Skip to content

OAuth MCP Servers

Alpha Feature

OAuth MCP server support is a new feature and will experience rapid improvements. Configuration and behavior may change between releases.

Some MCP servers support OAuth-based authentication natively — you only need to set oauth.enabled: true and Holmes handles the rest. When Holmes connects to an OAuth-enabled MCP server, it automatically discovers the server's OAuth endpoints, opens a browser for login, and persists the token for future use.

Setup

To add an OAuth MCP server, set mode: streamable-http and oauth.enabled: true in the server's config:

Set the CUSTOM_TOOLSET_LOCATION environment variable pointing to a YAML file with your MCP server configuration:

export CUSTOM_TOOLSET_LOCATION=/Users/.../custom_toolset.yaml

In that file, define your OAuth MCP servers:

toolsets:
  # ... your toolsets

mcp_servers:
  my-server:
    description: "Description of the MCP server"
    config:
      mode: streamable-http
      url: https://example.com/mcp
      oauth:
        enabled: true

Add the MCP servers to your generated_values.yaml. Make sure enableHolmesGPT is set to true and SaaS is enabled:

holmes:
  mcp_servers:
    my-server:
      description: "Description of the MCP server"
      config:
        mode: streamable-http
        url: https://example.com/mcp
        oauth:
          enabled: true

helm upgrade robusta robusta/robusta --values=generated_values.yaml --set clusterName=<YOUR_CLUSTER_NAME>

Example: Atlassian

mcp_servers:
  atlassian:
    description: "Atlassian Jira + Confluence MCP server"
    config:
      mode: streamable-http
      url: https://mcp.atlassian.com/v1/mcp
      oauth:
        enabled: true

holmes:
  mcp_servers:
    atlassian:
      config:
        mode: streamable-http
        url: https://mcp.atlassian.com/v1/mcp
        oauth:
          enabled: true

How It Works

  1. Holmes detects that the MCP server has oauth.enabled: true
  2. Holmes discovers the server's OAuth configuration automatically via the MCP protocol
  3. The user is prompted to authenticate via their browser
  4. After login, Holmes exchanges the authorization code for an access token
  5. The token is persisted and refreshed automatically — users only need to authenticate once