CX Agent Studio provides a remote Model Context Protocol (MCP) server which can be used by agents and AI applications to edit CX Agent Studio resources. For example, you can use the Gemini CLI or Antigravity to help design and build your CX Agent Studio agent application.
This feature enables AI-assisted development workflows, drastically reducing the friction of building and maintaining agent applications:
- Vibe Coding (Rapid Prototyping): Instead of manually clicking through the UI to create an agent, you can simply tell your AI-assisted IDE "Create a retail support agent that uses the Shopify API and speaks in a friendly tone." The coding agent uses the MCP server to construct the agent architecture for you.
- Mass Refactoring & Clean-up: The MCP server excels at bulk operations that are tedious in a UI. For example, you can command "Rename the 'customer_id' parameter across all 15 sub-agents" or "Find and delete all unused intents".
- Interactive Eval-Driven Development: You can run a failing evaluation and instruct the agent: "Modify the instructions until this specific evaluation passes".
- Self-Healing & Optimization: An automated "Helper Agent" can monitor an agent's performance (for example, failing a specific evaluation) and use the MCP server to autonomously tweak instructions or fix tool definitions to improve the score ("Hill Climbing").
- Contextual Awareness: The server allows coding assistants to "read" the current state of a deployed agent, making it easier for you to understand complex legacy configurations without digging through JSON files manually.
Limitations
The following limitations apply:
- Only the us region is supported.
- Token Context Limits: Large agent configurations (with many tools and extensive instructions) may exceed the context window of some coding models when retrieving full agent definitions. We recommend fetching specific sub-components (for example, just one tool) rather than the entire app definition at once. Additionally, users should monitor their context window usage and restart their agent session periodically (every few requests) to clear the buffer.
- Latency: "Direct Mutation" (API calls) is generally faster for small changes. However, for massive architectural refactors (renaming variables across 50 files), we recommend the "Export -> Local Edit -> Import" workflow to ensure data integrity, which the MCP server also supports using the export_app and import_app tools.
How it works
The server exposes the CX Agent Studio API, which is also used by the UI to build agents. Your AI application is configured to use the server and connect to it. The server advertises a list of available tools, such as:
- list_agents()
- create_tool(name, python_code, ...)
- update_instruction(agent_name, new_instruction)
- run_evaluation(dataset)
When you provide a natural language command to your AI application, the AI application decides whether to use the CX Agent Studio MCP server and which tool to call.
Direct versus local mutations
You can use one of two distinct workflows depending on the complexity of the task:
- Direct Mutation (Best for Speed & Prototyping): Connect the MCP server directly to your coding environment to make real-time changes using API calls.
- Local Copies (Best for Scale & Control): Use the MCP server's export_app tool to download the agent to your local file system, edit the files with your coding assistant, and push changes back using import_app. This is useful for large-scale refactoring, version control integration, or merging team contributions.
Required roles
To get the permissions that you need to complete the tasks in this guide, ask your administrator to grant you the following IAM roles on your project:
- Enable APIs and MCP servers in the project: Service Usage Admin (roles/serviceusage.serviceUsageAdmin)
- Make MCP tool calls: MCP Tool User (roles/mcp.toolUser)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Enable the MCP server in a project
If you're using different projects for your client credentials,
such as service account keys, OAuth client ID or API keys,
and for hosting your resources,
then you must enable the ces.googleapis.com service
and the MCP server on both projects.
To enable the server in your Google Cloud project, run the following command:
gcloud beta services mcp enable ces.googleapis.com \
--project=PROJECT_ID
Disable the MCP server in a project
To disable the MCP server in your project, run the following command:
gcloud beta services mcp disable ces.googleapis.com \
--project=PROJECT_ID
Authentication and authorization
Google Cloud MCP servers use the OAuth 2.0 protocol with Identity and Access Management (IAM) for authentication and authorization. All Google Cloud identities are supported for authentication to MCP servers.
We recommend that you create a separate identity for agents that are using MCP tools so that access to resources can be controlled and monitored. For more information about authentication, see Authenticate to MCP servers.
MCP OAuth scopes
OAuth 2.0 uses scopes and credentials to determine if an authenticated principal is authorized to take a specific action on a resource. For more information about OAuth 2.0 scopes at Google, read Using OAuth 2.0 to access Google APIs.
CX Agent Studio has the following MCP tool OAuth scopes:
https://www.googleapis.com/auth/ces
Configure an MCP client to use the CES MCP server
AI applications and agents, such as Claude or Gemini CLI, can instantiate an MCP client that connects to a single MCP server. An AI application can have multiple clients that connect to different MCP servers. To connect to a remote MCP server, the MCP client must know the remote MCP server's URL.
In your AI application, look for a way to connect to a remote MCP server. You are prompted to enter details about the server, such as its name and URL.
For the CX Agent Studio MCP server, enter the following as required:
- Server name: CES MCP server
- Server URL or Endpoint: https://ces.us.rep.googleapis.com/mcp
- Transport: HTTP
- Authentication details: your Google Cloud credentials, your OAuth Client ID and secret, or an agent identity and credentials. Which authentication details you choose depends on how you want to authenticate. For more information, see Authenticate to MCP servers.
For host-specific guidance about setting up and connecting to MCP server, see the following:
For more general guidance, see the following resources:
Available tools
To view details of available MCP tools and their descriptions for the Customer Experience Agent Studio MCP server, see the Customer Experience Agent Studio MCP reference.
List tools
Use the MCP inspector to list tools, or send a
tools/list HTTP request directly to the Customer Experience Agent Studio
remote MCP server. The tools/list method doesn't require authentication.
POST /mcp HTTP/1.1
Host: ces.googleapis.com
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/list"
}
Optional security and safety configurations
MCP introduces new security risks and considerations due to the wide variety of actions that you can do with the MCP tools. To minimize and manage these risks, Google Cloud offers default settings and customizable policies to control the use of MCP tools in your Google Cloud organization or project.
For more information about MCP security and governance, see AI security and safety.
Use Model Armor
Model Armor is a Google Cloud service that's designed to enhance the security and safety of your AI applications. It works by proactively screening LLM prompts and responses, protecting against various risks and supporting responsible AI practices. Whether you deploy AI in your cloud environment, or on external cloud providers, Model Armor can help you prevent malicious input, verify content safety, protect sensitive data, maintain compliance, and enforce your AI safety and security policies consistently across your diverse AI landscape.
Model Armor is only available in specific regional locations. If Model Armor is enabled for a project, and a call to that project comes from an unsupported region, Model Armor makes a cross-regional call. For more information, see Model Armor locations.
Enable Model Armor
You must enable Model Armor APIs before you can use Model Armor.
Console
Enable the Model Armor API.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
Select the project where you want to activate Model Armor.
gcloud
Before you begin, follow these steps using the Google Cloud CLI with the Model Armor API:
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Run the following command to set the API endpoint for the Model Armor service.
gcloud config set api_endpoint_overrides/modelarmor "https://modelarmor.LOCATION.rep.googleapis.com/"
Replace LOCATION with the region where you want to use Model Armor.
Configure protection for Google and Google Cloud remote MCP servers
To protect your MCP tool calls and responses, you create a Model Armor floor setting and then enable MCP content security for your project. A floor setting defines the minimum security filters that apply across the project. This configuration applies a consistent set of filters to all MCP tool calls and responses within the project.
Set up a Model Armor floor setting with MCP sanitization enabled. For more information, see Configure Model Armor floor settings.
See the following example command:
gcloud model-armor floorsettings update \
--full-uri='projects/PROJECT_ID/locations/global/floorSetting' \
--enable-floor-setting-enforcement=TRUE \
--add-integrated-services=GOOGLE_MCP_SERVER \
--google-mcp-server-enforcement-type=INSPECT_AND_BLOCK \
--enable-google-mcp-server-cloud-logging \
--malicious-uri-filter-settings-enforcement=ENABLED \
--add-rai-settings-filters='[{"confidenceLevel": "HIGH", "filterType": "DANGEROUS"}]'
Replace PROJECT_ID with your Google Cloud project ID.
Note the following settings:
- INSPECT_AND_BLOCK: The enforcement type that inspects content for the Google MCP server and blocks prompts and responses that match the filters.
- ENABLED: The setting that enables a filter or enforcement.
- HIGH: The confidence level for the Responsible AI - Dangerous filter settings. You can modify this setting, though lower values might result in more false positives. For more information, see Configure floor settings.
For your project, enable Model Armor protection for remote MCP servers.
gcloud beta services mcp content-security add modelarmor.googleapis.com --project=PROJECT_ID
Replace PROJECT_ID with your Google Cloud project ID. After you run this command, Model Armor sanitizes all MCP tool calls and responses from the project, regardless of where the calls and responses originate.
To confirm that Google MCP traffic is sent to Model Armor, run the following command:
gcloud beta services mcp content-security get --project=PROJECT_ID
Replace PROJECT_ID with the Google Cloud project ID.
Disable scanning MCP traffic with Model Armor
If you want to use Model Armor in a project, and you want to stop scanning Google MCP traffic with Model Armor, run the following command:
gcloud model-armor floorsettings update \
--full-uri='projects/PROJECT_ID/locations/global/floorSetting' \
--remove-integrated-services=GOOGLE_MCP_SERVER
Replace PROJECT_ID with the Google Cloud project
ID.
Model Armor won't scan MCP traffic in the project.
Control MCP use with IAM deny policies
Identity and Access Management (IAM) deny policies help you secure Google Cloud remote MCP servers. Configure these policies to block unwanted MCP tool access.
For example, you can deny or allow access based on:
- The principal.
- Tool properties like read-only.
- The application's OAuth client ID.
For more information, see Control MCP use with Identity and Access Management.
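Before writing a deny policy keyed on the read-only tool property, it helps to inventory which advertised tools can mutate resources. The following is an added example, not part of the CX Agent Studio documentation: it parses a constructed tools/list response and assumes the server populates the MCP `annotations.readOnlyHint` field; tools without the hint are treated as mutating, which matches the MCP specification's default.

```python
import json

# Constructed tools/list response. Tool names come from this page; the
# annotations are assumed values for illustration, not the server's real output.
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "id": 1,
    "result": {
        "tools": [
            {"name": "list_agents", "annotations": {"readOnlyHint": True}},
            {"name": "export_app", "annotations": {"readOnlyHint": True}},
            {"name": "run_evaluation", "annotations": {"readOnlyHint": False}},
            {"name": "update_instruction",
             "annotations": {"readOnlyHint": False, "destructiveHint": True}},
            {"name": "import_app"},  # no annotations at all
        ],
        "nextCursor": "constructed-cursor",
    },
})


def classify_tools(raw):
    """Split advertised MCP tools into read-only and mutating sets."""
    msg = json.loads(raw)
    if "error" in msg:
        raise ValueError(f"tools/list failed: {msg['error'].get('message')}")
    result = msg.get("result", {})
    inventory = {"read_only": [], "mutating": [], "complete": True}
    for tool in result.get("tools", []):
        hints = tool.get("annotations") or {}
        # MCP defaults readOnlyHint to false, so a missing hint means "may write".
        if hints.get("readOnlyHint") is True:
            inventory["read_only"].append(tool["name"])
        else:
            inventory["mutating"].append(tool["name"])
    # A nextCursor means more pages exist; the inventory is not yet complete.
    if result.get("nextCursor"):
        inventory["complete"] = False
    return inventory


if __name__ == "__main__":
    inv = classify_tools(SAMPLE_RESPONSE)
    print("read-only:", inv["read_only"])
    print("mutating :", inv["mutating"])
    print("all pages fetched:", inv["complete"])
```

Treat an inventory with `complete` set to false as partial and request the next page with the returned cursor before relying on it.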
What's next
- Read the Customer Experience Agent Studio MCP reference documentation.
- Learn more about Google Cloud MCP servers.