> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mcpmanager.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Servers

> Admin API operations for managing inbound MCP servers: create remote servers with open, header, or OAuth authentication, and rename, enable, disable, and delete them.

These operations manage inbound MCP servers — the upstream servers your gateways expose. Creating and editing servers requires the Basic server management capability; enabling, disabling, and deleting have their own capabilities.

<Info>
  **Closed beta.** The MCP Manager Admin API and MCP server are available now to a
  limited set of workspaces through the **MCP Manager Admin API** entitlement
  (`ff-mcpm-admin`), ahead of general availability. If you don't see **Settings →
  MCP & API** in your workspace, it isn't enabled for you yet — ask your MCP Manager
  contact to join the beta.
</Info>

## List Servers

<Badge color="green">Read-only</Badge>

List the caller's inbound MCP servers.

Returns each accessible inbound server as `{ guid, name, url, enabled, authenticationType, authenticationStatus }`. The set is scoped to the servers the caller's role and team membership permit, exactly like the servers overview page.

**MCP tool:** `list_inbound_servers` · **REST:** `GET /api/v1/mcpm-admin/servers` · **Capability:** View all servers (`viewAllServers`)

**Parameters:** none.

**Example**

```json theme={null}
{}
```

## Get Server

<Badge color="green">Read-only</Badge>

Fetch a single inbound server, including its authentication status.

Returns the server as `{ guid, name, url, enabled, authenticationType, authenticationStatus }`. Poll `authenticationStatus` after `create_inbound_server`: feature-learn runs asynchronously, so a newly created token-auth server stays `needs-authentication` until it is validated, then flips to `authenticated` (or `unsupported` on failure). Open servers report `open`.

**MCP tool:** `get_inbound_server` · **REST:** `GET /api/v1/mcpm-admin/servers/:inboundServerGuid` · **Capability:** View all servers (`viewAllServers`)

**Parameters**

<ParamField path="inboundServerGuid" type="string" required>
  The guid of the inbound server to fetch (from list\_inbound\_servers).
</ParamField>

**Example**

```json theme={null}
{"inboundServerGuid":"MIS-..."}
```

## Create Server

Create a remote inbound MCP server (open, static-header, or OAuth auth).

Creates an unmanaged remote inbound server owned by the caller (a `creator` edge to the calling user), enabled by default, then kicks off feature-learning to validate it and discover its tools.

* `authType: "none"` — an open server needing no credential. No identity or secret is created; the server reports `authenticationStatus: "open"`.
* `authType: "headers"` — static-header / API-key auth. Provide `headers` as a name → value map; a credential identity is created and the headers are stored **encrypted**. Header values are never logged.
* `authType: "oauth"` — OAuth 2.1. Two completion paths:
* **Headless token injection**: supply `oauthAccessToken`, `oauthClientId`, and `oauthTokenEndpoint` (plus optional `oauthRefreshToken`, `oauthExpiresAt`, `oauthClientSecret`, `oauthScope`). The server is authenticated with no browser step; secrets are stored **encrypted** and never logged.
* **Interactive**: omit the `oauth*` token fields. The response includes `authorizationUrl` — relay it to the user to open in a browser and approve at the provider. The server-side redirect callback then completes the exchange and creates the identity automatically. Until that approval the server has NO credential identity, so if you assign it to a gateway now, prefer identityScheme:'userIdentity' (each user authenticates themselves) or wait until approval and then select the shared identity.

Feature-learning runs asynchronously, so a `headers` / token-injected server is returned as `needs-authentication`; poll `get_inbound_server` until `authenticationStatus` becomes `authenticated` (or `unsupported` on failure). For the interactive OAuth path, poll until the human finishes approving.

**MCP tool:** `create_inbound_server` · **REST:** `POST /api/v1/mcpm-admin/servers` · **Capability:** Basic server management (`basicServerManagement`)

**Parameters**

<ParamField body="name" type="string" required>
  A human-readable name for the server (e.g. "Microsoft Learn MCP").
</ParamField>

<ParamField body="url" type="string" required>
  The remote MCP server URL (e.g. "[https://learn.microsoft.com/api/mcp](https://learn.microsoft.com/api/mcp)").
</ParamField>

<ParamField body="authType" type="string" required>
  How to authenticate to the server: 'none' for an open server that needs no credential, 'headers' for static-header / API-key auth (provide `headers`), or 'oauth' for OAuth 2.1 (supply the `oauth*` token fields for a fully headless setup, or omit them to receive an authorization URL for a human to approve). One of: `none`, `headers`, `oauth`.
</ParamField>

<ParamField body="headers" type="object">
  Static request headers to authenticate with, as a name → value map (e.g. `{ "Authorization": "Bearer ..." }`). Required when `authType` is `headers`. Header values are secrets — they are stored encrypted and never logged. `mcpm-` prefixed headers are reserved and dropped. *(a string → string map)*
</ParamField>

<ParamField body="oauthAccessToken" type="string">
  OAuth access token for headless token injection (`authType: "oauth"`). When provided together with `oauthClientId` and `oauthTokenEndpoint`, the server is authenticated without any browser step. Secret — never logged.
</ParamField>

<ParamField body="oauthRefreshToken" type="string">
  OAuth refresh token (optional) for headless token injection. Secret — never logged.
</ParamField>

<ParamField body="oauthExpiresAt" type="integer">
  Unix epoch milliseconds at which the access token expires (optional) for headless token injection.
</ParamField>

<ParamField body="oauthTokenEndpoint" type="string">
  The OAuth token endpoint URL, used to refresh the access token. Required for headless token injection.
</ParamField>

<ParamField body="oauthClientId" type="string">
  The OAuth client id. Required for headless token injection.
</ParamField>

<ParamField body="oauthClientSecret" type="string">
  The OAuth client secret (optional — confidential clients only) for headless token injection. Secret — never logged.
</ParamField>

<ParamField body="oauthScope" type="string">
  Space-separated OAuth scopes granted to the token (optional) for headless token injection.
</ParamField>

<ParamField body="identityLabel" type="string">
  A name for the credential identity created on the `headers` / `oauth` paths. Defaults to "\<server> Identity".
</ParamField>

<ParamField body="accessControl" type="string" default="private">
  Who may use the created credential: 'private' (only the creator) or 'global' (anyone in the org). Defaults to 'private'. Ignored on the open path. One of: `private`, `global`.
</ParamField>

**Example**

```json theme={null}
{"name":"Microsoft Learn MCP","url":"https://learn.microsoft.com/api/mcp","authType":"none"}
```

## Rename Server

Change a server's name.

Renames the inbound server to `newName` (the only editable field — a remote server's URL and auth are fixed at creation). Saved only when the name actually changes. Returns the updated server as `{ guid, name, url, enabled, authenticationType, authenticationStatus }`.

**MCP tool:** `rename_inbound_server` · **REST:** `PATCH /api/v1/mcpm-admin/servers/:inboundServerGuid/name` · **Capability:** Basic server management (`basicServerManagement`)

**Parameters**

<ParamField path="inboundServerGuid" type="string" required>
  The guid of the server to rename (from list\_inbound\_servers).
</ParamField>

<ParamField body="newName" type="string" required>
  The new display name for the server.
</ParamField>

**Example**

```json theme={null}
{"inboundServerGuid":"MIS-...","newName":"Atlassian (prod)"}
```

## Enable Server

Enable a server.

Enables the inbound server so it can be reached through its gateways. Saved only when the state actually changes. Returns the updated server summary.

**MCP tool:** `enable_inbound_server` · **REST:** `POST /api/v1/mcpm-admin/servers/:inboundServerGuid/enable` · **Capability:** Disable and enable servers (`enableDisableServers`)

**Parameters**

<ParamField path="inboundServerGuid" type="string" required>
  The guid of the server to enable (from list\_inbound\_servers).
</ParamField>

**Example**

```json theme={null}
{"inboundServerGuid":"MIS-..."}
```

## Disable Server

Disable a server.

Disables the inbound server so it is no longer reachable through any gateway (assignments stay but go inert). Saved only when the state actually changes. Returns the updated server summary.

**MCP tool:** `disable_inbound_server` · **REST:** `POST /api/v1/mcpm-admin/servers/:inboundServerGuid/disable` · **Capability:** Disable and enable servers (`enableDisableServers`)

**Parameters**

<ParamField path="inboundServerGuid" type="string" required>
  The guid of the server to disable (from list\_inbound\_servers).
</ParamField>

**Example**

```json theme={null}
{"inboundServerGuid":"MIS-..."}
```

## Delete Server

<Badge color="red">Destructive</Badge>

Delete a server.

Permanently deletes the inbound server. Its gateway assignments and identities are not deleted — the assignments go inert (the server they point at is gone) and any identities linger until removed explicitly. Returns `{ deleted: true, inboundServerGuid }`.

**MCP tool:** `delete_inbound_server` · **REST:** `DELETE /api/v1/mcpm-admin/servers/:inboundServerGuid` · **Capability:** Delete servers (`deleteServers`)

**Parameters**

<ParamField path="inboundServerGuid" type="string" required>
  The guid of the server to delete (from list\_inbound\_servers).
</ParamField>

**Example**

```json theme={null}
{"inboundServerGuid":"MIS-..."}
```

## Further reading

<CardGroup cols={2}>
  <Card title="Identities" icon="arrow-right" href="/admin-api/reference/identities">
    Where to go next in this section.
  </Card>

  <Card title="Authentication & access" icon="shield-halved" href="/admin-api/authentication">
    Tokens, the entitlement, capability gating, and error codes for every operation here.
  </Card>

  <Card title="Tool & endpoint reference" icon="book" href="/admin-api/reference/overview">
    The full reference index across every domain.
  </Card>

  <Card title="Capabilities" icon="key" href="/deployment/rbac-and-roles/capabilities">
    What each capability named on this page actually allows.
  </Card>
</CardGroup>
