Merged
63 changes: 61 additions & 2 deletions solutions/search/agent-builder/mcp-server.md
Expand Up @@ -40,12 +40,13 @@ Most MCP clients (such as Claude Desktop, Cursor, VS Code, etc.) have similar co
],
"env": {
"KIBANA_URL": "${KIBANA_URL}",
"AUTH_HEADER": "ApiKey ${API_KEY}"
"AUTH_HEADER": "ApiKey ${API_KEY}" <1>
}
}
}
}
```
1. Refer to [](#api-key-application-privileges)

:::{note}
Set the following environment variables:
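Review bot: The callout text `1. Refer to [](#api-key-application-privileges)` gives the reader no reason to follow the link. Say what the `AUTH_HEADER` key needs, for example that the API key must include the application privileges described in that section, so the requirement is visible right next to the config. The same cross-reference is also appended to the note further down, so consider whether both pointers are needed or whether the callout alone is enough.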
Expand All @@ -57,5 +58,63 @@ export API_KEY="your-api-key"

For information on generating API keys, refer to [API keys](https://www.elastic.co/docs/solutions/search/search-connection-details).

Tools execute with the scope assigned to the API key. Make sure your API key has the appropriate permissions to only access the indices and data that you want to expose through the MCP server.
Tools execute with the scope assigned to the API key. Make sure your API key has the appropriate permissions to only access the indices and data that you want to expose through the MCP server. To learn more, refer to [](#api-key-application-privileges).
:::

## API key application privileges

To access the MCP server endpoint, your API key must include {{kib}} application privileges.

### Development and testing

For development and testing purposes, you can create an unrestricted API key with full access:

```json
POST /_security/api_key
{
"name": "my-mcp-api-key",
"expiration": "1d",
"role_descriptors": {
"unrestricted": {
"cluster": ["all"],
"indices": [
{
"names": ["*"],
"privileges": ["all"]
}
]
}
}
}
```

### Production

For production environments, use a restricted API key with specific application privileges:

```json
POST /_security/api_key
{
"name": "my-mcp-api-key",
"expiration": "1d",
"role_descriptors": {
"mcp-access": {
"cluster": ["all"],
"indices": [
{
"names": ["*"],
"privileges": ["read", "view_index_metadata"]
}
],
"applications": [
{
"application": "kibana-.kibana",
"privileges": ["read_onechat", "space_read"], <1>
"resources": ["space:default"]
}
]
}
}
}
```
1. The `read_onechat` and `space_read` application privileges are required to authorize access to the MCP endpoint. Without these privileges, you'll receive a 403 Forbidden error.
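Review bot: The Production example is described as a restricted key, but its `mcp-access` role still grants `"cluster": ["all"]` and `"names": ["*"]`, which conflicts with the note's advice to limit the key to the indices and data you want to expose through the MCP server. Since readers will copy this block, narrow the cluster privileges to what the endpoint needs and replace the wildcard with a placeholder index pattern, or add a callout on those two lines telling readers to scope them down. Separately, the section opens by saying the key must include application privileges, yet the Development and testing example has no `applications` block; either add one or explain why that key still works. A short sentence warning that the `unrestricted` key should not be reused outside testing would also help, even with the `"expiration": "1d"` setting.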