Make.com has an MCP endpoint now. The auth token goes in the URL — and 3 other walls the docs skip

I already let my AI agent read and repair my self-hosted n8n workflows. So when a client's Make.com scenario started misfiring — duplicate WhatsApp order notifications, fired in bursts — my first instinct wasn't to log into the web UI. It was: can I give the agent the same remote access to Make that it has to n8n?

Make.com shipped both a REST API and an MCP endpoint. So yes. But getting from "they have an API" to "my agent is connected and patching a live scenario blueprint" meant walking into four undocumented walls. Here they are, in the order they hit me.

Wall 1: The API is behind Cloudflare, and it hates your User-Agent

My first call was a throwaway Python script — urllib.request to GET /api/v2/users/me. It came back 403.

Not 401 (bad auth). 403. The token was fine. The request never reached Make's application layer — Cloudflare's WAF bounced it on the User-Agent. The default Python-urllib/3.x UA is on a block list.