic’s tunnel deployment has two runtime components:
  • cloudflared opens an outbound-only tunnel to Cloudflare. No inbound listener is required.
  • Anthropic MCP Gateway terminates the inner TLS layer and forwards requests to Runlayer.
For Runlayer-operated single-tenant deployments, Runlayer deploys these components inside the tenant account. The tunnel compute can stay private because cloudflared dials out to Cloudflare. The transport is protected in layers: Anthropic controls access to the tunnel, the gateway terminates the inner TLS connection, and Runlayer/OAuth controls user-level connector access. Runlayer recommends one gateway route to the Runlayer tenant and path-based Claude connector URLs. You should not need one tunnel route per connector. Example gateway route shape:
tunnel_domain: <tunnel-id>.tunnel.anthropic.com
routes:
  runlayer: https://<your-runlayer-tenant-domain>:443
upstream:
  tls:
    include_system_cas: true
Do not include connector paths in the gateway upstream route; paths belong in Claude connector URLs. If your Runlayer tenant is reached through a public DNS name, Runlayer configures the gateway’s upstream validation for that public Runlayer endpoint. This typically includes an explicit :443 port and system CA trust.

Runlayer Configuration

Runlayer must know the tunnel origin so its OAuth metadata points Claude to the right backend-to-backend endpoints. Set:
MCP_TUNNEL_BASE_URL=https://runlayer.<tunnel-id>.tunnel.anthropic.com
Use only the origin. Do not include a connector path. This setting makes Runlayer return tunnel-aware OAuth metadata for proxied MCP connectors while keeping browser-facing authorization on the normal Runlayer tenant URL. The origin must match the hostname used in Claude connector URLs. Without this setting, Claude may fail OAuth discovery or report a missing resource parameter during authorization.

Add Runlayer Connectors to Claude

After the tunnel is running, add each Runlayer connector as a custom web connector in Claude.
  1. Get the connector server ID. In Runlayer, identify the connector you want to expose. Runlayer support can provide the server ID, or you can derive it from the connector’s Runlayer MCP URL.
  2. Build the Claude connector URL. Use the tunnel host and the normal Runlayer proxy path:
     https://runlayer.<tunnel-id>.tunnel.anthropic.com/api/v1/proxy/<server_id>/mcp
     The runlayer subdomain must match the gateway route key. The path identifies the specific Runlayer connector.
  3. Register the connector in Claude. In Claude, go to Organization Settings → Connectors → Add → Custom → Web and enter the connector URL.
  4. Have users connect. Users go to Settings → Connectors in Claude and click Connect for each connector they are allowed to use.
Adding another Runlayer connector later usually only requires registering another Claude connector URL with a different <server_id>. It should not require changing tunnel infrastructure.

Validation Checklist

Use this checklist before rolling out to users:
  • Tunnel containers or pods are healthy.
  • cloudflared is connected to Cloudflare.
  • Anthropic MCP Gateway logs show requests reaching the Runlayer tenant.
  • MCP_TUNNEL_BASE_URL matches the tunnel origin used in Claude connector URLs.
  • Claude can discover the connector tools.
  • A test user can complete OAuth and run a low-risk tool call.
  • Runlayer audit logs show the Claude-originated MCP request.
Direct curl requests to the tunnel hostname may return a Cloudflare or Anthropic access error. Validate through Claude connector traffic and tunnel logs.
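As an added example (not Runlayer’s or Anthropic’s code), the following Python check applies the rules from the Deployment Shape, Runlayer Configuration and connector URL sections to the three settings that must agree before rollout: the gateway route, MCP_TUNNEL_BASE_URL and the Claude connector URLs. Hostnames, route keys and server IDs in it are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Added example, not Runlayer's or Anthropic's code; hostnames, route keys and
# server IDs below are constructed placeholders.
TUNNEL_SUFFIX = ".tunnel.anthropic.com"
PROXY_PATH_RE = re.compile(r"^/api/v1/proxy/[^/]+/mcp$")

def check_tunnel_config(tunnel_base_url, gateway_routes, connector_urls):
    """Return the problems found (empty list = the three settings agree).
    gateway_routes maps gateway route key -> upstream URL."""
    problems = []
    base = urlsplit(tunnel_base_url)
    # MCP_TUNNEL_BASE_URL is an origin only: https, no path, no query.
    if base.scheme != "https" or base.path not in ("", "/") or base.query:
        problems.append("MCP_TUNNEL_BASE_URL must be an https origin with no path")
    if not base.hostname or not base.hostname.endswith(TUNNEL_SUFFIX):
        problems.append("MCP_TUNNEL_BASE_URL host is not a tunnel hostname")
    # Gateway upstream routes carry no connector path and an explicit port.
    for key, upstream in gateway_routes.items():
        u = urlsplit(upstream)
        if u.path not in ("", "/"):
            problems.append(f"route {key!r}: upstream must not include a path")
        if u.port is None:
            problems.append(f"route {key!r}: upstream needs an explicit port such as :443")
    # Each Claude connector URL uses the tunnel origin, a subdomain that is a
    # gateway route key, and the normal Runlayer proxy path.
    for url in connector_urls:
        c = urlsplit(url)
        if (c.scheme, c.netloc) != (base.scheme, base.netloc):
            problems.append(f"{url}: origin differs from MCP_TUNNEL_BASE_URL")
        route_key = c.hostname.split(".")[0] if c.hostname else ""
        if route_key not in gateway_routes:
            problems.append(f"{url}: subdomain {route_key!r} has no gateway route")
        if not PROXY_PATH_RE.match(c.path):
            problems.append(f"{url}: path must be /api/v1/proxy/<server_id>/mcp")
    return problems

# Constructed sample: a consistent setup, then one with the mistakes this page warns about.
GOOD = check_tunnel_config(
    "https://runlayer.abc123.tunnel.anthropic.com",
    {"runlayer": "https://runlayer-tenant.example.com:443"},
    ["https://runlayer.abc123.tunnel.anthropic.com/api/v1/proxy/srv-1/mcp"])
BAD = check_tunnel_config(
    "https://runlayer.abc123.tunnel.anthropic.com/api/v1/proxy/srv-1/mcp",
    {"runlayer": "https://runlayer-tenant.example.com/api/v1/proxy/srv-1"},
    ["https://runlayer.abc123.tunnel.anthropic.com/mcp"])
```

GOOD is an empty list; BAD reports the base URL path, the route path, the missing route port and the wrong connector path, which are the failure modes the Troubleshooting section describes.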

Operations

Token handling

The Tunnels API token is only needed for provisioning and some rotation operations. Revoke it after setup. Do not store it in long-lived Runlayer configuration. If Runlayer needs to rotate the tunnel token or archive/recreate a tunnel later, we may ask a Claude organization admin to create a fresh short-lived Tunnels API token.

Certificate renewal

Anthropic’s setup tooling generates 90-day server certificates. Renew before expiry using the deployment method from Anthropic’s guide. The gateway can reload renewed certificates without recreating the tunnel.

Connector changes

Normal connector additions or removals happen in Claude and Runlayer. Keep the gateway route pointed at Runlayer and use path-based connector URLs.

Security practices

  • Require SSO for Claude organization admins who can create Tunnels API tokens.
  • Keep connector scope minimal; expose only the Runlayer connectors and tools needed by Claude users.
  • Keep OAuth required for Runlayer connectors. The tunnel secures transport, not end-user authorization.
  • Monitor Runlayer audit logs and tunnel runtime logs for warnings, errors, and unusual traffic.
  • Rotate tunnel credentials immediately if compromise is suspected.

Incident response

If tunnel credentials or TLS keys may be compromised:
  1. Stop the tunnel deployment.
  2. Remove affected custom connectors from Claude.
  3. Archive or rotate the tunnel through Anthropic’s Tunnels API.
  4. Rotate affected Runlayer and upstream MCP credentials.
  5. Review Runlayer audit logs and tunnel logs before restoring service.

Troubleshooting

  • Tunnels settings or token creation not visible in Claude: Confirm MCP Tunnels are enabled for your Claude organization. If the Tunnels settings page or token creation option is not visible at Claude tunnel settings, contact Anthropic support or your Anthropic account team.
  • Direct curl requests to the tunnel hostname return an access error: This is expected for many tunnel deployments. Anthropic and Cloudflare may block arbitrary public requests to the tunnel hostname. Validate through Claude.ai connector traffic and Runlayer/tunnel logs instead of local curl or Claude Code.
  • OAuth discovery fails or Claude reports a missing resource parameter: Confirm MCP_TUNNEL_BASE_URL is set to the tunnel origin used in Claude, for example https://runlayer.<tunnel-id>.tunnel.anthropic.com. The value must not include /api/v1/proxy/....
  • Upstream route without an explicit port: Use an explicit port in the upstream route, such as https://<your-runlayer-tenant-domain>:443.
  • Gateway rejects the upstream IP: Anthropic MCP Gateway validates upstream IP ranges. If your Runlayer tenant is reached through a public DNS name, configure the allowed upstream IPs or public-upstream setting according to Anthropic’s guide and your security policy.
  • cloudflared does not connect: Check whether cloudflared can reach Cloudflare edge on port 7844 TCP/UDP, and confirm the tunnel token has not been rotated or revoked. Runlayer handles this check for Runlayer-operated single-tenant deployments.
  • cloudflared logs UDP receive buffer warnings: cloudflared can log UDP receive buffer warnings when using QUIC. This is usually host/network tuning rather than a Runlayer connector issue. Runlayer can tune the host if the tunnel is otherwise unstable.
  • Gateway cannot verify the Runlayer tenant certificate: If the Runlayer tenant uses a public certificate authority, enable system CA trust in the gateway upstream TLS settings. If it uses a private CA, mount the CA bundle and configure the gateway to use it.
  • Connector access problems once the tunnel is healthy: Check Runlayer connector permissions, policies, OAuth connection status, and audit logs. The tunnel only provides network reachability; Runlayer still enforces access control.
