Skip to main content

Hosted MCP Server

Status: COMING SOON

Not yet available

The managed hosted endpoint (mcp.controlzero.ai) is not live yet. This page describes the planned hosted offering so you can evaluate it ahead of launch. The provisioning API exists in the backend, but the mcp.controlzero.ai URLs it returns do not resolve yet, so hosted MCP connections do not work today. The local MCP server is available now on all tiers and exposes the same tools.

The Hosted MCP Server will be a cloud-hosted version of the Control Zero MCP server that runs as an HTTP service. Any MCP-capable AI coding client will be able to connect to it via the Streamable HTTP transport protocol -- no local installation required.

Hosted vs Local

For the local (stdio) option, configure the Control Zero registry once: add @controlzero:registry=https://npm.controlzero.ai to your .npmrc (or run npm config set @controlzero:registry https://npm.controlzero.ai). It applies to npm install and npx for the whole @controlzero scope.

FeatureLocal (stdio)Hosted (HTTP)
TransportstdioStreamable HTTP
Installationnpm install -g @controlzero/mcp-serverNone (cloud-hosted)
AvailabilityAll tiersTeams tier (COMING SOON)
NetworkRuns on your machineRuns on Control Zero infrastructure
AuthenticationEnv var CONTROLZERO_API_KEYBearer token in HTTP header
ToolsAll 7 toolsAll 7 tools (identical)

Both versions expose the same 7 MCP tools covering policy lifecycle management, pre-flight policy checks, rapid safeguard provisioning, and expert knowledge lookup. See the full list in Available Tools below.

Provisioning

Via Dashboard

  1. Go to Integrations > MCP Server in the Control Zero dashboard
  2. In the Hosted MCP Server section, click Provision Hosted MCP
  3. The connection URL and client configuration snippets will appear
  4. Copy the configuration for your IDE

Via API

POST /api/projects/{projectID}/mcp/provision
Cookie: cz_session=<your dashboard session cookie>

Returns:

{
"status": "provisioned",
"mcp_url": "https://mcp.controlzero.ai/mcp",
"transport": "streamable-http",
"provisioned_at": "2026-04-11T10:00:00Z",
"instructions": "..."
}

Check Status

GET /api/projects/{projectID}/mcp/status

Deprovision

DELETE /api/projects/{projectID}/mcp/deprovision

Client Configuration

All configurations require your project API key (cz_live_* or cz_test_*).

Claude Desktop

Add to your Claude Desktop MCP configuration file:

{
"mcpServers": {
"controlzero": {
"url": "https://mcp.controlzero.ai/mcp",
"transport": "streamable-http",
"headers": {
"Authorization": "Bearer cz_live_YOUR_API_KEY"
}
}
}
}

Cursor

Add to Cursor's MCP settings:

{
"mcpServers": {
"controlzero": {
"url": "https://mcp.controlzero.ai/mcp",
"transport": "streamable-http",
"headers": {
"Authorization": "Bearer cz_live_YOUR_API_KEY"
}
}
}
}

VS Code (GitHub Copilot)

Add to VS Code settings JSON:

{
"mcp": {
"servers": {
"controlzero": {
"url": "https://mcp.controlzero.ai/mcp",
"transport": "streamable-http",
"headers": {
"Authorization": "Bearer cz_live_YOUR_API_KEY"
}
}
}
}
}

Windsurf / Cline / JetBrains

These clients support the Streamable HTTP transport. Use the same URL and headers pattern as above -- consult each client's documentation for the exact configuration file location.

Security Model (planned)

This section describes the launch design of the hosted service; none of it is live until the managed endpoint ships.

API Key Scoping

Every connection will be authenticated via the Authorization: Bearer header. The API key determines:

  • Project scope: The key is bound to a specific project. All tool calls operate within that project's policies, rules, and audit trail.
  • Organization scope: The key inherits the organization's tier and feature flags.
  • Scope enforcement: The key's scopes (read, write, admin) are enforced on every tool call.

Transport Security

  • All connections will use TLS (HTTPS only)
  • The server will run behind a managed reverse proxy with automatic TLS certificates
  • CORS headers will allow cross-origin requests (for web-based clients)
  • Rate limiting: 100 requests per minute per API key

Data Flow

AI Client -> HTTPS -> mcp.controlzero.ai -> Control Zero Backend API -> Response

The hosted MCP server will act as a thin translation layer between the MCP protocol and the Control Zero REST API. It will not cache or persist any data beyond the lifetime of a single request.

Available Tools

All 7 MCP tools will be available through the hosted server (the same set the local MCP server exposes today):

ToolDescription
list_policiesList all active governance policies
create_policyCreate a new governance policy (Model Block, Cost Cap, PII, Identity)
update_policyUpdate an existing governance policy
delete_policyDelete a governance policy
provision_safeguardsRapidly provision standard security safeguards (PII block + cost cap)
check_policyPre-flight check whether a specific action would be allowed or denied by active governance policies
expert_queryQuery the Control Zero expert knowledge base (pii-patterns, best-practices)

In addition, the server will expose two reference resources (cz://docs/pii-patterns, cz://docs/best-practices) and one prompt template (setup-hipaa-compliance).

Troubleshooting (once live)

"Invalid API key" (401)

  • Ensure the API key starts with cz_live_ or cz_test_
  • Verify the key has not been revoked in the dashboard
  • Check that the key belongs to a project in a Teams-tier organization

Connection timeout

  • Verify your network allows outbound HTTPS to mcp.controlzero.ai
  • Check if a corporate proxy or firewall is blocking the connection
  • The server has a 10-second timeout per request

"Method not found"

  • Ensure your MCP client is using the Streamable HTTP transport, not stdio
  • Verify the URL ends with /mcp (not /mcp/ with trailing slash)