Authorize MCP with OAuth 2.1
The MCP server connects directly to your Coralogix data using OAuth 2.1 with OpenID Connect (OIDC).
Use it to:
- Avoid storing separate Coralogix credentials in your MCP client
- Ensure MCP operates within the signed-in user’s existing access control and permissions
- Connect securely while you validate MCP behavior in a controlled team scope
This article explains how Coralogix OAuth works for MCP, what MCP tokens represent, how team access works, what you will see on the OAuth screen, and how to revoke access.
How it works
Coralogix OAuth tokens represent a user context. MCP uses OAuth to authenticate you and then call Coralogix APIs on your behalf.
Note
OAuth access tokens issued by Coralogix represent a user context, not a standalone API key or service account.
A typical OAuth flow looks like this:
- Your MCP client redirects you to Coralogix to log in and approve the requested access (scopes).
- Coralogix authenticates you (for example, via SSO and any configured MFA policies).
- Coralogix returns an authorization response to the MCP client.
- The MCP client exchanges the authorization response for an access token (and optionally a refresh token).
- The MCP client calls Coralogix APIs with the access token.
- Coralogix evaluates every request based on your permissions, policy scopes, and team membership. MCP does not receive additional privileges.
Set up MCP and start the OAuth flow
- In your mcp.json file, configure the MCP server.
- In your MCP client, enable the MCP client and connect.
- You are redirected to Coralogix for login (if needed) and authorization.
Team access
An MCP integration may connect to one team, selected by the user.
- Select one team during setup.
- If you need MCP access to another team, connect MCP again with a separate server for that team.
Scopes
Before MCP can access private Coralogix data, it requests an access token. MCP includes one or more scope values in the scope parameter to indicate the permissions it is requesting.
Scopes define which resources and actions the token allows. Some scopes are required, while others may vary by MCP client and configuration.
| Scope | What it allows |
|---|---|
| openid | Enables OpenID Connect login so the app can authenticate you. |
| email | Identifies you as a Coralogix user (email address). |
| profile | Lets the app read basic profile details for display (for example, name). |
| offline_access | Allows the app to refresh its token so it stays connected without repeated approvals. |
| cx_teams:list | Lets the app list the teams you belong to (availability depends on the integration). |
Note
Team-related scopes allow MCP to display your available teams, enabling you to select a team during setup. They do not grant MCP access to multiple teams.
These scopes alone do not give MCP access to telemetry. Actual data access depends on the team you select and your existing permissions in that team.
Approve or deny
Approve access is available only when:
- The request is valid.
- Required information is loaded.
- You selected one team.
If you are unsure, select Deny and verify the request before you try again.
What happens after you approve
When you approve access, Coralogix sends an authorization code to the integration. The integration exchanges that code for tokens (access_token and refresh_token) and then uses the access token to call Coralogix APIs on your behalf, limited to the requested scopes and your existing permissions.
- Your password is not shared with the MCP client.
- Your existing security policies still apply:
- SSO and MFA requirements are enforced at login.
- If your account is disabled or your team membership changes, your access will change accordingly.
- MCP cannot exceed what you are already allowed to do in Coralogix.
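The flow under "How it works" and the code exchange described above, shown from the client side as an added example (not Coralogix's or any MCP client's own code). OAuth 2.1 requires PKCE on the authorization code grant, so the example includes it; the authorize URL, client ID and redirect URI are placeholders, because this page does not give Coralogix's endpoints.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholders (assumptions): the page gives no endpoint, client ID or redirect URI.
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"
CLIENT_ID = "example-mcp-client"
REDIRECT_URI = "http://127.0.0.1:8765/callback"
# Scope values taken from the table on this page.
SCOPES = ["openid", "email", "profile", "offline_access", "cx_teams:list"]

def start_authorization():
    """Return (authorization URL, session). The session stays inside the client."""
    verifier = secrets.token_urlsafe(64)  # PKCE code_verifier (43-128 chars)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    state = secrets.token_urlsafe(32)  # binds the callback to this request
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{AUTHORIZE_URL}?{query}", {"state": state, "code_verifier": verifier}

def handle_callback(callback_url, session):
    """Validate the redirect and return the form body for the token request."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:  # RFC 6749: a denied request returns error=access_denied
        raise PermissionError(params["error"][0])
    returned = params.get("state", [""])[0]
    if not secrets.compare_digest(returned.encode(), session["state"].encode()):
        raise ValueError("state mismatch: callback does not belong to this request")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": params["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],  # proves this client began the flow
    }
```

The returned dictionary is the form body a client would POST to the token endpoint to obtain the access_token and refresh_token.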
You typically do not see the consent page again for that MCP client unless:
- The authorization expires.
- You revoke access or log out in a way that invalidates the session.
- The client changes the scopes it requests.
Revoking access
To block MCP from accessing Coralogix, use one of these options.
From the MCP client
Many MCP clients include a Disconnect from Coralogix or Log out of Coralogix option. Use that option first when available.
From Coralogix
- Remove the user from the selected team to block access to that team.
- Adjust the user’s roles or permissions to reduce what the token can do. MCP is limited by the user’s permissions.
- Contact Support to revoke tokens associated with a specific integration if needed.
After access is blocked or tokens are revoked, the next time MCP tries to use Coralogix, it fails and prompts you to reconnect through the OAuth flow.