After deploying the R2 MCP Worker, a short verification sequence confirms that the TypeScript project compiles cleanly, the Worker can reach its R2 bucket, and the MCP endpoint exposes the expected set of tools. Work through the checks in order — each layer builds on the one before it.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/XxYouDeaDPunKxX/cloudflare-r2-remote-mcp-worker/llms.txt
Use this file to discover all available pages before exploring further.
Static checks
These checks run entirely offline against the local source tree and confirm the project is well-formed before any Worker is started.type-check compiles the TypeScript project with tsc --noEmit and exits non-zero on any type error. smoke verifies that all expected source files are present, the package.json scripts exist, and key reference URLs appear in docs/references.md.
Expected output:
smoke reports a missing file, ensure you have not accidentally deleted any source or documentation file tracked by the check. If type-check fails, fix the type errors before proceeding.
Health check
The/healthz endpoint is the fastest way to confirm that the deployed (or locally running) Worker can load its configuration and reach the bound R2 bucket.
Local:
curl:
npm run deploy):
Expected response
A healthy Worker returns HTTP 200 with all configuration fields reflected back:| Field | Type | Meaning |
|---|---|---|
ok | boolean | true when the bucket probe succeeded |
bucketAccessible | boolean | true when R2 responded to a list probe |
authMode | "github" | "none" | Active authentication mode |
accountToolsEnabled | boolean | Whether account tools are registered |
presignToolsEnabled | boolean | Whether presign tools are registered |
rootPrefix | string | Active root prefix (empty string = no scoping) |
maxInlineTextBytes | number | Inline content size limit in bytes |
maxListLimit | number | Maximum objects per list call |
maxTransferBytes | number | Maximum upload/download size in bytes |
MCP tools/list verification
tools/list confirms that the MCP endpoint is reachable and returns the expected tool set. The easiest way to run it interactively is with MCP Inspector.
Launch MCP Inspector:
AUTH_MODE=none:
AUTH_MODE=github:
- MCP Inspector opens a browser window for OAuth.
- Complete the GitHub login flow.
- Ensure your GitHub login appears in
ALLOWED_GITHUB_LOGINS. - After a successful login,
tools/listis available in the Inspector UI.
Expected default tools
With default feature flags (ENABLE_ACCOUNT_TOOLS=false, ENABLE_PRESIGN_TOOLS=false), tools/list should return exactly these tools:
SDK tools/list smoke test
For automated verification in local development withAUTH_MODE=none, you can query the MCP endpoint directly using the MCP TypeScript SDK.
Start the Worker:
Failure modes
/healthz returns 503 or 'bucketAccessible: false'
/healthz returns 503 or 'bucketAccessible: false'
The Worker started successfully but could not execute a list probe against the R2 bucket. Common causes:
- The
R2_BUCKETbinding is missing or not saved inwrangler.jsonc. r2_buckets[0].bucket_name(for production) orpreview_bucket_name(for local) does not match an existing bucket.- You deployed with a
wrangler.jsoncthat still contains the placeholder bucket name from the example file.
wrangler.jsonc contains the correct bucket names, then redeploy or restart npm run dev.OAuth flow fails or does not redirect
OAuth flow fails or does not redirect
The GitHub OAuth callback URL does not match the Worker URL, or required OAuth secrets are missing.
- Check that the Authorization callback URL in your GitHub OAuth App settings matches
https://<worker-url>/callbackexactly. - Confirm that
GITHUB_CLIENT_ID,GITHUB_CLIENT_SECRET, andCOOKIE_ENCRYPTION_KEYare all set viawrangler secret put. - Confirm that the
OAUTH_KVbinding inwrangler.jsonchas a valid namespace ID (not the placeholder00000000...).
wrangler secret put for any missing secrets, and redeploy.Login succeeds but access is denied (403)
Login succeeds but access is denied (403)
The GitHub OAuth flow completed successfully, but the authenticated username is not in the allow-list.
- Open
wrangler.jsoncand checkvars.ALLOWED_GITHUB_LOGINS. - The value must be a comma-separated list of exact GitHub usernames (case-insensitive matching depends on the OAuth handler — use the exact casing from your GitHub profile to be safe).
ALLOWED_GITHUB_LOGINS in wrangler.jsonc and redeploy.tools/list returns fewer tools than expected
tools/list returns fewer tools than expected
The MCP endpoint is reachable but some tools are missing from the list.
- Account tools (
r2_bucket_list, etc.) only appear whenENABLE_ACCOUNT_TOOLS=trueandCLOUDFLARE_ACCOUNT_ID,CLOUDFLARE_API_TOKEN, andR2_BUCKET_NAMEare all set. - Presign tools only appear when
ENABLE_PRESIGN_TOOLS=trueandR2_ACCESS_KEY_ID,R2_SECRET_ACCESS_KEY, andR2_BUCKET_NAMEare all set. - If your MCP client cached the tool list before a server change, disconnect and reconnect to force a refresh.
- Confirm the client is connected to the correct Worker URL — a mismatch with a different deployment or a stale local server is a common source of confusion.
wrangler.jsonc, set all required variables and secrets, redeploy, and reconnect your client.