Skip to main content

Claude UI Errors

”Could not attach to MCP server”

This is the most common error in Claude Desktop and usually indicates a failure during the initial HTTP handshake. Check the Claude Logs: Run the following command to view exactly why mcp-remote failed to connect: 
tail -n 50 ~/Library/Logs/Claude/mcp*.log

Common Log Errors

Cause: You are either missing the x-thornguard-license header, your license key is invalid, or your team token has expired or been revoked.Solution: Verify your claude_desktop_config.json includes: "--header", "x-thornguard-license: Bearer THORN-YOUR_KEY_HERE"
Cause: ThornGuard’s SSRF protection blocked your request because you are trying to proxy traffic to localhost, a metadata IP, or a hostname that resolves to a private address. Solution: ThornGuard is designed to proxy publicly reachable MCP servers. Ensure your x-mcp-target-url points to a valid public HTTPS target.
Cause: Your client sent an Origin header that does not match the allowed origin list for this deployment. Solution: Make requests from an approved origin or update the deployment allowlist. This mainly affects browser-based HTTP clients.
Cause: You are trying to connect to an upstream server that requires an interactive OAuth browser login (like GitHub Copilot). Solution: Use a non-interactive upstream credential and forward it via x-upstream-auth, or complete the auth flow outside the MCP connection and use the resulting token. See the Quickstart for the exact JSON snippet.
Cause: ThornGuard successfully received your request, but the upstream server specified in your x-mcp-target-url is completely offline, firewall-blocked, or taking too long to respond.Solution: Check the status of your destination server. Ensure it is actively running and allows incoming connections from Cloudflare’s IP ranges.

Contact Support

If you are experiencing latency issues or anomalies not covered here, please reach out to [email protected] and include the relevant mcp.log outputs plus any x-thornguard-log-id or x-thornguard-trace-id values returned by the proxy.