JupiterOne AI Integration (MCP Server)

The JupiterOne Model Context Protocol (MCP) Server enables AI assistants like Claude Desktop, Claude Code, Cursor, and Amazon Kiro to interact directly with your JupiterOne account using natural language.

Prerequisites

  • Active JupiterOne account with API access
  • JupiterOne API key and account ID
  • Node.js version 18 or higher (for local server only)
  • AI assistant with MCP support (Claude Desktop, Claude Code, Cursor IDE, GitHub Copilot, Continue.dev, Cline, Windsurf, Amazon Kiro, etc.)

Installation Methods

Have an AI set this up for you

If you'd rather not edit JSON by hand, copy the prompt below and paste it into your AI assistant. It will ask for the credentials it needs and walk you through the install.

Help me install the JupiterOne MCP server in this client. The setup docs are at https://docs.jupiterone.io/integrations/jupiterone-mcp-server.

  1. Ask whether I want the remote (OAuth, recommended) or local (API key) deployment.
  2. If local, ask me for my JupiterOne API key and account ID. My account ID can be found at https://docs.jupiterone.io/features/admin/admin-settings#account-management — this is the account ID, not the vanity domain.
  3. Show me the JSON to add to your MCP config file. If a config already exists, preserve existing servers and merge mine in.
  4. Tell me how to restart and verify the server is connected.

Manual setup

The JupiterOne MCP Server can be configured in two ways:

Option 1: Remote Server (HTTP)

Use JupiterOne's hosted MCP server without local installation:

  • URL Format: https://your-account-id-here.mcp.<REGION>.jupiterone.io/mcp
  • Example: https://j1dev.mcp.us.jupiterone.io/mcp
  • Authentication: OAuth-based authentication with JupiterOne login

Replace <REGION> with us or eu based on your JupiterOne instance. The examples in this guide use us.

Remote Server Benefits

The remote HTTP server option:

  • Requires no local installation
  • Handles authentication through JupiterOne's OAuth flow
  • Automatically stays up-to-date with the latest features
  • Works across different machines without setup

Option 2: Local Server (stdio)

Install and run the MCP server locally using npx:

npx @jupiterone/jupiterone-mcp

Or install globally for repeated use:

npm install -g @jupiterone/jupiterone-mcp

Configuration

Get Your Credentials

For Remote Server (Option 1)

  • Account ID: Found in Account Management
  • Region: Your JupiterOne instance region (e.g., us, eu)

For Local Server (Option 2)

  1. API Key: Navigate to Settings → User API Tokens in JupiterOne and create a new API key
  2. Account ID: Found in Account Management or by running: find jupiterone_account as x return x.accountId

AI Access

  • Local Server: Uses API key authentication and runs within the context of the user, respecting RBAC configuration
  • Remote Server: Uses OAuth authentication through JupiterOne login, automatically applying your user permissions

AI Platform Setup

Configuration file location:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json

Local server

Edit the configuration file above and add:

Local Server Configuration:

{
  "mcpServers": {
    "jupiterone": {
      "command": "npx",
      "args": ["-y", "@jupiterone/jupiterone-mcp"],
      "env": {
        "JUPITERONE_API_KEY": "your-api-key-here",
        "JUPITERONE_ACCOUNT_ID": "your-account-id-here"
      }
    }
  }
}

Restart Claude Desktop.

Remote server

In the Claude Desktop App:

  1. Navigate to Settings → Connectors.
  2. Click Add custom connector at the bottom of the section.
  3. Set the title to JupiterOne and the URL to https://your-account-id-here.mcp.us.jupiterone.io/mcp.
  4. Click Add and complete the OAuth sign-in.

Verify Installation

Once configured, test the connection by asking your AI assistant:

"List my JupiterOne integrations"

A successful response confirms the MCP server is connected and authenticated. If you receive an error or no response, see Troubleshooting.

What You Can Do

Ask your AI assistant natural language questions like:

  • "Show me all critical vulnerabilities from the last 7 days"
  • "Which EC2 instances have public IP addresses?"
  • "Create a dashboard tracking my biggest security risks"
  • "Find all users with admin privileges"
  • "Get active alerts related to unauthorized access"

The MCP server provides 26 tools for querying data, managing alerts and rules, creating dashboards, and monitoring integrations.

Known Limitations

Current Limitations

  • Limited write operations: Modify and delete actions are restricted for safety
  • ChatGPT incompatibility: Does not work with ChatGPT's current MCP specification

API Rate Limits

The MCP server consumes your JupiterOne API rate limit quota. Each operation counts against your API rate limits. Monitor your usage to avoid hitting limits during critical operations.

Troubleshooting

URL uses your vanity domain instead of your account ID

The remote server URL must use your account ID, not your vanity domain (the custom subdomain like acme.apps.us.jupiterone.io). If you see authentication or "account not found" errors with the remote server, double-check the URL.

Find your account ID in Account Management — it is listed separately from the Vanity URL.

Server does not appear in your client

  1. Confirm your JSON config is valid (a single trailing comma will cause silent failure).
  2. Restart your AI client. Most clients only load MCP config on startup.
  3. Check the client's MCP log:
    • Claude Desktop: ~/Library/Logs/Claude/mcp*.log (macOS) or %APPDATA%\Claude\logs\mcp*.log (Windows)
    • Cursor: Output panel → "Cursor MCP"
    • VS Code (Copilot/Cline): Output panel → relevant extension
    • Kiro: Output panel → "Kiro - MCP Logs"
    • Claude Code: run /mcp inside the session
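
As an added example (not JupiterOne's code), this Node.js linter checks for the two failure modes covered above: an invalid or incomplete local-server config, and a remote URL built from the vanity domain instead of the account ID. The function names, the account-ID character set and the sample inputs are assumptions; the us/eu regions, the environment variable names and the placeholder strings come from this guide.

```javascript
// Added example, not JupiterOne code. Sample values below are constructed.
const PLACEHOLDERS = new Set(["your-api-key-here", "your-account-id-here"]);
const REQUIRED_ENV = ["JUPITERONE_API_KEY", "JUPITERONE_ACCOUNT_ID"];

// Lint the text of an MCP client config (e.g. claude_desktop_config.json).
function lintConfig(text, serverName = "jupiterone") {
  let cfg;
  try {
    cfg = JSON.parse(text);
  } catch (err) {
    // Heuristic hint only: a comma directly before a closing brace/bracket.
    const hint = /,\s*[}\]]/.test(text) ? " (trailing comma?)" : "";
    return [`invalid JSON${hint}: ${err.message}`];
  }
  const server = cfg?.mcpServers?.[serverName];
  if (!server) return [`no mcpServers.${serverName} entry`];
  const findings = [];
  for (const key of REQUIRED_ENV) {
    const value = server.env?.[key];
    if (!value) findings.push(`${key} is missing`);
    else if (PLACEHOLDERS.has(value)) findings.push(`${key} is still a placeholder`);
  }
  return findings;
}

// Lint a remote URL against https://<account-id>.mcp.<us|eu>.jupiterone.io/mcp.
// Assumption: account IDs are lowercase letters, digits and hyphens.
function lintRemoteUrl(url) {
  let u;
  try { u = new URL(url); } catch (err) { return ["not a valid URL"]; }
  const findings = [];
  if (u.protocol !== "https:") findings.push("scheme must be https");
  if (u.hostname.includes(".apps.")) {
    findings.push("host is a vanity domain, not the account ID");
  } else if (!/^[a-z0-9-]+\.mcp\.(us|eu)\.jupiterone\.io$/.test(u.hostname)) {
    findings.push("host does not match <account-id>.mcp.<us|eu>.jupiterone.io");
  }
  if (u.hostname.startsWith("your-account-id-here.")) {
    findings.push("account ID placeholder not replaced");
  }
  if (u.pathname !== "/mcp") findings.push("path must be /mcp");
  return findings;
}

// Constructed inputs: a config with a trailing comma, and a vanity-domain URL.
console.log(lintConfig('{"mcpServers": {"jupiterone": {"command": "npx",}}}'));
console.log(lintRemoteUrl("https://acme.apps.us.jupiterone.io/mcp"));
```

An empty array from either function means no finding; pass the config file's contents to lintConfig as a string before restarting the client.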

npx or command not found errors

The local server requires Node.js 18+ on your PATH. Run node --version in the same shell your client uses. On macOS, GUI apps may not inherit your shell's PATH; use an absolute path to npx (find it with which npx) in the config.

OAuth flow fails for the remote server

Sign out of your JupiterOne account in your browser, then retry the OAuth handshake.

Hitting API rate limits

Each MCP query consumes JupiterOne API quota. See API rate limiting for limits and recommendations.

FAQ

Data Residency & Processing

The JupiterOne MCP Server is available in two deployment modes. The local server runs on your machine and uses your API key to fetch data on demand from JupiterOne's cloud — data never passes through any centralized JupiterOne MCP host. The remote HTTP server is hosted by JupiterOne in the same region as your account and authenticates via OAuth; data residency follows the same regional principles as standard JupiterOne API access. In both modes, retrieved data is forwarded to your AI assistant's LLM provider (e.g., Anthropic, OpenAI) per your client's configuration.

LLM Compatibility & Data Handling

The MCP Server integrates with any AI assistant that supports the Model Context Protocol (MCP), including Claude Desktop, Claude Code, Cursor IDE, GitHub Copilot, Continue.dev, Cline, Windsurf, and Amazon Kiro. Once the server is running and configured, your assistant can use natural language to request security data, which is fetched from JupiterOne and passed to the LLM for interpretation. This means data such as asset inventories, vulnerability reports, or alert summaries can be included in AI prompts, depending on what you query. It's important to treat this as a form of third-party data sharing—ensure your selected assistant has appropriate enterprise security practices in place.

Privacy, Logging & Data Sharing

JupiterOne does not store or inspect MCP interactions beyond standard API behavior. Your API key (local server) or OAuth session (remote server) governs all access, and data is only transmitted in response to your assistant's specific queries. The local server runs on your machine and does not retain data; the remote server processes requests transiently without persistent storage of payloads. However, your AI assistant may log conversations or prompts on its own platform, just as it would during typical usage. To manage exposure, review your LLM provider's data retention and privacy terms, and consider using enterprise or self-hosted models for sensitive environments.

Access Control & Security Enforcement

Data access through the MCP Server is governed entirely by the credentials you provide. The local server inherits all access controls from the user role attached to the API key; the remote server inherits them from the OAuth-authenticated user. AI assistants can only retrieve what your account has permission to access. You can further restrict access by scoping the API key, adjusting user roles, or disabling individual MCP tools. You retain full control over when the server runs and what it can access — turning off the server or removing its configuration from your assistant completely disables AI access.

Rate Limits & Quotas

Every request made through the MCP Server counts against your JupiterOne API rate limit. This includes queries for asset data, alerts, dashboards, or integrations. Frequent use through an AI assistant could impact your rate quota if not monitored. We recommend reviewing your API usage regularly—especially when enabling assistants for broad or high-frequency queries—to avoid service slowdowns.

Deployment, Support & Customer Control

The JupiterOne MCP Server can be deployed either locally on your machine or accessed through JupiterOne's hosted remote server. The local server runs entirely in your environment with no persistent connections; the remote server connects securely through OAuth authentication and is hosted in the same region as your account. You can disable either at any time by stopping the local process or removing your AI assistant's MCP configuration. For assistance or onboarding, reach out to your CSM or email support@jupiterone.com.

Support

For technical support or questions, contact your Customer Success Manager or reach out through your standard JupiterOne support channels.