Accessing 12Port via MCP (Model Context Protocol)

The platform provides integration with the Model Context Protocol (MCP) to enable AI agents and automation services to securely discover and request privileged credentials through the 12Port PAM API.

This capability allows AI-driven tools to dynamically obtain authorized credentials required to access protected resources (for example databases, services, or infrastructure systems) without embedding secrets directly in agent configurations.

Overview

When MCP support is enabled, the PAM system exposes a discovery endpoint that allows compatible agents to identify available MCP services and obtain information about how to request credentials.

Agents interact with the system using the following workflow:

  1. The agent retrieves the MCP discovery document from the tenant-specific endpoint.
  2. The discovery document identifies the available MCP service and its REST API specification.
  3. The agent authenticates and requests access credentials through the MCP service.
  4. If the request is authorized, the PAM system issues the appropriate credentials for the target resource.

This approach ensures that sensitive credentials remain centrally managed and are only issued when required by an authorized agent.

MCP Discovery Endpoint

Each tenant exposes an MCP discovery endpoint that allows agents to locate the MCP service.

Example discovery URL, where <TENANT> is the unique name of a tenant within the 12Port PAM deployment:

https://contoso.pam.com:6443/ztna/<TENANT>/root/.well-known/agent.json

The discovery document provides metadata describing the MCP service and references the REST API specification used by agents to interact with the service.

MCP Service API

The MCP Service exposes a REST API that enables agents to:

  • Discover available credential resources
  • Request temporary or managed credentials
  • Retrieve access information for protected systems
  • Integrate with automated workflows requiring privileged access

The API specification referenced by the discovery document can be reviewed using an OpenAPI-compatible browser.

Example API specification location:

../.well-known/mcp-agent.json

The specification describes all available MCP endpoints, request formats, authentication requirements, and response structures.
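
An agent-side check for steps 1 and 2 of the workflow, added here as an example and not 12Port's own code: it builds the discovery URL in the form shown above and resolves the specification reference, refusing any location that leaves the tenant's HTTPS origin or path before the agent authenticates to it. Resolving the relative reference against the discovery URL, the tenant-name character set, the tenant name "acme", and the function names are assumptions.

```python
from urllib.parse import unquote, urljoin, urlsplit


def discovery_url(base: str, tenant: str) -> str:
    """Build the tenant discovery URL in the form shown on this page."""
    # Assumed tenant-name character set: letters, digits, '-' and '_'.
    if not tenant or not tenant.replace("-", "").replace("_", "").isalnum():
        raise ValueError("unexpected tenant name")
    return f"{base.rstrip('/')}/ztna/{tenant}/root/.well-known/agent.json"


def resolve_spec_url(discovery: str, spec_ref: str) -> str:
    """Resolve the specification reference; refuse anything outside the tenant scope."""
    d = urlsplit(discovery)
    if d.scheme != "https":
        raise ValueError("discovery URL must use https")
    # Assumption: a relative reference is resolved against the discovery URL.
    resolved = urljoin(discovery, spec_ref)
    r = urlsplit(resolved)
    # Same scheme, host and port, so the agent never sends its credentials elsewhere.
    if (r.scheme, r.hostname, r.port) != (d.scheme, d.hostname, d.port):
        raise ValueError("specification is on a different origin")
    # Everything before "/.well-known/" is the tenant root, e.g. /ztna/<TENANT>/root/
    tenant_root = d.path.rsplit("/.well-known/", 1)[0] + "/"
    if ".." in unquote(r.path).split("/") or not r.path.startswith(tenant_root):
        raise ValueError("specification is outside the tenant path")
    return resolved


if __name__ == "__main__":
    disc = discovery_url("https://contoso.pam.com:6443", "acme")  # constructed tenant name
    print(resolve_spec_url(disc, "../.well-known/mcp-agent.json"))
```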

Authorization

Access to the MCP Service REST API is controlled through a dedicated MCP Service site role.

Only services or identities assigned the Site Role: MCP Service are permitted to interact with MCP endpoints and request credentials. This ensures that only authorized agents or automation tools can obtain sensitive access information.