> ## Documentation Index
> Fetch the complete documentation index at: https://docs.clarion.cantina.xyz/llms.txt
> Use this file to discover all available pages before exploring further.

# Custom MCP

> Connect any MCP-compatible HTTP server to extend Clarion agents with your own tools.

This guide walks you through connecting a custom MCP server to Clarion. Once connected, every tool your server exposes becomes available to Clarion agents during triage and response.

<Note>
  **Estimated time:** 2 minutes. You will need a **Clarion workspace** with permission to manage integrations and an MCP-compatible HTTP server that Clarion can reach over the public internet.
</Note>

## Prerequisites

* A **Clarion workspace** with permission to manage integrations
* An **MCP server** that speaks the [Streamable HTTP transport](https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#streamable-http) and is reachable from Clarion
* (Optional) an **API key** if your server requires authentication — Clarion sends it as `Authorization: Bearer <key>` on every request

***

## Step 1 — Add an MCP server

1. In Clarion, go to **Settings > Integrations**
2. Scroll to the **Custom MCPs** section and click **Add MCP Server**
3. Fill in the form:
   * **Name** — a short label for this server (e.g. `My Security Scanner`). Clarion slugifies the name and registers the server as `custom-<your-slug>` so it can never shadow a built-in MCP server
   * **Server URL** — the HTTP endpoint of your MCP server (e.g. `https://mcp.example.com`)
   * **API key** *(optional)* — sent as `Authorization: Bearer <key>` on every request to your server
4. Click **Connect**

Clarion validates the connection before saving — if the server is unreachable or doesn't speak MCP, the form surfaces the error and nothing is stored.

<Info>
  You can add multiple custom MCP servers to a single workspace. Each one shows up as its own card on the Integrations page.
</Info>

***

## Step 2 — Verify the tools

Once connected, the server card shows the number of tools Clarion discovered. Open the card's **View tools** menu to see each tool's name and description as advertised by your server.

If you don't see the tools you expect, double-check that your server returns them from the MCP `tools/list` method and that the names contain no underscores in the server segment.

***

## What Clarion can do

After connecting, agents can:

* **Invoke any tool** your MCP server exposes — Clarion forwards the call through a proxy that authenticates the agent and attaches your API key on every request
* **See tool descriptions** straight from your server, so updating the description on your side is enough to update what the agent sees

Clarion does not modify or cache your tool schemas — every agent run pulls the live list from your server.

***

## Security model

* Your **server URL** and **API key** are stored encrypted and only decrypted server-side when a Clarion agent needs to call your server. The API key is never bundled into agent sandbox code or exposed to agent prompts.
* Requests from Clarion agents are proxied through Clarion's backend — your server only ever sees traffic from Clarion's IPs, never from the agent sandbox directly.
* Clarion validates the upstream URL before each call to prevent SSRF against internal addresses.
* Treat the tools your MCP server exposes as **attacker-controlled input** to Clarion agents. Tool descriptions and outputs can contain instructions — Clarion already redacts secrets in transcripts, but only connect servers you trust.

***

## Remove an MCP server

To remove a server:

1. Open **Settings > Integrations** in Clarion
2. Find the server card under **Custom MCPs**
3. Click the menu (**⋯**) and choose **Remove**
4. Confirm the dialog

Removing a server deletes its stored URL and API key from Clarion immediately and revokes agent access to its tools. Anything your server already did on Clarion's behalf stays in place — only the connection is removed.
