Govern an MCP service
This feature is in Beta. Account admins can control access to this feature from the account console Previews page. See Manage Databricks previews.
This page describes how to govern an MCP Service with the same Unity Catalog primitives that protect your other securables: limit which tools the service exposes, apply service policies to allow or deny individual calls, set rate limits, and monitor usage. These controls apply to both MCP Services you register and Databricks-provided MCP Services.
Select which tools are exposed
By default, an MCP Service makes available all of the tools the MCP server provides. To make available only a subset, select the tools when you create the MCP Service, or update the selection later. Each selector is matched against tool names: a pattern ending in * is a prefix match (get_* matches get_me and get_issue), and any other value is an exact match (search_repositories matches only that tool).
- UI
- REST API
In the create flow, under Tools:
- Select Select manually to select each tool individually.
- Select Advanced to enter selection patterns, using the prefix and exact-match rules described above.
- Turn on Automatically include tools added to this server in the future to make new tools available as the MCP server adds them.
To change the tool selection after creation, set include_tool_selectors with a PATCH request. Restrict a service to only get_* tools:
databricks api patch \
"/api/2.1/unity-catalog/mcp-services/main.default.my_mcp?update_mask=config.include_tool_selectors" \
--json '{
"config": {
"include_tool_selectors": ["get_*"]
}
}'
Reset to make available all tools by setting include_tool_selectors to an empty list.
Tools that you don't select don't appear in tools/list, and the MCP Service rejects a tools/call for an unselected tool:
{ "code": -32003, "message": "Tool not allowed by MCP service configuration." }
Apply a service policy
A service policy evaluates each tool call before it runs (ON CALL) and, optionally, its result (ON RESULT). A policy can allow, deny, or require human approval for the request—for example, to block destructive operations or block calls that contain PII—without changing which tools are available. Service policies are part of AI governance in Unity Catalog.
To write a policy function and attach it to an MCP Service, see Service policies for AI securables and Create and attach a service policy.
Set rate limits
Limit how frequently agents can call an MCP Service to control cost and protect the external server. See Configure rate limits for AI services using Unity AI Gateway.
Monitor usage
Unity AI Gateway records activity for every MCP Service in Unity Catalog system tables:
- Usage: call volume, errors, and latency in
system.ai_gateway.usage(filterservice_type = 'MCP_SERVICE'). See Model usage for Unity AI Gateway services. - Audit: control-plane changes (
createMcpService,updateMcpService,deleteMcpService) and each invocation (mcpCall) insystem.access.audit. See Audit log system table reference. - Traces: tool-call requests, responses, and policy decisions are captured by trace logging, which is enabled once at the account level and shared across all MCP Services.
- Dashboard: external MCP server traffic appears in the built-in Unity AI Gateway usage dashboard. See Built-in usage dashboard.
For all Unity Catalog system tables, see System tables reference. For an overview of governing AI traffic, see AI governance in Unity Catalog.
Next steps
- Register an external MCP server to register and invoke an external MCP server.
- Service policies for AI securables for service policy concepts and built-in guardrails.
- AI governance with Unity AI Gateway to govern MCP servers and LLM endpoints from a central location.