Use the Agent Registry MCP server

This document shows you how to use the Agent Registry remote Model Context Protocol (MCP) server to connect with AI applications including Gemini CLI, ChatGPT, Claude, and custom applications you are developing. The Agent Registry remote MCP server lets your AI applications dynamically discover other agents, endpoints, and MCP servers available in your environment.

The Agent Registry remote MCP server is enabled when you enable the Agent Registry API.

Model Context Protocol (MCP) standardizes how large language models (LLMs) and AI applications or agents connect to external data sources. MCP servers let you use their tools, resources, and prompts to take actions and get updated data from their backend service.

What's the difference between local and remote MCP servers?

Local MCP servers: Typically run on your local machine and use the standard input and output streams (stdio) for communication between services on the same device.
Remote MCP servers: Run on the service's infrastructure and offer an HTTP endpoint to AI applications for communication between the AI MCP client and the MCP server. For more information about MCP architecture, see MCP architecture.

Google and Google Cloud remote MCP servers

Google and Google Cloud remote MCP servers have the following features and benefits:

Simplified, centralized discovery
Managed global or regional HTTP endpoints
Fine-grained authorization
Optional prompt and response security with Model Armor protection
Centralized audit logging

For information about other MCP servers and information about security and governance controls available for Google Cloud MCP servers, see Google Cloud MCP servers overview.

Before you begin

Before you can use the Agent Registry MCP server, you must set up Agent Registry. You also need your project ID to authenticate and perform discovery tasks.

Required roles

To get the permissions that you need to use the Agent Registry MCP server, ask your administrator to grant you the following IAM roles on the project where you want to use the Agent Registry MCP server:

Make MCP tool calls: MCP Tool User (roles/mcp.toolUser)
Discover resources: Agent Registry API Viewer (roles/agentregistry.viewer)
Manage resources: Agent Registry API Editor (roles/agentregistry.editor)

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to use the Agent Registry MCP server. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to use the Agent Registry MCP server:

Make MCP tool calls: mcp.tools.call

You might also be able to get these permissions with custom roles or other predefined roles.

Authentication and authorization

The Agent Registry remote MCP server uses the OAuth 2.0 protocol with Identity and Access Management (IAM) for authentication and authorization. All Google Cloud identities are supported for authentication to MCP servers.

The Agent Registry MCP server requires a principal for IAM control and doesn't accept API keys. We recommend that you create a separate identity for agents that are using MCP tools so that you can control and monitor access to resources.

For more information about authentication, see Authenticate to MCP servers.

Agent Registry MCP OAuth scopes

OAuth 2.0 uses scopes and credentials to determine if an authenticated principal is authorized to take a specific action on a resource. For more information about OAuth 2.0 scopes at Google, see Using OAuth 2.0 to access Google APIs.

Agent Registry has the following MCP tool OAuth scopes:

Scope URI for gcloud CLI	Description
`https://www.googleapis.com/auth/cloud-platform`	Full access to all Google Cloud resources.
`https://www.googleapis.com/auth/agentregistry.read-write`	Read and write access to Agent Registry resources.

Additional scopes might be required on the resources accessed during a tool call. To view a list of roles and permissions required for Agent Registry, see Agent Registry roles and permissions.

Configure an MCP client to use the Agent Registry MCP server

AI applications and agents can create an MCP client that connects to a single MCP server. An AI application can have multiple clients that connect to different MCP servers. To connect to a remote MCP server, the MCP client requires the remote MCP server's URL.

In your AI application, look for a way to connect to a remote MCP server. You are prompted to enter details about the server, such as its name and URL.

For the Agent Registry MCP server, enter the following as required:

Server name: Agent Registry MCP server
Server URL or Endpoint: https://agentregistry.googleapis.com/mcp
Transport: HTTP
Authentication details: Depending on how you want to authenticate, you can enter your Google Cloud credentials, your OAuth Client ID and secret, or an agent identity and credentials. For more information about authentication, see Authenticate to MCP servers.
OAuth scope: The OAuth 2.0 scope that you want to use when connecting to the Agent Registry MCP server.

For more general guidance, see the following resources:

Available tools

To view details of available MCP tools and their descriptions for the Agent Registry MCP server, see the Agent Registry MCP reference.

The Agent Registry API separates read and write operations. You query the read-only Agent, McpServer, or Endpoint resources to discover capabilities, but you must use the writable Service resource to create, update, and delete entries.

Discovery tools

The most common tools used by AI agents for dynamic discovery include:

search_agents: Performs a keyword or prefix search to discover agents within a specific project and location based on natural language queries, specific skills, tags, or descriptions.
search_mcp_servers: Performs a keyword or prefix search to discover MCP servers based on the specific tools they offer or their descriptions.
get_agent, get_mcp_server, get_endpoint: Retrieves the full metadata and configuration details of specific resources using their unique resource names.
get_service: Retrieves a specific service record to inspect the underlying registration specification used to manually onboard a resource.
get_operation: Gets the latest state of a long-running operation.
list_bindings, get_binding, fetch_available_bindings: Retrieves binding configurations that connect source agents to target resources or auth providers.

Search tools are best suited for natural language queries. However, the MCP server also provides listing tools that return paginated lists of resources. These tools are useful to enumerate resources or filter by resource attributes rather than natural language searches:

list_agents: Returns a paginated list of agents within a specified Google Cloud project and location.
list_mcp_servers: Returns a paginated list of MCP servers within a specified Google Cloud project and location.
list_endpoints, list_services: Returns a paginated list of registered endpoints and manually onboarded services in a given project and location.

Administrative tools

AI applications primarily use Agent Registry for discovery. However, the MCP server also exposes tools to programmatically manage registry entries:

create_service: Manually registers a new custom workload, such as an agent, MCP server, or endpoint, by providing its JSON specification.
update_service: Updates the specification or parameters of an existing service, such as patching an uploaded Agent Card.
delete_service: Deletes a service record, effectively deregistering the manually onboarded resource from the registry.
create_binding, update_binding, delete_binding: Programmatically manages connections and delegated access mappings between your agents and target MCP servers or endpoints.

List tools

Use the MCP inspector to list tools, or send a tools/list HTTP request directly to the Agent Registry remote MCP server. The tools/list method doesn't require authentication.

POST /mcp HTTP/1.1
Host: agentregistry.googleapis.com
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "method": "tools/list"
}

Example use cases

When you connect your AI application or agent to the Agent Registry MCP server, you can use natural language prompts to dynamically discover and retrieve resources in your environment.

The following are example prompts you can use with your connected AI application:

Discover an agent by skill: "Find an agent capable of booking corporate flights."
Discover MCP servers: "What MCP servers are registered that offer BigQuery data tools?"
Retrieve specific resource details: "Show me the metadata and configuration details for the agent named projects/123456789/locations/global/agents/travel-agent."

Optional security and safety configurations

MCP introduces new security risks and considerations due to the wide variety of actions that you can do with the MCP tools. To minimize and manage these risks, Google Cloud offers default settings and customizable policies to control the use of MCP tools in your Google Cloud organization or project.

For more information about MCP security and governance, see AI security and safety.

Use Model Armor

Model Armor is a Google Cloud service designed to enhance the security and safety of your AI applications. It works by proactively screening LLM prompts and responses, protecting against various risks and supporting responsible AI practices. Whether you are deploying AI in your cloud environment, or on external cloud providers, Model Armor can help you prevent malicious input, verify content safety, protect sensitive data, maintain compliance, and enforce your AI safety and security policies consistently across your diverse AI landscape.

When Model Armor is enabled with logging enabled, Model Armor logs the entire payload. This might expose sensitive information in your logs.

Enable Model Armor

You must enable Model Armor APIs before you can use Model Armor.

Console

Enable the Model Armor API.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
Enable the API
Select the project where you want to activate Model Armor.

gcloud

Before you begin, follow these steps using the Google Cloud CLI with the Model Armor API:

In the Google Cloud console, activate Cloud Shell.

Activate Cloud Shell

At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Run the following command to set the API endpoint for the Model Armor service.
```
gcloud config set api_endpoint_overrides/modelarmor "https://modelarmor.LOCATION.rep.googleapis.com/"
```
Replace LOCATION with the region where you want to use Model Armor.

Configure protection for MCP servers

To help protect your MCP tool calls and responses you can use Model Armor floor settings. A floor setting defines the minimum security filters that apply across the project. This configuration applies a consistent set of filters to all MCP tool calls and responses within the project.

Set up a Model Armor floor setting with MCP sanitization enabled. For more information, see Configure Model Armor floor settings.

See the following example command:

gcloud model-armor floorsettings update \
--full-uri='projects/PROJECT_ID/locations/global/floorSetting' \
--enable-floor-setting-enforcement=TRUE \
--add-integrated-services=GOOGLE_MCP_SERVER \
--google-mcp-server-enforcement-type=INSPECT_AND_BLOCK \
--enable-google-mcp-server-cloud-logging \
--malicious-uri-filter-settings-enforcement=ENABLED \
--add-rai-settings-filters='[{"confidenceLevel": "MEDIUM_AND_ABOVE", "filterType": "DANGEROUS"}]'

Replace PROJECT_ID with your Google Cloud project ID.

Note the following settings:

INSPECT_AND_BLOCK: The enforcement type that inspects content for the Google MCP server and blocks prompts and responses that match the filters.
ENABLED: The setting that enables a filter or enforcement.
MEDIUM_AND_ABOVE: The confidence level for the Responsible AI - Dangerous filter settings. You can modify this setting, though lower values might result in more false positives. For more information, see Model Armor confidence levels.

Disable scanning MCP traffic with Model Armor

To stop Model Armor from automatically scanning traffic to and from Google MCP servers based on the project's floor settings, run the following command:

gcloud model-armor floorsettings update \
  --full-uri='projects/PROJECT_ID/locations/global/floorSetting' \
  --remove-integrated-services=GOOGLE_MCP_SERVER

Replace PROJECT_ID with the Google Cloud project ID. Model Armor doesn't automatically apply the rules defined in this project's floor settings to any Google MCP server traffic.

Model Armor floor settings and general configuration can impact more than just MCP. Because Model Armor integrates with services like Vertex AI, any changes you make to floor settings can affect traffic scanning and safety behaviors across all integrated services, not just MCP.

Control MCP use with IAM deny policies

Identity and Access Management (IAM) deny policies help you secure Google Cloud remote MCP servers. Configure these policies to block unwanted MCP tool access.

For example, you can deny or allow access based on:

The principal
Tool properties like read-only
The application's OAuth client ID

For more information, see Control MCP use with Identity and Access Management.

What's next

Review the Agent Registry MCP reference documentation
Learn more about Google Cloud MCP servers