diff --git a/guides/ai-agents/mcp-servers.mdx b/guides/ai-agents/mcp-servers.mdx index fdacb4f8..3c9de5ce 100644 --- a/guides/ai-agents/mcp-servers.mdx +++ b/guides/ai-agents/mcp-servers.mdx @@ -53,10 +53,12 @@ MCP servers are configured per project and can be attached to one or more agents - **OAuth** — every user clicks **Connect** under the MCP server to start the OAuth flow with their own account. If **Allow shared OAuth credential** is on, a manager can also click **Connect shared account** to set up a fallback credential. Lightdash handles token storage and refresh in both cases. Under **More options**, you can also configure: - - **Client ID** and **Client secret** (optional) — only needed if the MCP provider doesn't support Dynamic Client Registration (DCR). To get them, go to the MCP provider and register a new OAuth client, provide the callback URL below as the redirect URI, and copy the client ID and client secret the provider gives you back into Lightdash. Leave both blank if the provider supports DCR — Lightdash will register a client automatically. + - **OAuth client ID** and **OAuth client secret** (optional, personal OAuth only) — only needed if the MCP provider doesn't support Dynamic Client Registration (DCR). Register a new OAuth client with the MCP provider, use the callback URL below as the redirect URI, and paste the client ID and secret the provider returns. When provided, every personal OAuth connection reuses these credentials instead of running DCR — user tokens are still stored per user, but the shared client ID and secret are encrypted alongside the MCP server (not duplicated into each user's credential row). Leave both blank if the provider supports DCR — Lightdash will register a client automatically. **Callback URL:** `https://.lightdash.cloud/api/v1/aiAgents/mcp/oauth/callback` - - **Allow shared OAuth credential** — turn this on if you want a manager to connect a single shared account that everyone can fall back to. Leave it off to require each user to connect their own account. + + For example, if you're wiring up a `example-tools` MCP server whose provider requires a pre-registered app, create the OAuth client in that provider's developer portal, set the redirect URI to your callback URL, then paste values like `example-tools-lightdash` (client ID) and the generated secret into Lightdash. + - **Allow shared OAuth credential** — turn this on if you want a manager to connect a single shared account that everyone can fall back to. Leave it off to require each user to connect their own account. Enabling shared credentials clears the OAuth client ID and secret above — those fields apply to personal OAuth only. - **None** — no credentials required. @@ -147,7 +149,7 @@ The agent searches Confluence for the canonical definition, then answers using b ## Security -- All credentials (bearer tokens and OAuth tokens) are encrypted at rest. +- All credentials (bearer tokens, OAuth tokens, and any OAuth client ID and secret you configure on the MCP server) are encrypted at rest. - OAuth refresh is handled automatically; expired tokens trigger a re-authorization prompt. - MCP servers are configured at the project level and only available to agents in that project. - Personal OAuth credentials are scoped to the user who connected them — no other user can use, view, or impersonate them through the agent.