OAuth for MCP Server
Version 1.2.x and higher of Splunk MCP Server includes OAuth for MCP Server. This feature can help make Splunk data easier to securely access from AI tools such as Glean, without the need to manage static credentials.
You can use OAuth to let an MCP-compatible client such as Claude Code, Codex, Cursor, or the MCP Inspector, sign in to your Splunk MCP Server through a browser-based OAuth flow rather than a long-lived token.
With OAuth configured, end users authenticate interactively against Splunk, and the client exchanges the resulting authorization code for an access token that it uses to call the MCP endpoint. No static credentials are stored in the MCP client configuration.
OAuth prerequisites
You must be a Splunk Cloud Platform customer to use OAuth.
- Splunkbase install of the MCP Server for Splunk platform app on your Search Head or Search Head Cluster. See Splunk MCP Server.
-
REST API access enabled for the deployment.
-
Token-based authentication enabled. This is required for the underlying MCP Server, independent of the OAuth flow.
-
Role assignment of the
mcp_tool_executecapability, andmcp_tool_admincapability for administrators, to the Splunk roles that need MCP access. -
(Optional) Splunk AI Assistant for generation, explanation, and optimization tools. See Splunk AI Assistant.
Using OAuth for Splunk MCP Server
OAuth for Splunk MCP Server is enabled by Splunk on a per-stack basis. When OAuth is enabled, you will see Splunk OAuth Clients under Settings, and then under Authentication methods in Splunk Web.
Required versions
| Component | Minimum version |
|---|---|
| Splunk Cloud Platform | 10.3.2512.11 |
| Splunk MCP Server app | 1.2.1 or higher |
| MCP client | Version with OAuth 2.1 authorization code plus PKCE support. For Claude Code, use 2.1.114 or newer. |
Access and environment
See the following table for Splunk administrator and end-user access and environment requirements:
| User | Requirements |
|---|---|
| Admin | Splunk administrator credentials with permission to create and manage OAuth clients. |
| End-user | A web browser on the same device where the MCP client runs.
The MCP endpoint URL for your Splunk stack, provided by your administrator.
Note: The Splunk MCP endpoint and OAuth authorization endpoints use HTTPS on the default port 443. No additional outbound port configuration is required on the client side.
A free, local TCP port, for example, 8787, available for the OAuth callback at http://localhost:<callback-port>/callback.
Note: This local callback port is only required for MCP clients that run on your workstation. For example, Claude Code, Cursor, MCP Inspector. Web-based MCP clients use a hosted HTTPS callback URL instead.
The MCP endpoint URL for your Splunk stack, provided by your administrator. See step 2 in the "Create an OAuth client in Splunk" section. |
Create an OAuth client in Splunk
As an administrator, you can perform these steps once per MCP client application you want to authorize.
Step 1: Open the OAuth client configuration
Complete the following steps:
-
Sign in to Splunk Web as an administrator.
-
Go to Settings and then choose Authentication methods.
-
Open Splunk OAuth Clients.
Step 2: Create a new OAuth client
Complete the following steps:
-
Select New OAuth Client and provide the following:
-
Client Name. A descriptive label, for example claude-code, cursor, or mcp-inspector.
-
Redirect URIs. The callback URL the MCP client will listen on after the user signs in. Choose the pattern that matches your MCP client type:
-
For local MCP clients (running on the user's workstation, for example Claude Code, Cursor, MCP Inspector):
-
Replace <callback-port> with the port the MCP client will listen on. For example, 8787. The port value must match exactly between the Splunk Redirect URI and the MCP client configuration.
-
For Web based or Hosted MCP clients that are running as a hosted service, and not on the user's workstation:
-
Use the exact callback URI documented by your MCP client. The path varies by product. Confirm with the client's documentation before saving.
-
-
-
Select Save.
Step 3: Capture the client credentials
After the client is created, Splunk displays the following information:
-
Client ID
-
Client secret
-
This is shown once. Copy and store it in a secure location or using a password manager or secrets vault.
-
-
Authorization URL
-
Token URL
-
Grant type
-
Authorization Code with PKCE .
-
Share the following with the end user through a secure channel:
-
Client ID
-
Client secret
-
Redirect URI, including the chosen port
-
The MCP server endpoint for your stack
Connect your MCP client
As an end-user you can perform these steps to connect your MCP client. To learn more see Connect Cursor to Splunk MCP Server and Connect Claude to Splunk MCP Server.
Values required
openid offline_access to avoid scope negotiation errors.
| Value | Example |
|---|---|
| MCP endpoint | https://<your-stack>.splunkcloud.com/.../mcp |
| Client ID | abc123... |
| Client secret | s3cr3t... |
| Redirect URI | |
| Callback port | 8787: Must match the redirect URI |
| Scopes | openid offline_access |
Connection steps
Every MCP client differs in configuration syntax, but you can follow this general workflow:
-
Register the Splunk MCP Server in your client, using HTTP transport and the MCP endpoint URL.
-
Configure the OAuth section with your Client ID, callback port, and scopes (openid offline_access). Enter the client secret when prompted.
-
Trigger the authentication flow from the client. Your browser opens the Splunk sign-in page.
-
Sign in and approve access for the application.
-
The browser redirects to http://localhost:<callback-port>/callback and the client completes authentication.
-
List available tools in the client to confirm the connection.
Troubleshooting OAuth
See the following issues you might encounter when using OAuth and how to address those issues.
Browser opens, but the callback fails or the page shows a redirect error:
The port in the Splunk Redirect URI does not match the callback port configured in your MCP client. Both must be identical, including any protocol or path differences. Correct the mismatch on one side and retry.
Authentication appears to succeed but the client reports a scope error:
Make sure your client is explicitly limited to openid offline_access. Splunk currently advertises additional scopes that many MCP clients do not support.
Self-signed certificate in certificate chain or similar TLS error:
Your operating system does not trust the TLS certificate presented by your Splunk stack. Export the certificate from the Splunk server, add it to your OS trusted certificate store, and mark it as trusted. Restart the MCP client and retry.
Older MCP client version:
If you hit unexpected OAuth or MCP errors, upgrade to a recent release. For Claude Code, confirm version 2.1.114 or newer.
Known limitations
-
Manual scope restriction required. Splunk's OAuth server advertises more scopes than most MCP clients handle today. Restrict the client to
openid offline_accessexplicitly. -
1 OAuth client per application is suggested. Splunk does not provide shared-consent management across multiple MCP clients.
-
Create a separate OAuth client per tool to keep revocation granular.
-