# Grant access to MCP tools

Last validated Jun 16, 2026

\[Missing snippet: aperture\_release\_note.mdx]

\[Missing snippet: aperture\_mcp\_experimental\_note.mdx]

When you configure [connectors][kb-aperture-connectors] with Aperture, users can access MCP tools, resources, templates, and HTTP connector endpoints through the Aperture proxy. Like model access, connector access is deny-by-default. You need to configure grants that specify which connector capabilities each user or group can use.

This topic assumes you have already [configured model access grants][kb-grant-model-access]. Connector grants use the same structure, with the `connectors` field for connector capabilities.

## Prerequisites

Before you begin, ensure you have the following:

* An [Aperture instance][kb-get-started] with at least one [configured connector][kb-aperture-connectors-config].
* [Admin access][kb-set-up-admin-access] to the Aperture dashboard.
* Users who already have a `role` grant and network access to the Aperture device. If not, complete [Grant access to models][kb-grant-model-access] first.

## Configure connector access grants

Add the `connectors` field to your grants to control which connector capabilities users can access. The `connectors` field accepts an array of fully qualified name (FQN) glob patterns in `"connectorID/category/resource"` format.

Open the **Settings** page of the Aperture dashboard and add `connectors` entries to the `tailscale.com/cap/aperture` capability array.

The following example grants users in `group:ai-users` access to all capabilities from the built-in Aperture connector, all capabilities from a GitHub connector, and all tools from `local`, an example MCP connector you define in your [`connectors.servers`][kb-aperture-connectors-config] configuration:

```json
{
  "grants": [
    {
      "src": ["group:ai-users"],
      "app": {
        "tailscale.com/cap/aperture": [
          { "role": "user" },
          { "models": "anthropic/**" },
          { "connectors": ["aperture/**", "github/**", "local/tools/*"] }
        ]
      }
    }
  ]
}
```

Matching `group:` sources, like `group:ai-users` in the example above, requires [visible groups][kb-visible-groups] enabled for the Aperture device.

\[Missing snippet: aperture\_grant\_dst\_note.mdx]

### Connector capability fields

Each capability entry under `tailscale.com/cap/aperture` can include the `connectors` field:

| Field        | Format             | Description                                                                          |
| :----------- | :----------------- | :----------------------------------------------------------------------------------- |
| `connectors` | Array of FQN globs | Grant access to connector capabilities by `"connectorID/category/resource"` pattern. |

The following grant categories are available:

| Category    | Applies to      | Description                            | Example                |
| :---------- | :-------------- | :------------------------------------- | :--------------------- |
| `tools`     | MCP connectors  | MCP tools                              | `"local/tools/search"` |
| `resources` | MCP connectors  | MCP resources                          | `"local/resources/*"`  |
| `templates` | MCP connectors  | MCP resource templates                 | `"local/templates/*"`  |
| `proxy`     | HTTP connectors | Proxy access to `/v1/connectors/<id>/` | `"github/proxy"`       |

A `proxy` grant authorizes the connector's entire `/v1/connectors/<id>/` path. It has no per-path granularity.

Patterns use the same glob syntax as model grants: `*` matches a single path segment and also matches any characters within a segment (for example, `get_*` matches tool names that start with `get_`), and `**` matches zero or more segments.

A malformed pattern, such as one with more than two slashes or with an unrecognized category segment, is silently dropped rather than reported as an error. A typo in a grant pattern grants nothing, so confirm each pattern matches an existing connector capability.

> **Note:**
>
> The deprecated `mcp_tools`, `mcp_resources`, and `mcp_templates` grant fields continue to work. New configurations should use the `connectors` field instead.

### Pattern examples

The following examples show how to use FQN patterns to grant access to specific connector capabilities:

| Pattern            | Matches                                 |
| :----------------- | :-------------------------------------- |
| `"local/tools/*"`  | All MCP tools from `local` connector    |
| `"local/**"`       | All capabilities from `local`           |
| `"github/proxy"`   | Proxy access to `github` HTTP connector |
| `"github/**"`      | All access to `github` connector        |
| `"aperture/**"`    | Built-in Aperture system connector      |
| `"*/tools/search"` | The `search` tool from any connector    |
| `"**"`             | All capabilities from all connectors    |

An FQN pattern always includes at least the connector ID. To grant access to everything a connector exposes, use `"connectorID/**"`.

### What denial looks like

When a user lacks a matching grant, Aperture hides the capability rather than exposing it. Tools and resources the user cannot access do not appear in the tool or resource list, and a direct call to an unauthorized tool returns an "unknown tool" error (or "unknown resource" for a resource). A request to an unauthorized HTTP connector proxy path returns `403 access denied`.

If a capability is missing or a request is denied unexpectedly, check for a missing or misspelled grant pattern.

## Built-in connectors

Aperture includes a built-in `aperture` system connector. It exposes a `list_connectors` tool (surfaced to models as `aperture_list_connectors`) for discovering the HTTP API connectors available through Aperture. This tool is registered only when at least one HTTP connector is configured. Grant access with:

```json
{ "connectors": ["aperture/**"] }
```

The `aperture` connector ID is reserved and cannot be used for custom connectors.

> **Note:**
>
> Connector access follows a three-layer authorization model:
>
> 1. **Configuration**: The connector must be declared in your [`connectors.servers`][kb-aperture-connectors-config] configuration.
> 2. **Grants**: The user needs a matching `connectors` grant pattern. Grants define the ceiling of what a user can access.
> 3. **Credentials**: For connectors using per-user OAuth, the user must complete the OAuth authorization flow before accessing the connector.

## Next steps

* Learn about [connectors][kb-aperture-connectors] and how to configure them.
* [Grant access to models][kb-grant-model-access] to manage which LLM models users can access.
* Refer to the [grants configuration reference][kb-aperture-grants] for the full grants syntax.
* [Set per-user spending limits][kb-set-per-user-spending-limits] to manage costs across models and tools.

[kb-aperture-connectors-config]: /docs/aperture/configuration#connectors

[kb-aperture-connectors]: /docs/aperture/connectors

[kb-aperture-grants]: /docs/aperture/configuration#grants

[kb-get-started]: /docs/aperture/get-started

[kb-grant-model-access]: /docs/aperture/how-to/grant-model-access

[kb-mcp-server]: /docs/aperture/mcp-server

[kb-set-per-user-spending-limits]: /docs/aperture/how-to/set-per-user-spending-limits

[kb-set-up-admin-access]: /docs/aperture/how-to/set-up-admin-access

[kb-visible-groups]: /docs/aperture/visible-groups
