Royal Plugins
Forum Replies Created
-
π Great intel, thanks for sharing!
Diagnosis: edge cache poisoning of /register, /token, and /authorize. This is a Royal MCP bug, but the practical impact is amplified by aggressive caches in front of WordPress β in your case, o2switch’s PowerBoost-v3, visible in your “server:” response header. It will be fixed in 1.4.13.
What’s happening: Royal MCP’s OAuth error responses (the 405 you’re seeing) ship without a Cache-Control header. When an aggressive edge cache sees that, it falls back to default heuristics and stores the response keyed by URL only β not by HTTP method. Once a single GET probe of /register returns the legitimate 405 β which can come from a security scanner, a stale Claude.ai discovery probe, a link checker, or even your own browser opening the URL once β the cache stores it. Every subsequent POST to the same URL gets served the same cached 405 and never reaches PHP. That’s why your Royal MCP Activity Log is empty during the failing requests, why the response body is byte-identical every time, and why your Cloudflare DNS-only test didn’t help (PowerBoost runs inside the o2switch stack, downstream of Cloudflare).
The cf-cache-status: DYNAMIC and x-litespeed-cache-control: no-cache headers you saw are correct but misleading β they describe Cloudflare and LiteSpeed’s view of the response, not what PowerBoost is doing.Confirm with this test:
curl -v -X POST “https://yourdomain.com/register?_=$(date +%s)” -H “Content-Type: application/json” -H “Cache-Control: no-cache” -d ‘{“client_name”:”Test”,”redirect_uris”:[“https://claude.ai/api/mcp/auth_callback”%5D,”grant_types”:[“authorization_code”],”response_types”:[“code”],”token_endpoint_auth_method”:”none“}’
The unique query string and Cache-Control: no-cache request header should bypass the cache. If you get a 201 with a client_id in the response body, the diagnosis is confirmed and you can move to the workaround. If you still get a 405, please share the verbose curl output and we’ll dig deeper.
Workaround on 1.4.8 / 1.4.12 today: if you have the LiteSpeed Cache plugin active, go to Settings β Cache β Excludes β URI Excludes and add three lines: /register, /token, /authorize. For PowerBoost specifically, open a ticket with o2switch and ask them to exclude /register, /token, and /authorize from PowerBoost edge caching on your domain β these are dynamic OAuth endpoints from a plugin and must not be cached. The same idea applies to any other proxy in front of WP (Varnish, Cloudflare APO, custom CDN).
Once the cache is bypassed for those three URLs, the Claude.ai connector OAuth flow should complete normally on your current 1.4.8 install β no need to wait for the patch.
Permanent fix in 1.4.13: all OAuth endpoint responses (success and error) will send Cache-Control: no-store, no-cache, must-revalidate and Pragma: no-cache. This is what RFC 6749Β§5.1 already requires for token responses, and we should have been doing it on the registration and authorize endpoints from the start. Once shipped, no edge cache β regardless of vendor or aggressiveness β will be able to store these responses.
Thanks for the level of detail in the report β the empty Activity Log observation pointed straight at the cache layer and saved us a lot of guessing.
β Royal Plugins team
Feature shipped in 1.4.11
Thanks for all your feedback and support, ya we are waiting to hear back from several mcp server listing sites on how to handle docker file in a WP plugin like this, so its in motion.
Heads up: Ollama itself does NOT have native MCP client support, it’s an LLM runtime, not an MCP host.
LM Studio (mcp.json)
LM Studio supports both transport patterns. Try the direct HTTP form first (works in LM Studio 0.3.x+):
{
“mcpServers”: {
“royal-mcp”: {
“url”: “https://YOUR_SITE.com/wp-json/royal-mcp/v1/mcp”,
“headers”: {
“X-Royal-MCP-API-Key”: “YOUR_API_KEY_HERE”
}
}
}
}If that fails (older LM Studio, or “stdio only” build), use the mcp-remote bridge form (this is what works for sure on every MCP client because it tunnels stdio β HTTP for you):
{
“mcpServers”: {
“royal-mcp”: {
“command”: “npx”,
“args”: [
“-y”,
“mcp-remote”,
“https://YOUR_SITE.com/wp-json/royal-mcp/v1/mcp”,
“–header”,
“X-Royal-MCP-API-Key:YOUR_API_KEY_HERE”
]
}
}
}Where to put the file:
- macOS: ~/.lmstudio/mcp.json
- Windows: %USERPROFILE%.lmstudio\mcp.json
- Linux: ~/.lmstudio/mcp.json After saving: restart LM Studio (or use the “Reload MCP servers” button in newer versions). Royal MCP’s tools should appear in the model’s available-tools list.
Added this to our support documentation as well, with what to do with Ollama so you can bookmark https://royalplugins.com/support/royal-mcp/#ai-ide-compat
Theme tools/options are addressed in V1.4.9 live now- you can update to test these new settings
Done, we integrated into V1.4.7 that just got pushed- enjoy and thanks for using our tool!
Hey Micheal, thank you for the feedback and great suggestion, I will work on that!
Thanks for testing on a second server β that rules out hosting/network as the cause, which is genuinely useful.
Before we dig further, one quick question so we test the exact same thing you’re seeing:
When you say “adding more than one custom connector to Royal MCP” and “the second site,” which of these are you doing?
(A) Two different WordPress sites, each with Royal MCP installed, added to Claude Desktop as two separate custom connectors (one per site).
(B) One WordPress site with Royal MCP, added to Claude Desktop as two separate custom connectors pointing at the same URL.
(C) Something else β please describe.
The reason I’m asking: scenario (B) is a configuration we’ve genuinely never tested at scale, and if that’s what you’re doing it’s likely a real bug we need to fix. Scenario (A) should work β every site is fully independent on our side β so if that’s failing it points to a different cause, and we’ll want to look at Claude Desktop’s logs.
If you can grab the Claude Desktop log from a failed connection attempt, that would also help a lot:
- Windows: %APPDATA%\Claude\logs\ (look for files starting with mcp-server- or
main) - macOS: ~/Library/Logs/Claude/
The relevant lines are usually anything mentioning oauth, register, discovery, or your second site’s hostname. Feel free to redact tokens before pasting.
We’re going to try to reproduce both scenarios on our end in parallel.
It’s not a “two sites” limitation β Royal MCP is fine running on any number of sites, each is fully independent (separate DB tables, separate OAuth secrets, separate client registrations). The difference you’re describing between the two sites is actually the clue to your problem.
Your working site connects via Claude Desktop. Your failing one uses claude.ai in the browser. Those are very different network paths:
Claude Desktop connects from your own computer’s IP directly to the WordPress site. No Anthropic server is in the middle.
claude.ai (web) does NOT connect directly. The browser tells Anthropic’s backend to connect. Anthropic’s servers then hit your site’s /register, /token, and /mcp endpoints. Those requests come from Anthropic’s network (AS 399358).
If the failing site is behind Cloudflare, this is almost always the culprit. Cloudflare’s “Block AI Bots” / “Verified Bots” settings (Security β Settings β Bots) block Anthropic’s AS by default. Your site sees the block, not Royal MCP. Symptoms match exactly:
Default token mode: no /authorize step, so Anthropic goes straight to /mcp β blocked β “Couldn’t reach MCP server”
OAuth mode: /authorize happens in YOUR browser (not blocked), you click Authorize, then Anthropic’s backend calls /token β blocked β “Authorization failed”
Empty DB tables: /register is also blocked, so no client row ever gets written
To confirm it’s this: open your WordPress site’s access log (or Cloudflare β Security β Events) during a failed connection attempt. Look for 403s on /register, /token, or /wp-json/royal-mcp/v1/mcp from IPs not yours. If you see those 403s, it’s Cloudflare.
The ofid_ references in your error messages are Anthropic’s internal trace IDs, not ours. If Cloudflare isn’t the answer and you want Anthropic to check what their end saw, you can send those references to Anthropic support. We can’t decode them.A couple more things worth checking:
On the failing site, visit https://YOURSITE.com/.well-known/oauth-authorization-server directly in your browser. It should return JSON. If you get a 404, your rewrite rules aren’t flushed β go to Settings β Permalinks β Save Changes (no need to change anything).
Is the failing site on any host that strips the Authorization header before it reaches PHP? Some shared hosts do this on LiteSpeed. If so, /mcp will always 401.Let us know what you find and we’ll go from there.
Sorry to hear you are having issues, judging by what you said and by what we changed from 1.4.2-1.4.3…
Most likely causes (ranked)
- Plugin activated but not enabled in settings
Activation only creates the option royal_mcp_settings[‘enabled’ => false] (royal-mcp.php:111). Nothing works until you toggle Enabled in Royal MCP β Settings. All requests return 403/503 with “Royal MCP is currently disabled” (Server.php:106-114, royal-mcp.php:194-202). This matches “no DB records” perfectly β requests die before anything gets written.
But you said OAuth showed the authorize screen β which would NOT happen if disabled (royal-mcp.php:196 returns 503 for non-metadata actions when disabled). So either it IS enabled, OR something I’m missing. Worth double-checking first.
- Cloudflare “Block AI Bots” / “Block AI Crawlers” Your own settings page warns about this (settings.php:434). Claude.ai‘s backend (not the user’s browser) makes the server-to-server calls for /register, /token, and /mcp. Cloudflare blocks Anthropic’s ASN by default on new zones. Symptoms match exactly:
- Default token: Anthropic backend POSTs /mcp β blocked β “Couldn’t reach MCP server”
- OAuth: browser loads /authorize (user’s IP, not blocked) β Authorize β redirect β Anthropic backend POSTs /token β blocked β “Authorization failed”
- Also explains empty tables β /register blocked β no client row written
- Rewrite rules not flushed after upgrade /authorize, /token, /register live at domain root via rewrite rules (royal-mcp.php:168-174). If you upgraded in place (not deactivateβreactivate), flush may not have run. Go to Settings β Permalinks β Save to force flush.
- Apache/LiteSpeed stripping Authorization header Common on shared hosting. validate_auth reads Authorization: Bearer β¦ (Server.php:117). If the server drops that header before PHP sees it, every request 401s regardless of what Claude sends.
- Is the Enabled toggle on in Royal MCP β Settings?
- Is the site behind Cloudflare? If yes, turn off “Block AI Bots” (Security β Settings).
Go from there
Awesome thanks for using our tool! If you could take a second and leave us a review, it really helps us!
Thank you for using our plugin, testing it and of course giving us this great report/feedback. We just pushed update fixing this issue- tested up to 7.0 RC.