Beta preview: OAuth for MCP Server

Version 1.1 and higher of Splunk MCP Server offers a feature preview of OAuth for MCP Server. This feature can help make Splunk data easier to securely access from AI tools such as Glean, without the need to manage static credentials.

CAUTION: OAuth for MCP is a closed preview for Splunk Cloud Platform customers only. The feature is off by default and must be enabled by Splunk. To request enablement, contact Splunk Support or your account team.

The preview is provided under the Splunk Pre-Release Agreement for Hosted Services.

You can use OAuth to let an MCP-compatible client such as Claude Code, Codex, Cursor, or the MCP Inspector, sign in to your Splunk MCP Server through a browser-based OAuth flow rather than a long-lived token.

With OAuth configured, end users authenticate interactively against Splunk, and the client exchanges the resulting authorization code for an access token that it uses to call the MCP endpoint. No static credentials are stored in the MCP client configuration.

Providing feedback

This feature is a closed preview. To report an issue or request enhancements, contact Splunk Support or your account team.

Preview disclaimer

Beta features described in this document are provided by Splunk to you "as is" without any warranties, maintenance and support, or service-level commitments. Splunk makes this Beta feature available at its sole discretion and may discontinue it at any time. Use of Beta features is subject to the Splunk Pre-Release Agreement for Hosted Services.

OAuth prerequisites

Before configuring OAuth, the Splunk MCP Server app itself must already be installed and configured on your stack, including the following:
Note: If any of the prerequisites are missing, OAuth sign-in might succeed but tool calls will fail with permission or API-access errors.
  • Splunkbase install of the MCP Server for Splunk platform app on your Search Head or Search Head Cluster. See https://splunkbase.splunk.com/app/7931

  • REST API access enabled for the deployment.

  • Token-based authentication enabled. This is required for the underlying MCP Server, independent of the OAuth flow.

  • Role assignment of the mcp_tool_execute capability, and mcp_tool_admin capability for administrators, to the Splunk roles that need MCP access.

  • (Optional) Splunk AI Assistant for generation, explanation, and optimization tools. See https://splunkbase.splunk.com/app/7245

Participating in the beta preview

OAuth for Splunk MCP Server is enabled by Splunk on a per-stack basis. Confirm your stack has been enabled before starting.

When OAuth is enabled, you will see Splunk OAuth Clients (preview) under Settings, and then under Authentication methods in Splunk Web.

Required versions

Note: Older MCP client versions might not handle the callback or scope negotiation correctly.
Component Minimum version
Splunk Cloud Platform 10.3.2512.11
Splunk MCP Server app 1.1.1 or higher
MCP client Version with OAuth 2.1 authorization code + PKCE support. For Claude Code, use 2.1.114 or newer.

Access and environment

See the following table for Splunk administrator and end-user access and environment requirements:
User Requirements
Admin Splunk admin credentials with permission to create and manage OAuth clients.
End-user A web browser on the same device where the MCP client runs.

The MCP endpoint URL for your Splunk stack, provided by your administrator.

Note: The Splunk MCP endpoint and OAuth authorization endpoints use HTTPS on the default port 443. No additional outbound port configuration is required on the client side.

A free, local TCP port, for example, 8787, available for the OAuth callback at http://localhost:<callback-port>/callback.

Note: This local callback port is only required for MCP clients that run on your workstation (for example, Claude Code, Cursor, MCP Inspector). Web-based MCP clients use a hosted HTTPS callback URL instead see Step 2 in Part 1.

The MCP endpoint URL for your Splunk stack, provided by your administrator.

Create an OAuth client in Splunk

As an administrator, you can perform these steps once per MCP client application you want to authorize.

Step 1: Open the OAuth client configuration

Complete the following steps:

  1. Sign in to Splunk Web as an administrator.

  2. Go to Settings and then choose Authentication methods.

  3. Open Splunk OAuth Clients (preview).

Note: If this option is not visible, OAuth is not enabled on your stack. Contact Splunk Support to request enablement.

Step 2: Create a new OAuth client

Complete the following steps:

  1. Select New OAuth Client and provide the following:

    1. Client Name. A descriptive label, for example claude-code, cursor, or mcp-inspector.

    2. Redirect URIs. The callback URL the MCP client will listen on after the user signs in. Choose the pattern that matches your MCP client type:

      1. For local MCP clients (running on the user's workstation, for example Claude Code, Cursor, MCP Inspector):

        1. http://localhost:<callback-port>/callback

        2. Replace <callback-port> with the port the MCP client will listen on (for example, 8787). The port value must match exactly between the Splunk Redirect URI and the MCP client configuration.

      2. For Web based / Hosted MCP clients (running as a hosted service, not on the user's workstation):

        1. https://<domain>/oauth/callback

        2. https://<domain>/api/mcp/auth_callback

        3. Use the exact callback URI documented by your MCP client. The path varies by product. Confirm with the client's documentation before saving.

  2. Select Save.

Step 3: Capture the client credentials

After the client is created, Splunk displays the following information:

  • Client ID

  • Client secret

    • This is shown once. Copy and store it in a secure location or using a password manager or secrets vault.

  • Authorization URL

  • Token URL

  • Grant type

    • Authorization Code with PKCE .

Share the following with the end user through a secure channel:

  • Client ID

  • Client secret

  • Redirect URI, including the chosen port

  • The MCP server endpoint for your stack

Note: You can sreate a separate OAuth client per tool or per team so you can revoke access independently.

Connect your MCP client

As an end-user you can perform these steps to connect your MCP client.

Values needed

You must have the following values from your Splunk administrator:
Note: The Splunk OAuth server advertises more scopes than most MCP clients support. For this beta version of OAuth, restrict your client to openid offline_access to avoid scope negotiation errors.
Value Example
MCP endpoint https://<your-stack>.splunkcloud.com/.../mcp
Client ID abc123...
Client secret s3cr3t...
Redirect URI

http://localhost:8787/callback
Callback port 8787: Must match the redirect URI
Scopes openid offline_access

Connection steps

Every MCP client differs in configuration syntax, but you can follow this general workflow:

  1. Register the Splunk MCP Server in your client, using HTTP transport and the MCP endpoint URL.

  2. Configure the OAuth section with your Client ID, callback port, and scopes (openid offline_access). Enter the client secret when prompted.

  3. Trigger the authentication flow from the client. Your browser opens the Splunk sign-in page.

  4. Sign in and approve access for the application.

  5. The browser redirects to http://localhost:<callback-port>/callback and the client completes authentication.

  6. List available tools in the client to confirm the connection.

Claude Code connection example

The following example uses Claude code and the command line interface (CLI) to make the connection.

For more information on scope restriction in Claude Code, see the Claude Code MCP documentation at https://code.claude.com/docs/en/mcp.

  1. Register the Splunk MCP Server.

    1. Run the following command on your workstation. Replace the placeholders with the values from your administrator:

      CODE 
      claude mcp add --transport http \ 
   --callback-port <callback-port> \ 
   --client-id <client-id> \ 
   --client-secret \ 
   splunk-mcp <mcp-endpoint>

    2. When prompted, paste the Client secret:

      1. The <callback-port> must exactly match the port in the Redirect URI your administrator configured in Splunk.

      2. The <client-id> is the Client ID from the Splunk OAuth client.

      3. The <mcp-endpoint> is the HTTP endpoint of the Splunk MCP Server.

  2. Restrict OAuth scopes. Open Claude Code's configuration file (~/.claude.json) and locate the splunk-mcp entry. Add a scopes field inside the oauth block, set to openid offline_access:

    JSON 
    "splunk-mcp": { 
   "type": "http", 
   "url": "<mcp-endpoint>", 
   "oauth": { 
     "clientId": "<client-id>", 
     "callbackPort": <callback-port>, 
     "scopes": "openid offline_access" 
   } 
}

  3. Authenticate:

    1. Start Claude Code: claude

    2. From inside Claude Code, run: /mcp

    3. Your browser opens to the Splunk sign-in page.

    4. Sign in with your Splunk credentials and approve access for the Claude Code application.

    5. The browser redirects to http://localhost:<callback-port>/callback and Claude Code completes authentication.

  4. Verify tools:

    1. Run /mcp again to confirm splunk-mcp is connected.

    2. Review the list of tools exposed by the Splunk MCP Server.

    3. Invoke any tool to validate end-to-end connectivity. For example, a read-only search tool.

Troubleshooting OAuth preview

See the following issues you might encounter when using the OAuth preview and how to address those issues.

"Splunk OAuth Clients (preview)" is not visible

OAuth is not enabled on your stack, or your Splunk role does not grant access to authentication settings. Contact Splunk Support to confirm enablement, and check your role assignments.

Browser opens, but the callback fails or the page shows a redirect error:

The port in the Splunk Redirect URI does not match the callback port configured in your MCP client. Both must be identical, including any protocol or path differences. Correct the mismatch on one side and retry.

Authentication appears to succeed but the client reports a scope error:

Make sure your client is explicitly limited to openid offline_access. Splunk currently advertises additional scopes that many MCP clients do not support.

Self-signed certificate in certificate chain or similar TLS error:

Your operating system does not trust the TLS certificate presented by your Splunk stack. Export the certificate from the Splunk server, add it to your OS trusted certificate store, and mark it as trusted. Restart the MCP client and retry.

Older MCP client version:

If you hit unexpected OAuth or MCP errors, upgrade to a recent release. For Claude Code, confirm version 2.1.114 or newer.

Known limitations

  • Closed preview. The feature is limited to Splunk Cloud Platform customers who have been enabled by Splunk. Support commitments follow the Splunk Pre-Release Agreement.

  • Manual scope restriction required. Splunk's OAuth server advertises more scopes than most MCP clients handle today. Restrict the client to openid offline_access explicitly.

  • One OAuth client per application is recommended. Splunk does not provide shared-consent management across multiple MCP clients.

    • Create a separate OAuth client per tool to keep revocation granular.