Configuring MCP Server Abilities
MCP server abilities allow you to connect MCP servers as abilities in Alan. This enables Alan to access external services, allowing for data exchange.
MCP stands for Model Context Protocol and describes a protocol through which servers — known as MCP servers — can provide context information to large language models (LLMs) like Alan. MCP was developed and popularized by the company Anthropic and has become an industry standard. Many software providers offer MCP servers for their products. Additionally, there are development tools that allow companies to create their own MCP servers and integrate them into their LLM solutions.
To configure an MCP server ability in Alan, the following settings are available to you:
Title
Assign a descriptive title for the ability. The title helps you manage abilities and assists users in selecting abilities in their chats.
Note
The title and description of an MCP server ability are not forwarded to the LLM itself. The description of the MCP server and the tools it provides is solely the responsibility of the MCP server.
Description
The description of the ability provides users with additional information about the purpose and functionality of the ability. The description helps you manage abilities and assists users in selecting abilities in their chats.
Protection Status
The protection status provides users with guidance on whether they can use sensitive, internal company information in a chat with this ability. If it is a secure data connection, users can "chat securely"; otherwise, they will see a notice indicating that "external services" are used to generate chat responses and they should handle sensitive information with care.
The protection status also determines whether a manual usage approval for this ability is required by default. For secure data connections, automatic usage approval is granted by default; otherwise, manual usage approval is required by default.
For MCP server abilities, you set the protection status manually.
URL
The URL field requires you to specify the URL of the MCP server. It must be an HTTPS URL that is accessible to the Alan backend. The MCP standard has historically supported several communication protocols: WebSockets, Server-Sent Events (SSE), and Streamable HTTP. Alan only supports MCP servers using the more modern Streamable HTTP protocol. The other communication protocols are no longer included in the current MCP standard.
Authentication
If your MCP server does not allow public (anonymous) access, you can choose between two authentication methods. Only one method can be active at a time: either OAuth2 or a static API key.
OAuth2
Alan supports the Authorization Code Grant from OAuth2 for authentication to MCP servers. For this, a client with the corresponding secret must be created in the authorization server (e.g., Entra ID, Keycloak, etc.). Additionally, the authorization URL and token URL are required.
Important: Alan manages the access tokens for each user and ensures that an access token with sufficient lifespan is created before each chat request with MCP servers. For this, the authorization server must issue refresh tokens; otherwise, permanent authentication of users on the MCP server is not possible, and unexpected authentication errors may occur.
If authentication is to be done via OAuth2, you must fill in the following fields:
- Client ID: Name or identifier of the client
- Client Secret: Secret associated with the client
- Authorization URL: URL for the authorization request, e.g., for Entra ID https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
- Token URL: URL for token retrieval, e.g., for Entra ID https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
Normally, a valid redirect URL must be stored in the authorization server. The redirect URL of an MCP server ability is displayed in Alan after the above settings have been made and the ability has been created in Alan. If your authorization server does not allow creating a client without a redirect URL (e.g., GitHub), temporarily enter a URL like https://example.com and update it after the ability has been created in Alan.
When an ability with OAuth2 authentication has been created in Alan, all users with whom the ability has been shared can use it in their chats with Alan. To do this, your users must authenticate by clicking on Login before use. If your users regularly use the MCP server within the lifespan of the refresh token, this authentication is not required again. Your users can log out or re-authenticate at any time if the refresh token has expired.
With OAuth2, all interactions with the MCP server are restricted to the logged-in user. This method is therefore ideal for making certain information available only to selected user groups or for accessing user-specific resources.
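The note above on refresh tokens can be illustrated with a short sketch of the decision a client has to make before each request. This is an added example, not Alan's implementation; `TokenRecord`, `next_action` and the 120-second margin are assumptions chosen for illustration, and the sample token response in the comments is constructed.

```python
from dataclasses import dataclass
from typing import Optional

MIN_REMAINING_SECONDS = 120  # assumed safety margin, not a documented Alan value


@dataclass
class TokenRecord:
    access_token: str
    expires_at: float              # absolute UNIX time at which the token expires
    refresh_token: Optional[str]   # None if the authorization server issued none


def record_from_token_response(body: dict, now: float) -> TokenRecord:
    """Build a record from an OAuth2 token response (RFC 6749, section 5.1)."""
    if "access_token" not in body:
        raise ValueError("token response has no access_token")
    # expires_in is optional in RFC 6749; a missing value is treated here as
    # "already expired" so the token is never trusted longer than promised.
    expires_in = float(body.get("expires_in", 0))
    return TokenRecord(body["access_token"], now + expires_in,
                       body.get("refresh_token"))


def next_action(record: Optional[TokenRecord], now: float) -> str:
    """Return 'use', 'refresh' or 'login' for the next request to the MCP server."""
    if record is None:
        return "login"
    if record.expires_at - now >= MIN_REMAINING_SECONDS:
        return "use"
    # Expired or about to expire: only a refresh token avoids a new user login.
    return "refresh" if record.refresh_token else "login"


if __name__ == "__main__":
    # Constructed token responses: one with and one without a refresh token.
    with_rt = record_from_token_response(
        {"access_token": "at-1", "expires_in": 3600, "refresh_token": "rt-1"}, now=1000)
    without_rt = record_from_token_response(
        {"access_token": "at-2", "expires_in": 3600}, now=1000)
    for label, rec in (("with refresh token", with_rt), ("without", without_rt)):
        print(label, next_action(rec, now=1000), next_action(rec, now=4550))
```

Without a refresh token the second case ends in `login`, which is the interruption the note warns about.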
API Key
If authentication is to be done via API key, set a key for the connection to the MCP server. It is not possible to read the API key after it has been saved, but it can be reset or deleted.
The key is included in the request headers for every call to the MCP server using the two common formats:
Authorization: Bearer <API_KEY>
X-API-Key: <API_KEY>
This ensures compatibility with servers that expect either format.
The key applies to all users of the ability. This means that users do not need to authenticate individually (unlike OAuth2), and all users have access to the same data.
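On the MCP server side, a request sent this way carries the same secret in two headers, so the check and the log redaction have to cover both. The following is an added example of such a check, not code from Alan or from any MCP SDK; the function names and the sample key are assumptions made for illustration.

```python
import hmac
from typing import Mapping

BEARER_PREFIX = "bearer "
SENSITIVE_HEADERS = {"authorization", "x-api-key"}


def extract_presented_keys(headers: Mapping[str, str]) -> list[str]:
    """Collect the key from both header formats (header names are case-insensitive)."""
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    keys = []
    auth = lowered.get("authorization", "")
    if auth.lower().startswith(BEARER_PREFIX):
        keys.append(auth[len(BEARER_PREFIX):].strip())
    if "x-api-key" in lowered:
        keys.append(lowered["x-api-key"])
    return keys


def is_authorized(headers: Mapping[str, str], expected_key: str) -> bool:
    """Accept the request only if every presented key matches the configured one."""
    presented = extract_presented_keys(headers)
    if not presented or not expected_key:
        return False  # no credential sent, or server configured with an empty key
    expected = expected_key.encode()
    # Constant-time comparison. All presented values are checked, so a second
    # header that disagrees with the first is rejected rather than ignored.
    results = [hmac.compare_digest(key.encode(), expected) for key in presented]
    return all(results)


def redact_headers(headers: Mapping[str, str]) -> dict:
    """Copy headers for logging with both key-bearing headers masked."""
    return {name: ("<redacted>" if name.lower() in SENSITIVE_HEADERS else value)
            for name, value in headers.items()}


if __name__ == "__main__":
    key = "constructed-test-key-123"  # constructed sample value
    request = {"Authorization": f"Bearer {key}", "X-API-Key": key}
    print(is_authorized(request, key), redact_headers(request))
```

Because the key is shared by all users of the ability, the server cannot distinguish individual users from these headers alone.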