--- title: "Authentication | Grafana documentation" description: "Authenticate the Grafana MCP server to Grafana using a service account token or username and password." --- > For a curated documentation index, see [llms.txt](/llms.txt). For the complete documentation index, see [llms-full.txt](/llms-full.txt). # Authentication The Grafana MCP server needs credentials to call the Grafana API. Use a service account token (recommended) or a username and password. ## What you’ll achieve You set the environment variables (or equivalent) so the server can authenticate to your Grafana instance. The same credentials apply whether you run the server with uvx, Docker, a binary, or Helm. ## Before you begin - A Grafana instance (Grafana 9.0 or later). - For token auth: a [service account](/docs/grafana/latest/administration/service-accounts/#add-a-token-to-a-service-account-in-grafana) with a token and the RBAC permissions needed for the tools you use. ## Use a service account token Set `GRAFANA_URL` and `GRAFANA_SERVICE_ACCOUNT_TOKEN` in the environment passed to the server. - **GRAFANA\_URL:** Your Grafana base URL (for example, `http://localhost:3000` or `https://myinstance.grafana.net`). - **GRAFANA\_SERVICE\_ACCOUNT\_TOKEN:** The token you created for the service account. The deprecated `GRAFANA_API_KEY` is still supported but will be removed in a future version; use `GRAFANA_SERVICE_ACCOUNT_TOKEN` instead. ### Read the token from a file Set `GRAFANA_SERVICE_ACCOUNT_TOKEN_FILE` to a file path that contains the token instead of passing the value inline. The file is read fresh on every request, so a rotated token is picked up automatically without restarting the server. This is useful in Kubernetes, where a Secret mounted as a volume is updated in place when the underlying Secret changes. Because the server’s client cache is keyed on the token value, a rotated token transparently produces a new client with no pod restart: YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```yaml env: - name: GRAFANA_SERVICE_ACCOUNT_TOKEN_FILE value: /var/run/secrets/grafana/token volumeMounts: - name: grafana-token mountPath: /var/run/secrets/grafana readOnly: true volumes: - name: grafana-token secret: secretName: grafana-mcp-token ``` Surrounding whitespace (including a trailing newline) is trimmed from the file contents. If both `GRAFANA_SERVICE_ACCOUNT_TOKEN` and `GRAFANA_SERVICE_ACCOUNT_TOKEN_FILE` are set, the inline token takes precedence. ## Use username and password You can use basic auth by setting `GRAFANA_USERNAME` and `GRAFANA_PASSWORD` instead of a token. This is less suitable for automation; prefer a service account token when possible. ## Next steps - [Enable and disable tools](/docs/grafana-cloud/machine-learning/mcp/configure/enable-and-disable-tools) to control which MCP tools are available. - [Transports and addresses](/docs/grafana-cloud/machine-learning/mcp/configure/transports-and-addresses) for stdio, SSE, and streamable-http.