Skip to main content
These operations manage inbound MCP servers — the upstream servers your gateways expose. Creating and editing servers requires the Basic server management capability; enabling, disabling, and deleting have their own capabilities.
Closed beta. The MCP Manager Admin API and MCP server are available now to a limited set of workspaces through the MCP Manager Admin API entitlement (ff-mcpm-admin), ahead of general availability. If you don’t see Settings → MCP & API in your workspace, it isn’t enabled for you yet — ask your MCP Manager contact to join the beta.

List Servers

Read-only List the caller’s inbound MCP servers. Returns each accessible inbound server as { guid, name, url, enabled, authenticationType, authenticationStatus }. The set is scoped to the servers the caller’s role and team membership permit, exactly like the servers overview page. MCP tool: list_inbound_servers · REST: GET /api/v1/mcpm-admin/servers · Capability: View all servers (viewAllServers) Parameters: none. Example

Get Server

Read-only Fetch a single inbound server, including its authentication status. Returns the server as { guid, name, url, enabled, authenticationType, authenticationStatus }. Poll authenticationStatus after create_inbound_server: feature-learn runs asynchronously, so a newly created token-auth server stays needs-authentication until it is validated, then flips to authenticated (or unsupported on failure). Open servers report open. MCP tool: get_inbound_server · REST: GET /api/v1/mcpm-admin/servers/:inboundServerGuid · Capability: View all servers (viewAllServers) Parameters
inboundServerGuid
string
required
The guid of the inbound server to fetch (from list_inbound_servers).
Example

Create Server

Create a remote inbound MCP server (open, static-header, or OAuth auth). Creates an unmanaged remote inbound server owned by the caller (a creator edge to the calling user), enabled by default, then kicks off feature-learning to validate it and discover its tools.
  • authType: "none" — an open server needing no credential. No identity or secret is created; the server reports authenticationStatus: "open".
  • authType: "headers" — static-header / API-key auth. Provide headers as a name → value map; a credential identity is created and the headers are stored encrypted. Header values are never logged.
  • authType: "oauth" — OAuth 2.1. Two completion paths:
  • Headless token injection: supply oauthAccessToken, oauthClientId, and oauthTokenEndpoint (plus optional oauthRefreshToken, oauthExpiresAt, oauthClientSecret, oauthScope). The server is authenticated with no browser step; secrets are stored encrypted and never logged.
  • Interactive: omit the oauth* token fields. The response includes authorizationUrl — relay it to the user to open in a browser and approve at the provider. The server-side redirect callback then completes the exchange and creates the identity automatically. Until that approval the server has NO credential identity, so if you assign it to a gateway now, prefer identityScheme:‘userIdentity’ (each user authenticates themselves) or wait until approval and then select the shared identity.
Feature-learning runs asynchronously, so a headers / token-injected server is returned as needs-authentication; poll get_inbound_server until authenticationStatus becomes authenticated (or unsupported on failure). For the interactive OAuth path, poll until the human finishes approving. MCP tool: create_inbound_server · REST: POST /api/v1/mcpm-admin/servers · Capability: Basic server management (basicServerManagement) Parameters
name
string
required
A human-readable name for the server (e.g. “Microsoft Learn MCP”).
url
string
required
The remote MCP server URL (e.g. “https://learn.microsoft.com/api/mcp”).
authType
string
required
How to authenticate to the server: ‘none’ for an open server that needs no credential, ‘headers’ for static-header / API-key auth (provide headers), or ‘oauth’ for OAuth 2.1 (supply the oauth* token fields for a fully headless setup, or omit them to receive an authorization URL for a human to approve). One of: none, headers, oauth.
headers
object
Static request headers to authenticate with, as a name → value map (e.g. { "Authorization": "Bearer ..." }). Required when authType is headers. Header values are secrets — they are stored encrypted and never logged. mcpm- prefixed headers are reserved and dropped. (a string → string map)
oauthAccessToken
string
OAuth access token for headless token injection (authType: "oauth"). When provided together with oauthClientId and oauthTokenEndpoint, the server is authenticated without any browser step. Secret — never logged.
oauthRefreshToken
string
OAuth refresh token (optional) for headless token injection. Secret — never logged.
oauthExpiresAt
integer
Unix epoch milliseconds at which the access token expires (optional) for headless token injection.
oauthTokenEndpoint
string
The OAuth token endpoint URL, used to refresh the access token. Required for headless token injection.
oauthClientId
string
The OAuth client id. Required for headless token injection.
oauthClientSecret
string
The OAuth client secret (optional — confidential clients only) for headless token injection. Secret — never logged.
oauthScope
string
Space-separated OAuth scopes granted to the token (optional) for headless token injection.
identityLabel
string
A name for the credential identity created on the headers / oauth paths. Defaults to “<server> Identity”.
accessControl
string
default:"private"
Who may use the created credential: ‘private’ (only the creator) or ‘global’ (anyone in the org). Defaults to ‘private’. Ignored on the open path. One of: private, global.
Example

Rename Server

Change a server’s name. Renames the inbound server to newName (the only editable field — a remote server’s URL and auth are fixed at creation). Saved only when the name actually changes. Returns the updated server as { guid, name, url, enabled, authenticationType, authenticationStatus }. MCP tool: rename_inbound_server · REST: PATCH /api/v1/mcpm-admin/servers/:inboundServerGuid/name · Capability: Basic server management (basicServerManagement) Parameters
inboundServerGuid
string
required
The guid of the server to rename (from list_inbound_servers).
newName
string
required
The new display name for the server.
Example

Enable Server

Enable a server. Enables the inbound server so it can be reached through its gateways. Saved only when the state actually changes. Returns the updated server summary. MCP tool: enable_inbound_server · REST: POST /api/v1/mcpm-admin/servers/:inboundServerGuid/enable · Capability: Disable and enable servers (enableDisableServers) Parameters
inboundServerGuid
string
required
The guid of the server to enable (from list_inbound_servers).
Example

Disable Server

Disable a server. Disables the inbound server so it is no longer reachable through any gateway (assignments stay but go inert). Saved only when the state actually changes. Returns the updated server summary. MCP tool: disable_inbound_server · REST: POST /api/v1/mcpm-admin/servers/:inboundServerGuid/disable · Capability: Disable and enable servers (enableDisableServers) Parameters
inboundServerGuid
string
required
The guid of the server to disable (from list_inbound_servers).
Example

Delete Server

Destructive Delete a server. Permanently deletes the inbound server. Its gateway assignments and identities are not deleted — the assignments go inert (the server they point at is gone) and any identities linger until removed explicitly. Returns { deleted: true, inboundServerGuid }. MCP tool: delete_inbound_server · REST: DELETE /api/v1/mcpm-admin/servers/:inboundServerGuid · Capability: Delete servers (deleteServers) Parameters
inboundServerGuid
string
required
The guid of the server to delete (from list_inbound_servers).
Example

Further reading

Identities

Where to go next in this section.

Authentication & access

Tokens, the entitlement, capability gating, and error codes for every operation here.

Tool & endpoint reference

The full reference index across every domain.

Capabilities

What each capability named on this page actually allows.