Adding MCP Servers
Via Command Line
The quickest way to add an MCP server:--command) imply stdio.
Remote MCP servers use Streamable HTTP by default. If the server responds with an HTTP 4xx error, the CLI falls back to SSE on the same URL. Set
"transport": "sse" explicitly if needed — see Legacy SSE fallback below..devin/config.local.json, gitignored). Use -s/--scope to change:
Via Config File
Add servers directly to your config file’smcpServers section:
- Project config
- User config
- Local override
Project-level servers are shared with your team via version control.
Server Configuration Options
MCP servers can be configured in two ways: as a local command (stdio transport) or as a remote server (HTTP transport).Local Command (stdio)
Remote Server (Streamable HTTP)
Examples
GitHub (stdio)
GitHub (stdio)
Notion (HTTP with OAuth)
Notion (HTTP with OAuth)
After adding an OAuth-based server, run
devin mcp login notion to authenticate. See Authentication below.Linear (HTTP with OAuth)
Linear (HTTP with OAuth)
Atlassian / Jira (HTTP with OAuth)
Atlassian / Jira (HTTP with OAuth)
After adding, run
devin mcp login atlassian to authenticate. Each MCP client (Windsurf, Claude Code, Devin CLI) maintains its own OAuth session, so you must log in separately even if you’ve already authenticated in another tool.Custom server (stdio)
Custom server (stdio)
Authentication
Some remote MCP servers require OAuth authentication. After adding an OAuth-based server to your config, authenticate using thelogin command:
If the server supports OAuth, you will also be prompted to authenticate automatically when the server is first used.
Pre-registered OAuth clients
Most OAuth-based MCP servers support dynamic client registration (DCR), so Devin CLI registers itself automatically and you don’t need to provide any client credentials. Some providers (e.g. GitHub) don’t support DCR and instead require a pre-registered OAuth client. For those, supply the client ID — and a client secret if it’s a confidential client — viaoauthClientId / oauthClientSecret:
oauthClientId is set, Devin CLI skips dynamic client registration and uses your pre-registered client during the OAuth flow. Run devin mcp login <name> (or trigger first use) to authenticate as usual.
You can also set these from the command line when adding or logging into a server:
oauthClientId / oauthClientSecret are OAuth client credentials used during the authorization flow. They are not generic per-request credentials — if a server expects a static token, use headers (HTTP) or env (stdio) instead.OAuth resource override
During OAuth authorization and token exchange, Devin CLI sends an RFC 8707resource parameter so the authorization server can issue audience-restricted tokens. By default the value is the MCP server’s URL. Override it with oauthResource:
- Unset (default): sends
resourceset to the MCP server URL. - Non-empty value: replaces the default with your value (e.g. a specific application ID URI).
- Empty string (
""): omits theresourceparameter entirely from both the authorization URL and the token exchange.
oauthResource supports ${env:VAR} and ${file:/path} expansion.
Enabling and Disabling Servers
You can temporarily disable an MCP server without removing its configuration. A disabled server is skipped during tool discovery — its tools won’t appear and the server process won’t be started."disabled": true flag on the server entry in the config file. Use -s/--scope to target a specific scope:
Disabling is useful when you want to keep a server’s configuration (including environment variables and OAuth credentials) but temporarily stop using it — for example, to reduce startup time or isolate an issue.
Managing Secrets
For team projects, the recommended pattern is:- Define the server in
.devin/config.jsonwith placeholder or no env vars - Each team member adds their personal keys in
.devin/config.local.json
MCP Permissions
You can pre-approve, deny, or force-ask for specific MCP tools in your permissions config:Organization restrictions
If you’re on an enterprise team, your admin may restrict which MCP servers you can connect to. A server you’ve configured can be blocked if MCP is disabled for your team, or if it isn’t on your team’s allowlist or in an enforced MCP registry — in which case it won’t connect and its tools won’t be available. See Team Settings — MCP Registry for details.Troubleshooting
Auth required / OAuth errors with remote servers
Auth required / OAuth errors with remote servers
If you see errors like Each MCP client authenticates independently. Even if you’ve already authenticated in Windsurf or Claude Code, you need to run
Auth required or AuthRequired when connecting to a remote MCP server, the server requires OAuth authentication.Run:devin mcp login separately for Devin CLI.To verify your auth status, try removing and re-adding credentials:Server won't start
Server won't start
Verify the command works outside Devin CLI:Check that all required environment variables are set.
Tools not appearing
Tools not appearing
Ask the agent to list MCP servers and tools. The server may need a moment to initialize.
Permission denied
Permission denied
Check your permissions config. MCP tools default to prompting for approval. Add them to
permissions.allow to auto-approve.OAuth errors due to the resource parameter
OAuth errors due to the resource parameter
Some authorization servers reject OAuth requests that include the RFC 8707 Then re-authenticate:See OAuth resource override for the full set of
resource parameter. Set oauthResource to an empty string to omit the parameter:oauthResource behaviors.Legacy SSE fallback
Legacy SSE fallback
When connecting to an HTTP server, Devin CLI tries Streamable HTTP first. If the server responds with an HTTP 4xx error (e.g. 404 or 405), it automatically falls back to legacy SSE on the same configured URL. This follows the MCP spec’s backwards-compatibility guidance.The fallback only triggers on 4xx responses — connection errors, timeouts, and 5xx responses are reported directly without attempting SSE.If your server’s SSE endpoint is at a different path (e.g.
/sse instead of /mcp), set "transport": "sse" with the SSE URL to connect directly without the Streamable HTTP attempt.If both transports fail, the error message includes details from both attempts to help with troubleshooting.
