Documentationbreadcrumb arrow Grafana documentationbreadcrumb arrow Developer resourcesbreadcrumb arrow Grafana MCP serverbreadcrumb arrow Configurebreadcrumb arrow Authentication
Enterprise Open source

Authentication

The Grafana MCP server needs credentials to call the Grafana API. Use a service account token (recommended) or a username and password.

What you’ll achieve

You set the environment variables (or equivalent) so the server can authenticate to your Grafana instance. The same credentials apply whether you run the server with uvx, Docker, a binary, or Helm.

Before you begin

  • A Grafana instance (Grafana 9.0 or later).
  • For token auth: a service account with a token and the RBAC permissions needed for the tools you use.

Use a service account token

Set GRAFANA_URL and GRAFANA_SERVICE_ACCOUNT_TOKEN in the environment passed to the server.

  • GRAFANA_URL: Your Grafana base URL (for example, http://localhost:3000 or https://myinstance.grafana.net).
  • GRAFANA_SERVICE_ACCOUNT_TOKEN: The token you created for the service account.

The deprecated GRAFANA_API_KEY is still supported but will be removed in a future version; use GRAFANA_SERVICE_ACCOUNT_TOKEN instead.

Read the token from a file

Set GRAFANA_SERVICE_ACCOUNT_TOKEN_FILE to a file path that contains the token instead of passing the value inline. The file is read fresh on every request, so a rotated token is picked up automatically without restarting the server.

This is useful in Kubernetes, where a Secret mounted as a volume is updated in place when the underlying Secret changes. Because the server’s client cache is keyed on the token value, a rotated token transparently produces a new client with no pod restart:

YAML 
env:
  - name: GRAFANA_SERVICE_ACCOUNT_TOKEN_FILE
    value: /var/run/secrets/grafana/token
volumeMounts:
  - name: grafana-token
    mountPath: /var/run/secrets/grafana
    readOnly: true
volumes:
  - name: grafana-token
    secret:
      secretName: grafana-mcp-token

Surrounding whitespace (including a trailing newline) is trimmed from the file contents. If both GRAFANA_SERVICE_ACCOUNT_TOKEN and GRAFANA_SERVICE_ACCOUNT_TOKEN_FILE are set, the inline token takes precedence.

Use username and password

You can use basic auth by setting GRAFANA_USERNAME and GRAFANA_PASSWORD instead of a token. This is less suitable for automation; prefer a service account token when possible.

Next steps