The Admin API and MCP server are now in closed beta. You can provision and manage most of your workspace over MCP tools and a REST API, scoped by your role capabilities. See the Admin API & MCP section for the full documentation. Access is gated by the MCP Manager Admin API entitlement — ask your MCP Manager contact to join.
Manage your workspace with the Admin API
The Admin API and MCP server are the control plane for MCP Manager. From an agent or a script you can create and configure inbound servers, gateways and their assignments, identities, hosts and connections, teams, roles, and access tokens, and query the call logs and alerts — the same actions available in the app, enforced by the same role capabilities. Every operation is exposed both as an MCP tool and as a REST endpoint under/api/v1/mcpm-admin.
This is in closed beta: available now to workspaces with the MCP Manager Admin API entitlement (ff-mcpm-admin), ahead of general availability. To get started, see Connect an agent and the tool & endpoint reference.
Still to come
A few programmatic surfaces are planned but not in the beta yet — the Admin API roadmap tracks them:- A downloadable CLI to script the same operations and wire them into pipelines and infrastructure-as-code workflows.
- Gateway rules, custom rule engines, feature provisioning, reporting, and an admin audit log over the Admin API.
A dedicated Terraform provider is not available. Teams that manage infrastructure declaratively can drive the REST API from their own automation today; a first-class Terraform provider isn’t something we offer yet. If declarative infrastructure-as-code is a requirement for you, tell your MCP Manager contact — it helps us prioritise.
What you can automate today without the beta
Two related capabilities ship to every workspace and don’t require the Admin API entitlement. Both are about connecting agents to gateways, not about provisioning the gateways themselves.- Token-based agent connection. A headless agent connects to a gateway with a gateway API access token rather than an interactive sign-in. You create a token-based host and issue it a token scoped to a single gateway connection. See API Tokens & Headless Agents.
- Per-user identity passing. A single agent can carry each end user’s own identity through to downstream servers, so actions run as the real person and stay fully logged. See Agents that Pass Identities to MCP Manager.
Two kinds of access token, for two different jobs. A gateway API access token connects a headless agent to a gateway (the data plane). An admin Personal Access Token (
mcpm_pat_…) authenticates to the Admin API to manage your configuration (the control plane). They are not interchangeable — see Admin API & MCP.Working with log data programmatically
Log data leaves MCP Manager in three ways. In the Admin API beta, thequery_logs operation reads the AI-usage call logs with filters and pagination — useful for ad-hoc inspection from an agent. For durable pipelines into your own tooling, log data is also available as a file export (CSV or ND-JSON) and pushed to your own collector over OpenTelemetry. For a continuous feed into a SIEM, prefer OpenTelemetry over polling query_logs. See Accessing log data programmatically and Export to SIEM.
Further reading
Admin API & MCP
The control-plane API and MCP server for managing your workspace from code.
API Tokens & Headless Agents
How a headless agent connects to a gateway with a scoped API access token.
Agents passing identities
One agent, many users, each acting as themselves through per-user tokens.
Connection Experience
The authorization flow every host uses to connect to a gateway.

