Skip to main content

Admin MCP

Run your MintMCP organization from the same MCP client your team already uses. The Admin MCP exposes MintMCP's admin operations as tools, so you can install a connector, write a guardrail rule, or invite a teammate in plain language from Claude Code, Cursor, or ChatGPT, without opening the dashboard.

Because every action runs as you, the Admin MCP enforces the same permissions as the dashboard and writes the same audit trail, so an AI assistant can only do what your role already allows.

What you can do

Onboard a new organization

Ask the assistant to get you started and it inspects your org (which servers are installed, whether you've invited your team) and walks you through remaining setup steps with live links into the dashboard.

"Help me get my MintMCP organization set up."

Browse and install MCP servers

Search the MintMCP catalog, see what a connector needs before you commit, and install it, or add an MCP server that isn't in the catalog by URL. New servers default to admin-only access until you choose to roll them out to the whole organization.

"Install the GitHub connector, but keep it admin-only for now." "Add the remote MCP server at https://mcp.example.com and make it available to everyone."

Deploy and operate hosted connectors

Build and ship MCP servers that MintMCP runs on its own infrastructure: push a container image, deploy it, set environment variables, check runtime status, and restart when needed. Secrets never pass through chat: the assistant hands you a browser link to enter them.

"Deploy this Dockerfile as a hosted connector and show me its status." "Restart the hosted connector behind our internal-tools server."

Customize what each server exposes

List the tools a server offers and turn individual tools on or off so your organization only sees the operations you've approved.

"List the tools on our Salesforce server and disable the ones that can delete records."

Govern with rules and middleware

Create declarative rules that match tool names or prompt text with a regex, or write custom JavaScript middleware for logic a pattern can't express: allowlists, masking, or programmatic checks. Author middleware with create_gateway_middleware, then activate it with a rule that references it. Test a rule against sample inputs before it goes live, and roll back middleware to a previous version from the history.

"Block any tool call that runs kubectl get secrets and tell me if it would have caught these three examples." "Write middleware that redacts email addresses from tool responses."

Manage users and roles

Invite teammates by email with the right role, see which roles are available, and remove people who no longer need access.

"Invite alex@acme.com as an admin and dana@acme.com as a member."

Monitor activity and audit usage

Get a summary of recent MCP activity, see which users called which servers over any period, and query the call log (tool calls, prompt reads, timing, and status) to investigate a specific incident.

"Which users called our production database server this week?" "Show me failed tool calls on the Slack server in the last 24 hours."

Permissions and audit trail

The Admin MCP comes pre-installed as MintMCP Admin, scoped to your organization, with access restricted to admins by default. Admins can open it to more members, and each operation is permission-checked at the moment it runs: if your role can't perform an action in the dashboard, the same action fails here. An assistant connected to the Admin MCP is never more privileged than the person using it.

Every call flows through the MintMCP gateway like any other MCP traffic, so admin actions land in the same activity log and audit trail as the rest of your organization's usage.

Tool reference

The Admin MCP's tools fall into four groups: Activity, Deploy, Connector, and Rules. The Admin MCP evolves quickly, so connect to it for the current tool list.

Activity tools

Review organization-wide MCP usage.

ToolWhat it doesKey inputs
activity_overviewSummarizes MCP activity for the last day, week, or month. Read-only, returns bounded aggregate stats.period (day, week, or month)
users_by_gatewayShows which users used which Virtual MCP (VMCP) gateways over a period. Returns up to 1000 users per gateway when gatewayId is provided, otherwise 50.period, gatewayId (optional), limitUsersPerGateway (optional)

Deploy tools

Deploy, update, and observe hosted connectors. For the full walkthrough, see Custom MCP connectors.

ToolWhat it doesKey inputs
get_deploy_guideReturns the full guide for building and deploying a hosted connector: transport selection, credential handling, Dockerfile templates, and debugging. Call this first.none
create_registry_push_sessionIssues a short-lived Docker registry credential URL for pushing an image. Pass hostedId to update an existing connector; omit it to create a new one.hostedId (optional)
deploy_pushed_imageFinalizes and deploys a pushed image: updates the connector named by hostedId, or creates a new one when config is provided.finalizeToken, hostedId (optional), envVars (optional), config (optional)
configure_connector_envSets environment variables on a hosted connector. Global vars take a value immediately; per-user vars are declared by name only and each user fills in their own value in the MintMCP UI.gatewayId, envVars
query_mcp_logsQueries the organization's MCP call logs: recent tool calls, prompt reads, and resource reads with timing and error info. Filter to a single caller with actor, and each returned entry carries its caller's userId, userEmail, or agentId so one query's results feed the next.gatewayId (optional), actor (optional: exactly one of userId, userEmail, or agentId), status (optional: success or error), limit (optional, default 20, max 100)

Connector tools

Install new MCPs, then inspect and operate installed MCPs (Virtual MCPs and bundles) and the connectors behind them.

ToolWhat it doesKey inputs
install_catalog_connectorInstalls an MCP from the MintMCP catalog by canonical name (for example com.mintmcp/gmail). Defaults to admin-only availability, and any secret values (bearer tokens, OAuth client secrets, encrypted headers, hosted secret env vars) go through the browser handoff: the tool returns pending_secret_input with a configureUrl instead of taking secrets in chat.name, availability (optional: admin_only or all_members, default admin_only), serverUrl (optional), connectionConfig (optional), headers (optional), oauthBroker (optional)
install_remote_mcpInstalls a remote URL-based MCP server that isn't in the catalog, with the same admin-only default and browser handoff for secrets. Pure OAuth/DCR and no-auth installs complete without a handoff.url, title (optional), availability (optional, default admin_only), connectionConfig (optional), headers (optional), includeUserIdentity (optional), oauthBroker (optional)
update_remote_mcpUpdates the connection settings of an existing remote MCP server. Secret values go through the same browser handoff (pending_secret_input with a configureUrl); pure OAuth/DCR and no-auth updates complete without one.gatewayId, plus the connection fields to change
list_gatewaysLists all installed MCPs with each MCP's ID, title, and type (registry, hosted, remote, bundled, or local_instructions).none
get_mcp_detailsReturns a VMCP's full configuration: title, targets (connectors), tool settings, middleware, and OAuth config.gatewayId
list_mcp_toolsLists all tools a VMCP exposes, with customizations (enabled/disabled, name and description overrides) applied.gatewayId
list_connector_toolsLists the raw tools reported by the underlying connector, before MCP-level customizations. Works when the MCP maps to exactly one connector.gatewayId
refresh_mcp_toolsRe-fetches the tool list from the running connector. Works when the MCP maps to exactly one connector.gatewayId
get_hosted_connector_configReturns a hosted connector's deployment config: command, env vars (as hashes, never plaintext), transport, CPU/memory, scaling, and OAuth setup.gatewayId
get_hosted_connector_statusReturns the runtime state of a hosted connector.gatewayId
restart_hosted_connectorRestarts the machine running a hosted connector.gatewayId
get_remote_server_configReturns the connection config for a remote MCP server: URL, auth method, credential mode, connection status, header names (values never shown), tool customizations, and auth instructions.gatewayId

Rules tools

Draft, test, and manage guardrail rules for Agent Monitor.

ToolWhat it doesKey inputs
list_rulesLists all custom organization rules with each rule's ID, name, description, enabled status, and matcher configuration.none
create_ruleCreates a rule. All actions are stripped automatically, so new rules are live but harmless until you add actions with update_rule.rule (matcher, name, description, is_enabled)
test_ruleTests a regex matcher against sample tool calls (testCases) or prompts (testStrings). Testing a saved rule by ruleId is preferred over an inline matcher.ruleId or matcher, testCases, testStrings
update_ruleUpdates a rule by ID, typically to add actions (agent-level: deny tool calls, send Slack notifications) or gatewayActions (gateway-level: allow, mask, or block requests, send Slack notifications) after testing. Takes the full rule body.ruleId, rule

Secret handling

Secrets never pass through the MCP conversation: not to the assistant, not to the model, not into the chat log.

  • Registry credentials are short-lived. Deploying an image uses a scoped, single-purpose registry credential that expires after the push, so there's no standing password to copy around or rotate.
  • Secret values are entered in the browser, not the chat. When a deploy needs a secret environment variable, the assistant hands you a secure link to the MintMCP dashboard. You enter values there directly, they're encrypted at rest, and the connector deploys with secrets already in place, so the assistant only ever sees that the step completed.
  • Per-user secrets stay per-user. Variables scoped per-user are declared by name only; each member supplies their own value in the UI, so one user's credential is never visible to another.
  • Read-back is scrubbed. Tools that return connector configuration show environment values as hashes and never reveal credential or header values.

Connect to the Admin MCP

The Admin MCP is installed automatically when your organization is created, so it already appears in your server list.

  1. Open the MintMCP Admin server in your servers.
  2. Go to the MCP Client Setup tab and copy the MCP URL.
  3. Add that URL to your MCP client (see Connect Claude Code, Connect Claude on the web, or Connect ChatGPT).

If it was removed, install it again from the MCP store, where it's listed as MintMCP Admin.