Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. Please view the current version.

Documentationbreadcrumb arrow Grafana documentationbreadcrumb arrow Developer resourcesbreadcrumb arrow Grafana MCP serverbreadcrumb arrow Configurebreadcrumb arrow Command-line flags
Enterprise Open source

Command-line flags

The mcp-grafana binary accepts flags for transports, tools, TLS, and observability. Run mcp-grafana --help for the exact list in your installed build.

What you’ll achieve

You can look up defaults, choose --disable-* flags, or configure TLS without reading the source.

Before you begin

Configure transport and HTTP options

  • -t / --transport: Transport type (stdio, sse, or streamable-http). Default: stdio.
  • --address: Host and port for the SSE or streamable-http server. Default: localhost:8000.
  • --base-path: Base path for the SSE or streamable-http server.
  • --endpoint-path: HTTP path for the streamable-http MCP endpoint. Default: /mcp.
  • --session-idle-timeout-minutes: Idle timeout for streamable-http sessions, in minutes. Sessions with no activity for this duration are automatically reaped. Set to 0 to disable. Default: 30.

Configure HTTP transport security

The SSE and streamable-http transports validate Host and Origin headers on every route (/sse, /mcp, /healthz, /metrics) to block DNS-rebinding attacks. Stdio transport is unaffected.

  • --allowed-hosts: Comma-separated allowlist of Host header values. When unset (or when the parsed value is empty — for example, ,,,), it falls back to loopback variants of --address (for example, localhost:8000, 127.0.0.1:8000, [::1]:8000). Pass * to disable the check — only safe behind a trusted reverse proxy that rewrites Host.
  • --allowed-origins: Comma-separated allowlist of Origin header values. Empty by default — any request that carries an Origin header is rejected (browsers always send Origin for cross-origin requests, and no browser should be calling this server directly). Pass an explicit list to permit browser clients, or * to disable the check.

When deploying behind an ingress or reverse proxy that forwards the original Host, set --allowed-hosts to the expected hostname (or * if the proxy is fully trusted). Kubernetes httpGet liveness/readiness probes send Host: <pod-ip>:<port> by default — either set --allowed-hosts '*', override the probe’s host: field, or use a tcpSocket probe. External /metrics scrapes must add the scrape source’s Host to the allowlist (or use --metrics-address to bind metrics on a separate port, which is unaffected).

Configure debug and logging

  • --debug: Enable debug mode for detailed HTTP request and response logging to and from the Grafana API.
  • --log-level: Log level (debug, info, warn, error). Default: info.

Configure observability endpoints

  • --metrics: Expose a Prometheus metrics endpoint at /metrics (SSE and streamable-http only).
  • --metrics-address: Optional separate listen address for metrics (for example, :9090). If empty, metrics are served on the main HTTP server.

Configure tool categories

  • --enabled-tools: Comma-separated list of enabled tool categories. The default is exactly:

    search,datasource,incident,prometheus,loki,alerting,dashboard,folder,oncall,asserts,sift,pyroscope,navigation,proxied,annotations,rendering,snapshot

    Categories not in that default string are off until you add them, including: admin, elasticsearch, cloudwatch, examples, clickhouse, snowflake, influxdb, quickwit, and runpanelquery. Pass a full comma-separated list to replace the default entirely, or use --disable-* flags to turn off pieces of the default set.

  • --disable-search: Disable search tools.

  • --disable-datasource: Disable datasource tools.

  • --disable-incident: Disable incident tools.

  • --disable-prometheus: Disable Prometheus tools.

  • --disable-write: Disable write tools (read-only mode; refer to the following section).

  • --disable-loki: Disable Loki tools.

  • --disable-elasticsearch: Disable Elasticsearch tools.

  • --disable-quickwit: Disable Quickwit tools.

  • --disable-influxdb: Disable InfluxDB tools.

  • --disable-alerting: Disable alerting tools.

  • --disable-dashboard: Disable dashboard tools.

  • --disable-folder: Disable folder tools.

  • --disable-oncall: Disable OnCall tools.

  • --disable-asserts: Disable Asserts tools.

  • --disable-sift: Disable Sift tools.

  • --disable-admin: Disable admin tools.

  • --disable-pyroscope: Disable Pyroscope tools.

  • --disable-navigation: Disable navigation (deeplink) tools.

  • --disable-rendering: Disable rendering tools (panel or dashboard image export).

  • --disable-snapshot: Disable snapshot tools.

  • --disable-cloudwatch: Disable CloudWatch tools.

  • --disable-examples: Disable query examples tools.

  • --disable-clickhouse: Disable ClickHouse tools.

  • --disable-snowflake: Disable Snowflake tools.

  • --disable-runpanelquery: Disable run panel query tools.

  • --disable-annotations: Disable annotation tools.

  • --disable-proxied: Disable proxied tools (tools from external MCP servers).

  • --disable-provisioning: Disable provisioning tools.

Configure tool limits

  • --max-loki-log-limit: Maximum number of log lines returned per query_loki_logs call.

Run in read-only mode

--disable-write prevents write operations to Grafana. Use it with read-only service accounts, safer production assistants, or to avoid accidental changes.

When enabled, the following writes are disabled:

Dashboard tools

  • update_dashboard

Folder tools

  • create_folder

Incident tools

  • create_incident
  • add_activity_to_incident

Alerting tools

  • alerting_manage_rules (create, update, delete)

Annotation tools

  • create_annotation
  • update_annotation

Sift tools

  • find_error_pattern_logs (creates investigations)
  • find_slow_requests (creates investigations)

Snapshot tools

  • create_snapshot
  • delete_snapshot

Read operations (queries, lists, searches) stay available.

Configure client TLS for Grafana

  • --tls-cert-file: Client certificate for mTLS to Grafana.
  • --tls-key-file: Client private key.
  • --tls-ca-file: CA certificate for verifying Grafana’s server certificate.
  • --tls-skip-verify: Skip TLS verification (insecure; testing only).

Configure server TLS for streamable-http

These flags secure the MCP HTTP server (between your MCP client and mcp-grafana), not the connection from mcp-grafana to Grafana:

  • --server.tls-cert-file: Server certificate for HTTPS.
  • --server.tls-key-file: Server private key.
  • --version: Print the version and exit.

Next steps