The Checkly MCP Server uses OAuth and Checkly account authorization together. OAuth permissions decide which tools are visible to your MCP client. Checkly account membership, role, and feature entitlements decide whether a specific tool call can operate on an account.
Authentication
The MCP Server accepts Auth0-issued bearer tokens for https://api.checklyhq.com/mcp. Your MCP client completes the OAuth flow and sends the token with requests to the MCP endpoint.
The public MCP Server only supports OAuth clients that Checkly has approved in Auth0. Supported clients use Client ID Metadata Documents (CIMD). Checkly rejects clients that attempt to use Dynamic Client Registration (DCR). See known client limitations for unsupported clients.
Checkly maps the token subject to a Checkly user, then loads that user’s account memberships and account context for tool calls.
OAuth permissions
| Permission | Description |
|---|---|
| checkly:account:read | Read your Checkly account membership and status |
| checkly:account:invite | Invite members to your Checkly account |
| checkly:checks:read | List checks, their status and results |
| checkly:checks:run | Trigger Checkly checks and on-demand test sessions |
| checkly:incidents:read | Read your Checkly incidents |
| checkly:incidents:write | Create and update your Checkly incidents |
| checkly:environment-variables:read | Read your Checkly account environment variables (secret values excluded) |
| checkly:environment-variables:write | Create, update and delete your Checkly account environment variables |
| checkly:status-pages:read | Read your Checkly status pages |
| checkly:rca:read | Read your Checkly root cause analyses |
| checkly:rca:run | Run Checkly root cause analysis for your account |
| checkly:test-sessions:read | Read your Checkly test sessions |
| checkly:assets:read | Read your Checkly assets |
Tools are filtered from tools/list when the MCP session does not include the required permission. Tool calls are also rejected if the session lacks the required permission.
Account context
Most tools operate on one Checkly account. You can select a specific account in your prompt or pin an account in your MCP client configuration. See Use a specific account for setup examples.
Accounts that require mTLS are not available through the public MCP Server.
Role checks
Some tools require both an OAuth permission and a Checkly account role:
| Tool or action | Additional account access required |
|---|---|
| invite-account-member | Owner or Admin |
| create-account-environment-variable | Write access |
| update-account-environment-variable | Write access |
| trigger-checks | Run access |
| trigger-root-cause-analysis | Run access |
| Status page incident writes | Access required by the underlying incident action |
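The two layers described under OAuth permissions and Role checks (permission filtering of tools/list plus per-call rejection, then the account role check) can be modeled as below. This is an added example, not Checkly's code: the pairing of tools to permissions, the role names other than owner and admin, the account IDs, and all function names are assumptions.

```python
from dataclasses import dataclass

# Tool and permission names are from the page; how they pair up is an assumption.
TOOLS = {
    "invite-account-member": ("checkly:account:invite", "admin"),
    "create-account-environment-variable": ("checkly:environment-variables:write", "write"),
    "trigger-checks": ("checkly:checks:run", "run"),
    "trigger-root-cause-analysis": ("checkly:rca:run", "run"),
}

# Hypothetical role model: access levels granted by each account role.
ROLE_ACCESS = {
    "owner": {"admin", "write", "run"},
    "admin": {"admin", "write", "run"},
    "read_write": {"write", "run"},
    "read_run": {"run"},
    "read_only": set(),
}

@dataclass
class Session:
    permissions: frozenset  # OAuth permissions granted to the MCP session
    memberships: dict       # account_id -> role of the mapped Checkly user

def list_tools(session):
    """tools/list: hide tools whose OAuth permission the session lacks."""
    return sorted(t for t, (perm, _) in TOOLS.items() if perm in session.permissions)

def authorize_call(session, tool, account_id, mtls_accounts=frozenset()):
    """Return (allowed, reason) for one tool call against one account."""
    if tool not in TOOLS:
        return False, "unknown tool"
    perm, access = TOOLS[tool]
    # Re-check the permission at call time: a client can name a tool
    # that was filtered out of tools/list.
    if perm not in session.permissions:
        return False, "missing OAuth permission " + perm
    if account_id in mtls_accounts:
        return False, "account requires mTLS"
    role = session.memberships.get(account_id)
    if role is None:
        return False, "not a member of account"
    if access not in ROLE_ACCESS.get(role, set()):
        return False, "role lacks " + access + " access"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample session: two permissions, one run-only membership.
    s = Session(frozenset({"checkly:checks:run", "checkly:account:invite"}), {"acct-1": "read_run"})
    print(list_tools(s), authorize_call(s, "invite-account-member", "acct-1"))
```
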
Write-action safety
Some MCP tools create side effects:
- invite-account-member sends an invite email and is not idempotent.
- trigger-checks consumes check-run execution quota.
- trigger-root-cause-analysis consumes RCA invocation quota.
- create-status-page-incident, update-status-page-incident, and resolve-status-page-incident can notify subscribers and are not idempotent.
- Environment variable write tools can create or replace account-level variables and secrets.
Review write tool calls in your MCP client before approving them.
Secrets
MCP read tools never reveal Checkly secret values. Secret values are returned as null.
When you create or update a secret through MCP, Checkly encrypts the value and does not echo it back in the tool response.