Skip to main content

Adding MCP Servers

Via Command Line

The quickest way to add an MCP server:
The transport type is inferred automatically: a URL implies HTTP (Streamable HTTP), and trailing args (or --command) imply stdio.
Remote MCP servers use Streamable HTTP by default. If the server responds with an HTTP 4xx error, the CLI falls back to SSE on the same URL. Set "transport": "sse" explicitly if needed — see Legacy SSE fallback below.
By default, servers are saved to local scope (.devin/config.local.json, gitignored). Use -s/--scope to change:
You can also manage servers from the command line:

Via Config File

Add servers directly to your config file’s mcpServers section:
Project-level servers are shared with your team via version control.

Server Configuration Options

MCP servers can be configured in two ways: as a local command (stdio transport) or as a remote server (HTTP transport).

Local Command (stdio)

Remote Server (Streamable HTTP)

Examples

After adding an OAuth-based server, run devin mcp login notion to authenticate. See Authentication below.
After adding, run devin mcp login atlassian to authenticate. Each MCP client (Windsurf, Claude Code, Devin CLI) maintains its own OAuth session, so you must log in separately even if you’ve already authenticated in another tool.

Authentication

Some remote MCP servers require OAuth authentication. After adding an OAuth-based server to your config, authenticate using the login command:
For example:
This opens a browser window where you can authorize access. The OAuth tokens are stored locally and refreshed automatically. You can optionally request specific OAuth scopes:
To remove stored OAuth credentials for a server:
If the server supports OAuth, you will also be prompted to authenticate automatically when the server is first used.

Pre-registered OAuth clients

Most OAuth-based MCP servers support dynamic client registration (DCR), so Devin CLI registers itself automatically and you don’t need to provide any client credentials. Some providers (e.g. GitHub) don’t support DCR and instead require a pre-registered OAuth client. For those, supply the client ID — and a client secret if it’s a confidential client — via oauthClientId / oauthClientSecret:
When oauthClientId is set, Devin CLI skips dynamic client registration and uses your pre-registered client during the OAuth flow. Run devin mcp login <name> (or trigger first use) to authenticate as usual. You can also set these from the command line when adding or logging into a server:
oauthClientId / oauthClientSecret are OAuth client credentials used during the authorization flow. They are not generic per-request credentials — if a server expects a static token, use headers (HTTP) or env (stdio) instead.
Don’t commit a client secret to a shared config. Reference it from an environment variable (${env:VAR}), read it from a file (${file:/path}), or put it in .devin/config.local.json (gitignored). See the “Managing Secrets” section below.

OAuth resource override

During OAuth authorization and token exchange, Devin CLI sends an RFC 8707 resource parameter so the authorization server can issue audience-restricted tokens. By default the value is the MCP server’s URL. Override it with oauthResource:
The field has three behaviors:
  • Unset (default): sends resource set to the MCP server URL.
  • Non-empty value: replaces the default with your value (e.g. a specific application ID URI).
  • Empty string (""): omits the resource parameter entirely from both the authorization URL and the token exchange.
You can also set it from the command line when adding or logging into a server:
Like other OAuth fields, oauthResource supports ${env:VAR} and ${file:/path} expansion.

Enabling and Disabling Servers

You can temporarily disable an MCP server without removing its configuration. A disabled server is skipped during tool discovery — its tools won’t appear and the server process won’t be started.
This sets the "disabled": true flag on the server entry in the config file. Use -s/--scope to target a specific scope:
You can also set the flag directly in your config file:
Disabling is useful when you want to keep a server’s configuration (including environment variables and OAuth credentials) but temporarily stop using it — for example, to reduce startup time or isolate an issue.

Managing Secrets

Never commit API keys or secrets to version control. Use .devin/config.local.json for sensitive values.
For team projects, the recommended pattern is:
  1. Define the server in .devin/config.json with placeholder or no env vars
  2. Each team member adds their personal keys in .devin/config.local.json
The local config file is automatically excluded from git.

MCP Permissions

You can pre-approve, deny, or force-ask for specific MCP tools in your permissions config:
Permission matcher patterns:

Organization restrictions

If you’re on an enterprise team, your admin may restrict which MCP servers you can connect to. A server you’ve configured can be blocked if MCP is disabled for your team, or if it isn’t on your team’s allowlist or in an enforced MCP registry — in which case it won’t connect and its tools won’t be available. See Team Settings — MCP Registry for details.

Troubleshooting

If you see errors like Auth required or AuthRequired when connecting to a remote MCP server, the server requires OAuth authentication.Run:
Each MCP client authenticates independently. Even if you’ve already authenticated in Windsurf or Claude Code, you need to run devin mcp login separately for Devin CLI.To verify your auth status, try removing and re-adding credentials:
Verify the command works outside Devin CLI:
Check that all required environment variables are set.
Ask the agent to list MCP servers and tools. The server may need a moment to initialize.
Check your permissions config. MCP tools default to prompting for approval. Add them to permissions.allow to auto-approve.
Some authorization servers reject OAuth requests that include the RFC 8707 resource parameter. Set oauthResource to an empty string to omit the parameter:
Then re-authenticate:
See OAuth resource override for the full set of oauthResource behaviors.
When connecting to an HTTP server, Devin CLI tries Streamable HTTP first. If the server responds with an HTTP 4xx error (e.g. 404 or 405), it automatically falls back to legacy SSE on the same configured URL. This follows the MCP spec’s backwards-compatibility guidance.The fallback only triggers on 4xx responses — connection errors, timeouts, and 5xx responses are reported directly without attempting SSE.If your server’s SSE endpoint is at a different path (e.g. /sse instead of /mcp), set "transport": "sse" with the SSE URL to connect directly without the Streamable HTTP attempt.If both transports fail, the error message includes details from both attempts to help with troubleshooting.