Creating and Managing Abilities
To create connected abilities in Alan and thus, for example, access organization-specific data and services, you can add MCP servers as connected abilities in Alan.
This enables Alan to access external services, allowing for data exchange. MCP servers offer a standardized way for Alan to communicate with various services, enabling their abilities and information to be utilized within Alan.
MCP stands for Model Context Protocol and describes a protocol through which servers — known as MCP servers — can provide context information to large language models (LLMs) like Alan. MCP was developed and popularized by the company Anthropic and has become an industry standard. Many software providers offer MCP servers for their products. Additionally, there are development tools that allow companies to create their own MCP servers and integrate them into their LLM solutions.
A connected ability can be created and managed in Alan in the settings under "Abilities".
There you will find an overview of all available abilities.
By clicking on an ability, you can see all further information about this ability, e.g., a description as well as, if available, the included tools or the technical configuration. If you have the appropriate permissions, you can also edit the ability on this detail page.
Creating
To create a new connected ability, click the "New" button in the abilities overview. Here you enter all required information for the configuration of the ability.
Finally, click "Save" to create the ability.
Editing
After creating a connected ability, you can continuously edit it and optimize its configuration.
For example, you can adjust the description of the ability or change the authentication method.
Once you have created the ability, you can also share it.
Note
Administrators of your organization can see and use all connected abilities and, if desired, enforce the approval behavior for abilities.
Deleting
To delete a connected ability in Alan, scroll down on the ability's detail page and click "Delete ability".
Note that you can only delete abilities that you have created yourself or for which you have the delete permission, and that deleted abilities cannot be restored.
Configuration
When creating or editing a connected ability, you define the appearance of the ability. In addition, you need to set up the technical configuration of the ability so that Alan can access the MCP server that should be connected via the MCP protocol.
Title and Description
First, you assign a meaningful title and description for the ability. The title and description help you manage abilities and assist users in selecting abilities in their chats. These descriptions are not forwarded to the LLM itself. The description of the MCP server and the tools it provides is solely the responsibility of the MCP server.
Protection Status
The protection status provides users with guidance on whether they can use sensitive, internal company information in a chat with this ability. If it is a secure data connection, users can "chat securely"; otherwise, they will see a notice indicating that "external services" are used to generate chat responses and they should handle sensitive information with care.
The protection status also determines whether a manual usage approval for this ability is required by default. For secure data connections, automatic usage approval is granted by default; otherwise, manual usage approval is required by default.
URL
The URL field requires you to specify the URL of the MCP server. It must be an HTTPS URL that is accessible to the Alan backend. The MCP standard has historically supported several communication protocols: WebSockets, Server-Sent Events (SSE), and Streamable HTTP. Alan only supports MCP servers using the more modern Streamable HTTP protocol. The other communication protocols are no longer included in the current MCP standard.
Authentication
If your MCP server does not allow public (anonymous) access, you can choose between two authentication methods. Only one method can be active at a time: authentication is either done via OAuth2 or a static API key is used.
OAuth2
Alan supports the Authorization Code Grant from OAuth2 for authentication to MCP servers. For this, a client with the corresponding secret must be created in the authorization server (e.g., Entra ID, Keycloak, etc.). Additionally, the authorization URL and token URL are required.
Important: Alan manages the access tokens for each user and ensures that an access token with sufficient lifespan is created before each chat request with MCP servers. For this, the authorization server must issue refresh tokens; otherwise, permanent authentication of users on the MCP server is not possible, and unexpected authentication errors may occur.
If authentication is to be done via OAuth2, you must fill in the following fields:
- Client ID: Name or identifier of the client
- Client Secret: Secret associated with the client
- Authorization URL: URL for the authorization request, e.g., for Entra ID
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize - Token URL: URL for token retrieval, e.g., for Entra ID
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
Normally, a valid redirect URL must be stored in the authorization server. The redirect URL of a connected ability is displayed in Alan after the above settings have been made and the ability has been created in Alan. If your authorization server does not allow creating a client without a redirect URL (e.g., GitHub), temporarily enter a URL like https://example.com and update it after the ability has been created in Alan.
When an ability with OAuth2 authentication has been created in Alan, all users with whom the ability has been shared can use it in their chats with Alan. To do this, your users must authenticate by clicking on Login before use. If your users regularly use the MCP server within the lifespan of the refresh token, this authentication is not required again. Your users can log out or re-authenticate at any time if the refresh token has expired.
Through the use of OAuth2, all interactions with the MCP server are henceforth restricted to the logged-in user. This method is therefore ideal for making certain information available only to selected user groups or for accessing user-specific resources.
API Key
If authentication is to be done via API key, set a key for the connection to the MCP server. It is not possible to read the API key after it has been saved, but it can be reset or deleted.
The key is included in the request headers for every call to the MCP server using the two common formats:
Authorization: Bearer <API_KEY>X-API-Key: <API_KEY>
This ensures compatibility with servers that expect either format.
The key applies to all users of the ability. This means that users do not need to authenticate individually (unlike OAuth2), and all users have access to the same data.