MCP Servers
Integrate external tools and services via the Model Context Protocol (MCP). Register MCP servers to extend agent capabilities with CRM integrations, database access, file operations, and more.
What is MCP?
The Model Context Protocol (MCP) is an open standard developed by Anthropic that enables AI applications to connect with external data sources and tools. MCP servers expose tools, resources, and prompts that agents can use during conversations.
M3 Forge supports MCP through a dual-path architecture:
| Path | Used By | Description |
|---|---|---|
| Agent Direct | marie-ai agents at runtime | Low-latency direct connection for tool execution |
| Gateway HTTP API | Studio UI, n8n workflows, webhooks | HTTP proxy for management and external integrations |
Getting Started
Accessing MCP Settings
Navigate to Settings → AI → MCP Servers to manage your MCP server registrations.

Registering an MCP Server
Choose transport type
MCP supports three transport mechanisms:
| Transport | Use Case | Example |
|---|---|---|
| stdio | Local command-line tools | npx @playwright/mcp@latest |
| Streamable HTTP | Remote web services | https://api.example.com/mcp |
| SSE | Server-sent events (legacy) | https://legacy.example.com/sse |
Configure connection
stdio
stdio servers run as local processes spawned by the MCPExecutor.
| Field | Description | Example |
|---|---|---|
| Command | Executable to run | npx, uvx, python |
| Arguments | Command-line args | ["-y", "@playwright/mcp@latest"] |
| Environment | Environment variables | {"NODE_ENV": "production"} |
{
  "transport": "stdio",
  "command": "npx",
  "args": ["-y", "@playwright/mcp@latest"]
}
Test the connection
Click Test Connection to verify connectivity. A successful test shows:
- Protocol version negotiated
- Server name and version
- Capabilities (tools, resources, prompts)

Discover tools
Click Discover Tools to fetch available tools from the server. Discovered tools are automatically synced to your Tool Library.

Server Configuration
Basic Settings
| Field | Description | Default |
|---|---|---|
| Display Name | Human-readable name | Required |
| Name/Slug | Unique identifier (auto-generated) | From display name |
| Description | Optional notes | - |
| Enabled | Whether server is active | true |
| Timeout | Connection timeout (ms) | 30000 |
| Auto-start | Connect on system startup | false |
| Gateway | Which gateway’s MCPExecutor handles this server | Default gateway |
Authentication
For remote servers (Streamable HTTP, SSE):
| Auth Type | Configuration |
|---|---|
| None | No authentication |
| API Key | Sent as x-api-key header |
| Bearer Token | Sent as Authorization: Bearer <token> |
| Static Headers | Custom key-value headers |
Secrets are stored securely using the configured SecretProvider. Values are shown as {{$secrets.KEY}} references in the UI.
Environment Variables (stdio)
For stdio servers, you can pass environment variables:
{
  "env": {
    "OPENAI_API_KEY": "{{$secrets.OPENAI_API_KEY}}",
    "DATABASE_URL": "postgres://..."
  }
}
Security: PATH, HOME, LD_PRELOAD, and similar sensitive variables are stripped before passing to the subprocess.
Tool Library Integration
Discovered MCP tools are synced to the Tool Library as type: mcp tools:
- Automatic sync: Tools are created/updated on discovery
- Soft disable: Tools removed from server are disabled, not deleted
- Read-only: Synced tools cannot be edited directly — modify the MCP server instead
- Unique slugs: Format mcp--{server}--{tool}--{hash}

Assigning to Agents
MCP tools appear in the tool picker when configuring agents:
- Navigate to Agents → [Your Agent] → Tools
- Search for the MCP tool by name
- Toggle to enable for this agent
Testing & Debugging
MCP Inspector
Before registering a server in M3 Forge, validate it with the official MCP Inspector:
# Test stdio server
npx @modelcontextprotocol/inspector npx @playwright/mcp@latest
# Test with arguments
npx @modelcontextprotocol/inspector npx @modelcontextprotocol/server-filesystem /path/to/dir
# Test Python MCP server
npx @modelcontextprotocol/inspector uvx mcp-server-git --repository ~/code/repo
The Inspector provides:
- Tools tab: List tools, test with inputs, view results
- Resources tab: Browse available data sources
- Prompts tab: Test prompt templates
- Notifications: Server logs and events
Connection Status
Each registered server shows connection status:
| Status | Meaning |
|---|---|
| 🟢 Connected | Last test/discover succeeded |
| 🔵 Connecting | Operation in progress |
| 🔴 Error | Connection failed — see error message |
| ⚪ Disconnected | Never tested or stale |
Common Issues
stdio
Command not found
- Verify npx/uvx/python is in PATH on the MCPExecutor host
- Use absolute paths if needed: /usr/bin/npx
Permission denied
- Check file permissions on the command
- Ensure MCPExecutor runs with appropriate user
Timeout
- Increase timeout in server settings
- Check if the command hangs waiting for input
Debug Endpoints
Test MCP operations directly via the Gateway API:
# Test connection
curl -X POST http://localhost:51000/api/mcp/test \
-H "Content-Type: application/json" \
-d '{
"transport": "stdio",
"command": "npx",
"args": ["-y", "@playwright/mcp@latest"],
"timeout": 30
}'
# Discover tools
curl -X POST http://localhost:51000/api/mcp/discover \
-H "Content-Type: application/json" \
-d '{
"transport": "stdio",
"command": "npx",
"args": ["-y", "@playwright/mcp@latest"],
"timeout": 30
}'
# Call a tool
curl -X POST http://localhost:51000/api/mcp/call \
-H "Content-Type: application/json" \
-d '{
"transport": "stdio",
"command": "npx",
"args": ["-y", "@playwright/mcp@latest"],
"timeout": 30,
"toolName": "browser_navigate",
"toolArguments": {"url": "https://example.com"}
}'
Security Considerations
Access Control
- Admin-only registration: Only administrators can register MCP servers
- Tool execution: Authenticated users can execute tools assigned to their agents
- Secret management: Credentials stored via SecretProvider, never in plaintext
stdio Security
stdio transport spawns processes on the MCPExecutor host. Security measures:
| Measure | Description |
|---|---|
| Admin-only | Only admins can configure stdio servers |
| Isolated executor | MCPExecutor runs in its own container/pod |
| Command allowlist | Optional: restrict to approved commands |
| Env sanitization | Dangerous env vars stripped |
Trust model: stdio servers can execute arbitrary code on the MCPExecutor host. Only register servers from trusted sources.
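The command allowlist and environment sanitization described above can be sketched as a pre-spawn check. This is an added example, not M3 Forge's own code: the function names, the allowlist contents and every denied variable beyond PATH, HOME and LD_PRELOAD are assumptions.

```python
import re

# Policy values are assumptions for this sketch. The page names only PATH, HOME
# and LD_PRELOAD ("and similar"); the other entries are illustrative.
ALLOWED_COMMANDS = {"npx", "uvx", "python", "/usr/bin/npx"}
DENIED_ENV = {"PATH", "HOME", "LD_PRELOAD", "PYTHONPATH", "NODE_OPTIONS"}
DENIED_PREFIXES = ("LD_", "DYLD_")
ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class RegistrationError(ValueError):
    """A stdio registration violates the policy."""


def sanitize_env(env):
    """Split env into (kept, dropped_names), dropping loader and search-path variables."""
    kept, dropped = {}, []
    for name, value in env.items():
        upper = name.upper()
        if (not ENV_NAME.fullmatch(name) or upper in DENIED_ENV
                or upper.startswith(DENIED_PREFIXES)):
            dropped.append(name)
        else:
            kept[name] = str(value)
    return kept, sorted(dropped)


def validate_stdio_registration(config, allowed=ALLOWED_COMMANDS):
    """Return (cleaned_config, dropped_env_names) or raise RegistrationError."""
    if config.get("transport") != "stdio":
        raise RegistrationError("not a stdio registration")
    command = config.get("command")
    # Exact match only: "/tmp/npx" must not pass because its basename is "npx".
    if not isinstance(command, str) or command not in allowed:
        raise RegistrationError(f"command not on allowlist: {command!r}")
    args = config.get("args", [])
    # A list of strings is handed over as argv; one string would invite shell parsing.
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise RegistrationError("args must be a list of strings")
    env, dropped = sanitize_env(config.get("env", {}))
    return {"transport": "stdio", "command": command, "args": args, "env": env}, dropped


# Constructed sample registration, not taken from a real deployment.
SAMPLE = {"transport": "stdio", "command": "npx", "args": ["-y", "@playwright/mcp@latest"],
          "env": {"NODE_ENV": "production", "LD_PRELOAD": "/tmp/x.so", "PATH": "/tmp/bin"}}

if __name__ == "__main__":
    print(validate_stdio_registration(SAMPLE))
```

Returning the dropped variable names lets the caller write them to the audit log instead of discarding them silently.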
Prompt Injection Risks
MCP tools can be vectors for prompt injection:
- Review tool outputs: Attackers may embed instructions in data
- Validate inputs: Don’t pass untrusted user input directly to tools
- Limit sensitive access: Minimize MCP access to sensitive data sources
Best practices:
- Use official MCP servers from service providers
- Review tool definitions before enabling
- Monitor tool execution logs
- Implement user confirmation for destructive operations
Architecture Details
Dual-Path Model
Path 1: Agent Direct (runtime tool execution)
Agent → MCPTool → MCPSessionProvider → MCP Server
- Used for: Low-latency agent tool calls
- Session management: Persistent, ref-counted
- Pattern: BeeAI framework compatible
Path 2: Gateway HTTP API (management operations)
Studio → Gateway → MCPExecutor → MCP Server
- Used for: Test, discover, sync; external integrations
- Session management: Per-request
- Endpoints: /api/mcp/test, /api/mcp/discover, /api/mcp/call
Data Flow
API Reference
tRPC Endpoints
| Endpoint | Auth | Description |
|---|---|---|
| mcpServers.list | User | List all registered servers |
| mcpServers.get | User | Get server by ID |
| mcpServers.create | Admin | Register new server |
| mcpServers.update | Admin | Update server config |
| mcpServers.delete | Admin | Remove server |
| mcpServers.setEnabled | Admin | Enable/disable server |
| mcpServers.testConnection | Admin | Test server connectivity |
| mcpServers.discoverTools | Admin | Fetch and sync tools |
| mcpServers.callTool | User | Execute a tool |
| mcpServers.callToolByDefinitionId | User | Execute by ToolDefinition ID |
Gateway Endpoints
| Endpoint | Method | Description |
|---|---|---|
| /api/mcp/test | POST | Test MCP server connection |
| /api/mcp/discover | POST | List tools from server |
| /api/mcp/call | POST | Execute a tool |
Best Practices
Server Registration
- Test with Inspector first — Validate servers work before registering
- Use descriptive names — “Playwright Browser” not “mcp-1”
- Document purpose — Add description explaining what the server provides
- Start disabled — Enable after verifying tools work correctly
Tool Management
- Review before enabling — Check tool descriptions and schemas
- Assign selectively — Only give agents the tools they need
- Monitor usage — Watch for unexpected tool calls in logs
- Re-discover periodically — Server tools may change over time
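Because server tools may change between discoveries, a reviewed tool list can be pinned by fingerprint so that later changes go back to review before agents use them. This is an added example, not M3 Forge's sync logic: the function names and sample tools are assumptions, and the hashed fields (name, description, inputSchema) are those of an MCP tool definition.

```python
import hashlib
import json


def fingerprint(tool):
    """SHA-256 over the fields the model is shown: name, description, inputSchema."""
    shown = {k: tool.get(k) for k in ("name", "description", "inputSchema")}
    canonical = json.dumps(shown, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def approve(tools):
    """Record fingerprints for a reviewed tool list: {name: sha256}."""
    return {t["name"]: fingerprint(t) for t in tools}


def diff_discovery(approved, discovered):
    """Classify a fresh discovery against the approved fingerprints."""
    seen = approve(discovered)
    return {
        "new": sorted(n for n in seen if n not in approved),
        "changed": sorted(n for n in seen if n in approved and seen[n] != approved[n]),
        "removed": sorted(n for n in approved if n not in seen),
    }


# Constructed sample data. Only browser_navigate appears on the page; the other
# tool names, descriptions and schemas are hypothetical.
URL_SCHEMA = {"type": "object", "properties": {"url": {"type": "string"}}, "required": ["url"]}
REVIEWED = [
    {"name": "browser_navigate", "description": "Navigate to a URL", "inputSchema": URL_SCHEMA},
    {"name": "browser_close", "description": "Close the page", "inputSchema": {"type": "object"}},
]
REDISCOVERED = [
    # Same name and schema, but the description changed after review.
    {"name": "browser_navigate", "description": "Navigate to a URL. Text added after review.",
     "inputSchema": URL_SCHEMA},
    {"name": "browser_upload", "description": "Upload a file", "inputSchema": {"type": "object"}},
]

if __name__ == "__main__":
    print(diff_discovery(approve(REVIEWED), REDISCOVERED))
```

Tools reported as new or changed are the ones whose descriptions and schemas need a second review, since the description is text the agent reads as part of its context.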
Production Deployment
- Separate MCPExecutor — Run in isolated container with minimal privileges
- Network policies — Restrict MCPExecutor egress to known MCP servers
- Resource limits — Set CPU/memory limits to prevent runaway processes
- Audit logging — Log all MCP operations for security review
Next Steps
- Gateways — Configure gateway connections
- Deployments — Monitor MCPExecutor deployment
- Registry — Discover registered services
- Debug — Troubleshoot MCP issues