> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mcpmanager.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Grafana Cloud

> How to forward MCP Manager logs to Grafana Cloud over OpenTelemetry: the /otlp/v1/logs gateway URL, building the instanceID:token Basic auth header, the logs:write access-policy token, and querying logs in Loki with LogQL.

Grafana Cloud exposes a managed OTLP gateway that accepts OpenTelemetry logs natively over OTLP/HTTP, so MCP Manager can send logs directly with no intermediate collector. Grafana Cloud converts incoming OTLP logs into **Loki**, where you query them with LogQL.

This guide covers the Grafana Cloud-specific details. For what MCP Manager sends, how forwarding behaves, who can configure it, and general troubleshooting, see [Export to SIEM](/enterprise/export-to-siem).

<Info>
  Configuring log forwarding requires the **Manage OpenTelemetry collector** capability and an Enterprise plan that includes the OpenTelemetry integration. If you do not see the **Logging → Integrations** panel, see [Who can set up log export](/enterprise/export-to-siem#who-can-set-up-log-export).
</Info>

## What you'll need

* A **Grafana Cloud** stack.
* Your stack's numeric **instance ID** and OTLP gateway URL (both shown in the Grafana Cloud portal).
* A **Cloud Access Policy token** scoped with `logs:write` — **not** a Grafana API or service-account token.
* Access to MCP Manager with the **Manage OpenTelemetry collector** capability.

## Step 1: Find your OTLP gateway URL and instance ID

In the Grafana Cloud portal, select your stack and open the **OpenTelemetry** ("Configure") panel. It shows your OTLP gateway URL and your numeric instance ID. The gateway URL has the shape:

```text theme={null}
https://otlp-gateway-<zone>.grafana.net/otlp
```

Your `<zone>` is region-specific, for example `prod-us-east-0` or `prod-eu-west-0`. The gateway is rooted at `/otlp`, so the **logs** endpoint you paste into MCP Manager is that base plus `/v1/logs`, on port `443`:

```text theme={null}
https://otlp-gateway-<zone>.grafana.net/otlp/v1/logs
```

<Warning>
  Include the `/otlp` segment. Grafana Cloud's logs path is `/otlp/v1/logs`, **not** `/v1/logs` — and because MCP Manager appends nothing to the URL, pasting `.../v1/logs` without the `/otlp` prefix returns a `404` on every export. This is by far the most common Grafana Cloud setup mistake.
</Warning>

## Step 2: Create an access-policy token with logs:write

In the Grafana Cloud portal, go to **Access Policies**, create (or reuse) a policy that includes the `logs:write` scope, and generate a **token** under it. Use this Cloud Access Policy token — a Grafana API key or service-account token will not authenticate against the OTLP gateway.

## Step 3: Build the Basic auth header value

Grafana Cloud's OTLP gateway uses HTTP **Basic** authentication, where the credentials are your **instance ID** and **access-policy token** joined with a colon and base64-encoded. Build the value yourself:

```bash terminal theme={null}
printf '%s' '<instance-id>:<access-policy-token>' | base64
```

The header value you give MCP Manager is the word `Basic`, a space, and that encoded string:

```text theme={null}
Basic <base64 of instance-id:access-policy-token>
```

## Step 4: Connect MCP Manager to Grafana Cloud

<Steps>
  <Step title="Open the OpenTelemetry collector panel">
    In MCP Manager, go to [Logs → Integrations](https://app.mcpmanager.ai/settings/logging/integrations) and find the **OpenTelemetry collector** panel.
  </Step>

  <Step title="Enter the collector URL">
    In **Logs collector URL**, paste your full logs endpoint including the `/otlp` prefix, for example `https://otlp-gateway-prod-us-east-0.grafana.net/otlp/v1/logs`. (To also export traces, set **Traces collector URL** to the matching `/otlp/v1/traces` endpoint; this guide covers logs.)
  </Step>

  <Step title="Add the Authorization request header">
    Under **Request headers**, add one header:

    * **Field name:** `Authorization`
    * **Field value:** `Basic <base64 of instance-id:access-policy-token>` from Step 3
  </Step>

  <Step title="Save the configuration">
    Select **Save**. MCP Manager stores the configuration and encrypts the header value. Saving confirms storage only — it does not confirm delivery.
  </Step>
</Steps>

## Step 5: Find your logs in Loki

Grafana Cloud routes OTLP logs into **Loki**, so query them with **LogQL** in Grafana Explore (or the Logs Drilldown app). The OTLP `service.name` resource attribute becomes the `service_name` label, so filter MCP Manager's logs with:

```logql theme={null}
{service_name="mcp-manager"}
```

Use the exact `service.name` shown in MCP Manager's **Filter your logs by** panel. To discover available labels, open the label browser in Grafana Explore.

## Troubleshooting

<AccordionGroup>
  <Accordion title="Export is failing with 404">
    The `/otlp` prefix is almost certainly missing. The logs endpoint is `https://otlp-gateway-<zone>.grafana.net/otlp/v1/logs` — MCP Manager appends nothing, so the URL must include `/otlp/v1/logs` in full.
  </Accordion>

  <Accordion title="Export is failing with 401">
    The `instance-id:access-policy-token` pair is wrong or was not base64-encoded. Rebuild the value with `printf '%s' '<instance-id>:<token>' | base64` and confirm the header is `Basic <encoded>` (a single `Basic` prefix). Also confirm you used a **Cloud Access Policy token with `logs:write`**, not a Grafana API or service-account token.
  </Accordion>

  <Accordion title="No logs appear in Grafana">
    Make sure you are querying **Loki**, not Prometheus. MCP Manager sends logs, which land in Loki; querying the Prometheus (metrics) datasource returns nothing and looks identical to logs not arriving. Switch the datasource selector in Explore to your Loki datasource and query `{service_name="mcp-manager"}`.
  </Accordion>

  <Accordion title="Test the connection manually">
    From any machine with outbound HTTPS access:

    ```bash terminal theme={null}
    curl -v -X POST "https://otlp-gateway-<zone>.grafana.net/otlp/v1/logs" \
      -H "Authorization: Basic <base64>" \
      -H "Content-Type: application/json" \
      -d '{}'
    ```

    A `2xx` confirms the URL and credentials are valid; `401` means the `instance-id:token` pair is wrong or not base64-encoded; `404` almost always means the `/otlp` prefix was omitted; `400` means a malformed body (expected for this empty probe once the URL and auth are correct).
  </Accordion>
</AccordionGroup>

## Further reading

<CardGroup cols={2}>
  <Card title="Datadog" icon="dog" href="/enterprise/export-to-siem/datadog">
    The next per-vendor guide — per-site endpoint and the dd-api-key header.
  </Card>

  <Card title="Export to SIEM" icon="tower-broadcast" href="/enterprise/export-to-siem">
    What MCP Manager sends, how forwarding behaves, and general troubleshooting.
  </Card>

  <Card title="Self-hosted Collector" icon="server" href="/enterprise/export-to-siem/self-hosted-collector">
    Route through your own collector to filter, enrich, or fan out.
  </Card>
</CardGroup>

## External sources

<CardGroup cols={2}>
  <Card title="Grafana Cloud OTLP overview" icon="arrow-up-right-from-square" href="https://grafana.com/docs/grafana-cloud/send-data/otlp/">
    Grafana's reference for native OTLP ingest into Loki, Mimir, and Tempo.
  </Card>

  <Card title="Send data to the OTLP endpoint" icon="arrow-up-right-from-square" href="https://grafana.com/docs/grafana-cloud/send-data/otlp/send-data-otlp/">
    The gateway URL shape and the instance-ID/token Basic auth construction.
  </Card>

  <Card title="Create access policies and tokens" icon="arrow-up-right-from-square" href="https://grafana.com/docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-policies/create-access-policies/">
    Generate the Cloud Access Policy token with the `logs:write` scope.
  </Card>

  <Card title="OTLP specification" icon="arrow-up-right-from-square" href="https://opentelemetry.io/docs/specs/otlp/">
    The protocol spec, including the success and partial-success response contract.
  </Card>
</CardGroup>
