Access Confluent Cloud with the Managed MCP Servers
You can use the Confluent-managed MCP servers to explore environments and clusters, inspect topics and schemas, debug connectors, and query metrics in Confluent Cloud directly from your AI assistant. The servers connect through the Model Context Protocol (MCP), and all tools are read-only, so you can explore your Confluent resources without risk of modifying them.
Access is governed by your existing Confluent Cloud permissions, so each server returns only the data your API key can access.
Prerequisites
To use the managed MCP servers, you need the following:
A Confluent Cloud account.
An API key for authentication. For details on which key types work with each server, see Set up authentication.
An MCP-compatible AI assistant, such as Claude Code, Cursor, or VS Code with GitHub Copilot.
Global and regional MCP servers
You connect to two managed MCP servers that serve different sets of tools:
The global MCP server handles organization-wide operations that are not tied to a specific region. It provides tools for discovering environments and clusters, debugging connectors, and querying metrics.
The regional MCP server handles operations that require direct access to resources in a specific region. It provides tools for inspecting topics and schemas and reading messages. The URL includes your cloud provider, region, and organization ID.
Configure both servers in your MCP client to get the full set of tools. If you only need environment and cluster discovery, the global server is sufficient on its own.
Global server URL:
https://api.confluent.cloud/mcp/v1
Regional server URL:
https://mcp.<region>.<cloud>.confluent.cloud/mcp/v1/organizations/<org_id>
Replace the following placeholders:
<region>: your cloud region, for example us-west-2
<cloud>: your cloud provider: aws, gcp, or azure
<org_id>: your Confluent Cloud organization ID
Available tools
The managed MCP servers provide the following read-only tools.
Global server tools
You can use the global server to discover environments and clusters, inspect and debug connectors, and query operational metrics.
Explore your environment
You can use the following tools to discover your Confluent Cloud environments and Apache Kafka® clusters.
Tool | Description |
|---|---|
| List all Confluent Cloud environments you can access, including environment IDs, names, and stream governance packages. |
| Get details for a specific environment. |
| List Kafka clusters in an environment, including cluster type, cloud provider, region, and availability. |
| Get details and endpoints for a specific cluster. |
Inspect and debug connectors
You can use the following tools to inspect connector health, review logs, and get AI-generated diagnostics for failing connectors.
Tool | Description |
|---|---|
| List all connectors in a cluster with name, type, and current status. |
| Get the full configuration for a connector, including configuration parameters and task list. |
| Get runtime status and per-task status with error traces. Possible statuses: PROVISIONING, RUNNING, DEGRADED, FAILED, PAUSED, and DELETED. |
| Fetch recent connector logs. Returns ERROR-level logs by default, with optional WARN and INFO levels. Maximum lookback is 72 hours. |
| Get partition and offset information showing the connector’s consumption progress. |
| Fetch time-series metrics for a connector. |
| Get an AI-generated summary of connector errors extracted from task status and error traces. |
| Get AI-generated fix recommendations for a failing connector. |
Query metrics
You can use the following tools to query throughput, consumer lag, and other operational metrics.
Tool | Description |
|---|---|
| List available metric descriptors, including names, types, and units. Supports resource types: |
| Query time-series metric data for a cluster, such as throughput or consumer lag. Supports custom time intervals, granularity, and grouping by topic or consumer group. |
Regional server tools
You can use the regional server to work with Kafka topics and Schema Registry schemas in a specific cloud region.
Inspect topics and schemas
You can use the following tools to list topics, view topic configuration, read sample messages, and get schema definitions.
Tool | Description |
|---|---|
| List all topics in a cluster. |
| Get topic configuration, including partition count and replication factor. |
| Read one to ten sample messages from a topic. You can target a specific partition and offset. |
| List all schema subjects in Schema Registry, including subject name, version, schema ID, and schema type. |
| Get the full schema definition for a subject, including content, version, and references. |
Set up authentication
The managed MCP servers use HTTP Basic authentication. The key type you use depends on which server you want to access.
| Key type | Global server | Regional server |
|---|---|---|
| Global API key (recommended) | Supported | Supported |
| Cloud API key | Supported | Not supported |
| Flink API key | Not supported | Supported |
A global API key provides access to both servers. A single global API key is the simplest way to configure both the global and regional servers. For more information, see Global API Keys.
A Cloud API key provides access to the global server only. Create a Cloud API key in the Confluent Cloud Console or with the Confluent CLI.
A Flink API key provides access to the regional server only and is scoped to a specific cloud provider and region. Create a Flink API key in the Confluent Cloud Console or with the Confluent CLI.
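You must Base64-encode your API key and secret for the Authorization header. To do so, run the following command:
printf '%s' '<api_key>:<api_secret>' | base64 | tr -d '\n'
Use the resulting Base64 value when you configure your MCP client in the next section. The value must be a single line with no line breaks. GNU base64 wraps its output at 76 characters by default, so the command strips any newlines.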
MCP tools return only the resources that your API key has permission to access. Your access through MCP matches your access through the Confluent Cloud API and CLI, so the same roles that grant API access also grant access through MCP.
Configure your MCP client
After you create an API key and encode your credentials, configure your MCP client with the server URLs and authorization header.
Configure Claude Code
To add the global server, run the following command:
claude mcp add --transport http \
confluent-mcp-global \
https://api.confluent.cloud/mcp/v1 \
--header "Authorization: Basic <encoded_credentials>"
To add the regional server, run the following command:
claude mcp add --transport http \
confluent-mcp-regional \
https://mcp.<region>.<cloud>.confluent.cloud/mcp/v1/organizations/<org_id> \
--header "Authorization: Basic <encoded_credentials>"
Replace <encoded_credentials> with the Base64 value from the previous section.
Configure any MCP client
Any MCP client that supports streamable HTTP transport can connect to the managed MCP servers. Configure your client with the following settings:
Global server:
URL: https://api.confluent.cloud/mcp/v1
Transport: http
Header: Authorization: Basic <encoded_credentials>
Regional server:
URL: https://mcp.<region>.<cloud>.confluent.cloud/mcp/v1/organizations/<org_id>
Transport: http
Header: Authorization: Basic <encoded_credentials>
Example prompts
After you configure your MCP client, you can ask your AI assistant to work with your Confluent Cloud resources. The following examples show prompts organized by task.
Explore your environment
Use these prompts to discover your environments, clusters, and metrics:
“List my Confluent Cloud environments and clusters.”
“Show the details for cluster lkc-abc123.”
“What is the throughput for my cluster over the last six hours?”
Inspect topics and schemas
Use these prompts to explore topics, read messages, and view schemas:
“What topics exist in my cluster?”
“Describe the configuration for the orders topic.”
“Read the latest messages from the user-events topic.”
“Show the schema for the orders-value subject.”
Debug connectors
Use these prompts to investigate connector issues:
“List all connectors and show their current status.”
“Why is my S3 sink connector failing? Show the error logs.”
“Get fix recommendations for the postgres-source connector.”
Limitations
The managed MCP servers have the following limitations:
The managed MCP servers provide read-only access to your Confluent Cloud resources. You cannot create, modify, or delete clusters, topics, or connectors through MCP tools.
Connector error summaries and fix recommendations are generated by AI models. Because AI model outputs can vary between requests, review all AI-generated suggestions before taking action.
The regional server is available in regions where Confluent Cloud Flink is available, which covers most Confluent Cloud regions.
Rate limits match the underlying Confluent Cloud API limits. If you experience throttling, reduce the frequency of your requests.
Private networking
If your cluster uses private networking, you must file a support ticket to enable MCP access before you can use the regional server with that cluster. Include your organization ID, environment ID, and cluster ID in the ticket.
Without this enablement, regional server tools that access private clusters return the following error: FORBIDDEN: private network access is not enabled for this kafka cluster.
Warning
Cross-network access with private networking
With private networking enabled, topics might be accessible across private networks within your environment. Review your network topology and access configuration before enabling the feature.
Troubleshooting
If a tool returns no data, verify that your API key has the required permissions and that the resource exists in the specified environment or cluster.
If you receive a 404 or “no such host” error when connecting to the regional server, verify that your endpoint URL is correct. The URL must include the <org_id> path segment and the region must match a region where Confluent Cloud Flink is available.
If you receive a 401 or FORBIDDEN error, verify the following:
Your API key is valid and has not expired.
You are using the correct key type for the server. Cloud API keys work only with the global server, and Flink API keys work only with the regional server.
Your API key belongs to the same organization as the <org_id> in the regional server URL. This is a common issue when you have multiple organizations.
You are not using a resource-scoped API key. Keys scoped to a specific resource, such as a cluster or Schema Registry, are not supported.
You encoded your credentials correctly as Base64.
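The items in this checklist that can be verified offline (key type against server, regional URL shape, and the Base64 encoding) can be checked before the client ever connects. The following is an added example, not Confluent code; the function name `preflight` and the sample credentials and organization ID are constructed for illustration. Key validity, expiry, and resource scoping still have to be checked in Confluent Cloud.

```python
import base64
import binascii
import re

# Key-type support per server, copied from the authentication table above.
SUPPORTED = {
    "global": {"global", "regional"},
    "cloud": {"global"},
    "flink": {"regional"},
}
GLOBAL_URL = "https://api.confluent.cloud/mcp/v1"
REGIONAL_RE = re.compile(
    r"https://mcp\.[a-z0-9-]+\.(aws|gcp|azure)\.confluent\.cloud"
    r"/mcp/v1/organizations/[^/\s<>]+"
)


def preflight(server, url, key_type, header_value):
    """Return the problems found in one MCP server entry (empty list = OK)."""
    problems = []
    if server not in SUPPORTED.get(key_type, set()):
        problems.append(f"{key_type} API key is not supported on the {server} server")
    if server == "global" and url != GLOBAL_URL:
        problems.append("global server URL differs from the documented one")
    if server == "regional" and not REGIONAL_RE.fullmatch(url):
        problems.append("regional URL needs region, cloud and /organizations/<org_id>")
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic" or not token:
        return problems + ["header must be 'Basic <encoded_credentials>'"]
    try:
        # validate=True rejects line breaks left by a wrapping base64 tool.
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return problems + ["credentials are not valid single-line Base64"]
    key, sep, secret = decoded.partition(":")
    if not (key and sep and secret):
        problems.append("decoded value is not '<api_key>:<api_secret>'")
    elif decoded != decoded.strip():
        problems.append("decoded value has stray whitespace or a trailing newline")
    return problems


if __name__ == "__main__":
    # Constructed credentials and organization ID, for illustration only.
    header = "Basic " + base64.b64encode(b"EXAMPLEKEY:example-secret").decode()
    url = "https://mcp.us-west-2.aws.confluent.cloud/mcp/v1/organizations/org-example"
    print(preflight("regional", url, "cloud", header))
```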
You can track MCP tool calls in the Confluent Cloud audit log. Each tool call is logged with a method name prefixed by mcp.tools/call., followed by the tool name, and attributed to the authenticated principal.
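One way to review that audit trail is to count MCP tool calls per principal and flag principals you did not expect to use MCP. This is an added example, not Confluent code: the JSON field layout (`data.methodName`, `data.authenticationInfo.principal`), the tool names, and the principals are assumptions constructed for illustration; only the `mcp.tools/call.` prefix comes from this page.

```python
import json
from collections import Counter

MCP_PREFIX = "mcp.tools/call."  # method-name prefix stated on this page

# Constructed events: the field layout, tool names and principals below are
# placeholders assumed for this example, not values taken from the page.
SAMPLE = [
    '{"data": {"methodName": "mcp.tools/call.example_tool_a",'
    ' "authenticationInfo": {"principal": "User:sa-example1"}}}',
    '{"data": {"methodName": "mcp.tools/call.example_tool_b",'
    ' "authenticationInfo": {"principal": "User:sa-example1"}}}',
    '{"data": {"methodName": "mcp.tools/call.example_tool_b",'
    ' "authenticationInfo": {"principal": "User:u-example2"}}}',
    '{"data": {"methodName": "example.OtherMethod",'
    ' "authenticationInfo": {"principal": "User:u-example2"}}}',
    "not json",
]


def mcp_calls(lines):
    """Yield (principal, tool) for each audit event that is an MCP tool call."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        data = event.get("data") if isinstance(event, dict) else None
        if not isinstance(data, dict):
            continue
        method = data.get("methodName")
        if isinstance(method, str) and method.startswith(MCP_PREFIX):
            auth = data.get("authenticationInfo")
            who = auth.get("principal", "<unknown>") if isinstance(auth, dict) else "<unknown>"
            yield who, method[len(MCP_PREFIX):]


def review(lines, expected_principals):
    """Count calls per (principal, tool) and list principals not expected."""
    counts = Counter(mcp_calls(lines))
    unexpected = sorted({p for p, _ in counts} - set(expected_principals))
    return counts, unexpected


if __name__ == "__main__":
    print(review(SAMPLE, {"User:sa-example1"}))
```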