Setup
Connect Claude Desktop, Claude Code, Cursor, or any MCP client to PodWarden
This page covers direct connections to your PodWarden instance. If your instance isn't directly reachable (behind NAT/firewall), see Hub MCP Proxy instead — your AI client connects to Hub, which routes commands through a secure tunnel.
Prerequisites
- A running PodWarden instance accessible via HTTPS
- An MCP token (create one in Settings → MCP → Create Token)
The MCP endpoint is at https://your-podwarden.example/mcp.
Claude Desktop
Claude Desktop does not support url + headers configs for remote MCP servers. Instead, it uses the mcp-remote package as a stdio-to-HTTP bridge.
Requirements: Node.js (provides npx)
- Open Claude Desktop → Settings → Developer → Edit Config
- Add the
"podwarden"entry inside your existingmcpServers. If the file already has content, merge it — don't paste as a separate JSON block. - Save and restart Claude Desktop.
{
"mcpServers": {
"podwarden": {
"command": "npx",
"args": [
"mcp-remote",
"https://your-podwarden.example/mcp",
"--header",
"Authorization:${PODWARDEN_TOKEN}"
],
"env": {
"PODWARDEN_TOKEN": "Bearer pwm_YOUR_TOKEN_HERE"
}
}
}
}The token is placed in env rather than inline in args to avoid a Windows escaping bug where spaces in args get mangled.
The "Add connector" UI dialog in Claude Desktop only supports OAuth — use the config file for Bearer token auth.
Claude Code
Run this command in your terminal:
claude mcp add --transport http podwarden https://your-podwarden.example/mcp \
--header "Authorization: Bearer pwm_YOUR_TOKEN_HERE"The server will be available immediately in your next Claude Code session.
Cursor
- Open Cursor Settings → MCP → "Add new global MCP server"
- Paste the following config:
{
"mcpServers": {
"podwarden": {
"url": "https://your-podwarden.example/mcp",
"headers": {
"Authorization": "Bearer pwm_YOUR_TOKEN_HERE"
}
}
}
}Other clients
Any MCP-compatible client can connect using the Streamable HTTP transport.
| Setting | Value |
|---|---|
| Endpoint | https://your-podwarden.example/mcp |
| Transport | Streamable HTTP |
| Method | POST |
| Auth header | Authorization: Bearer pwm_YOUR_TOKEN_HERE |
| Accept header | application/json, text/event-stream |
| Content-Type | application/json |
Manual test with curl
curl -X POST https://your-podwarden.example/mcp \
-H "Content-Type: application/json" \
-H "Accept: application/json, text/event-stream" \
-H "Authorization: Bearer pwm_YOUR_TOKEN_HERE" \
-d '{
"jsonrpc": "2.0",
"method": "initialize",
"params": {
"protocolVersion": "2025-03-26",
"capabilities": {},
"clientInfo": {"name": "test", "version": "1.0"}
},
"id": 1
}'A successful response looks like:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"protocolVersion": "2025-03-26",
"capabilities": {
"tools": {"listChanged": false}
},
"serverInfo": {
"name": "podwarden",
"version": "1.26.0"
}
}
}Auto-generated configs in the UI
PodWarden Settings → MCP shows ready-to-copy config snippets with your actual token pre-filled. After creating or reissuing a token, the config snippet updates automatically — just copy and paste.
Access level
PodWarden has a global MCP access level (Settings → MCP → MCP Access Level):
| Level | Available tools |
|---|---|
| Read Only (default) | 44 read-only tools: list, get, view, logs |
| Full Access | All 112 tools: read, create, update, deploy, delete |
This applies to both direct connections and Hub tunnel connections. Changing the level takes effect immediately — if the Hub tunnel is active, it automatically reconnects to update the tool list. Individual token roles provide additional restrictions within the allowed level.
Troubleshooting
"Server disconnected" in Claude Desktop
- Verify Node.js is installed:
node --version - Test the endpoint manually with curl (see above)
- Check Claude Desktop logs: click "View Logs" on the failed server entry
401 Unauthorized
- Token may be expired or revoked — check Settings → MCP
- Verify the token starts with
pwm_ - Ensure there's a space between
Bearerand the token
404 Not Found
- The
/mcpendpoint must be routed to the PodWarden backend by your reverse proxy - If using Caddy/nginx, add a rule to proxy
/mcpto the backend (same upstream as/api/*)
421 Invalid Host header
- This happens if the MCP SDK's DNS rebinding protection rejects your hostname
- PodWarden disables this by default since it has its own auth layer
- If you see this after upgrading, rebuild the backend container