Can't connect to Stripe MCP server

[JoaquinGimenez1]

Describe the bug
Stripe's MCP server only accepts Bearer tokens, when trying to connect is not working.

Currently, this remote server only supports bearer token authentication. OAuth isn’t supported. To avoid phishing attacks, verify that you only use trusted MCP clients, and that the URL you’re using is the official https://mcp.stripe.com/ server.

Stripe docs: https://docs.stripe.com/building-with-llms#mcp-remote

To Reproduce
Steps to reproduce the behavior:

1. Go to https://playground.ai.cloudflare.com/
2. Set MCP server to https://mcp.stripe.com/
3. Set bearer token from stripe

Expected behavior
Should connect and interact to Stripe's MCP server using Bearer Tokens

Logs
Logs from https://playground.ai.cloudflare.com/ debug console

[debug] Auth callback message listener added.
[debug] useMcp mounted, initiating connection.
[debug] BrowserOAuthClientProvider initialized/updated on mount/option change.
[info] Connecting attempt #1 to https://mcp.stripe.com/...
[debug] MCP Client initialized in connect.
[info] Attempting connection with HTTP transport...
[debug] HTTP transport created.
[info] Connecting client via HTTP...
[debug] Client connect error via HTTP: {}
[warn] HTTP transport failed (CORS). Will attempt fallback to SSE.
[info] Attempting connection with SSE transport...
[debug] SSE transport created.
[info] Connecting client via SSE...
[debug] Client connect error via SSE: {"event":{"isTrusted":false,"message":"Failed to fetch"}}
[error] Failed to connect via SSE: SSE error: Failed to fetch {"event":{"isTrusted":false,"message":"Failed to fetch"}}
[debug] Connection sequence finished with status: fallback

[matv-stripe]

(I work on mcp.stripe.com) - thanks for testing! I wonder if this is just a CORS issue? We have CORS turned off on mcp.stripe.com to avoid phishing attacks

[geelen]

Yeah I need to add a section to the readme for CORS. It's going to be an issue for anyone trying to talk MCP from a browser.

This was me adding the mcp-session-id header (required for streamable HTTP servers) to Cloudflare's Agents, which is what powers all of https://github.com/cloudflare/mcp-server-cloudflare which is why they work out of the box.

I wonder if you'd consider adding CORS support on mcp.stripe.com in some way that would allow people to build with this package? Maybe there's a way you could do so that doesn't lead so easily to phishing risks?

The other option is to add a use-mcp/server component that can proxy the requests to the MCP servers without checking for CORS.

[geelen]

I'm actually working on a better idea: making a really simple chat UI (BYO LLM) that you can host on mcp.stripe.com so it can call your MCP server same-origin. Maybe you'll never offer CORS on your MCP server but that doesn't mean you can't let people use their browsers to do stuff.