Loading

Create an OAuth client in Elastic Agent Builder

Register a new OAuth client in Elastic Agent Builder to generate the credentials that an MCP host, such as Claude Desktop, needs to connect over OAuth 2.1. This is a one-time step you complete before connecting any host to Elastic Agent Builder.

Each OAuth client is scoped to a single Serverless project. Creating a client gives you a client ID and the MCP server URL for that project. For confidential clients, you also get a client secret that is shown only once and can't be retrieved later.

Note

In the Kibana UI, OAuth clients are labeled MCP clients. The button and menu labels in these steps, such as Add MCP client, refer to the OAuth client you're creating.

Before you create an OAuth client:

  1. Open the MCP client management page

    1. Find Agents in the navigation menu. You can also search for Agent Builder in the global search bar.
    2. Click Manage components at the bottom of the left sidebar, then select Tools.
    3. On the tools library page, click Manage MCP, and then select Manage MCP clients (OAuth).
    4. Click Add MCP client.

    You can also get to this page from Admin and settingsApplication connectionsManage MCP clients.

  2. Name the client

    Enter a Client name. The name is visible to users during the authorization flow, so use something that clearly identifies the application (for example, Claude Desktop — Engineering).

  3. Optionally set a Client logo to identify the application in the list. Use Select logo to choose from provided options, or select Upload logo to use a custom image.

    Selecting a logo is cosmetic, and does not pre-configure any settings.

  4. Set the redirect URI

    The redirect URI tells the authorization server where to return the user after they authorize the connection. Select the redirect URI type:

    • Local — For applications running on your local machine. The redirect URIs are pre-populated with http://localhost/callback and http://localhost/oauth/callback. Replace or supplement these values to match your Agent's expected callback URL. The authorization server accepts any localhost port, but the path must match exactly. Common values:
      • Claude Desktop (mcp-remote): http://localhost/oauth/callback
      • Claude Code CLI (native HTTP): http://localhost/callback
    • Remote — For hosted or cloud-based applications. Enter a single https:// URL. Plain HTTP is not accepted.

    For local clients that need more than one redirect URI, click Add local URL to add additional URLs.

  5. Optional: Generate a client secret

    You can optionally select Generate confidential MCP client to add a client secret for extra security. This is most useful when your MCP host can store a secret securely, such as a server-side service.

    The client secret is displayed after you create the client. The secret is only displayed once and can't be retrieved later.

  6. Save the client

    Click Create client. The Copy server details for [client name] dialog displays the values your MCP host (AI agent) needs to authenticate:

    • Client ID: The identifier for this client.
    • MCP server URL: The endpoint your MCP host uses to reach this project's Elastic Agent Builder tools.
    • Client secret: Appears for confidential clients only. This value is displayed only once and can't be retrieved later, so copy or download it before you close the dialog.

    You'll use these values to connect an MCP host.

    The client ID and MCP server URL can be retrieved at any time from the MCP clients page.

Note

OAuth clients can also be created through the Kibana API. To create a client through the API, you must use an Elastic Cloud API key with Cloud, Elasticsearch, and Kibana API access. Creating a client with an API key created directly in Elasticsearch is not supported.

Clients created through the API are not visible in the Agent Builder client list in Kibana, because they are not owned by a specific user. They appear only in the organization-level Application connections view in the Elastic Cloud Console.

Now that you have the client ID and MCP server URL for your OAuth client, configure your MCP host to use them.

You can also share these values so that other people connect the same client in their own MCP hosts. Each person authorizes access separately and gets their own connection.