Teleport can provide secure connections to your MCP (Model Context Protocol) servers while improving both access control and visibility.

This guide shows you how to:

- Enroll the Teleport demo MCP server in your Teleport cluster.
- Connect to the MCP server via Teleport.

The Teleport Application Service includes a built-in demo MCP server designed to showcase how MCP access works.

Users can configure their MCP clients, such as Claude Desktop, to start an MCP server using tsh. Once successfully authorized, tsh establishes a session with the Application Service.

Once the session is established, the Application Service starts the in-memory demo MCP server. Teleport then proxies the connection between the client and the remote MCP server, applying additional role-based access controls such as filtering which tools are available to the user. While proxying, Teleport also logs MCP protocol requests as audit events, providing visibility into user activity.

A running Teleport cluster version 19.0.0-dev or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

The tctl and tsh clients.

Installing tctl and tsh clients

Mac:

Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients:

curl -O https://cdn.teleport.dev/teleport-19.0.0-dev.pkg

In Finder double-click the pkg file to begin installation.

Danger: Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

Windows - Powershell:

curl.exe -O https://cdn.teleport.dev/teleport-v19.0.0-dev-windows-amd64-bin.zip

Linux:

All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page.

curl -O https://cdn.teleport.dev/teleport-v19.0.0-dev-linux-amd64-bin.tar.gz
tar -xzf teleport-v19.0.0-dev-linux-amd64-bin.tar.gz
cd teleport
sudo ./install

The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/ping and use a JSON query tool to obtain your cluster version:

curl https://example.teleport.sh/v1/webapi/ping | jq -r '.server_version'
19.0.0-dev



A host, e.g., an EC2 instance, where you will run the Teleport Application Service.

The Application Service requires a valid join token to join your Teleport cluster. Run the following tctl command and save the token output in /tmp/token on the server that will run the Application Service:

tctl tokens add --type=app --format=text
abcd123-insecure-do-not-use-this

Install Teleport on the host where you will run the Teleport Application Service:

To install a Teleport Agent on your Linux server:

The easiest installation method, for Teleport versions 17.3 and above, is the cluster install script. It will use the best version, edition, and installation mode for your cluster.

Assign teleport.example.com:443 to your Teleport cluster hostname and port, but not the scheme (https://).

Run your cluster's install script:

curl "https://teleport.example.com:443/scripts/install.sh" | sudo bash

On older Teleport versions:

Assign edition to one of the following, depending on your Teleport edition:

Edition                             Value
----------------------------------  ----------
Teleport Enterprise Cloud           cloud
Teleport Enterprise (Self-Hosted)   enterprise
Teleport Community Edition          oss

Get the version of Teleport to install. If you have automatic agent updates enabled in your cluster, query the latest Teleport version that is compatible with the updater:

TELEPORT_DOMAIN=teleport.example.com:443
TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/default/version | sed 's/v//')"

Otherwise, get the version of your Teleport cluster:

TELEPORT_DOMAIN=teleport.example.com:443
TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/ping | jq -r '.server_version')"

Install Teleport on your Linux server:

curl https://cdn.teleport.dev/install.sh | bash -s ${TELEPORT_VERSION} edition

The installation script detects the package manager on your Linux server and uses it to install Teleport binaries. To customize your installation, learn about the Teleport package repositories in the installation guide.

On the host where you will run the Teleport Application Service, create a configuration file:

sudo teleport configure \
  -o file \
  --roles=app \
  --proxy=teleport.example.com:443 \
  --token=/tmp/token \
  --mcp-demo-server

The command will generate an Application Service configuration to proxy the demo MCP server and save the configuration to /etc/teleport.yaml.

Configure the Application Service to start automatically when the host boots up by creating a systemd service for it. The instructions depend on how you installed the Application Service.

Package Manager:

On the host where you will run the Application Service, enable and start Teleport:

sudo systemctl enable teleport
sudo systemctl start teleport

TAR Archive:

On the host where you will run the Application Service, create a systemd service configuration for Teleport, enable the Teleport service, and start Teleport:

sudo teleport install systemd -o /etc/systemd/system/teleport.service
sudo systemctl enable teleport
sudo systemctl start teleport

You can check the status of the Application Service with systemctl status teleport and view its logs with journalctl -fu teleport.

Create a user with access to all MCP servers and all available tools provided by those servers:

tctl users add my_user --roles=access --mcp-tools "*"

Log in to Teleport with the user we've just created.

tsh login --proxy=teleport.example.com:443 --user=my_user

Now we can inspect available MCP servers:

tsh mcp ls
Name              Description                                                       Type  Labels
----------------- ----------------------------------------------------------------- ----- ------
teleport-mcp-demo A demo MCP server that shows current user and session information stdio

To show configurations for your MCP client to connect:

tsh mcp config
Found MCP servers:
teleport-mcp-demo

Here is a sample JSON configuration for launching Teleport MCP servers:
{
  "mcpServers": {
    "teleport-mcp-teleport-mcp-demo": {
      "command": "/path/to/tsh",
      "args": ["mcp", "connect", "teleport-mcp-demo"]
    }
  }
}

Tip: You can use this command to update your MCP servers configuration file automatically.
- For Claude Desktop, use --client-config=claude to update the default configuration.
- For Cursor, use --client-config=cursor to update the global MCP servers configuration.
In addition, you can use --client-config=<path> to specify a config file location that is compatible with the "mcpServers" mapping. For example, you can update a Cursor project using --client-config=<path-to-project>/.cursor/mcp.json

Once your MCP client configuration is updated, you will find the Teleport demo MCP server in your MCP client. The demo MCP server consists of several tools that provide basic information on this demo, your Teleport user, and the MCP session. You can interact with it using sample questions like "can you show some details on this teleport demo?".
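Because only servers launched through tsh are proxied by Teleport, it is worth checking which entries in an "mcpServers" file actually go through it. The following is an added example, not part of the original guide or Teleport's own tooling: it audits a config in the format shown above, and the "local-notes" and "relative-tsh" entries are constructed sample data.

```python
import json
import os

# Constructed sample: the guide's Teleport entry plus two hypothetical entries.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "teleport-mcp-teleport-mcp-demo": {
      "command": "/path/to/tsh",
      "args": ["mcp", "connect", "teleport-mcp-demo"]
    },
    "local-notes": {
      "command": "node",
      "args": ["notes-server.js"]
    },
    "relative-tsh": {
      "command": "tsh",
      "args": ["mcp", "connect", "teleport-mcp-demo"]
    }
  }
}
"""


def audit_mcp_config(text):
    """Return {server_name: [findings]}; an empty list means no findings."""
    servers = json.loads(text).get("mcpServers", {})
    report = {}
    for name, entry in servers.items():
        findings = []
        command = entry.get("command", "")
        args = entry.get("args", [])
        # An entry is proxied by Teleport only if it runs "tsh mcp connect <name>".
        via_tsh = (os.path.basename(command) in ("tsh", "tsh.exe")
                   and args[:2] == ["mcp", "connect"])
        if not via_tsh:
            findings.append("not proxied by Teleport: no tool filtering or audit events")
        elif len(args) < 3:
            findings.append("no MCP server name after 'tsh mcp connect'")
        # The MCP client executes this command, so pin it to an absolute path.
        if not os.path.isabs(command):
            findings.append("command is not an absolute path: resolved via PATH at launch")
        report[name] = findings
    return report


if __name__ == "__main__":
    for server, issues in audit_mcp_config(SAMPLE_CONFIG).items():
        print(server, "OK" if not issues else issues)
```

To audit a real client file, pass its contents to audit_mcp_config(), for example the file you gave to --client-config=<path>.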

