A practical guide based on real submission experience β what the form asks, what reviewers check, and what I got wrong the first time.
I built an MCP server for QRflows β a dynamic QR code platform. After the server was live and working, I submitted it to Anthropic's official Connector Directory. The review is ongoing, but the process taught me things I couldn't find documented anywhere in one place.
This post covers the full submission process as it stands in mid-2026: what the form actually asks, the technical requirements that can silently kill your review, and how to prepare so you don't spend a week backtracking.
When your MCP server is not in the directory, users have to:
That's four steps with a copy-paste. Most non-developer users won't do it.
Once your server is in the directory, users just find you in the list, click Connect, and authorize. Same OAuth flow β but the friction disappears. The directory is also how Anthropic surfaces integrations to Claude Pro and Team users who never look at developer docs.
For a SaaS product, that's a significant distribution channel.
The directory accepts three types:
.mcpb
bundle for Claude DesktopQRflows is a remote MCP server. The form and required assets differ by type, so confirm which one you're submitting before you start.
The form is at claude.com/docs/connectors/building/submission
. It's not short.
Here's what each section covers so you can prepare everything before you open it:
1. Server basics β name, tagline, server URL, connector type (remote / desktop / MCP App), primary use cases in 2β3 sentences.
2. Connection details β transport protocol (must be Streamable HTTP, SSE is no longer accepted), auth type, read/write capabilities, whether your OAuth callback URL is registered.
3. Tools & resources β list every tool with a human-readable title, confirm annotations are in place, confirm read and write tools are separate, confirm tool names are β€ 64 chars.
4. Documentation β public docs URL (a single help page or blog post is enough), minimum 3 example prompts that exercise different tools, setup and auth steps. You can share a private staging link with Anthropic during review if docs aren't public yet.
5. Privacy & compliance β privacy policy URL, data handling summary (what you collect, how long you keep it, who you share it with), confirmation of HTTPS and Origin-header validation.
6. Test account & branding β login credentials for a test account with realistic sample data, server logo (URL or SVG), favicon. For MCP Apps only: 3β5 PNG screenshots at min 1000px wide.
Every tool needs two things: a title
and the right safety hint.
// Read-only tool
server.tool(
"list_qr_codes",
"List all QR codes in the account.",
schema,
handler,
{
title: "List QR Codes",
readOnlyHint: true,
destructiveHint: false,
}
);
// Write tool
server.tool(
"create_qr",
"Create a new dynamic QR code.",
schema,
handler,
{
title: "Create QR Code",
readOnlyHint: false,
destructiveHint: false,
}
);
// Destructive tool β be explicit
server.tool(
"delete_qr",
"Permanently delete a QR code.",
schema,
handler,
{
title: "Delete QR Code",
readOnlyHint: false,
destructiveHint: true,
}
);
Missing annotations reportedly cause around 30% of all directory rejections. The other mistake: don't bundle read and write into one generic tool. A tool called api_request
with a method
parameter accepting GET
, POST
, PATCH
, DELETE
will fail review. Split them.
For the browser-based Claude (claude.ai), register exactly this redirect URI:
https://claude.ai/api/mcp/auth_callback
Claude Code uses a loopback redirect on localhost
with an ephemeral port. If you want to support Claude Code users, your auth server needs to accept loopback redirects with the port ignored.
PKCE with S256
is required. Your authorization server metadata should declare:
{
"code_challenge_methods_supported": ["S256"]
}
Plain OAuth 2.0 without PKCE won't pass.
Your MCP server must validate the Origin
header and reject requests not coming from Claude. This is a security requirement, not optional.
// Cloudflare Workers example
const origin = request.headers.get("Origin");
if (origin !== "https://claude.ai") {
return new Response("Forbidden", { status: 403 });
}
Claude uses this to discover your authorization server. Host it at /.well-known/oauth-protected-resource
:
{
"resource": "https://mcp.qrflows.app",
"authorization_servers": ["https://qrflows.app"],
"scopes_supported": ["qr:read", "qr:write"]
}
If this endpoint is missing, Claude can't complete OAuth discovery and the connector won't authenticate.
Anthropic wants docs that let a reviewer test your connector in 10 minutes without prior knowledge of your product.
The minimum:
For QRflows I created qrflows.app/mcp as the dedicated docs page. A single well-organized page is enough.
Create a separate account β not your main production account. Load it with realistic sample data. Write down the credentials before you open the form.
For QRflows I created a test account with 6β7 QR codes of different types (URL, WiFi, vCard, Smart Rules) so reviewers could test list_qr_codes
, get_qr_stats
, and update_qr_url
with real data.
If your tools operate on empty state, reviewers can't tell if they work or are broken.
Anthropic is upfront: they can't promise to review or respond to every submission individually because of volume. The typical timeline they cite is ~2 weeks, but it can run longer.
My submission has been in review for about a month. No response yet β from what I can tell that's within the normal range given submission volume right now.
While you're waiting: your server is already usable as a custom connector. Share the URL, write about it, put it in your docs. The directory listing is a distribution multiplier, not a prerequisite.
Read the submission guide before building. Once I had the full list of requirements, I realized I was missing the Protected Resource Metadata endpoint and had to add it after the fact. Twenty minutes of reading upfront would have saved two hours.
Load the test account before submitting. I initially created a test account with no data. Reviewers testing list_qr_codes
would have seen an empty array with no way to tell if the tool worked.
Write docs first. The form asks for a public docs URL. If you don't have it ready, you have to . Write the docs page before you open the form.
https://mcp.qrflows.app/mcp
claude.com/docs/connectors/building/submission
I'll update this post when the review completes β approved or not. Happy to answer questions in the comments.