Connect remote MCP servers to Glean
Glean as an MCP host enables you to connect remote Model Context Protocol (MCP) servers so end users can securely discover and invoke third‑party tools (such as Notion, Asana, Canva) directly from Glean Assistant and Glean Agents experience. Glean offers centralized control over which MCP servers and tools are available to users in your organization. With this feature, users can automate workflows, fetch live data, and complete tasks through Glean's unified interface.
Use Glean as an MCP host when:
- You already expose business workflows or data through MCP servers and want to reuse them inside Glean.
- You need to support any MCP‑compatible model provider, not just a single LLM or vendor.
- You want to keep sensitive logic or data access inside your own network or VPC, while still enabling Glean to invoke those tools.
Glean as an MCP host has the following capabilities:
- Admin‑gated connection to remote MCP servers for Glean Assistant and Glean Agents.
- Centralized control of available MCP servers and tools at the tenant level.
- Users can engage with connected MCP servers through Glean Assistant and Glean Agents, with human‑in‑the‑loop experiences for write tools.
If you primarily want to bring the knowledge graph of Glean into other MCP hosts such as Cursor, Claude, or ChatGPT, use the Glean MCP server instead. See About Glean MCP server for more information.
Glean fully supports remote MCP servers in Glean and currently offers beta support for servers in agents.
Key concepts
- Glean as an MCP host: Glean runs the assistant experience (chat, agents) and invokes tools from remote MCP servers on behalf of users.
- Your remote MCP server: Your server implements the Model Context Protocol. It exposes tools (for example,
search_tickets,run_report) that the Glean MCP host can discover and call. - MCP tools in Glean: A configuration in the Admin Console that connects Glean to a specific MCP server and publishes its tools to Glean Assistant and Glean Agents.
- Verified MCP servers: Pre‑built templates for specific third‑party MCP servers that Glean has validated for connectivity and workflow quality. These include pre‑filled URLs, scopes, and recommended tool selections to simplify setup.
- Custom MCP servers: Any MCP server you host yourself in your own VPC or infrastructure, exposed securely to Glean via allowlisted endpoints. You can register a custom MCP server in Glean by providing its URL and OAuth details.
Supported MCP servers
Glean as an MCP host supports:
-
Most compliant MCP servers, regardless of underlying model provider
-
Verified MCP servers
-
Custom MCP servers
noteGlean doesn't currently support Gemini models.
See the full list of supported remote MCP servers.
Authentication methods
Glean supports multiple authentication methods for remote MCP servers. You do not need to use Dynamic Client Registration (DCR) or CIMD — choose the method that matches your MCP server's requirements.
| Method | Description | When to use |
|---|---|---|
| None (No authentication) | The remote MCP server doesn't require any token or API key. | Internal servers on a trusted network with no auth requirement. |
| OAuth Admin | The remote MCP server requires a one-time authentication by the developer or admin to authorize the use of the action for all end users. After the one-time authorization, Glean sends the token for all requests from authorized users. | Servers where a single admin credential grants access on behalf of all users (for example, shared service accounts). |
| OAuth User | The remote MCP server requires an initial OAuth connection setup by the developer or admin. After users authorize the action on first use, Glean uses the token for subsequent requests. | Servers that require per-user authorization (for example, personal access to third-party tools). |
| API Key | You provide your own API key to Glean, and are responsible for managing usage capacity. Glean sends the key as a Bearer token in the Authorization header. | Servers that authenticate with a static API key or Bearer token, such as Dovetail. |
| OAuth Client Credentials | Glean acquires and refreshes access tokens using a client ID and client secret, without requiring interactive user authorization. This is a service-to-service (machine-to-machine) flow. | Servers that authenticate via service-to-service OAuth rather than user-authorized OAuth flows (for example, enterprise gateways or internal APIs). |
If your MCP server uses Bearer token authentication (for example, Authorization: Bearer <token>), select the API Key method and provide the token value. Glean passes the key in the Authorization header as a Bearer token, which is compatible with most token-based MCP server implementations.
Glean offers PKCE (Proof Key for Code Exchange) for all MCP server OAuth flows. If you choose an OAuth method where the authorization client is public and doesn't provide a client secret, Glean uses PKCE to complete the token exchange. Glean sends PKCE parameters for all OAuth flows regardless of the authentication method.
Prerequisites
Before you connect a remote MCP server to Glean, meet the following prerequisites:
- Admin access to Glean:
- You must be able to open the Glean Admin Console and access Platform → Tools.
- A running MCP server that:
- Implements the Model Context Protocol.
- Exposes an HTTPS URL reachable from Glean directly or via allowed proxy.
- Supports OAuth 2.0 with authorization code flow or client credentials flow.
- OAuth details for the MCP server. The details you need depend on the authentication method:
- For authorization code flow: Authorization URL, Token URL, Client ID, client secret (not required for public authorization clients, Glean uses PKCE to complete the token exchange), and scopes.
- For client credentials flow: Token endpoint URL, Client ID, client secret, and scopes.
- Private network or VPC deployments
- If your MCP server is hosted in a private network or VPC, you must add it to the allowlist so that Glean can reach it.
- Coordinate with your Glean Solutions Engineer or account team to:
- Confirm the proxy endpoints and IP ranges to allowlist.
- Validate connectivity and TLS requirements.
- (Optional) Role-based access to actions
- If you plan to restrict who can add or configure MCP‑backed tools in agents, familiarize yourself with role‑based access to tools in the Admin Console. See Role-based access to tools for more information.
Steps to configure a remote MCP server as tools
Here's how to connect a remote MCP server in the Glean Admin Console and publish its tools.
Step 1: Open the Tools configuration
- In Glean, open the Admin Console.
- Go to Platform → Tools.
Step 2: Add an MCP tools
- On the Tools page, click Add.
- You can either choose to add the MCP from the pre-filled templates available in MCP servers under Add pre-set tools or you can add the server from scratch using the Import tools from MCP server option.
Step 3: Test the connection
Complete the following steps to validate that your MCP server is wired correctly:
From Agent Builder:
- Create a test agent.
- Add a plan and Execute step and use one of the available MCP servers.
- Run the agent with a sample query and confirm the MCP tool is invoked and returns expected output.
From the Glean:
- Ask a query that should use the MCP tool (for example, “Use the [MCP tool name] tool to …”).
- Verify the assistant calls the tool and that results look correct.
If calls fail, check your internal MCP logs and any dedicated troubleshooting articles for MCP hosts, or contact your Glean account team.
Use MCP-backed atools in agents
After an MCP tools are configured and published, agent creators can:
- Open Agent Builder and add MCP tools as steps in their workflows in the Plan + Execute step, just like any other tool.
- Chain MCP tools with other Glean tools, for example, use an MCP tool to fetch data, then pass results to another tool for summarization.
MCP servers are only available in Plan and execute steps and in autonomous agents. MCP servers are not available in single step selections.
You can set up access controls for MCP-backed tools in agents. Role‑based access ensures only approved creators can wire certain MCP tools into agents. End users running agents still experience permission‑aware behavior based on downstream app permissions and credentials. See Role-based access to tools for more information.
This lets you reuse your existing MCP capabilities inside complex, multi‑step agent workflows without duplicating integration logic.
Use MCP-backed atools in Assistant
If you publish MCP tools to Glean, users can invoke them using natural language, for example:
- “Use the [MCP server name] tool to run the monthly usage report for ACME.”
- “Ask the internal ticketing MCP server for open Sev-1 incidents this week.”
Glean chooses MCP tools similarly to other tools, based on the tool schema exposed by your MCP server and the user’s query and context.
All calls respect the underlying authentication and permissions defined by your MCP server and any downstream systems.
Security and hosting considerations for MCP servers
Note the following security and hosting considerations for MCP servers:
- Any model provider: Glean as an MCP host is compatible with any MCP‑compliant server regardless of which LLM or provider it uses internally.
- Customer‑hosted servers: You control where the MCP server runs (cloud, on‑prem, or VPC). Glean only needs network access to the server endpoint (directly or via an allowlisted proxy).
Best practices
- Least‑privilege OAuth: Use the smallest necessary scopes when configuring OAuth, whether you use authorization code flow or client credentials. Rotate client secrets according to your internal policies.
- Auditing and observability: Use your MCP server’s logs to monitor tool invocations and troubleshoot failures. Use Glean’s existing audit and insights capabilities to understand Glean Assistant and Glean Agents usage patterns where relevant.
- Start with a narrow server: Begin with a small set of high‑value tools so that LLMs can reliably pick the right tool.
- Align naming with jobs-to-be-done: Name MCP tools and tools after clear outcomes, for example, “Run billing report”, “Lookup internal user” to improve tool selection.
- Coordinate with Glean SEs for VPC setups: Involve your Glean Solutions Engineer early when you plan to expose MCP servers from private networks, so they can help design and validate the allowlist/proxy configuration.