Control access to MCP with beta features setting (!209782) · Merge requests · GitLab.org / GitLab

What does this MR do and why?

This allows users to control access to MCP server using instance and namespace beta features setting.

References

Screenshots or screen recordings

Before	After

How to set up and validate locally

Run GDK with SaaS simulation.
Generate a new PAT via the UI.

In rails console, set the token scopes to ["mcp"].

PersonalAccessToken.first.update(scopes: ["mcp"])

In rails console, enable the feature flags
```
Feature.enable(:mcp_server)
```
Enable AI Beta Features settings in a top level group, e.g. GitLab Duo (doc)

Verify the API request to MCP server is successful.

curl --request POST \
  --url http://gdk.test:8080/api/v4/mcp \
  --header "Authorization: Bearer $GITLAB_TOKEN" \
  --header 'Content-Type: application/json' \
  --data '{
  "jsonrpc": 2.0,
  "method": "tools/call",
  "id": 1,
  "params": {
    "name":"get_mcp_server_version"
  }
}
'

Disable AI Beta Features settings in a top level group, e.g. GitLab Duo (doc)
Verify the same API request to MCP server returns 404 Not Found.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited Oct 22, 2025 by Tan Le

Control access to MCP with beta features setting

What does this MR do and why?

References

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports