From 9928a4a09766d994a7497d3a6152315c52fece90 Mon Sep 17 00:00:00 2001 From: Tom Flux Date: Tue, 23 Jun 2026 21:40:02 +0100 Subject: nginx: 404 the .well-known/ OAuth probes for the MCP connector claude.ai's custom-connector flow probes /.well-known/oauth-* during setup. The catch-all 301 -> /app/ made those return the Kitchen login page (200), so claude.ai mistook it for an OAuth sign-in service, tried Dynamic Client Registration, and failed. Returning 404 makes it treat the server as authless and connect. Co-Authored-By: Claude Opus 4.8 --- deploy/food.tomflux.xyz.nginx | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/deploy/food.tomflux.xyz.nginx b/deploy/food.tomflux.xyz.nginx index 0d4a357..87172cc 100644 --- a/deploy/food.tomflux.xyz.nginx +++ b/deploy/food.tomflux.xyz.nginx @@ -44,6 +44,13 @@ server { proxy_read_timeout 3600s; } + # OAuth-discovery probes MUST 404, not fall through to the /app/ login + # redirect. Otherwise claude.ai's connector flow sees the login page at + # /.well-known/oauth-* , thinks the server has an OAuth sign-in service, + # tries Dynamic Client Registration, and fails ("Couldn't register with + # ... sign-in service"). A 404 here makes it treat the server as authless. + location /.well-known/ { return 404; } + location / { return 301 /app/; } -- cgit v1.2.3