This is documentation for the next version of Grafana documentation. For the latest stable release, go to the latest version.

Documentation Grafana documentation Developer resources Grafana MCP server Configure Client TLS

Client TLS (Grafana connection)

If your Grafana instance uses mTLS or a custom CA, configure the MCP server to use the correct certificates when it calls the Grafana API.

What you’ll achieve

The server uses your client certificate and key (and optionally a CA file) for HTTPS requests to Grafana, or verifies Grafana’s server certificate with a custom CA.

Before you begin

• Client certificate and key (and CA file if needed) for your Grafana endpoint.
• The server installed (binary or Docker with access to the cert files).

Configure client TLS

Use these flags when starting the server:

• –tls-cert-file – Path to the client certificate file.
• –tls-key-file – Path to the client private key file.
• –tls-ca-file – Path to the CA certificate file for server verification.
• –tls-skip-verify – Skip TLS verification (insecure; use only for testing).

Example:

Bash Copy

mcp-grafana \
  --tls-cert-file /path/to/client.crt \
  --tls-key-file /path/to/client.key \
  --tls-ca-file /path/to/ca.crt

With Docker, mount the cert directory and pass the paths inside the container (for example, /certs/client.crt).

Next steps

• Client configuration examples for full MCP JSON (binary and Docker) with TLS flags.
• Server TLS (streamable-http) if you want HTTPS for the MCP server itself.
• Authentication for Grafana credentials.
• Command-line flags for all TLS-related flags.