MCP Abilities

As admin, you can provide MCP servers as abilities in Alan. This enables Alan to access external services, allowing for data exchange. MCP servers offer a standardized way for Alan to communicate with various services, enabling their abilities and information to be utilized within Alan.

MCP stands for Model Context Protocol and describes a protocol through which servers — known as MCP servers — can provide context information to large language models (LLMs) like Alan. MCP was developed and popularized by the company Anthropic and has become an industry standard. Many software providers offer MCP servers for their products. Additionally, there are development tools that allow companies to create their own MCP servers and integrate them into their LLM solutions.

Important:

Only admins can create and manage MCP abilities. The use of these abilities is then available to all users in the tenant. This means that once you, as an admin, have created an MCP ability, all users in your tenant can use this ability in their chats.

Managing MCP Abilities

To manage MCP abilities in Alan, navigate to the "MCP Servers" menu in the admin area. Here you will find an overview of all existing MCP abilities in Alan. You can edit or delete existing MCP abilities here.

Creating MCP Abilities

You can add MCP servers as abilities using the "New" button. The title and description help you manage MCPs and assist users in selecting abilities in their chats. These descriptions are not forwarded to the LLM itself. The description of the MCP server and the tools it provides is solely the responsibility of the MCP server.

Protection Status

The protection status provides users with guidance on whether they can use sensitive, internal company information in a chat with this ability. If it is a secure data connection, users can "chat securely"; otherwise, they will see a notice indicating that "external services" are used to generate chat responses and they should handle sensitive information with care.

The protection status also determines whether a manual usage approval for this ability is required by default. For secure data connections, automatic usage approval is granted by default; otherwise, manual usage approval is required by default.

URL

The URL field requires you to specify the URL of the MCP server. It must be an HTTPS URL that is accessible to the Alan backend. The MCP standard has historically supported several communication protocols: WebSockets, Server-Sent Events (SSE), and Streamable HTTP. Alan only supports MCP servers using the more modern Streamable HTTP protocol. The other communication protocols are no longer included in the current MCP standard.

Authentication

If your MCP server does not allow public (anonymous) access, you can choose between two authentication methods. Only one method can be active at a time: authentication is either done via OAuth2 or a static API key is used.

OAuth2

Alan supports the Authorization Code Grant from OAuth2 for authentication to MCP servers. For this, a client with the corresponding secret must be created in the authorization server (e.g., Entra ID, Keycloak, etc.). Additionally, the authorization URL and token URL are required.

Important: Alan manages the access tokens for each user and ensures that an access token with sufficient lifespan is created before each chat request with MCP servers. For this, the authorization server must issue refresh tokens; otherwise, permanent authentication of users on the MCP server is not possible, and unexpected authentication errors may occur.

If authentication is to be done via OAuth2, you must fill in the following fields:

• Client ID: Name or identifier of the client
• Client Secret: Secret associated with the client
• Authorization URL: URL for the authorization request, e.g., for Entra ID https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
• Token URL: URL for token retrieval, e.g., for Entra ID https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token

Normally, a valid redirect URL must be stored in the authorization server. The redirect URL of an MCP ability is displayed in Alan after the above settings have been made and the MCP ability has been created in Alan. If your authorization server does not allow creating a client without a redirect URL (e.g., GitHub), temporarily enter a URL like https://example.com and update it after the MCP ability has been created in Alan.

When an MCP ability with OAuth2 authentication has been created in Alan, all users in your tenant can use it in their chats with Alan. To do this, your users must authenticate by clicking on Login before use. If your users regularly use the MCP server within the lifespan of the refresh token, this authentication is not required again. Your users can log out or re-authenticate at any time if the refresh token has expired.

Through the use of OAuth2, all interactions with the MCP server are henceforth restricted to the logged-in user. This method is therefore ideal for making certain information available only to selected user groups or for accessing user-specific resources.

API Key

If authentication is to be done via API key, set a key for the connection to the MCP server. This allows all users in your tenant to access the MCP server without further authentication. Unlike OAuth2 authentication, all users thus have access to the same data and do not need to authenticate individually.

It is not possible to read the API key after it has been saved, but it can be reset or deleted.