Connecting your own MCP server to Intric
Intric supports the Model Context Protocol (MCP), an open standard that lets AI assistants use external tools and data sources. By connecting your own MCP server, you can extend Intric’s assistants with custom tools, resources, and prompts specific to your workflows.
Prerequisites
Before connecting an MCP server, ensure the following:
- The MCP module is enabled for your tenant. Contact your system administrator if it is not available.
- You have Admin permissions in your Intric tenant. Only admins can create and configure MCP servers.
- Your MCP server is accessible over HTTPS at a publicly reachable URL. Private or non-HTTPS URLs are blocked by default for security reasons.
- You know which authentication method your MCP server requires: none, API key, or OAuth 2.0.
Step 1: Create the MCP server record
Navigate to the MCP servers section in Intric.
Click Create and provide a name for the server (e.g. “Internal CRM Tools” or “Document Search API”).
The server record is created. You can now configure it with a URL and authentication.
Step 2: Configure the server URL and authentication
Edit the newly created server and provide the following:
URL — The HTTPS endpoint of your MCP server (e.g. https://mcp.yourcompany.com/mcp).
Authentication type — Choose one of:
- None — No authentication required. Suitable for servers on trusted internal networks (if private URLs are enabled by your system administrator).
- API key — Provide a secret API key that Intric will send as a bearer token when calling your server. The key is encrypted at rest.
- OAuth 2.0 — For servers that require user-level authentication via OAuth. See the OAuth section below for details.
Description (optional) — A human-readable description of what this server provides. This may also be populated automatically from the server’s metadata.
When you save the URL, Intric will automatically discover the server’s capabilities — its available tools, resources, resource templates, and prompts. You can also trigger this manually at any time using the Refresh capabilities action.
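For the API key option, your MCP server has to check the bearer token on every request it receives. The sketch below is an added example, not Intric's code or part of any MCP SDK; the function names and the choice to store only a SHA-256 digest of the key on the server are assumptions.

```python
import hashlib
import hmac
import secrets


def new_api_key():
    """Generate a key to enter in Intric, plus the digest the server stores."""
    key = secrets.token_urlsafe(32)
    return key, hashlib.sha256(key.encode()).hexdigest()


def bearer_token(headers):
    """Extract the token from 'Authorization: Bearer <token>', else None."""
    for name, value in headers.items():
        if name.lower() == "authorization":  # header names are case-insensitive
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
            return None
    return None


def authorize(headers, stored_digest):
    """Return the HTTP status the MCP endpoint should answer with."""
    token = bearer_token(headers)
    if token is None:
        return 401
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return 200 if hmac.compare_digest(presented, stored_digest) else 401


if __name__ == "__main__":
    key, digest = new_api_key()
    print(authorize({"Authorization": f"Bearer {key}"}, digest))   # valid key
    print(authorize({"Authorization": "Bearer wrong-key"}, digest))  # rejected
```

A 401 from this check is what surfaces as the Unauthorized status when you validate the connection.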
Step 3: Enable the MCP server as a tool
Once the server is connected and its capabilities have been discovered, you need to enable it as a tool for your tenant:
- Go to the Tools section.
- Find the MCP server (listed by name).
- Enable it for your tenant.
Step 4: Attach the tool to an assistant
- Open or create an assistant (either in a Space or as a personal assistant).
- In the assistant’s tool configuration, add the MCP server tool.
- The assistant now has access to all tools, resources, and prompts exposed by your MCP server.
When users interact with the assistant in a conversation, it can call the MCP server’s tools as needed. Tool calls are routed through Intric to your server, with the configured authentication applied automatically.
Connecting with OAuth 2.0
If your MCP server uses OAuth 2.0 for authentication, Intric supports the full authorization code flow with PKCE. This means each user authenticates individually with the external service.
How it works:
Set the authentication type to OAuth 2.0 on the MCP server record.
Automatic discovery — When possible, Intric will automatically discover the OAuth endpoints (authorization URL, token URL, supported scopes) from your MCP server’s metadata. If your server advertises support for Client ID Metadata Documents (CIMD), Intric will configure itself as a public client automatically.
Manual configuration — If automatic discovery is not available, you will need to provide:
- OAuth 2.0 Client ID
- OAuth 2.0 Client Secret (if required)
- Authorization URL
- Token URL
- Revocation URL (optional)
- Scopes (optional)
User authentication — Each user who wants to use the MCP server must complete the OAuth flow individually. They will be redirected to the external service’s login page, grant access, and be redirected back to Intric. The status indicator on the server record shows whether the current user is connected.
Token management — Intric handles access token caching and automatic refresh using refresh tokens. Users can disconnect from an OAuth server at any time, which revokes their stored tokens.
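The PKCE part of the flow described above, shown from both sides as an added example (not Intric's code): the client derives an S256 challenge as defined in RFC 7636, and the authorization server in front of your MCP server checks the verifier at the token endpoint. The function names and the shape of the stored request are assumptions.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Allowed verifier alphabet and length, RFC 7636 section 4.1.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def s256(verifier):
    """code_challenge = BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def client_start():
    """Client side: keep the verifier private, send only the challenge."""
    verifier = secrets.token_urlsafe(48)  # 64 URL-safe characters
    params = {"code_challenge": s256(verifier), "code_challenge_method": "S256"}
    return verifier, params


def server_verify(stored, code_verifier):
    """Token endpoint: check the verifier against the challenge stored
    with the authorization code."""
    if stored.get("code_challenge_method") != "S256":
        return False  # refuse 'plain' or a missing method
    if not VERIFIER_RE.fullmatch(code_verifier or ""):
        return False
    expected = stored.get("code_challenge", "")
    return hmac.compare_digest(s256(code_verifier), expected)


if __name__ == "__main__":
    verifier, params = client_start()
    print(server_verify(params, verifier))                  # legitimate client
    print(server_verify(params, secrets.token_urlsafe(48)))  # stolen code only
```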
Validating a connection
After configuring a server, use the Validate action to check whether Intric can reach it and authenticate successfully. Possible outcomes:
| Status | Meaning |
|---|---|
| OK | Server is reachable and authentication is working. |
| Unauthorized | Server is reachable but the provided credentials were rejected. Check your API key or OAuth configuration. |
| User not authenticated | The server uses OAuth and the current user has not completed the OAuth flow yet. |
| Server URL not set | No URL has been configured on the server record. |
| Failed | The server could not be reached. Verify the URL is correct and publicly accessible. |
Security considerations
URL restrictions — By default, Intric only allows HTTPS URLs that resolve to publicly routable IP addresses. This prevents server-side request forgery (SSRF) attacks. Private/internal URLs are blocked unless explicitly permitted by the system administrator.
Encrypted secrets — API keys and OAuth client secrets are encrypted at rest and never exposed in API responses. The API only indicates whether an API key is set, not its value.
Security classification — MCP tools participate in the same security classification rules as other tools in Intric. An assistant can only use an MCP tool if it meets the security classification requirements of the Space it belongs to.
Per-user OAuth — When using OAuth 2.0, each user has their own token. Users can only access external resources they have individually authorized.
Tenant-scoped — MCP server records are scoped to your tenant. They are not shared across tenants.
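To check ahead of time whether a URL would pass the default URL restrictions, the following added example approximates the rule as stated above (HTTPS only, every resolved address publicly routable). It is not Intric's implementation; the function names are assumptions and the DNS answers are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline (not real records).
SAMPLE_DNS = {
    "mcp.yourcompany.com": ["8.8.8.8"],
    "crm.corp.example": ["10.20.0.15"],
    "split.example": ["8.8.8.8", "192.168.1.10"],
    "mapped.example": ["::ffff:169.254.169.254"],
}


def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, [])


def system_resolver(host, port):
    """Every address the name maps to (A and AAAA) via the OS resolver."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_mcp_url(url, resolver=system_resolver):
    """Return (ok, reason). One private address among several is enough to
    reject; IPv4-mapped IPv6 is judged by the embedded IPv4 address."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port or 443
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if not host:
        return False, "no host in URL"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # IP literal in the URL
    except ValueError:
        try:
            addresses = resolver(host, port)
        except OSError as exc:
            return False, f"DNS resolution failed: {exc}"
    if not addresses:
        return False, "host did not resolve"
    for addr in addresses:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
        ip = getattr(ip, "ipv4_mapped", None) or ip
        if not ip.is_global:
            return False, f"{ip} is not publicly routable"
    return True, "ok"
```

Call `check_mcp_url(url)` without a resolver argument to test against live DNS; a result that differs between your network and the public internet usually points to split-horizon DNS.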
Troubleshooting
| Issue | Solution |
|---|---|
| "Server URL is not set" | Edit the MCP server and provide a valid HTTPS URL. |
| Tools are not appearing on the server | Click Refresh capabilities to re-fetch tools from the server. Ensure the URL points to the correct MCP endpoint. |
| OAuth flow fails or redirects incorrectly | Verify the authorization and token URLs are correct. Ensure the redirect URI registered with your OAuth provider matches Intric's callback URL. |
| "Unauthorized" after providing an API key | Confirm the API key is valid and has the necessary permissions on your MCP server. |
| Server was reachable but now fails | The server may be temporarily unavailable. Check your server logs and try validating again. |
| File or resource access errors during tool use | If a tool call returns a 401, Intric will attempt to refresh the OAuth token automatically. If this persists, the user may need to disconnect and re-authenticate. |