MCP Servers
Learn how to connect and manage MCP servers in Hanzo KMS.
Concept
MCP Servers are external services that expose tools and capabilities through the Model Context Protocol. By connecting MCP servers to Hanzo KMS, you can centrally manage access to tools like Notion, GitHub, Slack, and more.
When you add an MCP server to Hanzo KMS, the platform discovers all available tools from that server and allows you to make them accessible through MCP Endpoints.
Supported MCP Servers
Hanzo KMS supports connecting to any remote MCP server that implements the Model Context Protocol over HTTP with OAuth or Bearer Token authentication. Popular MCP servers include:
- Notion - Search, create, and manage Notion pages and databases
- GitHub - Manage repositories, issues, pull requests, and more
- Slack - Send messages, manage channels, and interact with workspaces
- Google Drive - Access and manage files and documents
- Linear - Manage issues and projects
Hanzo KMS connects to MCP servers over HTTP using the standard remote MCP protocol.
Authentication
MCP servers require authentication to access their tools. Hanzo KMS supports two authentication methods:
- OAuth: The server uses OAuth 2.0 for authentication. Users are redirected to the service to authorize access. Best for: Services with full OAuth support like Notion, GitHub, Google.
- Bearer Token: Users provide their own API token or access token directly. Best for: Services where users have existing API tokens, or services without OAuth support.
Some MCP servers that use OAuth also support Dynamic Client Registration, which means Hanzo KMS can automatically register as an OAuth client. For servers that don't support this (like GitHub), you'll need to manually create an OAuth application and provide the client credentials.
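Which group a server falls into can be read from its OAuth authorization server metadata (RFC 8414): a registration_endpoint field means Dynamic Client Registration (RFC 7591) is offered. The following is an added example, not Hanzo KMS code; it assumes the server publishes RFC 8414 metadata, and the host names and sample documents are constructed.

```python
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

WELL_KNOWN = "/.well-known/oauth-authorization-server"  # RFC 8414, section 3

# Constructed sample metadata documents (not taken from any real service).
WITH_DCR = {
    "issuer": "https://auth.example.com",
    "authorization_endpoint": "https://auth.example.com/authorize",
    "token_endpoint": "https://auth.example.com/token",
    "registration_endpoint": "https://auth.example.com/register",
}
WITHOUT_DCR = {k: v for k, v in WITH_DCR.items() if k != "registration_endpoint"}


def metadata_url(issuer: str) -> str:
    """RFC 8414: the well-known segment goes between host and issuer path."""
    p = urlsplit(issuer)
    return f"{p.scheme}://{p.netloc}{WELL_KNOWN}{p.path.rstrip('/')}"


def fetch_metadata(issuer: str, timeout: float = 5.0) -> dict:
    """Live lookup; needs network access and is not called by this example."""
    url = metadata_url(issuer)
    if not url.startswith("https://"):
        raise ValueError("issuer must be an https URL")
    with urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def oauth_setup_plan(meta: dict) -> dict:
    """Report whether manual client credentials are needed, plus any problems."""
    problems = []
    for key in ("authorization_endpoint", "token_endpoint"):
        if urlsplit(meta.get(key, "")).scheme != "https":
            problems.append(f"{key} missing or not https")
    reg = meta.get("registration_endpoint")
    if reg and urlsplit(reg).scheme != "https":
        problems.append("registration_endpoint not https; treated as absent")
        reg = None
    return {
        "dynamic_registration": bool(reg),
        "needs_manual_client": not reg,  # admin supplies Client ID and Secret
        "problems": problems,
    }
```

When needs_manual_client is true, plan to create the OAuth application yourself and enter its Client ID and Client Secret during setup.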
Credential Modes
When adding an MCP server, you choose how credentials are managed:
- Shared Credentials: You (the administrator) authorize the MCP server once, and all users who access tools through this server use your credentials. Best for: Shared service accounts, servers without per-user permissions, simplified management.
- Personal Credentials: Each user must authenticate with the MCP server individually before using its tools. Their credentials are stored securely by Hanzo KMS. Best for: Per-user audit trails, user-specific permissions, compliance requirements.
When using Personal Credentials mode, the administrator setting up the MCP server must still authenticate during setup. This initial authentication is required to fetch and discover the available tools from the server.
Gateway Support
By default, Hanzo KMS connects directly to MCP servers over the internet. For MCP servers hosted on private networks (internal APIs, self-hosted services), you can route connections through a Gateway.
OAuth is not supported when using a gateway. Only Bearer Token authentication is available.
Gateways enable you to:
- Connect to MCP servers on private networks without exposing them to the internet
- Access self-hosted MCP servers within VPCs or on-premises infrastructure
- Maintain network isolation while enabling AI tool access
Guide to Adding an MCP Server
In the following steps, we explore how to add an MCP server to your Agent Sentinel project.
Head to your Agent Sentinel project and select MCP Servers from the sidebar, then click Add MCP Server.

Enter the following details for your MCP server:
- Name: A friendly name to identify this server (e.g., "Notion", "GitHub")
- URL: The MCP server endpoint URL (e.g., https://mcp.notion.com/mcp)
- Gateway (optional): Select a gateway to route connections through a private network. Leave as "Internet Gateway" for public MCP servers
- Credential Mode: Choose between Shared Credentials or Personal Credentials

Choose the authentication method for your MCP server:
OAuth:
- For servers with Dynamic Client Registration (e.g., Notion): Click Authorize to complete the OAuth flow
- For servers without Dynamic Client Registration (e.g., GitHub): Enter the Client ID and Client Secret, then click Authorize

Bearer Token:
- Select Bearer Token as the authentication method
- Users will be prompted to enter their personal access token when connecting to endpoints that include this server

After authorization, Hanzo KMS discovers and displays all tools available from the MCP server.
You can view each tool's name and description. These tools can now be enabled in MCP Endpoints.

FAQ
Each MCP server provider publishes their endpoint URL. Common examples:
- Notion: https://mcp.notion.com/mcp
- GitHub: https://api.githubcopilot.com/mcp/
Check the service's MCP documentation for the correct URL.
- Go to GitHub Settings → Developer settings → OAuth Apps
- Click "New OAuth App"
- Set the Authorization callback URL to your Hanzo KMS instance
- Copy the Client ID and generate a Client Secret
- Use these credentials when adding the GitHub MCP server
Yes, you can update the credential mode by editing the MCP server configuration. Note that changing from shared to personal credentials will require users to re-authenticate.
If an MCP server becomes unavailable, tool invocations through endpoints connected to that server will fail. The Activity Logs will capture these failures for troubleshooting.
Use OAuth when:
- The MCP server supports OAuth 2.0
- You want automatic token refresh
- The service has a native OAuth integration
Use Bearer Token when:
- Users already have API tokens they want to use
- The MCP server doesn't support OAuth
- You need a simpler authentication flow
Use a gateway when your MCP server is:
- Hosted on a private network (VPC, on-premises)
- Not accessible from the public internet
- A self-hosted service that should not be exposed externally
For public MCP servers like Notion or GitHub, use the default "Internet Gateway" option.
No, only Bearer Token authentication is supported when using a gateway. If you choose Personal Credentials mode, each user can provide their own token when connecting to an MCP endpoint.