Documentation Grafana documentation Developer resources Grafana MCP server Configure Client TLS

Client TLS (Grafana connection)

If your Grafana instance uses mTLS or a custom CA, configure the MCP server to use the correct certificates when it calls the Grafana API.

What you’ll achieve

The server uses your client certificate and key (and optionally a CA file) for HTTPS requests to Grafana, or verifies Grafana’s server certificate with a custom CA.

Before you begin

• Client certificate and key (and CA file if needed) for your Grafana endpoint.
• The server installed (binary or Docker with access to the cert files).

Configure client TLS

Use these flags when starting the server:

• –tls-cert-file – Path to the client certificate file.
• –tls-key-file – Path to the client private key file.
• –tls-ca-file – Path to the CA certificate file for server verification.
• –tls-skip-verify – Skip TLS verification (insecure; use only for testing).

Example:

Bash Copy

mcp-grafana \
  --tls-cert-file /path/to/client.crt \
  --tls-key-file /path/to/client.key \
  --tls-ca-file /path/to/ca.crt

With Docker, mount the cert directory and pass the paths inside the container (for example, /certs/client.crt).

Next steps

• Client configuration examples for full MCP JSON (binary and Docker) with TLS flags.
• Server TLS (streamable-http) if you want HTTPS for the MCP server itself.
• Authentication for Grafana credentials.
• Command-line flags for all TLS-related flags.