Liongard MCP Server Integration Guide

This guide explains how to generate MCP access tokens in your Admin panel and configure Liongard’s MCP Server integration. To get started, follow the steps below to securely authenticate and connect your MCP server with Liongard.

Overview

• MCP Access Tokens: Provides secure, tenant-wide API access to MCP data.
• Access is not scoped by user permissions: Exercise appropriate caution and management.
• Vendors Access Tokens: Only user access tokens are supported. Vendor tokens coming soon.
• Key Use Case: Integrate MCP data with Liongard for asset inventory, configuration monitoring, and security insights.

1. Generate an MCP Access Token

1. Navigate to Admin > AI > MCP Admin.

2. Click the Access Tokens tab.

   

3. Click Create Credential.

   1. 
      

4. Fill Out Credential Details.

   1. Label: Input a meaningful name (e.g., "Liongard Integration").

   2. Expiration (Optional): Set an expiration date if desired for better key rotation and security.

   3. Environments (Optional): Scope the token to specific environments as needed. Leave empty for full access. (Environment Group support is coming soon.)

      

5. Copy Access Key ID and Secret. ( Important : Copy and store these securely. You won’t be able to access the secret again.)

   1. Access Key ID should include the "lg_mcp_" prefix

6. Click DONE.

Configure the MCP Server Block for Liongard

You’ll add a block to your client configuration referencing the new key pair as follows:

"Liongard": {
    "url": "https://[server].app.liongard.com/api/mcp",
    "headers": {
        "Authorization": "Bearer [ACCESS_KEY_ID]:[ACCESS_KEY_SECRET]",
        "MCP-Protocol-Version": "2025-11-25"
    }
}

Sample (with URL and key redacted):

"Liongard": {
    "url": "https://xxxxx.app.liongard.com/api/mcp",
    "headers": {
        "Authorization": "Bearer lg_mcp_xxxxxxxxxx:xxxxxxxxxxxxxxxxxxx",
        "MCP-Protocol-Version": "2025-11-25"
    }
}

---

Integrating with OpenAI

1. Add a new tool.

   

2. MCP Server Tool → + Server.

   

3. Populate with the following + your own instance endpoint url and MCP token.

   

4. Click connect, then it should populate the tools

   

5. Add to the prompt and use the tool!

---

Integrating with Zed

1. Select Configure Remote

   

2. Configure the Server with the appropriate URL and headers

3. Authorization key is the complete string, including Bearer prefix and token with secret separated by a :

4. Once configured, return to Settings and toggle on the server

   

---

Integrating with Cursor

{
  "mcpServers": {
        "Liongard": {
            "url": "https://[server].app.liongard.com/api/mcp",
            "headers": {
                "Authorization": "Bearer [ACCESS_KEY_ID]:[ACCESS_KEY_SECRET]",
                "MCP-Protocol-Version": "2025-11-25"
            }
        }
    }
}

• Add the json blob with the key and secret.

  

• Once completed, you should see the Liongard MCP enabled.

---

Integrating with n8n

1. Select “Create New Credential“

   

2. Choose “Multiple Headers Auth”

   

3. Use these three headers

   1. Authorization: the MCP token from the dashboard (Authorization key is the complete string, including Bearer prefix and token with secret separated by a :)

   2. Accept: application/json

   3. MCP-Protocol-Version: 2025-06-18

      

4. Create an MCP client node, using this credential as the auth and https://(instance).app.liongard.com/api/mcp as the MCP endpoint url.

   

---

Integrating with Claude Code

🚧

NOTE: Claude Desktop Chat does not work with the Liongard MCP yet, as we do not support Oauth

1. Install Claude Code locally

2. Create a new local project under your root user folder or wherever.

   

3. Under the Claude Code tab, select the folder.

4. Within the folder, place the following code config, but replace it with your own bearer token, server, and name

{
  "mcpServers": {
    "Liongard": {
      "type": "http",
      "url": "https://[server].app.liongard.com/api/mcp",
      "headers": {
        "Authorization": "Bearer [ACCESS_KEY_ID]:[ACCESS_KEY_SECRET]",
        "MCP-Protocol-Version": "2024-11-05"
      }
    }
  }
}

---

Microsoft Copilot Studio (Coming Soon!)

1. Select Agents

2. Click Tools > Add a Tool

   

3. Select MCP

   

4. Provide the details

   

   1. Server Name: [Preferred Name]
      Server Description: Provides Liongard system configuration data and asset intelligence
      Server URL: https://[server].app.liongard.com
      Authentication: API Key
      Type: Header
      Header name: Authorization

5. Next step, paste in the full string Bearer [ACCESS_KEY_ID]:[ACCESS_KEY_SECRET]

   

6. Subsequent screen should display the list of tools:

   

7. When testing, it may take you back to Manage your connections

   

8. Follow the steps to select the Tool for the agent to use.

---

OpenAI ChatKit

1. Within an Agent or MCP type node
   1. 

      Configure the a new MCP Server hosted tool

   2. 

      Click the “+Server” button from the top right corner

      1. 

         Configure the Connection with the following values

         

      2. URL: https://[SERVER].app.liongard.com
         Label: Liongard
         Description (optional): Label as needed
         Authentication: Select Custom Headers
         Authorization: Bearer [ACCESS_KEY_ID]:[ACCESS_KEY_SECRET]
         Accept: application/json
         MCP-Protocol: 2025-11-25

2. Click Connect and a chip should appear in the configuration panel Tools section
3. The MCP configuration screen should also display any available tools upon successful connection
   1. Select the desired tool calling Approval level
4. To test the chat functionality, toggle on the interface to Preview mode

3. Verify and Manage Credentials

• **Status: **Active/inactive state visible in the Access Tokens list.
• Manage: Revoke any credential immediately if compromised.
• Environment Scoping: Ensure your token is scoped correctly per best practices (e.g., only to required environments).

4. Security and Compliance Notes

• Credential Management: Store both Access Key ID and Secret securely (e.g., password manager).
• Tenant-wide Access: All MCP data accessed via these credentials is available tenant-wide and not restricted by user role.
• Best Practices:
  • Rotate keys regularly.
  • Set expirations.
  • Scope tokens as narrowly as possible per environment.

5. Registry Tab

• Registry: For advanced configuration and observing registered resource types.

6. Troubleshooting

• Missing Data: Confirm that the right environments are selected for the token.
• Invalid Key: Double-check for extra spaces or missing characters in the Authorization header.
• Expiration: Ensure your token has not expired.

7. Tools

Environments

• What it does: Lists and looks up your customer accounts (environments) in Liongard. Think of environments as folders, one per client or organization you manage.
• Example question: "Show me all my client environments that have 'Production' in the name."

---

Systems

• What it does: Shows the IT systems Liongard is monitoring for things like email servers, firewalls, cloud services, domains, and certificates. You can search, filter, and inspect any system.
• Example question: "What Exchange servers are being monitored across my clients?"

---

Assets (Inventory)

• What it does: Searches your device and identity inventory for computers, servers, and user accounts Liongard has discovered. This is your go-to for questions about specific people or machines.
• Example question: "Find all devices manufactured by Dell in the Acme Corp environment."

---

Metrics

• What it does: Evaluates and generates data checks against your systems. Metrics answer specific "what is the current state?" questions about configurations, like whether MFA is enabled or how many licenses are in use.
• Example question: "How many users have MFA disabled in our Microsoft 365 tenant?"

---

Alerts

• What it does: Retrieves actionable notifications triggered when something important changes or a rule is violated — like a certificate expiring or a security setting being turned off.
• Example question: "Show me all new, unresolved alerts for Acme Corp from the past week."

---

Detections (Change Detections)

• What it does: Tracks what changed between inspections. If a DNS record was updated, a configuration was modified, or a certificate expired, detections surface that change.
• Example question: "What configuration changes were detected in the Contoso environment recently?"

---

Timeline

• What it does: Shows the history of inspection runs, when they happened, whether they succeeded or failed, and what they found. Useful for understanding inspection health and history.
• Example question: "Did the last inspection for our firewall system complete successfully?"

---

Launchpoints

• What it does: Manages how and when inspections run, the schedules, credentials, and connection details. Useful for diagnosing why an inspection might be failing or not running on time.
• Example question: "Are there any launchpoints in an error state for the Acme Corp environment?"

---

Reports

• What it does: Retrieves generated reports and summaries, the kind you'd share in a client review or compliance audit. These pull together data from systems, metrics, and detections into a readable format.
• Example question: "Assess the domain expiration report for Acme Corp."

---

Query (Natural Language)

• What it does: Lets you ask complex, cross-cutting questions in plain English. It reasons across environments, systems, metrics, and assets to give you a synthesized answer — no filters or technical syntax needed.
• Example question: "Which of my environments have the most alerts this month, and what are they about?"