Troubleshooting
The symptoms people hit most, with the fix. More get added as they come up.
OAuth discovery returns 403 or 404
Section titled “OAuth discovery returns 403 or 404”When OAuth is enabled, clients find your site by fetching two documents under
/.well-known/: /.well-known/oauth-protected-resource and
/.well-known/oauth-authorization-server. WordPress serves both, but the request
has to actually reach WordPress. Some servers deny anything that starts with a
dot before PHP runs, and that blocks discovery.
On nginx the usual cause is a dotfile deny rule (location ~ /\. { deny all; }).
Add a more specific block ahead of it so /.well-known/ falls through to
WordPress:
location ^~ /.well-known/ { try_files $uri $uri/ /index.php?$args;}The ^~ prefix tells nginx to prefer this block over the dotfile deny. Other
hidden files stay denied.
Apache usually works as-is, because the WordPress .htaccess sends anything that
is not a real file to index.php, /.well-known/ included. If a host or
security plugin is blocking dotfiles, look for that rule (often in the vhost or a
hardening snippet, not WordPress itself) and let /.well-known/ through.
To check, request https://your-site/.well-known/oauth-protected-resource. A
working setup returns a JSON document instead of a 403 or 404.
A Windows client will not start
Section titled “A Windows client will not start”Windows MCP clients cannot launch the npx shim by name. Wrap it in cmd: set
command to cmd and put /c, npx at the front of args. The Connection tab
has a Windows tab that generates this for you.
Cannot connect to a local or staging site
Section titled “Cannot connect to a local or staging site”Local stacks like DDEV, Local, and Valet serve a self-signed certificate that
Node rejects, so the proxy never reaches WordPress. For local testing only, add
NODE_TLS_REJECT_UNAUTHORIZED set to 0 to the env block (the Connection tab
adds it automatically when it detects a local site).
Next steps
Section titled “Next steps”- Connecting a client: the two connection methods.
- FAQ: more answers on access, data, and clients.