Skip to main content
Version: 18.x

MCP Access with Stdio MCP Server

Report an issue with this page

Teleport can provide secure access to MCP servers with stdio transport.

This guides shows you how to:

  • Enroll a MCP server with stdio transport in your Teleport cluster.
  • Connect to the stdio MCP server via Teleport.

How it works

Users can configure their MCP clients such as Claude Desktop to start an MCP server using tsh. Once successfully authorized, tsh establishes a session with the Application Service.

The Application Service starts the MCP server using the command and arguments defined by Teleport administrators in the app definition. Teleport then proxies the connection between the client and the remote MCP server, applying additional role-based access controls such as filtering which tools are available to the user. While proxying, Teleport also logs MCP protocol requests as audit events, providing visibility into user activity.

Prerequisites

  • A running Teleport cluster version 18.0.2 or above. If you do not have one, read Get Started with Teleport or set up a demo environment.

  • The tctl and tsh clients.

    Installing tctl and tsh clients

    Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients:

    curl -O https://cdn.teleport.dev/teleport-18.0.2.pkg

    In Finder double-click the pkg file to begin installation.

    danger

    Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

    The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/ping and use a JSON query tool to obtain your cluster version:

    curl https://example.teleport.sh/v1/webapi/ping | jq -r '.server_version'
    18.0.2
  • A host, e.g., an EC2 instance, where you will run the Teleport Applications Service.
  • Tools on the same host that can launch stdio-based MCP servers like npx or docker.

Step 1/3. Configure the Teleport Application Service

Get a join token

The Application Service requires a valid join token to join your Teleport cluster. Run the following tctl command and save the token output in /tmp/token on the server that will run the Application Service:

tctl tokens add --type=app --format=text
abcd123-insecure-do-not-use-this
Alternative methods

For users with a lot of infrastructure in AWS, or who might create or recreate many instances, consider alternative methods for joining new EC2 instances running Teleport:

Install the Teleport Application Service

Install Teleport on the host where you will run the Teleport Application Service:

To install a Teleport Agent on your Linux server:

The easiest installation method, for Teleport versions 17.3 and above, is the cluster install script. It will use the best version, edition, and installation mode for your cluster.

  1. Assign teleport.example.com:443 to your Teleport cluster hostname and port, but not the scheme (https://).

  2. Run your cluster's install script:

    curl "https://teleport.example.com:443/scripts/install.sh" | sudo bash

On older Teleport versions:

  1. Assign edition to one of the following, depending on your Teleport edition:

    EditionValue
    Teleport Enterprise Cloudcloud
    Teleport Enterprise (Self-Hosted)enterprise
    Teleport Community Editionoss

  2. Get the version of Teleport to install. If you have automatic agent updates enabled in your cluster, query the latest Teleport version that is compatible with the updater:

    TELEPORT_DOMAIN=example.teleport.com:443
    TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/default/version | sed 's/v//')"

    Otherwise, get the version of your Teleport cluster:

    TELEPORT_DOMAIN=example.teleport.com:443
    TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/ping | jq -r '.server_version')"

  3. Install Teleport on your Linux server:

    curl https://cdn.teleport.dev/install.sh | bash -s ${TELEPORT_VERSION} edition

    The installation script detects the package manager on your Linux server and uses it to install Teleport binaries. To customize your installation, learn about the Teleport package repositories in the installation guide.

Configure the Teleport Application service

On the host where you will run the Teleport Application Service, create a file at /etc/teleport.yaml with the following content:

version: v3
teleport:
  join_params:
    token_name: "/tmp/token"
    method: token
  proxy_server: "teleport.example.com:443"
auth_service:
  enabled: false
proxy_service:
  enabled: false
ssh_service:
  enabled: false
app_service:
  enabled: true
  apps:
  - name: "everything"
    labels:
      env: dev
    description:
    mcp:
      # Command to launch stdio-based MCP servers.
      command: "docker"
      # Args to execute with the command.
      args: ["run", "-i", "--rm", "mcp/everything"]
      # Name of the host user account under which the command will be
      # executed. Required for stdio-based MCP servers.
      run_as_host_user: "docker"

Replace teleport.example.com:443 with the host and port of your Teleport Proxy Service or Teleport Cloud tenant.

Start the Teleport Application Service

Configure the Application Service to start automatically when the host boots up by creating a systemd service for it. The instructions depend on how you installed the Application Service.

On the host where you will run the Application Service, enable and start Teleport:

sudo systemctl enable teleport
sudo systemctl start teleport

You can check the status of the Application Service with systemctl status teleport and view its logs with journalctl -fu teleport.

Step 2/3. Create a user and role

Create a role that will allow a user to connect to MCP servers with label env=dev and allow the user to use the echo tool or any tool starts with get:

tctl create <<EOFkind: roleversion: v8metadata:  name: access-mcpspec:  allow:    app_labels:      'env': 'dev'    description: "Everything MCP server"    mcp:      tools:      - echo      - get*EOF
tip

You can also create and edit roles using the Web UI. Go to Access -> Roles and click Create New Role or pick an existing role to edit.

Create the Teleport user assigned the access-mcp role we've just created:

tctl users add --roles=access-mcp my_user

Step 3/3. Connect

Log in to Teleport with the user we've just created.

tsh login --proxy=teleport.example.com:443 --user=my_user

Now we can inspect available MCP servers:

tsh mcp ls
Name       Description           Type  Labels---------- --------------------- ----- ----------everything everything MCP server stdio env=dev

To show configurations for your MCP client to connect:

tsh mcp config
Found MCP servers:everything
Here is a sample JSON configuration for launching Teleport MCP servers:{  "mcpServers": {    "teleport-mcp-everything": {      "command": "/path/to/tsh",      "args": ["mcp", "connect", "everything"]    }  }}
Tip: You can use this command to update your MCP servers configuration file automatically.- For Claude Desktop, use --client-config=claude to update the default configuration.- For Cursor, use --client-config=cursor to update the global MCP servers configuration.In addition, you can use --client-config=<path> to specify a config file location that is compatible with the "mcpServers" mapping.For example, you can update a Cursor project using --client-config=<path-to-project>/.cursor/mcp.json

Once your MCP client configuration is updated, you will see teleport-mcp-everything MCP server with allowed tools appear in your MCP client.

Next Steps

Learn more about protecting MCP servers with Teleport in the following topics: