Skip to content

ToolHive MCP proxy endpoint does not support CORS #4297

Description

@milichev

Description

The ToolHive MCP HTTP proxy (/mcp) lacks CORS support, blocking web-based clients (e.g., MCP Inspector). The server returns 405 Method Not Allowed on OPTIONS preflight and misses Access-Control-Allow-Origin.

Steps to Reproduce

  1. Add an MCP to thv.
  2. Configure a client, e.g. OpenCode.
  3. Get the proxy MCP URL from the client config, e.g. http://localhost:43969/mcp and paste it in MCP inspector.
  4. Attempt to connect.
  5. Connection fails due to 405 error and CORS.
Request URL http://localhost:43969/mcp
Request Method OPTIONS
Status Code 405 Method Not Allowed
Remote Address 127.0.0.1:43969
Referrer Policy strict-origin-when-cross-origin

GET http://localhost:43969/mcp net::ERR_FAILED
Access to fetch at 'http://localhost:43969/mcp' from origin 'http://localhost:6274' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Expected Behavior

  • OPTIONS handles preflight with 200/204.
  • Proper Access-Control-Allow-* headers present on the /mcp route.

Actual Behavior

  • OPTIONS request: 405 Method Not Allowed.
  • Console error: net::ERR_FAILED (missing Access-Control-Allow-Origin).

Environment

  • OS: macOS M4.
  • ToolHive: Version 0.24.0 (0.24.0)

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingproxy

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions