diff --git a/deploy-manage/toc.yml b/deploy-manage/toc.yml index 581e069a1e..be1c86996a 100644 --- a/deploy-manage/toc.yml +++ b/deploy-manage/toc.yml @@ -559,6 +559,7 @@ toc: children: - file: users-roles/cloud-organization/register-elastic-cloud-saml-in-okta.md - file: users-roles/cloud-organization/register-elastic-cloud-saml-in-microsoft-entra-id.md + - file: users-roles/cloud-organization/manage-mcp-client-connections.md - file: users-roles/cloud-enterprise-orchestrator.md children: - file: users-roles/cloud-enterprise-orchestrator/manage-system-passwords.md diff --git a/deploy-manage/users-roles/cloud-organization/manage-mcp-client-connections.md b/deploy-manage/users-roles/cloud-organization/manage-mcp-client-connections.md new file mode 100644 index 0000000000..b8cc9ff1e7 --- /dev/null +++ b/deploy-manage/users-roles/cloud-organization/manage-mcp-client-connections.md @@ -0,0 +1,120 @@ +--- +navigation_title: "Application connections" +description: "Audit and revoke MCP client connections across an Elastic Cloud organization's serverless projects from a single organization-level view." +type: how-to +applies_to: + serverless: preview +products: + - id: cloud-serverless +--- + +# Manage MCP client connections [manage-mcp-client-connections] + +The **Application connections** page in the Elastic Cloud Console gives organization administrators a single place to audit and revoke [MCP client](/explore-analyze/ai-features/agent-builder/mcp-client-oauth.md) connections that members of your organization have authorized across their {{serverless-short}} projects. + +:::{note} +During technical preview, application connections cover **MCP clients only**, and connected applications get **read-only** access through Elasticsearch Query Language (ES|QL)-based tools. Support is limited to {{serverless-short}} projects. +::: + +To create an MCP client or connect an MCP host such as **Claude Desktop**, see [Connect an MCP host to an MCP client](/explore-analyze/ai-features/agent-builder/mcp-client-connect.md) in the Agent Builder documentation. This page covers organization-level management only. + +## Before you begin [manage-mcp-client-connections-before-you-begin] + +To access this page, open **Organization → Security settings → Application connections** in the Elastic Cloud Console. What you can see and revoke depends on your role: + +* **Organization owners** see every application connection in the organization. +* **Other users** see connections for the projects they administer, plus any connections they authorized themselves. + + + + +The page offers two views, toggled by the **Group by client** and **List view** buttons: + +* **Group by client** (default for organization owners) — lists each MCP client with a count of its connections. Expand a client row to see individual connections. +* **List view** — shows all connections in a flat, sortable table. + +## View application connections + +The **Application connections** page shows each MCP client and its connections. In grouped view, expand a client to see its individual connections. Each connection row shows the following details: + +| Column | Description | +| --- | --- | +| Connection name | The name of the connection, derived from the MCP client name. | +| Authorization date | When the user authorized the connection. | +| Connected by | The email address of the user who authorized the connection. | +| Status | The current state of the connection. See [Connection statuses](#connection-statuses). | + + + +:::{note} +This page shows all MCP clients for your organization, including clients created through the {{kib}} API using an {{ecloud}} API key. Those clients are not visible in the Agent Builder client list in {{kib}} — the organization-level view here is the only place to manage them. +::: + +To narrow the list, use the search box to filter by name, or use the **Status** filter. + +If no project in your organization has any MCP client connections yet, the page shows an empty state. Open a {{serverless-short}} project to begin. Connections appear here once users start authorizing MCP clients. + +### Connection statuses + +A connection has one of the following statuses: + +* **Active** — the connection is authorized. The session may have expired if unused for 30 or more days. +* **Expired** — the connection's refresh window lapsed after 30 days of inactivity. The user must re-authorize to use it again. +* **Revoked** — the connection was revoked and can no longer be used. + + + + +Revoked connections remain visible for 3 months and revoked clients for 1 year (use the status filter to show them). Expired connections remain visible until re-authorized or removed. + +## View MCP client details + +Select a client to open its details panel. The panel shows the connection details a user needs to configure an MCP host, for reference: + +* **Client ID** — the unique identifier for the MCP client. +* **MCP server URLs** — the redirect URIs configured for this client (the callback URLs used during the OAuth consent flow). +* A reminder that the **client secret** is required for confidential clients and is shown only once, when the client is created. + + + + +To create or edit a client, click **Manage MCP client** to open the project's Agent Builder client management in Kibana. + + + +## Revoke connections + +Revoking removes the selected connections only. The MCP client stays registered and can accept new connections, and an application can be reconnected at any time. + +To revoke a single connection, click **Revoke** in its row. + +To revoke several connections at once: + +1. Select the checkbox for each connection you want to revoke. In grouped view, use **Select all connections for this client** to select every connection under a client, or **Clear selection** to start over. +2. Click **Revoke *N* connections**. +3. Review the connections in the confirmation dialog, then click **Revoke access**. + +You can revoke up to 100 connections at a time. + +:::{tip} +Removing a user from your identity provider does **not** automatically revoke that user's connections. When a user leaves, revoke their connections here to cut off access. +::: + +To revoke an entire MCP client and all its connections, the client's creator removes it from the project's Agent Builder client management in Kibana. See [Revoke an MCP client or connection](/explore-analyze/ai-features/agent-builder/mcp-client-revoke.md). + +## Next steps + +- To restore access after revoking a client, [create a new MCP client](/explore-analyze/ai-features/agent-builder/mcp-client-create.md) and distribute the credentials to users. + +## Related pages + +* [Create an MCP client](/explore-analyze/ai-features/agent-builder/mcp-client-create.md) (Agent Builder) +* [Connect an MCP host to an MCP client](/explore-analyze/ai-features/agent-builder/mcp-client-connect.md) (Agent Builder) +* [Revoke an MCP client or connection](/explore-analyze/ai-features/agent-builder/mcp-client-revoke.md) (Agent Builder) +* [Authenticate MCP clients with OAuth](/explore-analyze/ai-features/agent-builder/mcp-client-oauth.md) diff --git a/explore-analyze/ai-features/agent-builder/mcp-client-connect.md b/explore-analyze/ai-features/agent-builder/mcp-client-connect.md new file mode 100644 index 0000000000..b94470c506 --- /dev/null +++ b/explore-analyze/ai-features/agent-builder/mcp-client-connect.md @@ -0,0 +1,162 @@ +--- +navigation_title: "Connect an MCP host" +description: "Configure an MCP host to use an OAuth MCP client and complete the user consent flow to establish a connection to Agent Builder." +type: how-to +applies_to: + serverless: preview +products: + - id: elasticsearch + - id: kibana + - id: observability + - id: security + - id: cloud-serverless +--- + +# Connect an MCP host to an MCP client [mcp-client-connect] + +After [creating an MCP client](mcp-client-create.md), configure your MCP host with the client ID and MCP server URL, then complete the OAuth consent flow to establish the connection. + +This page covers two common MCP hosts: the **Claude Code CLI** (which has native OAuth support) and **Claude Desktop** (which uses the `mcp-remote` adapter). Other hosts that support OAuth 2.1 with PKCE follow the same general pattern — consult your host's documentation for the specific configuration format. + +## Before you begin [mcp-client-connect-before-you-begin] + +- You have a client ID and MCP server URL from [creating an MCP client](mcp-client-create.md). +- You have access to the {{serverless-short}} project that the MCP client is scoped to. + +## Step 1: Configure your MCP host + +Choose the instructions for your host. + +### Claude Code CLI + +**Option 1: Native HTTP transport (recommended)** + +The Claude Code CLI supports OAuth natively — no additional adapter is required. When you created the client, the redirect URI `http://localhost:3000/callback` should be in your redirect URI list. + +Run the following command, replacing `{CLIENT_ID}` and `{MCP_SERVER_URL}` with the values from your client's details page in {{kib}}: + +```bash +claude mcp add --transport http --client-id {CLIENT_ID} kibana-mcp {MCP_SERVER_URL} +``` + +:::{note} +Confidential clients also require `--client-secret {CLIENT_SECRET}` in the preceding command. + + +::: + +**Option 2: mcp-remote adapter** + +Use this option if your version of Claude Code doesn't support native HTTP OAuth transport. When you created the client, the redirect URI `http://localhost:3000/oauth/callback` should be in your redirect URI list. + +```bash +claude mcp add --transport stdio kibana-mcp -- \ + npx mcp-remote \ + "{MCP_SERVER_URL}" \ + --static-oauth-client-info \ + "{\"client_id\":\"{CLIENT_ID}\"}" +``` + +Replace `{MCP_SERVER_URL}` and `{CLIENT_ID}` with the values from your client's details page in {{kib}}. + +:::{note} +Confidential clients must include the client secret in the `--static-oauth-client-info` JSON: `{"client_id":"{CLIENT_ID}","client_secret":"{CLIENT_SECRET}"}`. +::: + + + +The server is now configured. Start a Claude Code session — the OAuth consent flow triggers automatically on the first use of the server. + +### Claude Desktop + +Claude Desktop uses the [mcp-remote](https://www.npmjs.com/package/mcp-remote) adapter to handle OAuth connections. When you created the client, the redirect URI `http://localhost:3000/oauth/callback` should be in your client's redirect URI list. + +1. In Claude Desktop, open **Settings → Developer → Edit Config**. This opens `claude_desktop_config.json` in your text editor. +2. Add your MCP client to the `mcpServers` object: + + ```json + { + "mcpServers": { + "kibana-mcp": { + "command": "npx", + "args": [ + "mcp-remote", + "{MCP_SERVER_URL}", + "--static-oauth-client-info", + "{\"client_id\":\"{CLIENT_ID}\"}" + ] + } + } + } + ``` + + Replace `{MCP_SERVER_URL}` and `{CLIENT_ID}` with the values from your client's details page in {{kib}}. + + :::{note} + Confidential clients also require a `client_secret` in the `--static-oauth-client-info` JSON. Include it as `"client_secret":"{CLIENT_SECRET}"` alongside the `client_id`. + ::: + +3. Save the file and restart Claude Desktop to load the new configuration. + +**Other MCP hosts** — most hosts that support OAuth 2.1 with PKCE accept a similar configuration. Provide the `{MCP_SERVER_URL}` and `{CLIENT_ID}` in the format your host requires. + +## Step 2: Authorize the connection + +The first time your MCP host tries to use the configured server, it opens a browser window and starts the OAuth consent flow. + +1. Your browser opens to an {{ecloud}} sign-in page. Sign in with your {{ecloud}} credentials, even if you already have an active session — authentication is always required before you can grant consent. +2. The **Connect and authorize** page opens, showing which project the MCP client is requesting access to. Click **Authorize** to grant access. +3. The browser confirms the authorization is complete. Close the tab and return to your MCP host. + +A new **app connection** is created in {{kib}}, scoped to your account and the project the MCP client was registered for. The connection name is auto-generated in the format `#`. + +:::{note} +If you click **Deny**, no connection is created. The host retries the flow the next time you use a tool, or you can restart the host to trigger a fresh attempt. +::: + +## Verify the connection + +In {{kib}}, go to **Agent Builder → Tools library**, click **Manage MCP**, and select **Manage MCP clients (OAuth)** to confirm the connection count for your client has increased. If you don't see it within a minute of authorizing, refresh the page. + +You can also check your connection in the Cloud Console at **Organization → Security settings → Application connections**. + +## Troubleshoot + +**The host shows an error and doesn't open a browser.** + +Confirm the `{MCP_SERVER_URL}` in your config matches exactly what {{kib}} displays. The correct URL ends with `/api/agent_builder/mcp`. A typo, extra slash, or doubled path segment will prevent the OAuth discovery step from completing. + +**Authorization completed but no connection appears in {{kib}}.** + +Confirm you have access to the {{serverless-short}} project the client was registered for. If your account doesn't have project access, the consent step fails silently. + +**The host shows a new sign-in prompt after a period of inactivity.** + +Connections expire after 30 days without use. Complete the authorization flow again to re-establish the connection. + +**The authorization flow fails after you wait on the consent page.** + +The MCP host's local callback server times out if the **Connect and authorize** page is left open too long before you click **Authorize**. Start the flow again and click **Authorize** promptly without leaving the consent page open. + +**You need to start fresh with a new connection.** + +Consult your MCP host's documentation for how to clear cached OAuth credentials and force a new authorization. Most hosts maintain only one connection per MCP server URL, so reconfiguring with the same URL will reuse the existing connection unless the cached credentials are cleared. + + + +## Next steps + +- [Revoke an MCP client or connection](mcp-client-revoke.md) when access is no longer needed. + +## Related pages + +- [Authenticate MCP clients with OAuth](mcp-client-oauth.md) +- [Create an MCP client](mcp-client-create.md) +- [Manage application connections](/deploy-manage/users-roles/cloud-organization/manage-mcp-client-connections.md) diff --git a/explore-analyze/ai-features/agent-builder/mcp-client-create.md b/explore-analyze/ai-features/agent-builder/mcp-client-create.md new file mode 100644 index 0000000000..4b4c29576f --- /dev/null +++ b/explore-analyze/ai-features/agent-builder/mcp-client-create.md @@ -0,0 +1,93 @@ +--- +navigation_title: "Create an MCP client" +description: "Register an MCP client in Agent Builder to get the credentials and server URL needed to connect an MCP host over OAuth." +type: how-to +applies_to: + serverless: preview +products: + - id: elasticsearch + - id: kibana + - id: observability + - id: security + - id: cloud-serverless +--- + +# Create an MCP client in Agent Builder [mcp-client-create] + +Register a new MCP client in {{agent-builder}} to generate the credentials that an MCP host (such as **Claude Desktop**) needs to connect over OAuth 2.1. + +Each MCP client is scoped to a single {{serverless-short}} project. Creating a client gives you a client ID, the MCP server URL for that project, and — for confidential clients — a client secret that is shown only once. + +## Before you begin [mcp-client-create-before-you-begin] + +- You need access to a {{serverless-short}} project with {{agent-builder}} enabled. +- [Understand OAuth for MCP clients](mcp-client-oauth.md) before choosing client type and redirect URIs. + +## Create the client + +:::::{stepper} + +::::{step} +Open the MCP client management page. + +In {{kib}}, go to **Agent Builder → Tools library**, then click **Manage MCP** and select **Manage MCP clients (OAuth)**. Click **Add MCP client**. +:::: + +::::{step} +Name the client. + +Enter a **Client name**. The name is visible to users during the authorization consent flow, so use something that clearly identifies the application (for example, `Claude Desktop — Engineering`). +:::: + +::::{step} +Select a client logo. + +Optionally set a **Client logo** to identify the application in the list. Toggle between **Select logo** (choose from provided options) or **Upload logo** (use a custom image). Available logos: MCP client logo (default), Claude desktop, Open AI, Azure Open AI, Google AI Studio, Azure AI studio. + +Selecting a logo is cosmetic — it does not pre-configure redirect URIs. +:::: + +::::{step} +Set the redirect URI. + +The redirect URI tells the authorization server where to return the user after they grant consent. Select the redirect URI type: + +- **Local** — for applications running on your local machine. The field is pre-populated with `http://localhost:3000/callback`. Replace or supplement this value to match your host's expected path. The authorization server accepts any localhost port, but the path must match exactly. Common values: + - Claude Desktop (mcp-remote): `http://localhost:3000/oauth/callback` + - Claude Code CLI (native HTTP): `http://localhost:3000/callback` +- **Remote** — for hosted or cloud-based applications. Enter a single `https://` URI. Plain HTTP is not accepted. + +For local clients that need more than one redirect URI, click **Add local URL**. +:::: + +::::{step} +Save the client. + +Click **Create client**. The **Copy server details for [client name]** dialog displays: + +- **Client ID** — copy this; you'll need it when configuring the MCP host. +- **MCP server URL** — the endpoint your MCP host uses to reach this project's Agent Builder tools. Copy this alongside the client ID. Verify that the URL ends with `/api/agent_builder/mcp` and does not contain a doubled path segment. +- **Client secret** (confidential clients only) — the secret is shown **once** and cannot be retrieved later. Copy or download it immediately and store it securely. + +Copy the new Client ID and the Server URL into the application config file, and save your changes. To apply the new configuration, restart the application. +:::: + +::::: + +:::{note} +MCP clients can also be created through the {{kib}} API, authenticated with an {{ecloud}} API key. ES API keys are not accepted and are rejected early with a 400 error. Clients created this way are not visible in the Agent Builder client list — they appear only in the organization-level [Application connections](/deploy-manage/users-roles/cloud-organization/manage-mcp-client-connections.md) view in the {{ecloud}} Console. +::: + + + +## What's next + +Now that you have a client ID and MCP server URL, configure your MCP host to use them: + +- [Connect an MCP host to an MCP client](mcp-client-connect.md) + +## Related pages + +- [Authenticate MCP clients with OAuth](mcp-client-oauth.md) +- [Revoke an MCP client or connection](mcp-client-revoke.md) +- [Manage application connections](/deploy-manage/users-roles/cloud-organization/manage-mcp-client-connections.md) diff --git a/explore-analyze/ai-features/agent-builder/mcp-client-oauth.md b/explore-analyze/ai-features/agent-builder/mcp-client-oauth.md new file mode 100644 index 0000000000..d3dfaa59ce --- /dev/null +++ b/explore-analyze/ai-features/agent-builder/mcp-client-oauth.md @@ -0,0 +1,75 @@ +--- +navigation_title: "MCP client OAuth" +description: "OAuth 2.1 lets MCP clients authenticate to the Agent Builder MCP server on behalf of a user, using short-lived tokens instead of static API keys." +type: overview +applies_to: + serverless: preview +products: + - id: elasticsearch + - id: kibana + - id: observability + - id: security + - id: cloud-serverless +--- + +# Authenticate MCP clients with OAuth [mcp-client-oauth] + +The [{{agent-builder}} MCP server](mcp-server.md) supports OAuth 2.1 as a way for MCP clients to authenticate on behalf of a user, alongside [API keys](mcp-server.md#api-key-application-privileges). + +OAuth suits interactive, agentic use cases: instead of configuring a static, long-lived API key, a user connects an MCP host such as Claude Desktop and consents in the browser. The MCP client then acts with that user's permissions, using short-lived tokens that the user, a project administrator, or an organization owner can revoke at any time. + +:::{note} +During technical preview, OAuth for the MCP server is available on {{serverless-short}} projects only. To register a client, you provide a single {{serverless-short}} project, so each client is scoped to one project. +::: + +## OAuth or API keys? + +Both methods let an MCP client reach the {{agent-builder}} MCP server. Choose based on how the client runs and who acts through it. + +| | OAuth | API key | +|---|---|---| +| Best for | Interactive agents acting on behalf of a person (Claude Desktop, Cursor) | Automation and static, machine-to-machine access | + +| Identity | The consenting user; permissions are the user's live permissions | The key's snapshotted permissions | +| Credential lifetime | Short-lived tokens, refreshed automatically | Long-lived until it expires or is revoked | +| Setup | Register an MCP client, then consent in the browser | Generate a key and add it to the client configuration | + +For API key configuration, refer to [](mcp-server.md). The rest of this page covers the OAuth path. + +## Key concepts + +Understanding these terms makes the setup and management pages easier to follow. + +- **MCP host**: The application a user runs that contains MCP clients, such as Claude Desktop or Cursor. Users connect hosts; hosts use clients. + +- **MCP client**: The registered application that holds the credentials (a client ID, and a client secret for confidential clients). You create one in {{kib}} before connecting a host. +- **MCP server**: The interface that exposes {{agent-builder}} tools to MCP hosts. The MCP server is the only resource the OAuth tokens grant access to. This is separate from [MCP tools](tools/mcp-tools.md), which let your agents call external MCP servers — the reverse direction. +- **App connection**: The record created when a user consents, linking that user, the MCP client, and the {{serverless-short}} project. A connection is the unit of access and revocation. If two people use the same client ID, each consent creates a separate connection. + +## How it works + +1. A user [creates an MCP client](mcp-client-create.md) in {{kib}}, scoped to one {{serverless-short}} project, and copies the generated configuration into their MCP host. +2. The first time the host needs access, it opens a browser for the user to authenticate and consent. Authentication is always required for consent, even if the user already has an active {{ecloud}} session. +3. On consent, an app connection is created and the client receives tokens. The MCP client presents these to the MCP server, which exchanges them internally to access {{es}} with the user's current permissions. +4. The user, a project administrator, or an organization owner can [revoke](mcp-client-revoke.md) the connection or the whole client at any time. + +OAuth tokens are accepted only by the {{agent-builder}} MCP server. They don't grant direct access to {{kib}} or {{es}} APIs. + +### About tokens + +Access tokens are short-lived and refreshed automatically in the background, so an active connection keeps working without user action. Refresh is inactivity-based: after 30 days without use, a connection expires and the user must consent again. Because expiry is detected only when a connection is next used, a connection that shows as connected might be idle and not yet revalidated. + +### Permissions + +A connected client inherits the consenting user's permissions in the project. When a user's permissions change, the change applies on the next token refresh; changes to a custom role apply immediately. + +## Next steps + +- [Create an MCP client](mcp-client-create.md) +- [Connect an MCP host to an MCP client](mcp-client-connect.md) + +## Related pages + +- [Revoke an MCP client or connection](mcp-client-revoke.md) +- [Manage application connections](/deploy-manage/users-roles/cloud-organization/manage-mcp-client-connections.md) at the organization level +- [{{agent-builder}} MCP server](mcp-server.md) diff --git a/explore-analyze/ai-features/agent-builder/mcp-client-revoke.md b/explore-analyze/ai-features/agent-builder/mcp-client-revoke.md new file mode 100644 index 0000000000..4fab8d94e6 --- /dev/null +++ b/explore-analyze/ai-features/agent-builder/mcp-client-revoke.md @@ -0,0 +1,70 @@ +--- +navigation_title: "Revoke an MCP client or connection" +description: "Remove an individual connection or an entire MCP client from Agent Builder to cut off OAuth access for a user or application." +type: how-to +applies_to: + serverless: preview +products: + - id: elasticsearch + - id: kibana + - id: observability + - id: security + - id: cloud-serverless +--- + +# Revoke an MCP client or connection [mcp-client-revoke] + +Revoking OAuth access in {{agent-builder}} immediately cuts off an MCP host's ability to use the Agent Builder tools. You can revoke at two granularities: a single user's connection, or the entire MCP client and all its connections. + +- **Revoke a connection** — removes one user's authorized session for an MCP client, while leaving the client registered. The user can reconnect by going through the consent flow again. +- **Revoke an MCP client** — revokes the entire client and all its connections. Users whose connections are removed can no longer connect until a new client is created. + +There is no OAuth `/revoke` endpoint. All revocation is through the {{kib}} and {{ecloud}} interfaces. + +:::{tip} +Organization owners and project administrators can also revoke connections from the Cloud Console. See [Manage application connections](/deploy-manage/users-roles/cloud-organization/manage-mcp-client-connections.md). +::: + +## Revoke a connection + +Any user with access to the project can revoke connections from the **Application connections** page in Security Management. + +1. In {{kib}}, go to **Agent Builder → Tools library**, click **Manage MCP**, and select **Manage MCP clients (OAuth)**. Then click **Manage application connections**. Alternatively, go to **Admin and settings → Application connections**. +2. Find the connection. In **Group by client** view, expand a client row to see its connections. Switch to **List view** to see all connections in a flat list. +3. Click **Revoke** in the connection's row. +4. Review the details in the confirmation dialog, then click **Revoke**. + +The connection is revoked immediately. The MCP client stays registered and can accept new connections. Applications can be reconnected at any time by going through the consent flow again. + +## Revoke multiple connections + +1. In {{kib}}, go to **Admin and settings → Application connections** (or click **Manage application connections** from **Agent Builder → Tools library → Manage MCP → Manage MCP clients (OAuth)**). +2. Select the checkbox next to each connection you want to revoke. To select all connections for a client, select the checkbox in the client's row. +3. Click **Revoke *N* connections**. +4. Review the list in the confirmation dialog, then click **Revoke**. + +## Revoke an MCP client + +Revoking a client immediately terminates all its connections. The client is no longer listed in Agent Builder, and existing OAuth tokens for those connections stop working at the next validation. + +1. In {{kib}}, go to **Agent Builder → Tools library**, click **Manage MCP**, and select **Manage MCP clients (OAuth)**. +2. Find the client and click **Revoke** in its row. +3. In the **Revoke [client name]?** dialog, review the number of active connections that will be affected. +4. In the **MCP client name** field, type the client name exactly as shown to confirm, then click **Revoke**. + +After revocation, users can no longer connect with that client until a new MCP client is created. + +:::{note} +Removing a user from your identity provider does **not** automatically revoke that user's connections. Revoke their connections manually when offboarding. +::: + +## Next steps + +- If you revoked a client and want to restore access, [create a new MCP client](mcp-client-create.md) and distribute the new credentials to users. + +## Related pages + +- [Authenticate MCP clients with OAuth](mcp-client-oauth.md) +- [Create an MCP client](mcp-client-create.md) +- [Connect an MCP host to an MCP client](mcp-client-connect.md) +- [Manage application connections](/deploy-manage/users-roles/cloud-organization/manage-mcp-client-connections.md) (org-level, Cloud Console) diff --git a/explore-analyze/ai-features/agent-builder/mcp-in-agent-builder.md b/explore-analyze/ai-features/agent-builder/mcp-in-agent-builder.md new file mode 100644 index 0000000000..52de4cdfa2 --- /dev/null +++ b/explore-analyze/ai-features/agent-builder/mcp-in-agent-builder.md @@ -0,0 +1,58 @@ +--- +navigation_title: "MCP in Agent Builder" +description: "Agent Builder uses MCP in two distinct ways: as a server that external tools can connect to, and as a client that can call external MCP servers." +type: overview +applies_to: + stack: ga + serverless: ga +products: + - id: kibana +--- + + + +# MCP in Agent Builder [mcp-in-agent-builder] + +{{agent-builder}} has two distinct, complementary uses of the Model Context Protocol (MCP). Understanding the difference helps you navigate the relevant documentation. + +## Two directions + +| | What it does | Who initiates | Where to configure | +|---|---|---|---| +| **{{agent-builder}} as an MCP server** | Exposes your agents and their tools to external MCP hosts (Claude Desktop, Cursor, Claude Code) | External host connects to Kibana | [{{agent-builder}} MCP server](mcp-server.md) | +| **{{agent-builder}} as an MCP client** | Lets your agents call tools on external MCP servers | Kibana connects out to an external server | [MCP tools](tools/mcp-tools.md) | + +These are independent features. You can use one, both, or neither. + +## Agent Builder as an MCP server + +The {{agent-builder}} [MCP server](mcp-server.md) lets external MCP hosts connect to Kibana and invoke your agent's tools directly — for example, running an {{esql}} query from Claude Desktop without opening the Kibana UI. + +External clients authenticate using either: + +- **OAuth 2.1** — for interactive, user-consented access. An MCP host such as Claude Desktop opens a browser for the user to authenticate, then acts with that user's permissions. See [Authenticate MCP clients with OAuth](mcp-client-oauth.md). +- **API keys** — for static, machine-to-machine access. See [{{agent-builder}} MCP server](mcp-server.md). + +## Agent Builder as an MCP client + +[MCP tools](tools/mcp-tools.md) let you extend your agents by pointing them at external MCP servers. You configure an MCP connector (the connection details for the remote server), then import individual tools from that server into your agent's tool catalog. The agent can then call those tools during a conversation. + +This direction is unrelated to authentication on the Kibana side — it's about what your agents can reach outward. + +## Terminology quick reference + + + +| Term | Meaning in Agent Builder | +|---|---| +| MCP server | The Kibana interface that external hosts connect to | +| MCP client | An OAuth-registered application allowed to connect to the Kibana MCP server | +| MCP host | The application a user runs (Claude Desktop, Cursor); contains one or more MCP clients | +| MCP connector | Configuration in Agent Builder for reaching an external MCP server | +| MCP tool | A specific callable function imported from an external MCP server into an agent | + +## Related pages + +- [{{agent-builder}} MCP server](mcp-server.md) +- [Authenticate MCP clients with OAuth](mcp-client-oauth.md) +- [MCP tools](tools/mcp-tools.md) diff --git a/explore-analyze/toc.yml b/explore-analyze/toc.yml index 46aad620e1..9ce3bf0c9f 100644 --- a/explore-analyze/toc.yml +++ b/explore-analyze/toc.yml @@ -234,7 +234,13 @@ toc: children: - file: ai-features/agent-builder/agent-builder-api-tutorial.md - file: ai-features/agent-builder/a2a-server.md + - file: ai-features/agent-builder/mcp-in-agent-builder.md - file: ai-features/agent-builder/mcp-server.md + - file: ai-features/agent-builder/mcp-client-oauth.md + children: + - file: ai-features/agent-builder/mcp-client-create.md + - file: ai-features/agent-builder/mcp-client-connect.md + - file: ai-features/agent-builder/mcp-client-revoke.md - file: ai-features/agent-builder/monitor-usage.md - file: ai-features/agent-builder/permissions.md - file: ai-features/agent-builder/troubleshooting.md