Skip to content

MCP Server for AI Agents

The Centrali MCP (Model Context Protocol) server lets AI assistants like Claude, Cursor, Windsurf, and other MCP-compatible clients interact with your Centrali workspace. It exposes your collections, records, compute functions, orchestrations, pages, and IAM configuration as callable tools — so an AI agent can query data, create records, invoke functions, build pages, and manage access without writing any integration code.

Built on the @centrali-io/centrali-sdk and the Model Context Protocol standard.

Two ways to connect

Method Best for Auth
Hosted MCP server (recommended) Interactive use — Claude Desktop, Claude Code, Cursor Browser OAuth login
Stdio package CI pipelines, automation, headless environments Service account credentials

The easiest way to connect. Add a single URL — authentication happens in the browser.

Edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "centrali": {
      "type": "url",
      "url": "https://mcp.centrali.io"
    }
  }
}

claude mcp add centrali --transport http https://mcp.centrali.io

Add to your .cursor/mcp.json:

{
  "mcpServers": {
    "centrali": {
      "type": "url",
      "url": "https://mcp.centrali.io"
    }
  }
}

How it works

  1. Add the URL — paste the configuration snippet into your AI client
  2. Authenticate — your client opens a browser window for you to log in with your Centrali account
  3. Select workspace — choose which workspace the agent operates in (auto-selected if you only have one)
  4. Start using — ask the agent to call describe_centrali and explore from there

No API keys, client IDs, or environment variables required. The token carries your user identity, so audit logs show you performed the action.

Option 2: Stdio with Service Account (CI/automation)

For headless environments where browser login isn't possible. Uses service account credentials with RBAC permissions.

npm install -g @centrali-io/centrali-mcp

Or run directly with npx:

npx @centrali-io/centrali-mcp

{
  "mcpServers": {
    "centrali": {
      "command": "npx",
      "args": ["@centrali-io/centrali-mcp"],
      "env": {
        "CENTRALI_URL": "https://centrali.io",
        "CENTRALI_CLIENT_ID": "<service-account-client-id>",
        "CENTRALI_CLIENT_SECRET": "<service-account-secret>",
        "CENTRALI_WORKSPACE": "my-workspace"
      }
    }
  }
}

claude mcp add centrali \
  -e CENTRALI_URL=https://centrali.io \
  -e CENTRALI_CLIENT_ID=<service-account-client-id> \
  -e CENTRALI_CLIENT_SECRET=<service-account-secret> \
  -e CENTRALI_WORKSPACE=my-workspace \
  -- npx @centrali-io/centrali-mcp

Environment Variables (stdio mode)

Variable Required Description
CENTRALI_URL Yes Your Centrali instance URL (e.g., https://centrali.io)
CENTRALI_WORKSPACE Yes Workspace slug to operate in
CENTRALI_CLIENT_ID Yes Service account client ID
CENTRALI_CLIENT_SECRET Yes Service account client secret

Service Account Setup

A freshly created service account has no permissions by default. You must assign it a role before the MCP server can do anything useful, otherwise every tool call will return 403 Forbidden.

Quickest setup — full admin access:

  1. In the Console, go to Settings > Service Accounts
  2. Create a service account and save the credentials
  3. Open the service account, go to the Groups tab
  4. Add it to the workspace_administrators group

Least-privilege setup: Create a custom group with a policy scoped to the specific resources the MCP agent needs. See Policies and Permissions for details.

Store credentials securely

Never commit secrets to source control. Use environment variables or a secrets manager.

Migrating from OAuth stdio to hosted

If you were previously using CENTRALI_OAUTH_CLIENT_ID or CENTRALI_OAUTH_CLIENT_SECRET with the stdio package, those auth modes have moved to the hosted MCP server.

Step-by-step migration

  1. Remove the old configuration — delete the command, args, and env block from your MCP client config
  2. Add the hosted URL — replace with { "type": "url", "url": "https://mcp.centrali.io" }
  3. Restart your AI client — on next connection, authenticate in the browser
  4. Delete the old OAuth app (optional) — the OAuth app in Settings > OAuth Apps is no longer needed for this use case

Before and after

Before (stdio + OAuth): 

{
  "mcpServers": {
    "centrali": {
      "command": "npx",
      "args": ["@centrali-io/centrali-mcp"],
      "env": {
        "CENTRALI_URL": "https://centrali.io",
        "CENTRALI_OAUTH_CLIENT_ID": "oc_your_client_id",
        "CENTRALI_OAUTH_CLIENT_SECRET": "os_your_client_secret",
        "CENTRALI_WORKSPACE": "my-workspace"
      }
    }
  }
}

After (hosted): 

{
  "mcpServers": {
    "centrali": {
      "type": "url",
      "url": "https://mcp.centrali.io"
    }
  }
}

FAQ

Q: What about my existing service account configuration? A: Service accounts still work with the stdio package. No migration needed — only browser OAuth users need to switch.

Q: Will the old OAuth env vars cause errors? A: The stdio package will detect CENTRALI_OAUTH_CLIENT_ID and print a migration message with instructions. It will not start the MCP server.

Q: Can I use the hosted server for CI/automation? A: The hosted server requires browser-based login, so it's not suitable for headless environments. Use the stdio package with a service account for CI/automation.

Getting Started

Once connected, instruct your AI agent to call describe_centrali first. This returns a full capability map with all available tools grouped by domain. From there, the agent can call domain-specific describe_* tools for detailed schema references before taking action.

A typical agent workflow looks like:

  1. Discover — call describe_centrali to see what is available
  2. Explore — call list_collections or describe_records to understand the data model
  3. Act — create records, invoke triggers, build pages, etc.

Available Tools

The MCP server exposes 100+ tools across these domains:

Discovery

Call these first to understand the workspace schema and API shapes.

Tool Description
describe_centrali Platform overview, feature matrix, and full tool list
describe_collections Collection schema reference (field types, constraints)
describe_records Record operations reference (filters, sorting, pagination, expand)
describe_search Full-text search reference
describe_compute Compute function reference (input contract, secrets, async execution)
describe_smart_queries Parameterized query reference
describe_orchestrations Multi-step workflow reference
describe_insights Anomaly detection reference
describe_validation Data validation reference
describe_pages Pages builder reference
describe_page_definition Page definition schema (blocks, layouts)
describe_page_blocks Available block types for pages
describe_page_actions Page action system reference
describe_navigation Navigation configuration reference
describe_auth_providers External auth provider reference (BYOT setup, claim mappings)
describe_service_accounts Service account and IAM reference

Collections

Tool Description
list_collections List all data collections in the workspace
get_collection Get full schema for a collection by slug
create_collection Create a new collection with typed properties
update_collection Update an existing collection
delete_collection Delete a collection and all its records

Records

Tool Description
query_records Query records with filters, sorting, pagination
get_record Get a single record by ID
get_records_by_ids Get multiple records by IDs
create_record Create a new record
update_record Update an existing record
upsert_record Create or update a record
delete_record Soft or hard delete a record
restore_record Restore a soft-deleted record
Tool Description
search_records Full-text search across workspace records

Compute

Tool Description
list_functions List compute functions
get_function Get a function by ID (includes code)
create_function / update_function / delete_function Manage functions
test_function Test-execute code without saving
list_triggers / get_trigger / create_trigger / update_trigger / delete_trigger Manage triggers
invoke_trigger Invoke an on-demand trigger (returns job ID — async)
pause_trigger / resume_trigger Control trigger state
get_function_run / list_function_runs Inspect execution results
get_compute_job_status Poll async job status
invoke_endpoint Call a sync compute endpoint by path (returns response inline)
list_allowed_domains / add_allowed_domain / remove_allowed_domain Manage outbound HTTP allowlist

Smart Queries

Tool Description
list_smart_queries / get_smart_query Browse saved queries
create_smart_query / update_smart_query / delete_smart_query Manage queries
execute_smart_query Execute with optional variables
test_smart_query Test a query definition without saving

Orchestrations

Tool Description
list_orchestrations / get_orchestration Browse workflows
create_orchestration / update_orchestration / delete_orchestration Manage workflows
activate_orchestration / pause_orchestration Control workflow state
trigger_orchestration Start a run with optional input
list_orchestration_runs / get_orchestration_run Inspect run history and step details

AI Features

Tool Description
trigger_anomaly_analysis / list_insights / get_insight Anomaly detection
acknowledge_insight / dismiss_insight / get_insights_summary Manage insights
trigger_validation_scan / list_validation_suggestions Data validation
accept_validation_suggestion / reject_validation_suggestion / get_validation_summary Act on suggestions

Pages

Tool Description
list_pages / get_page / create_page / update_page / delete_page Manage pages
save_page_draft / get_page_draft / validate_page Draft workflow
publish_page / unpublish_page Publishing
list_page_versions Version history
set_page_access_policy Access control (public, authenticated, role-gated)
get_page_theme / set_page_theme Workspace theming
get_navigation / set_navigation / delete_navigation Navigation config
generate_starter_pages / accept_page_proposal AI-assisted page generation

Service Accounts and IAM

Tool Description
list_service_accounts / get_service_account / create_service_account Manage SAs
rotate_service_account_secret / revoke_service_account Credential lifecycle
generate_dev_token Generate a short-lived dev token for testing
scan_service_account_permissions Full access matrix audit
simulate_service_account_permission Simulate an auth check with evaluation trace
generate_remediation / preview_remediation / apply_remediation Fix missing permissions
list_roles / get_role / create_role / update_role / delete_role Manage roles
list_groups / get_group / create_group / update_group / delete_group Manage groups

Publishable Keys

Tool Description
list_publishable_keys / get_publishable_key Browse keys
create_publishable_key / update_publishable_key / revoke_publishable_key Manage frontend keys

Identity

Tool Description
get_current_identity Get the current authenticated MCP identity (service account or OAuth user)

Resources

The MCP server also exposes MCP resources that clients can read:

URI Description
centrali://collections List of all collections with name, slug, and description
centrali://collections/{slug} Full schema for a specific collection

MCP vs SDK vs Console

Capability MCP Server SDK Console UI
AI agent integration Yes No No
Programmatic access (Node.js, scripts) No Yes No
Visual management No No Yes
Collections CRUD Yes Yes Yes
Records CRUD Yes Yes Yes
Compute functions Yes Yes Yes
Orchestrations Yes Yes Yes
Pages builder Yes Partial Yes
IAM management Yes No Yes
Full-text search Yes Yes Yes
Real-time events (SSE) No Yes Yes
File uploads No Yes Yes

The MCP server wraps the SDK, so any operation available via MCP is also available programmatically through the SDK. The MCP server adds discovery tools (describe_*) and IAM management that the SDK does not expose directly.

Common Failure Modes

When an AI agent is not getting expected results, check these common issues:

Wrong host in CENTRALI_URL

Set CENTRALI_URL to your root domain (e.g., https://centrali.io or https://dev.centrali.io). The SDK automatically derives the API host (api.centrali.io) and auth host (auth.centrali.io) from this value. Do not pass https://api.centrali.io or https://auth.centrali.io directly.

This only applies to stdio mode. The hosted MCP server handles routing automatically.

Workspace slug mismatch

The CENTRALI_WORKSPACE value must be the workspace slug (e.g., acme-corp), not the display name or UUID. You can find it in the Console URL: https://console.centrali.io/acme-corp/....

This only applies to stdio mode. The hosted MCP server shows a workspace picker during authentication.

Insufficient permissions

A freshly created service account has no permissions by default. If every tool call returns 403 Forbidden, the service account has not been assigned a role.

Fix — assign a role in the Console:

  1. Open the service account in Settings > Service Accounts
  2. Go to the Groups tab and add it to the workspace_administrators group (or a custom group with the permissions you need)
  3. Retry the MCP tool call

For least-privilege setups, create a custom group with a policy scoped to the specific resources the MCP agent needs. See Policies and Permissions for details.

Diagnosing specific permission issues:

If the service account has a role but a specific operation fails, use the IAM tools built into the MCP server:

1. Call scan_service_account_permissions to see the full access matrix
2. Call simulate_service_account_permission for the specific resource + action
3. Call generate_remediation to get fix options
4. Call apply_remediation to grant the missing access

Plan-gated features

Some features (AI insights, anomaly detection, advanced orchestration options) are only available on certain workspace plans. If a tool returns a plan-related error, the workspace needs to be upgraded. The error message will indicate which plan is required.

Async compute execution

invoke_trigger returns a job ID, not the result. The agent must poll get_compute_job_status or get_function_run until the job completes. For synchronous execution, use invoke_endpoint with an HTTP trigger instead.

Rate limits

Service accounts are subject to API rate limits. If the agent is making many rapid requests, it may hit 429 Too Many Requests. Back off and retry.

Local Development

For local development with Centrali services running on your machine, configure the stdio MCP server to point at your local Traefik gateway:

{
  "mcpServers": {
    "centrali-local": {
      "command": "npx",
      "args": ["@centrali-io/centrali-mcp"],
      "env": {
        "CENTRALI_URL": "http://centrali.localhost",
        "CENTRALI_CLIENT_ID": "<local-sa-client-id>",
        "CENTRALI_CLIENT_SECRET": "<local-sa-client-secret>",
        "CENTRALI_WORKSPACE": "your-workspace-slug"
      }
    }
  }
}

Local routing (via Traefik):

URL Routes to
http://api.centrali.localhost API gateway (data, compute, storage, etc.)
http://auth.centrali.localhost IAM service (authentication, tokens)
http://console.centrali.localhost Console UI

See the local development guide for setting up the full stack.

Testing with the MCP Inspector

The MCP Inspector is a visual debugging tool for MCP servers. Use it to test tools interactively:

CENTRALI_URL=https://dev.centrali.io \
CENTRALI_CLIENT_ID=your-client-id \
CENTRALI_CLIENT_SECRET=your-client-secret \
CENTRALI_WORKSPACE=your-workspace \
npx @modelcontextprotocol/inspector node node_modules/@centrali-io/centrali-mcp/dist/index.js

This opens a browser UI where you can call any tool, inspect responses, and debug issues before connecting a real AI agent.