Custom MCP Server Integration
You can connect MCP servers already built within your enterprise to QueryPie AIP.
Key Features
- Real-time communication with Remote MCP servers based on SSE (Server-Sent Events).
- Supports authentication through custom headers. Currently, only fixed header values are supported.
- Supports OAuth 2.0 authentication, allowing users to securely log in with their personal accounts. Even when administrators change OAuth settings (Client ID, Secret, etc.), existing users’ authentication is maintained, so they can continue using the service without re-authentication.
- Supports dynamic tool schema loading.
- Supports various MCP protocol versions.
Authentication Methods
Three authentication methods are supported depending on your Custom MCP server’s requirements.
| Method | When to Use | Setup | Token Management |
|---|---|---|---|
| OAuth 2.0 | Per-user authentication with individual accounts | Enter MCP Server URL → OAuth login | Per-user tokens |
| Header-based Auth | Using fixed tokens such as Bearer Token or API Key | Enter directly in Headers | Shared across all users |
| No Auth | Public servers or network-level access control is sufficient | No additional setup | — |
OAuth 2.0 lets each user log in with their own account and receive individual tokens. If the MCP server supports OAuth, AIP automatically detects it when the URL is entered. See the OAuth2 Authentication & DCR Guide for details.
Header-based authentication uses fixed values entered in the Headers for MCP server section. Configure headers like Authorization: Bearer {token} or X-API-Key: {key}. The entered headers apply identically to all users accessing that MCP server. When a Bearer Token is set in headers, OAuth Discovery is not performed.
No authentication applies when the MCP server does not require authentication, or when network-level access control such as VPN is sufficient.
Shared vs Individual Authentication
When an admin integrates an MCP server, the configuration determines whether it operates with shared authentication or individual authentication.
Shared authentication (header-based) — When the admin enters a token in Headers during integration setup, that token applies identically to all users. Users can use the MCP server immediately without separate login, but all requests are identified as the same account on the server side. This is suitable when per-user permission separation is not needed, or when a single service account is sufficient.
Individual authentication (OAuth 2.0) — When Headers are left empty and only the MCP Server URL is entered, AIP performs OAuth Discovery. If the MCP server supports OAuth, each user is presented with an OAuth login popup and receives their own individual tokens. This is suitable when the server needs to apply different permissions per user, or when audit trails of who performed what actions are required.
Configuration summary:
| Desired Behavior | Headers Setting | OAuth Support Required | Result |
|---|---|---|---|
| All users access via shared account | Enter token | Not required | All users share the same token |
| Per-user individual authentication | Leave empty | Required | Each user logs in via OAuth |
When a Bearer Token is set in Headers, OAuth Discovery is not performed. To use individual authentication, Headers must be left empty.
How to Integrate Custom MCP Server
Access MCP Integrations Page
Click the All Integrations tab in the Integrations menu.

Click the Custom MCP Integration Setup card to navigate to the Install New MCP Integration page.
Enter Integration Information

Enter the following information in the Integration Information section:
- Name (Required): Name of the MCP server to integrate (e.g., Custom SSE)
- Description (Required): Brief description of the MCP server (e.g., Connect to Custom MCP SSE endpoint)
- MCP Server URL (SSE) (Required): SSE endpoint URL of the MCP server
  - Format: https://mcp.example.com/sse
  - Enter the SSE endpoint URL of your actually running MCP server.
In the Headers for MCP server (Optional) section, set headers if authentication is required.
- Key: Header key (e.g., Authorization, X-API-Key)
- Value: Header value (e.g., Bearer your-token-here)
- If additional headers are needed, click the + button to add more headers.
After entering all information, click the Install button.
An OAuth authentication popup is displayed only for services that provide OAuth authentication. Depending on the service, the popup may not appear.
Integration Complete

Once integration is successful, you can check it in the Installed Integrations list.
The tools from the integrated MCP server automatically become available in AI chat.
You can create MCP Presets to combine tools for specific workflows.
Connecting to MCP Servers Running on Local or Private Networks
If the MCP server is running on a local or private network, you can use the Edge tunnel feature to connect AIP to the MCP server you registered as Custom MCP.
The Edge tunnel creates a secure connection between your local MCP server and AIP, allowing you to use local MCP servers without exposing them to the public internet.
For detailed setup instructions, see the Edge Tunnel documentation.
Troubleshooting
OAuth Popup Not Appearing
- Check if a Bearer Token is set in Headers. When a Bearer Token is present, OAuth Discovery is automatically disabled. To use individual authentication (OAuth), leave Headers empty.
- Verify that OAuth metadata discovery works correctly. AIP first checks Protected Resource Metadata (WWW-Authenticate or /.well-known/oauth-protected-resource) and then follows authorization_servers to Authorization Server Metadata.
- For internal network servers, check that the Use Edge Tunnel option is enabled.
For detailed OAuth troubleshooting, see OAuth2 Authentication & DCR Guide.
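One way to run the first two checks above from a host that can reach the MCP server, as an added example (not QueryPie's code): it stops when a Bearer header is configured, then walks Protected Resource Metadata to Authorization Server Metadata and reports the first broken link. The function names, the fetch hook, the RFC 8414 well-known path used for Authorization Server Metadata and the two endpoint fields it requires are assumptions of this example; AIP's exact lookup may differ.

```python
import json, re, urllib.error, urllib.request
from urllib.parse import urljoin, urlsplit

def http_fetch(url):
    """Unauthenticated GET; reads only JSON bodies so an SSE stream is never consumed."""
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            is_json = "json" in r.headers.get("Content-Type", "")
            return r.status, dict(r.headers), r.read().decode() if is_json else ""
    except urllib.error.HTTPError as e:  # a 401 challenge is the expected reply
        return e.code, dict(e.headers), ""

def well_known(issuer, suffix):
    """Insert /.well-known/<suffix> between host and path (RFC 8414)."""
    u = urlsplit(issuer)
    return f"{u.scheme}://{u.netloc}/.well-known/{suffix}{u.path.rstrip('/')}"

def load_json(fetch, url, label):
    """Fetch one metadata document; return (dict, None) or (None, reason)."""
    status, _, body = fetch(url)
    try:
        doc = json.loads(body) if status == 200 else None
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return None, f"{label} not usable at {url} (HTTP {status})"
    return doc, None

def diagnose(server_url, headers, fetch=http_fetch):
    """Walk the discovery chain; return (ok, reason)."""
    if any(k.lower() == "authorization" and v.lower().startswith("bearer ")
           for k, v in headers.items()):
        return False, "Bearer token set in Headers: OAuth Discovery is skipped"
    reply = {k.lower(): v for k, v in fetch(server_url)[1].items()}
    m = re.search(r'resource_metadata="([^"]+)"', reply.get("www-authenticate", ""))
    fallback = urljoin(server_url, "/.well-known/oauth-protected-resource")
    prm_url = m.group(1) if m else fallback
    prm, err = load_json(fetch, prm_url, "Protected Resource Metadata")
    if err:
        return False, err
    servers = prm.get("authorization_servers") or []
    if not servers:
        return False, "Protected Resource Metadata lists no authorization_servers"
    as_url = well_known(servers[0], "oauth-authorization-server")
    asm, err = load_json(fetch, as_url, "Authorization Server Metadata")
    if err:
        return False, err
    if not {"authorization_endpoint", "token_endpoint"} <= asm.keys():
        return False, "Authorization Server Metadata lacks an authorization or token endpoint"
    return True, f"discovery chain complete via {servers[0]}"
```

Call diagnose with the MCP Server URL and a dict of the same headers entered in the Headers for MCP server section; for a server on a private network, run it from inside that network.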
Connection Failure
- Verify that the MCP server URL is correct.
- Check firewall settings.
- Verify that custom header settings are correct.
- Confirm that the MCP server is operating normally.
Tool Loading Failure
- Verify that the MCP server returns correct tool schemas.
- Check that the JSON format is correct.
- Check server logs to analyze error messages.