V1 Catalog MCP Servers (preview)#
The V1 agent runtime consumes MCP servers as catalog-authored resources rather than per-agent tool configurations. This page is the operator reference for authoring those resources.
Note
This is the V1 surface. The legacy V0 MCP Server Tools configuration (see MCP Server Tools) is unaffected and continues to work for agents that don’t run on V1.
Activating the surface#
The capability toggle capability.mcp.enabled gates the entire
MCP surface. The default is auto — which resolves to True
when at least one MCP resource is authored, False otherwise.
Explicit false (compliance lock) hides every server even when
resources are present. Explicit true requires at least one
authored resource (publish-time validator).
Approval policy#
Each server declares a default requires_approval (default
true — fail-safe). Individual tools can opt out via
tool_approval_overrides keyed on the upstream tool name (as the
server’s tools/list advertises it, not the namespaced
mcp_<id>__<tool> form). Precedence at dispatch time:
Catalog
tool_approval_overrides[upstream]Server-advertised
_meta.requires_approvalon the tool (where the server uses Squirro’s MCP convention)Server-level
requires_approvalHard default
True
Approval gating runs as one HITL prompt per turn carrying every pending tool call; the user approves / edits / rejects each one in one resume action.
User OAuth flow#
For per_user_oauth servers:
The catalog endpoint (
GET /v1/projects/{pid}/catalog) advertises the server withrequires_oauth: true,authenticated: false, andauthorize_url: /v1/external_mcp/authorize?server_id=<id>.The FE redirects the user’s browser to
authorize_url.The platform discovers the OAuth metadata, runs PKCE, redirects to the IdP.
The IdP redirects back to
/v1/external_mcp/callback; the platform exchanges the code for tokens and stores them Fernet-encrypted under(tenant, project_id, user, server_id).The next catalog poll shows the server as
authenticated: true. The agent can now dispatch tools through it.
Disconnecting an integration#
The FE drives disconnect through
DELETE /v1/external_mcp/secrets/{project_id}/{server_id}. The
endpoint targets the calling user’s own row keyed
(tenant, project_id, user, server_id); there is no admin
override that disconnects another user’s integration.
project-read is the floor — a read-only project member can still
disconnect their own integration.
The endpoint is local-delete only: it does not call the IdP’s token-revoke endpoint. The grant on the upstream lingers until the user revokes it from their IdP account, and tokens expire naturally. This matches the per-project scope (revoking at the IdP would invalidate any sibling project issued via the same client_id). Returns 204 on success, 404 when no row exists for the target.
The redirect URI the IdP echoes must be pinned in production via
SQ_GENAI_V1_EXTERNAL_MCP_REDIRECT_URI. The value must exactly
match the URL registered with the IdP (most IdPs reject token
exchanges with mismatched redirect URIs). Without the env var, the
platform falls back to deriving the URI from the incoming request’s
X-Forwarded-Host / X-Forwarded-Proto headers — convenient
for local dev behind an honest reverse proxy, but a security risk
in any environment where those headers can be spoofed. The
platform logs a warning whenever the fallback path is used.
Token refresh is not a runtime concern. An expired token surfaces
as a structured auth_required tool error mid-turn; the user
re-authorises through the same flow. The platform does not
silently refresh.
Going further#
Plugin authors writing tools exposed through
/studio-mcp(the internal aggregator) consult the V1 internal developer guidestudio-mcp-developers-guide.mdunder the genai service docs.Resource schemas + the picker payload shape are documented in the genai_config reference under the V1
MCPandStudioMcpConfigkinds.