OAuth for MCP Server

Version 1.2.x and higher of Splunk MCP Server includes OAuth for MCP Server. This feature can help make Splunk data easier to securely access from AI tools such as Glean, without the need to manage static credentials.

Note: This feature was previously offered as a closed preview.

You can use OAuth to let an MCP-compatible client such as Claude Code, Codex, Cursor, or the MCP Inspector, sign in to your Splunk MCP Server through a browser-based OAuth flow rather than a long-lived token.

With OAuth configured, end users authenticate interactively against Splunk, and the client exchanges the resulting authorization code for an access token that it uses to call the MCP endpoint. No static credentials are stored in the MCP client configuration.

OAuth prerequisites

You must be a Splunk Cloud Platform customer to use OAuth.

Before configuring OAuth, the Splunk MCP Server app itself must already be installed and configured on your stack, including the following:
Note: If any of the prerequisites are missing, OAuth sign-in might succeed but tool calls will fail with permission or API-access errors.
  • Splunkbase install of the MCP Server for Splunk platform app on your Search Head or Search Head Cluster. See Splunk MCP Server.
  • REST API access enabled for the deployment.

  • Token-based authentication enabled. This is required for the underlying MCP Server, independent of the OAuth flow.

  • Role assignment of the mcp_tool_execute capability, and mcp_tool_admin capability for administrators, to the Splunk roles that need MCP access.

  • (Optional) Splunk AI Assistant for generation, explanation, and optimization tools. See Splunk AI Assistant.

Using OAuth for Splunk MCP Server

OAuth for Splunk MCP Server is enabled by Splunk on a per-stack basis. When OAuth is enabled, you will see Splunk OAuth Clients under Settings, and then under Authentication methods in Splunk Web.

Required versions

Note: Older MCP client versions might not handle the callback or scope negotiation correctly.
Component Minimum version
Splunk Cloud Platform 10.3.2512.11
Splunk MCP Server app 1.2.1 or higher
MCP client Version with OAuth 2.1 authorization code plus PKCE support. For Claude Code, use 2.1.114 or newer.

Access and environment

See the following table for Splunk administrator and end-user access and environment requirements:

User Requirements
Admin Splunk administrator credentials with permission to create and manage OAuth clients.
End-user A web browser on the same device where the MCP client runs.

The MCP endpoint URL for your Splunk stack, provided by your administrator.

Note: The Splunk MCP endpoint and OAuth authorization endpoints use HTTPS on the default port 443. No additional outbound port configuration is required on the client side.

A free, local TCP port, for example, 8787, available for the OAuth callback at http://localhost:<callback-port>/callback.

Note: This local callback port is only required for MCP clients that run on your workstation. For example, Claude Code, Cursor, MCP Inspector. Web-based MCP clients use a hosted HTTPS callback URL instead.

The MCP endpoint URL for your Splunk stack, provided by your administrator. See step 2 in the "Create an OAuth client in Splunk" section.

Create an OAuth client in Splunk

As an administrator, you can perform these steps once per MCP client application you want to authorize.

Step 1: Open the OAuth client configuration

Complete the following steps:

  1. Sign in to Splunk Web as an administrator.

  2. Go to Settings and then choose Authentication methods.

  3. Open Splunk OAuth Clients.

Note: If this option is not visible, OAuth is not enabled on your stack. Contact Splunk Support to request enablement.

Step 2: Create a new OAuth client

Complete the following steps:

  1. Select New OAuth Client and provide the following:

    1. Client Name. A descriptive label, for example claude-code, cursor, or mcp-inspector.

    2. Redirect URIs. The callback URL the MCP client will listen on after the user signs in. Choose the pattern that matches your MCP client type:

      1. For local MCP clients (running on the user's workstation, for example Claude Code, Cursor, MCP Inspector):

        1. http://localhost:<callback-port>/callback

        2. Replace <callback-port> with the port the MCP client will listen on. For example, 8787. The port value must match exactly between the Splunk Redirect URI and the MCP client configuration.

      2. For Web based or Hosted MCP clients that are running as a hosted service, and not on the user's workstation:

        1. https://<domain>/oauth/callback

        2. https://<domain>/api/mcp/auth_callback

        3. Use the exact callback URI documented by your MCP client. The path varies by product. Confirm with the client's documentation before saving.

  2. Select Save.

Step 3: Capture the client credentials

After the client is created, Splunk displays the following information:

  • Client ID

  • Client secret

    • This is shown once. Copy and store it in a secure location or using a password manager or secrets vault.

  • Authorization URL

  • Token URL

  • Grant type

    • Authorization Code with PKCE .

Share the following with the end user through a secure channel:

  • Client ID

  • Client secret

  • Redirect URI, including the chosen port

  • The MCP server endpoint for your stack

Note: You can create a separate OAuth client per tool or per team so you can revoke access independently.

Connect your MCP client

As an end-user you can perform these steps to connect your MCP client. To learn more see Connect Cursor to Splunk MCP Server and Connect Claude to Splunk MCP Server.

Values required

You must have the following values from your Splunk administrator:
Note: The Splunk OAuth server advertises more scopes than most MCP clients support. You can restrict your client to openid offline_access to avoid scope negotiation errors.
Value Example
MCP endpoint https://<your-stack>.splunkcloud.com/.../mcp
Client ID abc123...
Client secret s3cr3t...
Redirect URI

http://localhost:8787/callback

Callback port 8787: Must match the redirect URI
Scopes openid offline_access

Connection steps

Every MCP client differs in configuration syntax, but you can follow this general workflow:

  1. Register the Splunk MCP Server in your client, using HTTP transport and the MCP endpoint URL.

  2. Configure the OAuth section with your Client ID, callback port, and scopes (openid offline_access). Enter the client secret when prompted.

  3. Trigger the authentication flow from the client. Your browser opens the Splunk sign-in page.

  4. Sign in and approve access for the application.

  5. The browser redirects to http://localhost:<callback-port>/callback and the client completes authentication.

  6. List available tools in the client to confirm the connection.

Troubleshooting OAuth

See the following issues you might encounter when using OAuth and how to address those issues.

Browser opens, but the callback fails or the page shows a redirect error:

The port in the Splunk Redirect URI does not match the callback port configured in your MCP client. Both must be identical, including any protocol or path differences. Correct the mismatch on one side and retry.

Authentication appears to succeed but the client reports a scope error:

Make sure your client is explicitly limited to openid offline_access. Splunk currently advertises additional scopes that many MCP clients do not support.

Self-signed certificate in certificate chain or similar TLS error:

Your operating system does not trust the TLS certificate presented by your Splunk stack. Export the certificate from the Splunk server, add it to your OS trusted certificate store, and mark it as trusted. Restart the MCP client and retry.

Older MCP client version:

If you hit unexpected OAuth or MCP errors, upgrade to a recent release. For Claude Code, confirm version 2.1.114 or newer.

Known limitations

  • Manual scope restriction required. Splunk's OAuth server advertises more scopes than most MCP clients handle today. Restrict the client to openid offline_access explicitly.

  • 1 OAuth client per application is suggested. Splunk does not provide shared-consent management across multiple MCP clients.

    • Create a separate OAuth client per tool to keep revocation granular.