https://hevy.chrisdoc.dev/mcp as a Cloudflare Worker. It requires no local installation, keeps nothing running on your machine, and exposes the same 25 tools as the npm package and Docker image. Send your Hevy API key as a bearer token on every request and you’re connected.
Connection details
Production URL
https://hevy.chrisdoc.dev/mcpProtocol
Streamable HTTP (stateless POST)
Auth
Bearer token — your Hevy API key
Generic client configuration
Clients that accept a remote MCP URL and fixed request headers use this shape:OAuth for Claude.ai
Claude.ai custom connectors — and other remote MCP clients that cannot attach a fixedAuthorization header — use an OAuth 2.1 layer built into the Worker. When the OAUTH_KV KV namespace binding is present on the deployed Worker, the following additional endpoints are active:
1
Add the connector in Claude.ai
Open Claude.ai → Settings → Integrations → Add custom connector. Enter
https://hevy.chrisdoc.dev/mcp as the server URL. Claude.ai discovers the
OAuth metadata automatically via /.well-known/.2
Dynamic client registration
Claude.ai registers itself with the Worker at
/register and receives a
client_id. No manual registration is required.3
Authorize with PKCE
Claude.ai redirects your browser to
/authorize with a PKCE S256 code
challenge. The authorization page prompts you to paste your Hevy API key.
The Worker validates it with Hevy, stores it encrypted inside the OAuth
grant, and issues an authorization code.4
Token exchange
Claude.ai exchanges the code at
/token for an access token. Subsequent
MCP requests carry this token; the Worker decrypts the stored Hevy API key
from the grant and forwards it to Hevy as the required api-key header.The OAuth layer is purely additive. Direct
Authorization: Bearer <hevy-api-key> requests continue to work unchanged. Clients that require
OAuth discovery, dynamic registration, or token refresh are supported through
the OAuth flow; clients that support fixed headers do not need it.Security notes
The Cloudflare Worker is designed so your Hevy API key is never stored in plain text or logged:- Per-request validation: The Worker calls the Hevy API to validate your key on every incoming MCP request. A revoked or expired key is rejected immediately.
- No key storage (direct mode): When you send the key as a bearer token in the
Authorizationheader, it exists only in memory for the duration of that request. - Encrypted grant storage (OAuth mode): In the OAuth flow, the key is stored encrypted inside the OAuth grant in the
OAUTH_KVKV namespace. It is decrypted per-request and never written to logs. - Upstream forwarding only: The Worker forwards your key to Hevy exclusively as the required
api-keyheader. It is never echoed back in responses or included in any log output.
Client-specific setup
Claude Desktop
Configure hevy-mcp in Claude Desktop on macOS or Windows using npx or the
hosted endpoint.
Codex
Add the hosted endpoint or a local stdio server to Codex CLI, desktop app,
or IDE extension.
Docker
Pull the official image and run hevy-mcp as a local stdio server with any
MCP client.
Security guide
Best practices for keeping your Hevy API key safe across all clients.