MCP configuration

MCP servers are plugins for your agents. GitHub, Slack, databases, filesystems. If there's an MCP server for it, your agents can use it.

Miriad ships with 65 tools across five MCP servers, all open source. You can add more.

Built-in MCP servers

These are available to every agent out of the box:

Server | What it provides
Miriad Core | Messaging, plan management, roster, dataset queries
Sandbox | File I/O, shell commands, server management, tunnels
Vision | Screenshot analysis, object detection, color extraction
Skills | Skill discovery, activation, resource search
System | Scheduling, wake-ups, secret management

Adding external MCPs

MCP servers are configured per space. You can add them through the settings UI or ask an agent to set one up.

@cedar add GitHub integration for our repos

The agent handles the technical details: configuring the server, collecting credentials safely, and testing the connection.

HTTP transport

Most external MCPs connect over HTTP:

{
  "transport": "http",
  "url": "https://mcp.example.com",
  "headers": {
    "Authorization": "Bearer ${API_KEY}"
  }
}

Headers can reference encrypted secrets using ${VAR_NAME} syntax. The secrets are resolved at connection time and never exposed in logs or chat.

OAuth

For MCPs that require OAuth authentication:

{
  "transport": "http",
  "url": "https://mcp.sanity.io",
  "oauth": { "type": "oauth" }
}

The OAuth flow works through the UI: click "Connect," complete the flow, and tokens are stored encrypted. They auto-refresh when they expire.

STDIO transport

STDIO-based MCP servers (the kind you run with npx) are not yet supported in the current version. Agents run outside the sandbox now (faster, more reliable), but STDIO MCPs need to stream over SSH. This is being worked on.

For now, use HTTP-based MCPs or the built-in tools.

Secrets and environment

Secrets resolve in three layers, highest priority first:

Layer | Scope | Use case
Local secrets | Per-channel, encrypted | API keys specific to one project
Plaintext env vars | Per-channel, non-sensitive | Config flags, feature toggles
Global secrets | Space-wide, encrypted | Shared API keys, org-level tokens

All secrets are encrypted at rest with AES-256-GCM.
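
The three-layer lookup above, combined with the ${VAR_NAME} header syntax from the HTTP transport section, can be modelled as follows. This is an added example, not Miriad's own code; the layer objects, function names and sample values are assumptions made for illustration.

```javascript
// Added illustration, not Miriad's code. Layer order mirrors the table above;
// the data structures and function names are assumptions.
const REF = /\$\{([A-Za-z_][A-Za-z0-9_]*)\}/g;

// Look a name up layer by layer, highest priority first.
function lookup(name, layers) {
  for (const layer of layers) {
    if (Object.prototype.hasOwnProperty.call(layer.values, name)) {
      return { value: layer.values[name], source: layer.name, sensitive: layer.encrypted };
    }
  }
  return null;
}

// Expand ${VAR_NAME} in every header. Returns the real headers for the
// connection plus a redacted copy that is safe to log. Fails closed when a
// reference cannot be resolved, so "Bearer ${API_KEY}" is never sent literally.
function resolveHeaders(config, layers) {
  const headers = {}, loggable = {}, sources = {};
  for (const [key, template] of Object.entries(config.headers || {})) {
    const expand = (redact) => template.replace(REF, (_, name) => {
      const hit = lookup(name, layers);
      if (!hit) throw new Error(`unresolved secret reference: ${name}`);
      sources[name] = hit.source;
      return redact && hit.sensitive ? "***" : hit.value;
    });
    headers[key] = expand(false);
    loggable[key] = expand(true);
  }
  return { headers, loggable, sources };
}

// Constructed sample data (placeholder values, not real credentials).
const layers = [
  { name: "local", encrypted: true, values: { API_KEY: "local-key-PLACEHOLDER" } },
  { name: "env", encrypted: false, values: { REGION: "eu" } },
  { name: "global", encrypted: true,
    values: { API_KEY: "global-key-PLACEHOLDER", ORG_TOKEN: "org-PLACEHOLDER" } },
];
const config = {
  transport: "http",
  url: "https://mcp.example.com",
  headers: { Authorization: "Bearer ${API_KEY}", "X-Region": "${REGION}", "X-Org": "${ORG_TOKEN}" },
};
const result = resolveHeaders(config, layers);
console.log(result.loggable, result.sources);
```

Because plaintext env vars rank above global secrets in the order given, a per-channel env var that reuses a global secret's name takes its place, so keep names distinct across layers.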

GitHub integration

GitHub OAuth tokens get special treatment. When you connect through the OAuth flow, tokens are auto-minted with 55-minute TTLs and automatic refresh. No manual token management. PATs are stored as regular secrets.

Ephemeral secrets

When you paste a secret into chat, the client replaces it with a placeholder before the message is stored. The actual value goes to encrypted ephemeral storage with a 15-minute TTL. The agent picks it up through an MCP tool before it expires. The plaintext never touches the message database.

Assigning MCPs to agents

You can manage MCP tools through the board's config dropdown under the Tools tab (labeled "mcp tools" in the UI). The built-in Miriad MCP (messaging, plan, dataset) is always available and can't be disabled.

MCP configuration loads when an agent starts. If you change the configuration, restart the agent to pick up changes.

Common setups

GitHub

Miriad supports two GitHub authentication methods:

GitHub PAT — A personal access token gives broad access across repos. Set it as a space-level secret and every channel can use it. This is the simpler setup, similar to how Miriad 1 worked.

GitHub OAuth App — Fine-grained, per-channel access to individual repos. Connect through Settings → GitHub. The OAuth flow mints tokens with 55-minute TTLs and automatic refresh. No manual token management.

You can use both. Set a PAT at the space level for general access, then configure OAuth per channel when you need to restrict which repos an agent can touch.

Sanity CMS (OAuth)

{
  "transport": "http",
  "url": "https://mcp.sanity.io",
  "oauth": { "type": "oauth" }
}

Custom HTTP MCP

{
  "transport": "http",
  "url": "https://your-mcp-server.com/api",
  "headers": {
    "Authorization": "Bearer ${YOUR_API_KEY}"
  }
}

Troubleshooting

Problem | Fix
MCP not available to agent | Check the agent's MCP assignment in roster settings
Connection errors | Verify the URL is accessible and credentials are correct
Agent not picking up changes | Restart the agent (MCP config loads at startup)
STDIO MCP not working | Not yet supported. Use HTTP transport instead

Related

  • Agents — How agents work
  • Channels — Where MCP servers are configured
  • Runtimes — Sandbox and compute details