Skip to main content
Ankra exposes a remote Model Context Protocol server at:
Use it to inspect clusters, workloads, logs, alerts, and related platform data from an MCP client. Write access can also apply changes through Ankra’s agent tools.

Choose an Access Scope

mcp:write implies read access. When creating a write token in the portal, Ankra selects both scopes.
MCP clients own the confirmation experience. Ankra does not show a second server-side confirmation prompt before a write tool runs. Only grant mcp:write to clients you trust.

Create an MCP Token

1

Open API Tokens

Open your profile, select API Tokens, then select Add Token.
2

Choose MCP access

Enter a descriptive name and select mcp:read. Select mcp:write only if the client needs to change resources.
3

Copy the token

Copy the generated token immediately and store it securely. Ankra only shows it once.
MCP-scoped tokens work only with the MCP endpoint and stay bound to the organisation selected when the token was created. They cannot call Ankra’s REST API or override their organisation.

Connect Cursor

Add Ankra to your Cursor MCP configuration:
Restart or refresh MCP servers in Cursor after saving the configuration. Ankra then appears as an available MCP server with tools filtered by the token’s scopes.
Keep personal tokens out of shared project configuration. Use a user-level MCP configuration or a local file that is excluded from version control.

Connect Claude with OAuth

Claude clients that support remote MCP connectors can connect without a manually copied token.
1

Add the connector

Add a custom MCP connector in Claude and use https://platform.ankra.app/api/v1/mcp as the server URL.
2

Sign in to Ankra

Claude opens Ankra’s OAuth consent flow. Sign in if needed.
3

Choose the organisation and scope

Select the organisation, review the requested mcp:read or mcp:write access, then approve the connection.
By default, Ankra issues a seven-day MCP-only token to the client. The flow uses OAuth 2.1 authorization code with PKCE. No client secret or refresh token is issued, so reconnect when the grant expires.

How Tool Access Works

  • tools/list only returns tools allowed by the token.
  • Cluster-scoped tools require a cluster_id. Call list_clusters to discover IDs.
  • Ankra verifies that the cluster belongs to the token’s organisation before dispatch.
  • Draft-only chat tools are not available over MCP.
  • Parameters containing literal secrets are refused before a mutating tool runs.
  • Tool calls are rate limited per token. Write calls also use a fail-closed platform write limit.
  • Every resolved tool call, including refused calls, is written to the organisation audit log.

Troubleshooting

401 Invalid or missing bearer token

The token is missing, expired, revoked, or copied incorrectly. Create a new MCP token and update the client.

403 Token has no MCP scope

The token is REST-only. Recreate it with mcp:read or mcp:read,mcp:write.

403 Origin not allowed

A browser-based client is calling from an origin that Ankra does not allow. Contact your Ankra administrator to review the configured origins.

A tool reports that it needs mcp:write

The requested tool changes state and is outside the read surface. Use a write-scoped token only if the client should make that change.

A tool reports a rate limit

Wait one minute and retry. If normal usage regularly reaches the limit, ask your Ankra administrator to review the MCP rate limits.