Connecting to MCP servers and using MCP tools in action flows (EAP)

All Suites

Growth, Professional, Enterprise, or Enterprise Plus

Support

Team, Professional, or Enterprise

Support for MCP servers and MCP tools is currently in an early access program (EAP). To participate, click Activate early access and accept the EAP terms.

The Model Context Protocol (MCP) lets admins connect Zendesk to external MCP servers, discover the tools those servers provide, and use those tools as steps in action flows. This extends your Zendesk workflows to interact with third-party systems—such as project management tools, e-commerce platforms, or internal knowledge systems—without building custom API integrations.

MCP connections are created and managed in Admin Center. After you create a connection, Zendesk retrieves the available MCP tools from that server and displays them in the action builder so you can use them in action flows and, optionally, surface those flows to agents through auto assist.

This article contains the following topics:

Considerations for using the MCP tools
Creating an MCP server connection
Using MCP tools in action flows

Considerations for using the MCP tools

Before you begin, keep the following in mind:

Authentication
- OAuth is the only supported authentication method for MCP server connections. Only HTTP servers are supported. Stdio transport is not supported.
Data residency and retention
- External MCP connections may transmit data outside your selected region.
- Step execution outputs are retained for seven days.
Action credits
- During the EAP, MCP tool actions won't consume action credits. However, when the MCP actions become generally available, they will consume action credits.
Connection and tool limits
- There are no limits to the number of MCP servers you can connect to your Zendesk account.
- Action builder can only expose the first page of tools returned by an MCP server for use in action flows.
- During the EAP, there is no way to re-discover or refresh the list of an MCP server's tools. To reflect tool changes in action builder, you must delete the MCP server connection and recreate it.
  Note: When you delete an MCP server connection, any action flows that use tools from the server stop working. To fix them, you must replace any MCP tool actions associated with the deleted server within the action flow.

Creating an MCP server connection

Admins can add MCP server connections. Connected MCP servers appear on the MCP connections page in Admin Center. When a server is connected, Zendesk automatically discovers the tools exposed by the MCP server and makes the first page of identified tools available for use in action flows.

To create an MCP server connection

In Admin Center, click Apps and integrations in the sidebar, then select Actions > MCP connections. You must be a Zendesk admin to create an MCP server connection.
Click Create MCP connection.
Under Basics, enter the connection's Name and Description.
Click Next.
In MCP server, enter the URL of your MCP server.
Click Test URL to validate the connection to the MCP server.
If prompted, enter the Client ID and Client Secret for the MCP server.
When prompted, use the MCP server's authentication popup to complete the OAuth authentication flow for the external service.
If your MCP server requires you to create an OAuth app in an external service, such as Github or HubSpot, when prompted for a Redirect or Callback URL, enter https://zis.zendesk.com/api/services/zis/connections/oauth/callback.
Click Save.

Examples of MCP servers

Here are some examples of MCP servers you can connect to. Many other vendors provide MCP servers, and you can also connect to your own organization's MCP server.

Asana

MCP server URL: https://mcp.asana.com/v2/mcp
Client details: Follow the directions at Create your OAuth app to generate a Client ID and Secret.

Stripe

MCP server URL: https://mcp.stripe.com
Client details: Not required. The Client ID and Secret will be detected automatically when you test the connection.

GitHub

MCP server URL: https://api.githubcopilot.com/mcp/
Client details: Follow the directions at Creating an OAuth app to generate a Client ID and Secret.

Using MCP tools in action flows

After you create an MCP server connection, the discovered tools are available for use in the action builder. MCP connectors are considered external actions and are identified by the connection name you provided and an MCP tag. For more information about action flows, see Understanding the action builder and action flows.

When the action flow runs, Zendesk calls the selected MCP tool on the external server using your configured inputs, then returns the tool’s output so you can use it in later steps.

MCP servers aren’t required to define an output schema. If no output schema is provided and the output is an object or array, it converts to a string. If needed, use custom code steps in action flows to transform it into another form, such as an object.

To add an MCP tool as a step in an action flow

Open the action builder and create or edit an action flow.
In the action builder, beneath an existing step, click the Add step icon ().
In the step sidebar, under External actions, click the menu options to select the connected MCP server and then the specific action.
In the step sidebar, enter the required inputs for the selected action. See Providing inputs for actions and steps.

Note: Defining an output schema is optional for MCP servers. If no output schema is defined and the tool returns an object, you can reference the entire object as a variable in subsequent steps, but you cannot select individual key-value pairs from within it. To extract specific key-value pairs, use a custom code step. For a step-by-step guide, see Using custom code to process objects output from MCP actions

Troubleshooting

Servers with restricted access: Zendesk does not support servers that restrict access by client during the EAP. However, in some cases you may be able to ask the MCP server owner to add the Zendesk MCP client to their allowlist. In that case, the server owner may ask for the following details:
- Zendesk IP ranges for your account: https://yoursubdomain.zendesk.com/ips
- Zendesk MCP client redirect URL: https://zis.zendesk.com/api/services/zis/connections/oauth/callback
PKCE (Proof Key for Code Exchange): MCP servers that use PKCE with the S256 challenge method are supported. Servers that only support the plain challenge method are not supported for security reasons.
Execution timeout and rate limits: MCP tool calls are subject to a 30-second timeout. Long-running tool operations may time out before completing. For rate limits, see Considerations for using action flows.
Authentication: MCP servers that require no authentication aren't supported. Zendesk's MCP client supports servers that implement OAuth 2.0 with auto-discovery using the standard well-known endpoints.
To troubleshoot authentication issues with public MCP servers or set up your own organization's MCP server, try the following:
1. Initiate the handshake.
  When the MCP client first attempts to connect, the server responds with 401 Unauthorized and includes a reference to a Protected Resource Metadata document in the WWW-Authenticate header.
```
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="mcp",
resource_metadata="https://your-server.com/.well-known/oauth-protected-resource"
```
  This tells the client that authorization is required and where to retrieve the information needed to begin the authorization flow.
2. Discover the protected resource metadata.
  The client fetches the Protected Resource Metadata document to learn about the authorization server, supported scopes, and other resource details.
  
  Request:
```
https://your-mcp-server.com/.well-known/oauth-protected-resource
```
  Example response (200 OK):
  {"resource":"https://your-mcp-server.com","authorization_servers":["https://your-auth-server.com"],"scopes_supported":["mcp:read","mcp:write"]}
3. Discover the authorization server.
  The client discovers the authorization server's capabilities by fetching its metadata.
  Request:
```
https://your-auth-server.com/.well-known/oauth-authorization-server
```
  This endpoint may be hosted on the same domain as the MCP server if your OAuth server runs there.
  
  Example response (200 OK):
```
{
  "issuer": "https://your-auth-server.com",
  "authorization_endpoint": "https://your-auth-server.com/oauth/authorize",
  "token_endpoint": "https://your-auth-server.com/oauth/token",
  "registration_endpoint": "https://your-auth-server.com/oauth/register",
  "code_challenge_methods_supported": ["S256"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "none"],
  "scopes_supported": ["mcp:read", "mcp:write"]
}
```
4. Register the client.
  Once discovery is complete, the client must be registered with the authorization server using one of the following methods:
  - Pre-registered client: The client is already registered with the authorization server. You manually provide the client details to complete the authorization flow when creating the MCP connection.
  - Dynamic Client Registration (DCR): The client registers itself dynamically with the authorization server. If the authorization server supports DCR, the client sends a registration request to the registration_endpoint with its client information.