Connect external clients to managed MCP servers

Beta

This feature is in Beta.

Connect external AI assistants and IDEs that support Model Context Protocol (MCP) to Databricks-managed MCP servers. This lets you use Databricks data and tools directly in your development environment.

Databricks-managed MCP servers support two authentication methods:

• OAuth - Recommended for secure, scoped access using OAuth applications
• PAT tokens - Simple short-lived token-based authentication using Personal Access Tokens

Prerequisites

Before connecting external tools:

• Identify your MCP server URLs. For Databricks-supported managed MCP servers, see Managed MCP servers.

• Ensure your account has access to the Unity Catalog resources (catalogs, schemas, functions, or vector indexes) you want to use.

Authentication with OAuth

OAuth provides secure, scoped access to Databricks-managed MCP servers using OAuth applications.

Set up OAuth authentication

1. Create an OAuth application: Ask an account admin to create or get an existing Databricks OAuth Application. Make sure you add the redirect URLs needed from your external client and obtain the client ID and/or client secret values from your OAuth application. Follow these instructions to create a new partner OAuth application: Enable OAuth for partner integrations.

Via Account Console UI

• Navigate to your Settings -> App Connections -> Add connection

Via Databricks CLI (Source: Databricks API):

JSON

   databricks account custom-app-integration create --json '{
     "name": "mcp-public-client",
     "redirect_urls": ["https://redirectclient.com/callback"],
     "confidential": false,
     "scopes": ["all-apis"],
     "token_access_policy": {
       "access_token_ttl_in_minutes": 60,
       "refresh_token_ttl_in_minutes": 10080
     }
   }'

• Note: MCP servers support both public and confidential clients as specified in the MCP Authorization documentation. If you are creating a public client, be sure to uncheck the Generate a client secret checkbox in the Databricks accounts console UI. If you are creating one via the Databricks CLI, set "confidential": false.

2. Configure your MCP client: Use your MCP server URL OAuth client ID (and optional client secret) in your external MCP client configuration. Use connection type streamable-http for the server.

3. Confirm your workspace IP ACL restrictions: Databricks-managed MCP servers honor Workspace IP ACL restrictions. If your Databricks workspace has any IP access restrictions, add any outbound IP addresses corresponding to your external client to the allowlist.

Client configuration examples with OAuth

Configure Claude with OAuth

If you have Claude Connectors using Remote MCP enabled, you can add Databricks managed MCP servers via the UI.

In Databricks:

1. Create an OAuth App Connection via the UI or databricks CLI that includes Claude's redirect urls

Via Account Console UI:

• Navigate to your Settings -> App Connections -> Add connection

Via Databricks CLI: (Source: Databricks API):

JSON

   databricks account custom-app-integration create --json '{
     "name": "claude-mcp-public-client",
     "redirect_urls": ["https://claude.ai/api/mcp/auth_callback"],
     "confidential": false,
     "scopes": ["all-apis"],
     "token_access_policy": {
       "access_token_ttl_in_minutes": 60,
       "refresh_token_ttl_in_minutes": 10080
     }
   }'

• Note: OAuth applications need to have all-apis scoping for Claude in Beta.

2. If you have workspace IP ACL restrictions, add Claude's outbound IP addresses to your workspace's allowlist

In Claude:

1. Navigate to Settings > Connectors.

2. Locate the Connectors section.

3. Click Add custom connector at the bottom of the page.

4. Add your Databricks managed MCP server URL as the Remote MCP server URL.

5. Add your OAuth App Integration Client ID and optional secret (if your client is confidential).

6. Click Add to finish configuring your connector.

   

Authentication with PAT tokens

Personal Access Tokens (PAT) provide a simple way to authenticate with Databricks-managed MCP servers.

Set up PAT authentication

1. Generate a Personal Access Token (PAT): See Personal access tokens.

2. Use the PAT in your configuration: Add the token to your MCP client configuration as shown in the examples below.

Client configuration examples with PAT

Configure Cursor with PAT

Cursor supports MCP through its settings configuration. Add the following to your Cursor settings:

The example shows Unity Catalog Functions, but you can adapt it for any managed MCP server URL path:

JSON

{
  "mcpServers": {
    "uc-function-mcp": {
      "type": "streamable-http",
      "url": "https://<your-workspace-hostname>/api/2.0/mcp/functions/{catalog_name}/{schema_name}",
      "headers": {
        "Authorization": "Bearer <YOUR_TOKEN>"
      },
      "note": "Databricks UC function"
    }
  }
}

Configure Claude Desktop with PAT

To use Databricks-managed MCP servers in Claude Desktop, use mcp-remote. Add the following configuration to your claude_desktop_config.json file.

The configuration file can be found in the following locations by default:

• macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
• Windows: %APPDATA%\Claude\claude_desktop_config.json

The example shows Unity Catalog Functions, but you can adapt it for any managed MCP server URL path:

JSON

{
  "mcpServers": {
    "uc-function-mcp": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://<your-workspace-hostname>/api/2.0/mcp/functions/{catalog_name}/{schema_name}",
        "--header",
        "Authorization: Bearer <YOUR_TOKEN>"
      ]
    }
  }
}

After updating the configuration, restart Claude Desktop for the changes to take effect.

Why can't I connect to custom MCP servers?

Custom MCP servers hosted on Databricks Apps require interactive login flows that external IDEs do not support. This means external tools like Cursor and Claude Desktop cannot connect to custom MCP servers yet.