Firecrawl MCP on Windows is lying about your API key (and the 5-min fix)

Detailed Analysis

A Windows-specific bug in the Firecrawl MCP local installation causes environment variables to be silently dropped during the process spawn chain when using Claude Desktop, resulting in misleading "Unauthorized: API key is required" errors even when the configuration file contains a valid API key. The failure occurs because Claude Desktop launches the MCP server through a multi-step chain — cmd → npx → node — and the `FIRECRAWL_API_KEY` value set in the `env` block of `claude_desktop_config.json` does not reliably propagate through that handoff on Windows. The symptom is particularly deceptive: the server starts successfully, all tools appear in the interface, and the key in the config is syntactically correct, yet every actual tool call returns an authentication failure. The key is never the problem; it simply never reaches the running process.

The author identifies and documents a reliable workaround: replacing the local npx-based installation with Firecrawl's hosted remote connector, accessible through Claude Desktop's Settings → Connectors interface. By supplying the URL `https://mcp.firecrawl.dev/YOUR-API-KEY/v2/mcp` — with the API key embedded directly in the URL path rather than in an OAuth field — users bypass the Windows environment variable propagation issue entirely. The connector communicates over HTTPS, eliminating the local spawn chain problem. An alternate query-parameter format (`?key=YOUR-KEY`) is noted as a fallback. Several common troubleshooting attempts are explicitly ruled out, including wrapping the command in `cmd /c`, setting the key as a Windows user environment variable, rotating the API key, and restarting Claude Desktop via Task Manager — none of which address the underlying process inheritance failure.

This issue sits at the intersection of Windows process environment handling and Claude Desktop's architecture for MCP server management. The Model Context Protocol, which Anthropic introduced to allow Claude to interface with external tools and data sources through standardized connectors, relies on spawning local processes or connecting to remote endpoints. On Unix-like systems, environment variable inheritance across process chains is generally predictable, but Windows CMD introduces additional indirection that can silently strip variables during subprocess spawning — a known edge case in Node.js tooling on Windows that has historically affected other CLI-based developer workflows as well. The fact that the tools load successfully but calls fail makes the bug especially difficult to diagnose without knowledge of the underlying spawn architecture.

The broader implication is that Claude Desktop's local MCP server paradigm, while powerful for developers on macOS and Linux, carries meaningful friction on Windows due to platform-specific process behavior. The hosted connector approach — essentially shifting the execution environment to a remote HTTPS endpoint rather than a locally spawned process — represents an architectural pattern that sidesteps an entire category of Windows compatibility problems. As MCP adoption grows and more third-party services publish connectors, the distinction between local and remote connector architectures will become increasingly relevant for Windows users and for developers publishing MCP integrations who need to account for cross-platform reliability. This incident underscores a gap in Claude Desktop's Windows documentation and potentially in its configuration validation, since a more robust implementation might warn users when environment variables fail to reach spawned processes rather than surfacing a misleading authentication error.