Token-based connection to Port MCP server
When integrating the Port MCP Server with AI agents in automated environments like CI/CD pipelines, the authentication approach differs from interactive local usage. This guide explains how to establish secure connections between AI agents and the Port MCP Server without requiring user interaction.
The Challengeโ
Interactive OAuth flows that work well for local development become problematic in automated environments because:
- No User Interaction: CI/CD pipelines and automated agents can't handle browser-based authentication flows
- Security Requirements: Credentials must be managed securely without exposing them in logs or configurations
- Token Management: Short-lived tokens are preferred for security, but must be programmatically generated
The Solutionโ
The Port MCP Server supports programmatic authentication using the Client Credentials flow, which enables AI agents to:
- Generate short-lived access tokens using your Port client credentials (
clientId+clientSecret) - Connect to the remote MCP server with the generated token for secure API access
- Invoke Port tools through the MCP interface without user intervention
This approach maintains security while enabling powerful automation capabilities.
Example: Claude Code in GitHub Actionsโ
Here's a complete example showing how to connect Claude Code to the Port MCP Server within a GitHub Actions workflow:
Show example workflow
name: Port MCP Server Demo with Claude Code
on: workflow_dispatch
env:
PORT_MCP_URL: ${{ vars.PORT_MCP_URL }}
PORT_AUTH_BASE_URL: ${{ vars.PORT_AUTH_BASE_URL }}
jobs:
demo:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Authenticate with Port
id: port-auth
run: |
response=$(curl -s -X POST "${{ env.PORT_AUTH_BASE_URL }}/auth/access_token" \
-H "Content-Type: application/json" \
-d '{"clientId":"${{ secrets.PORT_CLIENT_ID }}","clientSecret":"${{ secrets.PORT_CLIENT_SECRET }}"}')
token=$(echo "$response" | jq -r '.accessToken')
echo "::add-mask::$token"
echo "access_token=$token" >> "$GITHUB_OUTPUT"
- name: Claude Code against Port MCP
uses: anthropics/claude-code-action@beta
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
mode: agent
mcp_config: |
{
"mcpServers": {
"port-prod": {
"command": "npx",
"args": [
"mcp-remote",
"${{ env.PORT_MCP_URL }}",
"--header",
"Authorization: Bearer ${{ steps.port-auth.outputs.access_token }}"
]
}
}
}
allowed_tools: "mcp__port-prod__list_blueprints,mcp__port-prod__get_entities"
direct_prompt: |
List all blueprints, then show entities of the "zendesk_ticket" blueprint.
How this workflow worksโ
- Authentication โ The
port-authstep exchanges your Port client credentials for a short-lived access token using the Client Credentials flow - MCP Connection โ Claude Code connects to the remote MCP server using the
mcp-remotepackage, passing the access token in the Authorization header - Tool Access โ Claude Code can invoke only the specific Port tools listed in
allowed_tools, ensuring controlled access to your Port instance - Execution โ The AI agent executes the provided prompt using the available Port tools to query your software catalog
For read-only workflows, limit allowed_tools to just the query operations you need.
Choose the appropriate MCP URL for your Port region (EU: https://mcp.port.io/v1, US: https://mcp.us.port.io/v1)
Adapting for Other AI Agentsโ
While this example focuses on Claude Code, the same authentication pattern can be applied to other AI agents and platforms:
General Integration Stepsโ
- Obtain Port Credentials: Create a client ID and secret in your Port dashboard.
- Generate Access Token: Use the Client Credentials flow to get a short-lived token.
- Configure MCP Connection: Point your AI agent to the remote MCP server with the token.
- Define Tool Permissions: Specify which Port tools the AI agent can access.
- Execute Workflows: Let the AI agent interact with your Port data and capabilities.