
MCP Access with SSE MCP Server

Teleport can provide secure access to MCP servers with SSE transport.

This guide shows you how to:

  • Enroll an MCP server with SSE transport in your Teleport cluster.
  • Connect to the SSE MCP server via Teleport.

How it works

Users can configure their MCP clients such as Claude Desktop to start an MCP server using tsh. Once successfully authorized, tsh establishes a session with the Application Service.

The Teleport Application Service first starts an SSE connection to the remote MCP server defined in the application definition. Teleport then proxies the MCP protocol between the client and the remote MCP server, applying additional role-based access controls such as filtering which tools are available to the user. While proxying, Teleport also logs MCP protocol requests as audit events, providing visibility into user activity.

warning

HTTP with SSE transport has been deprecated in MCP specification version 2025-03-26. It is recommended to update your MCP server to use the streamable-HTTP transport instead.

Prerequisites

  • A running Teleport (v18.1.0 or higher) cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

  • The tctl and tsh clients.

    Installing tctl and tsh clients
    1. Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service:

      TELEPORT_DOMAIN=teleport.example.com:443
      TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"
    2. Follow the instructions for your platform to install tctl and tsh clients:

      Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients:

      curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg

      In Finder double-click the pkg file to begin installation.

      danger

      Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

  • A host, e.g., an EC2 instance, where you will run the Teleport Application Service.
  • The endpoint of the SSE MCP server http://my-sse-server/sse.

Step 1/3. Configure the Teleport Application Service

You can update an existing Application Service or create a new one to enable the MCP server.

If you already have an existing Application Service running, you can add an MCP server in your YAML configuration:

app_service:
  enabled: true
  apps:
  - name: "everything"
    uri: "mcp+sse+http://my-sse-server/sse"  # "mcp+sse+" followed by the SSE MCP server endpoint
    labels:
      env: dev
    description:

Step 2/3. Configure your Teleport user

In this step, you will grant your Teleport user access to all MCP servers and their MCP tools.

If you have an existing Teleport user, assign the preset role mcp-user to that user. The mcp-user role allows access to all MCP servers and their tools:

kind: role
version: v8
metadata:
  description: Access to MCP servers
  labels:
    teleport.internal/resource-type: preset
  name: mcp-user
spec:
  allow:
    app_labels:
      'teleport.internal/app-sub-kind': 'mcp'
    mcp:
      tools:
      - '*'

Alternatively, add the above allow permissions to an existing Teleport role.

tip

You can also create and edit roles using the Web UI. Go to Access -> Roles and click Create New Role or pick an existing role to edit.

Step 3/3. Connect

Log in to Teleport with the user we've just created, my_user:

tsh login --proxy=teleport.example.com:443 --user=my_user

Now we can inspect available MCP servers:

tsh mcp ls
Name       Description           Type  Labels
---------- --------------------- ----- ----------
everything everything MCP server SSE   env=dev

To show configurations for your MCP client to connect:

tsh mcp config everything
Found MCP servers:
everything

Here is a sample JSON configuration for launching Teleport MCP servers:
{
  "mcpServers": {
    "teleport-mcp-everything": {
      "command": "/path/to/tsh",
      "args": ["mcp", "connect", "everything"]
    }
  }
}

Tip: You can use this command to update your MCP servers configuration file automatically.
- For Claude Desktop, use --client-config=claude to update the default configuration.
- For Cursor, use --client-config=cursor to update the global MCP servers configuration.
In addition, you can use --client-config=<path> to specify a config file location that is compatible with the "mcpServers" mapping.
For example, you can update a Cursor project using --client-config=<path-to-project>/.cursor/mcp.json

Once your MCP client configuration is updated, you will see teleport-mcp-everything MCP server with allowed tools appear in your MCP client.
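Teleport's access controls and audit events only apply to MCP servers the client reaches through tsh mcp connect. The following added example (not part of the Teleport documentation or tooling) audits an "mcpServers" mapping and reports entries that bypass Teleport. The sample config, the direct-sse and local-npx entries, and the "url" key used by some MCP clients for remote servers are assumptions made for illustration.

```python
import json

# Constructed sample of an MCP client config; only the first entry matches
# the configuration printed by `tsh mcp config everything`.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "teleport-mcp-everything": {
      "command": "/path/to/tsh",
      "args": ["mcp", "connect", "everything"]
    },
    "direct-sse": {"url": "http://my-sse-server/sse"},
    "local-npx": {"command": "npx", "args": ["-y", "some-mcp-server"]}
  }
}
"""


def via_teleport(entry):
    """Return True if the entry launches `tsh mcp connect <app>`."""
    command = str(entry.get("command") or "")
    # Take the executable name from a POSIX or Windows style path.
    binary = command.replace("\\", "/").rsplit("/", 1)[-1]
    args = entry.get("args") or []
    return (binary in ("tsh", "tsh.exe")
            and len(args) >= 3
            and args[:2] == ["mcp", "connect"])


def audit(config_text):
    """Return {server_name: reason} for entries that do not go through Teleport."""
    servers = json.loads(config_text).get("mcpServers", {})
    findings = {}
    for name, entry in servers.items():
        if via_teleport(entry):
            continue
        if "url" in entry:  # assumed key for a direct remote connection
            findings[name] = "connects directly to " + entry["url"]
        else:
            findings[name] = "launches " + str(entry.get("command")) + " outside tsh"
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {reason}")
```

Run it against the file you pass to --client-config to confirm that the SSE endpoint is not also configured as a direct entry next to the Teleport one.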

Next Steps

Learn more about protecting MCP servers with Teleport in the following topics: