diff --git a/apps/mcp/package.json b/apps/mcp/package.json
index c48055b794..599b0258b5 100644
--- a/apps/mcp/package.json
+++ b/apps/mcp/package.json
@@ -39,5 +39,5 @@
     "test:unit": "test-unit"
   },
   "type": "module",
-  "version": "0.1.0"
+  "version": "0.2.0"
 }
diff --git a/apps/mcp/src/http.ts b/apps/mcp/src/http.ts
index 49f0fa7664..a0ec9b49a4 100644
--- a/apps/mcp/src/http.ts
+++ b/apps/mcp/src/http.ts
@@ -13,6 +13,21 @@ const port = Number(process.env.PORT) || 8080;
 const MAX_BODY_BYTES = 1024 * 1024; // 1 MB
 const DRAIN_TIMEOUT_MS = 10_000;
 
+const CORS_HEADERS: Record<string, string> = {
+  "Access-Control-Allow-Origin": "*",
+  "Access-Control-Allow-Methods": "POST, OPTIONS",
+  "Access-Control-Allow-Headers":
+    "Content-Type, Accept, Authorization, Mcp-Session-Id",
+  "Access-Control-Expose-Headers": "Mcp-Session-Id",
+  "Access-Control-Max-Age": "86400",
+};
+
+function setCorsHeaders(res: import("node:http").ServerResponse): void {
+  for (const [key, value] of Object.entries(CORS_HEADERS)) {
+    res.setHeader(key, value);
+  }
+}
+
 const httpServer = createHttpServer(async (req, res) => {
   const method = req.method ?? "UNKNOWN";
   const url = req.url ?? "/";
@@ -39,8 +54,18 @@ const httpServer = createHttpServer(async (req, res) => {
       return;
     }
 
+    // CORS preflight for MCP endpoint
+    if (method === "OPTIONS" && url === "/mcp") {
+      setCorsHeaders(res);
+      res.writeHead(204);
+      res.end();
+      return;
+    }
+
     // MCP endpoint — only POST is supported in stateless mode
     if (url === "/mcp") {
+      setCorsHeaders(res);
+
       if (method !== "POST") {
         res.writeHead(405, { Allow: "POST" });
         res.end("Method Not Allowed");