MCP server proxying

Last validated: Jun 27, 2026

Aperture MCP server proxying is currently in alpha.

Aperture can aggregate tools and resources from multiple remote Model Context Protocol (MCP) servers and expose them to AI agents through a single /v1/mcp endpoint. This lets you centralize MCP tool management behind your Aperture proxy with the same identity-based access control used for LLM providers. This page covers MCP protocol connectors specifically. For HTTP API connectors, refer to the connectors feature guide.

Aperture acts as an MCP server when communicating with AI agent clients and as an MCP client when communicating with remote MCP servers. Clients connect to Aperture's /v1/mcp endpoint and access an aggregated view of all tools and resources from every configured remote server.

Use cases

MCP server proxying addresses the following use cases:

Centralized tool access: Aggregate tools from multiple MCP servers behind a single endpoint. AI agents connect to one URL instead of managing connections to each server individually.
Identity-based access control: Control which users can access which MCP tools and resources using the same Tailscale identity and grants system used for LLM providers.
Dynamic tool discovery: Register and unregister MCP servers at runtime. When a server comes online, its tools become available automatically. When it goes offline, Aperture removes its tools.
Protocol compatibility: Connect MCP servers that use different protocol versions. Aperture auto-detects whether each server supports Streamable HTTP or legacy SSE and handles the translation.

Key MCP concepts

The Model Context Protocol defines a standard way for AI agents to discover and use external capabilities. The following concepts are relevant to configuring MCP in Aperture:

Tools: Functions that LLMs can discover and call, such as searching a database or running a command.
Resources: Contextual data identified by URI that LLMs can read, such as file contents or API responses.
Streamable HTTP: The current MCP transport protocol that uses a single HTTP endpoint for bidirectional communication.
Legacy SSE: The deprecated MCP transport that uses Server-Sent Events. Aperture supports both transports for backward compatibility.

Prerequisites

Before you can use MCP server proxying, you need the following:

Aperture enabled on your tailnet. Refer to get started with Aperture if you have not set this up.
At least one MCP server accessible from the Aperture host over your tailnet.
The URL of each MCP server's endpoint (for example, http://mcp-server.example.ts.net:8080/v1/mcp).
The connectors feature flag enabled in your Aperture configuration. Add "flags": {"connectors": {"value": true}} to your configuration. Refer to the flags reference for details.

MCP server proxying via the connectors section requires the connectors feature flag. The legacy mcp.servers syntax does not require the flag.

Get started

To configure MCP server proxying in Aperture, add remote servers, grant users access to MCP tools, and connect an MCP client.

Step 1: Configure MCP servers

Open the Settings page of the Aperture dashboard and add a connectors section to your configuration with one or more remote servers. Each connector can include optional description and context fields. description is a human-readable label shown in the UI and surfaced to agents. context provides prompt information to help models understand the connector and accepts a plain string or JSON.

{
  "connectors": {
    "servers": {
      "analytics": {
        "protocol": "mcp",
        "url": "https://analytics.example.com/v1/mcp",
        "description": "Internal analytics MCP server",
        "context": "Use this connector to query product analytics data. Returns JSON with metrics for DAU, MAU, and revenue."
      }
    }
  }
}

Both description and context are visible to all authenticated users through MCP tool discovery. Do not include secrets or sensitive information.

Each key in the servers map is a server ID that Aperture uses as a name prefix. For a connector named docs:

Tools from the docs server are prefixed with docs_ (for example, a tool named search becomes docs_search).
Resources use a hyphen instead of an underscore (for example, docs-files://readme.md).

Name prefixing prevents collisions when multiple servers expose tools with the same name. Clients receive the prefixed names and Aperture automatically strips the prefix when forwarding calls to the remote server.

Legacy syntax (no flag required)

The mcp.servers syntax is deprecated and does not require the connectors feature flag. New configurations should use the connectors syntax shown above. Refer to the connectors feature guide for migration details.

{
  "mcp": {
    "servers": {
      "docs": {
        "url": "http://docs.example.ts.net:8185/v1/mcp"
      },
      "remote": {
        "url": "http://mcp-server.example.ts.net:8080/v1/mcp"
      }
    }
  }
}

The Aperture host uses its tailnet HTTP client for connections to remote MCP servers, so you can use tailnet hostnames (for example, http://mcp-server.example.ts.net:8080/v1/mcp) without additional network configuration.

Step 2: Grant access to MCP tools

Aperture is deny-by-default. Without MCP grants, users cannot access any MCP capabilities. Add MCP grants in the grants section of your configuration.

MCP grants use the connectors field with "connectorID/category/resource" FQN glob patterns. The following example grants all users access to all tools from the docs connector and all built-in Aperture tools:

{
  "grants": [
    {
      "src": ["*"],
      "app": {
        "tailscale.com/cap/aperture": [
          {"connectors": ["aperture/**"]},
          {"connectors": ["docs/tools/*"]}
        ]
      }
    }
  ]
}

You can use * to match any characters within a single path segment (it does not cross /) and ** to match zero or more segments. For example:

"docs/tools/search" matches the search tool from the docs connector.
"docs/tools/*" matches all tools from the docs connector.
"docs/**" matches all capabilities (tools, resources, templates) from the docs connector.
"**" matches all capabilities from all connectors.

Aperture checks grants when clients list available tools and resources, and enforces them at invocation time. Users can only access the items their grants permit.

The deprecated mcp_tools and mcp_resources grant fields continue to work for backward compatibility with the "server/item" pattern syntax. New configurations should use the connectors field.

Refer to the grants configuration reference for the full grants syntax, or follow the grant access to MCP tools guide for a step-by-step walkthrough.

The grant examples on this page use Aperture configuration syntax, where the dst field is not required because the destination is the Aperture device itself. If you define grants in the tailnet policy file instead, you must include a dst key specifying the Aperture device (for example, "dst": ["tag:aperture"]). Omitting dst in a tailnet policy file grant causes the grant to silently have no effect. For a full comparison and conversion steps, refer to Aperture grants vs. tailnet policy file grants.

Step 3: Connect an MCP client

Configure your MCP client (the AI agent host) to use the Aperture URL as the MCP server endpoint. For example, in an MCP client configuration file:

{
  "mcpServers": {
    "aperture": {
      "url": "http://<aperture-hostname>/v1/mcp"
    }
  }
}

Replace <aperture-hostname> with the MagicDNS name of your Aperture instance.

Aperture automatically detects whether the client uses Streamable HTTP (the current MCP protocol) or legacy SSE and responds with the appropriate transport.

Step 4: Verify the connection

Connect your MCP client to http://<aperture-hostname>/v1/mcp and list available tools. The tool list should include prefixed names from all configured servers (for example, docs_search, remote_get_user).

Built-in tools

Aperture provides the following built-in tools through system connectors:

aperture system connector: Always present, but subject to a matching connectors grant like any other connector. Being a system connector confers no default access. Exposes the aperture_list_connectors tool (grant it with the FQN aperture/tools/list_connectors), which returns a list of all HTTP API connectors available through Aperture. Agents call this tool to discover available authenticated API proxies.
aperture_web_search and aperture_web_fetch: Available when the web_tools feature flag is enabled and an EXA API key is configured. These tools let agents search the web and fetch page content.

Grant access to system connector tools with "connectors": ["aperture/**"] or "connectors": ["aperture/tools/*"]. Grant access to web tools with "connectors": ["aperture/tools/web_search"] or the broader "aperture/**" pattern.

Common scenarios

The following sections describe common tasks related to MCP server proxying.

Enable dynamic registration

Dynamic registration lets MCP servers register themselves with Aperture at runtime instead of being configured statically. Set accept_registrations to true in the mcp section.

{
  "mcp": {
    "accept_registrations": true,
    "servers": {}
  }
}

When dynamic registration is enabled, remote servers register by sending a POST request to /v1/mcp/register with a JSON body containing their URL:

curl -X POST http://<aperture-hostname>/v1/mcp/register \
  -H "Content-Type: application/json" \
  -d '{"url": "http://my-mcp-server:8080/v1/mcp"}'

Aperture performs an initial capability fetch from the registering server, then responds with HTTP 200 and begins polling the server for capability changes. Each dynamically registered server receives a sequential ID (auto1, auto2, and so on) and its tools are prefixed accordingly (for example, auto1_search).

The registration endpoint requires Tailscale authentication, the same as all other Aperture endpoints. The registering server must be accessible through the tailnet.

The registering server must keep the HTTP connection to /v1/mcp/register open. Aperture sends keepalive messages on this connection every second. When the server closes the connection, Aperture automatically unregisters all of its tools and resources.

You can combine static servers and dynamic registration in the same configuration. Static servers are always available, while dynamically registered servers come and go as they connect and disconnect.

Connect with per-user OAuth authorization

The oauth2_authorization_code auth type enables per-user OAuth flows. Each user completes their own authorization and Aperture manages tokens per-user.

{
  "connectors": {
    "servers": {
      "linear": {
        "protocol": "mcp",
        "url": "https://mcp.linear.app/sse",
        "auth": {
          "type": "oauth2_authorization_code",
          "client_id": "your-client-id",
          "auth_url": "https://linear.app/oauth/authorize",
          "token_url": "https://api.linear.app/oauth/token",
          "scopes": ["read", "write"]
        }
      }
    }
  }
}

Per-user OAuth uses lazy population: tools do not appear until the user completes the OAuth flow.

The client_secret field is optional and not required for PKCE-only flows. Use auth_params to pass extra parameters to both the OAuth authorization and token requests, such as "access_type": "offline" to obtain refresh tokens.

HTTP API connectors

Aperture can also proxy HTTP API requests through connectors with protocol: "http". These connectors act as authenticated reverse proxies that inject credentials into outgoing requests.

HTTP connectors are accessed through /v1/connectors/<id>/<path> rather than /v1/mcp. Agents discover available HTTP connectors by calling the aperture_list_connectors tool exposed by the aperture system connector.

{
  "connectors": {
    "servers": {
      "github": {
        "protocol": "http",
        "url": "https://api.github.com",
        "description": "GitHub REST API (read-only)",
        "auth": {
          "type": "bearer_token",
          "secret": "github_pat_example"
        }
      }
    }
  }
}

Refer to the connectors feature guide for full documentation on HTTP API connectors, including supported auth types and access control.

MCP configuration reference

Refer to the Aperture configuration reference for the full mcp configuration syntax. The following sections describe how Aperture handles transport detection and server availability.

For connectors configuration, including HTTP API connectors and auth types, refer to the connectors feature guide and the connectors configuration reference.

Transport auto-detection

Aperture automatically detects whether each remote MCP server supports Streamable HTTP (the current protocol) or legacy SSE. When connecting to a remote server, Aperture tries Streamable HTTP first and falls back to SSE if the server does not support it. Remote servers can be upgraded to a later protocol version without restarting Aperture.

The same auto-detection applies to clients connecting to Aperture's /v1/mcp endpoint. Aperture serves both Streamable HTTP and legacy SSE clients.

Capability polling

Aperture polls each configured remote MCP server every 5 seconds to detect capability changes. When a remote server adds or removes tools or resources, Aperture automatically updates the registrations, making the changes visible to connected clients.

If a remote server becomes unavailable, Aperture unregisters all of its tools and resources until the server recovers. Polling continues in the background, and Aperture re-registers capabilities when the server comes back online.

Servers using oauth2_authorization_code authentication are an exception. They have no 5-second background poller because capabilities are per-user. Instead, Aperture loads a user's capabilities lazily when that user starts a session, and refreshes them when the user calls the capability refresh endpoint (PUT /api/connectors/<id>/capabilities).

Limitations

MCP server proxying has the following limitations:

Experimental feature: The MCP configuration syntax and grants format are not yet stable and can change in future releases.
Polling-based discovery: Aperture detects remote server capability changes through polling (every 5 seconds), not push notifications, except for oauth2_authorization_code connectors, whose per-user capabilities load lazily. There is a brief delay between a remote server adding a tool and that tool becoming available to clients.
Grant enforcement: Aperture enforces grants at both listing and invocation time. Users can access only the tools and resources their grants permit, and Aperture rejects tools/call and resources/read requests that do not match a grant with an "unknown tool" or "unknown resource" error.

Troubleshooting

Use the following sections to diagnose and resolve common issues with MCP server configuration.

MCP tools do not appear

If tools from a configured MCP server are not visible:

Verify the URL in your configuration is correct and the MCP server is running.
Check that the MCP server is reachable from the Aperture host. Test with curl -v <your-mcp-server-url> from the Aperture host.
Verify your grants include connectors patterns (or the deprecated mcp_tools patterns) that match the server and tool names. Without grants, users cannot access any MCP tools.

Connection refused or host not found

These errors indicate the MCP server URL is unreachable.

Connection refused: The server is not running or is not listening on the configured port.
Host not found: The hostname cannot be resolved. For tailnet hostnames, verify the MCP server device is connected to the tailnet and check with tailscale status.

Tools appear and then disappear

If tools are briefly visible and then become unavailable, the remote MCP server is likely crashing or restarting. Aperture automatically unregisters tools when a remote server becomes unreachable and re-registers them when the server recovers.

Dynamic registration fails

If remote servers cannot register dynamically:

Verify accept_registrations is set to true in your mcp configuration.
Ensure the remote server sends a valid POST request to /v1/mcp/register with a JSON body containing {"url": "<mcp-server-url>"}.
The remote server must keep the HTTP connection open after registration. If the connection closes, Aperture unregisters the server's tools immediately.

Tool calls time out

If tool calls fail with timeout errors, the remote MCP server is taking too long to respond. Aperture retries tool calls once on connection errors. Check the remote server's performance and ensure it can respond within a reasonable time.