You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: ai/mcp-server/index.md
+22Lines changed: 22 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -263,6 +263,28 @@ Don't worry about remembering command names — your AI client handles that. Jus
263
263
-**Jobs** – Start, monitor, and debug execution flows.
264
264
-**Documentation** – Search official Keboola docs from within your AI chat.
265
265
266
+
## Restricting Tool Access
267
+
268
+
When using the remote MCP server, you may want to limit which tools are available to AI agents. This is useful for:
269
+
270
+
-**AI Agent Restrictions**: Limiting what actions an AI agent (like Devin or Cursor) can perform in your project
271
+
-**Compliance and Security**: Enforcing data governance policies by restricting write operations
272
+
-**Customer-Specific Access**: Creating tailored access profiles for different use cases
273
+
274
+
The MCP server supports three HTTP headers for tool authorization:
275
+
276
+
| Header | Purpose |
277
+
|--------|---------|
278
+
|`X-Allowed-Tools`| Only allow specific tools (comma-separated list) |
279
+
|`X-Disallowed-Tools`| Block specific tools (comma-separated list) |
280
+
|`X-Read-Only-Mode`| Restrict to read-only tools only (`true`/`1`/`yes`) |
281
+
282
+
These headers are set by the client (e.g., your AI agent integration or custom MCP client) when making HTTP requests to the MCP server. Refer to your MCP client's documentation for how to configure custom HTTP headers.
283
+
284
+
For example, setting `X-Read-Only-Mode: true` allows agents to query and explore data but prevents them from creating or modifying configurations.
285
+
286
+
For detailed technical documentation including the full list of read-only tools and header combination behavior, see the [Developer Documentation](https://developers.keboola.com/integrate/mcp/#tool-authorization-and-access-control).
287
+
266
288
## Advanced Setup Options
267
289
These methods are for developers or specific use cases (e.g., testing, contributing to the MCP server).
268
290
For CLI control, dev environments, or contributing to the MCP Server, check out the [MCP GitHub repo](https://github.com/keboola/mcp-server).
0 commit comments