Skip to main content
Version: 18.x

MCP Access with Streamable-HTTP MCP Server

Report an issue with this page

Teleport can provide secure access to MCP servers with streamable-HTTP transport.

This guides shows you how to:

  • Enroll a MCP server with streamable-HTTP transport in your Teleport cluster.
  • Connect to the stdio MCP server via Teleport.

How it works

Users can configure their MCP clients such as Claude Desktop to start an MCP server using tsh. Once successfully authorized, tsh establishes a session with the Application Service.

Teleport proxies the MCP protocol between the client and the remote MCP server, applying additional role-based access controls such as filtering which tools are available to the user. While proxying, Teleport also logs MCP protocol requests as audit events, providing visibility into user activity.

Prerequisites

  • A running Teleport (v18.1.0 or higher) cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

  • The tctl and tsh clients.

    Installing tctl and tsh clients

    1. Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service:

      TELEPORT_DOMAIN=teleport.example.com:443
      TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"

    2. Follow the instructions for your platform to install tctl and tsh clients:

      Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients:

      curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg

      In Finder double-click the pkg file to begin installation.

      danger

      Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

  • A host, e.g., an EC2 instance, where you will run the Teleport Application Service.
  • The endpoint of the streamable-HTTP MCP server http://my-http-server/mcp.

Step 1/3. Configure the Teleport Application Service

You can update an existing Application Service or create a new one to enable the the MCP server.

If you already have an existing Application Service running, you can add a MCP server in your YAML configuration:

app_service:
  enabled: true
  apps:
  - name: "everything"
    uri: "mcp+MCP endpoint"
    labels:
      env: dev
    description:

Step 2/3. Configure your Teleport user

In this step, you will grant your Teleport user access to all MCP servers and their MCP tools.

If you have an existing Teleport user, assign the preset role mcp-user to that user. The mcp-user role allows access to all MCP servers and their tools:

kind: role
version: v8
metadata:
  description: Access to MCP servers
  labels:
    teleport.internal/resource-type: preset
  name: mcp-user
spec:
  allow:
    app_labels:
      'teleport.internal/app-sub-kind': 'mcp'
    mcp:
      tools:
      - '*'

Alternatively, add the above allow permissions to an existing Teleport role.

tip

You can also create and edit roles using the Web UI. Go to Access -> Roles and click Create New Role or pick an existing role to edit.

Step 3/3. Connect

Log in to Teleport with the user we've just created, my_user:

tsh login --proxy=teleport.example.com:443 --user=my_user

Now we can inspect available MCP servers:

tsh mcp ls
Name       Description           Type            Labels---------- --------------------- --------------- ----------everything everything MCP server Streamable HTTP env=dev

To show configurations for your MCP client to connect:

tsh mcp config everything
Found MCP servers:everything
Here is a sample JSON configuration for launching Teleport MCP servers:{  "mcpServers": {    "teleport-mcp-everything": {      "command": "/path/to/tsh",      "args": ["mcp", "connect", "everything"]    }  }}
Tip: You can use this command to update your MCP servers configuration file automatically.- For Claude Desktop, use --client-config=claude to update the default configuration.- For Cursor, use --client-config=cursor to update the global MCP servers configuration.In addition, you can use --client-config=<path> to specify a config file location that is compatible with the "mcpServers" mapping.For example, you can update a Cursor project using --client-config=<path-to-project>/.cursor/mcp.json

Once your MCP client configuration is updated, you will see teleport-mcp-everything MCP server with allowed tools appear in your MCP client.

Connect with streamable-HTTP client

The tsh mcp connect command demonstrated above can be used by any stdio MCP client to start a MCP session, and Teleport automatically handles the transport conversion to the remote MCP server.

However, if you wish to connect to the MCP server in streamable-HTTP transport, you can start a local proxy that creates an authenticated tunnel to the remote MCP server:

tsh proxy mcp everything -p 8888
Proxying connections to everything on 127.0.0.1:8888

Then, connect to the MCP server locally with a MCP client that supports streamable-HTTP, for example:

npx @modelcontextprotocol/inspector --transport http --cli --method tools/list http://127.0.0.1:8888

Alternatively, instead of tsh, you can use Teleport Connect which can maintain the local proxies in the background.

Next Steps

Learn more about protecting MCP servers with Teleport in the following topics: