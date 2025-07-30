Version: 19.x (unreleased)

On this page

Dynamic MCP Server Registration Report an issue with this page

Dynamic MCP server registration allows Teleport administrators to register new MCP servers (or update/unregister existing ones) without having to update the static configuration files read by Teleport Application Service instances.

The MCP server resources are registered as app resources in the Teleport backend. Application Service instances periodically query the Teleport Auth Service for app resources, each of which includes the information that the Application Service needs to proxy an application.

In order to interact with dynamically registered applications, a user must have a Teleport role with permissions to manage app resources.

In the following example, a role allows a user to perform all possible operations against app resources:

allow: rules: - resources: - app verbs: [ list , create , read , update , delete ]

To enable dynamic registration, include a resources section in your Application Service configuration with a list of resource label selectors you'd like this service to monitor for registering:

app_service: enabled: true resources: - labels: "*": "*"

You can use a wildcard selector to register all dynamic app resources in the cluster on the Application Service or provide a specific set of labels for a subset:

resources: - labels: "env": "prod" - labels: "env": "test"

The following example configures Teleport to proxy the "Everything" MCP server by launching it through docker:

kind: app version: v3 metadata: name: everything description: The Everything MCP server labels: env: dev spec: mcp: command: "docker" args: [ "run" , "-i" , "--rm" , "mcp/everything" ] run_as_host_user: "docker"

See the full resource spec reference.

To create the resource, run:

tsh login --proxy=teleport.example.com --user=myuser tctl create mcp_server.yaml

After the resource has been created, it will appear among the list of available MCP servers (in tsh mcp ls or UI) as long as at least one Application Service instance picks it up according to its label selectors.

To update an existing application resource, run:

tctl create -f mcp_server.yaml

If the updated resource's labels no longer match a particular app agent, it will unregister and stop proxying it.

To delete the resource, run: