Claude Connectors submission: top 10 pitfalls and how to avoid rejection
Problem
Submissions to the Claude Connectors Directory are being rejected at a high rate due to a small set of common, avoidable mistakes (≈90% of revision requests). These include missing tool annotations, missing privacy policy, OAuth CSRF failures in embedded webviews, tagline length violations, insufficient use cases, test account/credential issues, wrong logo format, non-production servers, and RLS configuration problems.
Solution
Fix the most common issues before submitting: add per-tool annotations (readOnlyHint or destructiveHint) and a user-friendly title; publish a public privacy policy URL; implement OAuth CSRF for the embedded webview using HMAC-signed tokens passed in URL parameters (not cookie double-submit); keep the tagline ≤55 characters; provide at least three concrete use cases with example prompts; provide a test account with no 2FA and credentials valid ≥30 days (use mcp-review@anthropic.com if needed); upload a square SVG logo and verify favicon; list only GA/production servers; if using Supabase, expose reviewer-accessible views with SECURITY DEFINER; enable HTTPS, configure CORS for browser OAuth, and allowlist Claude IPs if you restrict access.
Attempts
- Using cookie-based double-submit CSRF tokens in Claude's embedded webview (fails because cookies are not stored on 302 redirects).
- Uploading PNG/JPG logos instead of a square SVG.
- Providing a tagline longer than 55 characters.
- Giving fewer than three concrete use cases or only generic descriptions.
- Requiring 2FA on the reviewer test account or providing credentials that expire in under 30 days.
- Submitting beta/staging servers instead of GA/production servers.
- Leaving Supabase views as SECURITY INVOKER so anonymous reviewers see empty data.
## Problem
Claude Connectors Directory submission has a high rejection rate. 90% of revision requests come from a few common mistakes. Knowing these in advance saves weeks of back-and-forth.
## Top Rejection Reasons (from official docs + real submission experience)
### 1. Missing tool annotations (~30% of all rejections)
Every tool MUST have `readOnlyHint` or `destructiveHint` annotations AND a user-friendly `title`. This is the #1 cause of instant rejection.
```json
{
  "name": "search-knowledge",
  "annotations": {
    "title": "Search Knowledge",
    "readOnlyHint": true,
    "destructiveHint": false
  }
}
```
### 2. Missing privacy policy
No privacy policy URL = instant rejection. Must be publicly accessible.
### 3. OAuth CSRF fails in embedded webviews
Cookie-based CSRF (double-submit pattern) does NOT work in Claude's embedded webview because cookies are not stored on 302 redirects. Solution: use HMAC-signed tokens passed as URL parameters instead of cookies.
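A sketch of the cookie-free approach described in item 3, added here as an example and not taken from the original page or from any official documentation. The function names, claim fields, and 10-minute lifetime are assumptions; the token travels in the OAuth `state` URL parameter and is checked on the callback.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

STATE_TTL_SECONDS = 600  # assumed lifetime of one authorization round trip


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_state(key, client_id, redirect_uri, now=None):
    """Build the value for the `state` query parameter (hypothetical helper)."""
    issued = time.time() if now is None else now
    claims = {
        "cid": client_id,                 # binds the token to one OAuth client
        "uri": redirect_uri,              # ...and to one registered callback
        "exp": int(issued + STATE_TTL_SECONDS),
        "n": secrets.token_urlsafe(16),   # makes every token unique
    }
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + tag


def verify_state(key, token, client_id, redirect_uri, now=None):
    """Return True only for an unexpired, untampered token for this client."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison; claims are parsed only after the tag checks out.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return False
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError, AttributeError):
        return False
    current = time.time() if now is None else now
    return (claims.get("exp", 0) >= current
            and claims.get("cid") == client_id
            and claims.get("uri") == redirect_uri)
```

To make a token single-use, record the `n` value on first successful verification and reject repeats until `exp` has passed.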
### 4. Tagline exceeds 55 characters
The tagline field has a strict 55-character limit (including spaces). Easy to overlook.
### 5. Missing or incomplete use cases
Minimum 3 use cases with actual prompt examples required. Generic descriptions like "manage data" will be sent back.
### 6. Test account must not require 2FA
If the reviewer needs to log in, the test account MUST NOT have 2FA enabled. Use mcp-review@anthropic.com as the email if email verification is needed.
### 7. Test credentials expire too soon
Test credentials must be valid for at least 30 days. Set a reminder to extend them if review takes longer.
### 8. SVG logo required (not PNG/JPG)
The logo must be a square (1:1) SVG. Also verify your favicon at: `https://www.google.com/s2/favicons?domain=YOUR_DOMAIN&sz=64`
### 9. Server not in GA state
Only production-ready, generally available servers are listed. Beta/staging servers will be rejected.
### 10. RLS blocks anonymous access to public data
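If using Supabase with RLS, views accessed by the review team (anonymous/unauthenticated) need SECURITY DEFINER, not the default SECURITY INVOKER. Otherwise public profiles, shared data, etc. return empty/unknown. A view that runs with its owner's privileges can bypass RLS on the underlying tables, so have it select only the columns and rows that are meant to be public.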
## Additional Tips
- Server name: do NOT include "MCP" or "Server" in the name
- Description: 50-100 words, focused on what the server does and key capabilities
- CORS must be configured for browser-based OAuth
- HTTPS required (no HTTP)
- Allowlist Claude.ai and Claude Code IP addresses if you have IP restrictions
- Review takes approximately 2 weeks
- To update an existing listing: email mcp-review@anthropic.com
Apr 4, 2026