MCP Server Catalog
The MCP Catalog is where you review and approve new MCP servers before they can run.
Understanding the Catalog
When a user tries to use an MCP server for the first time, it appears in the catalog with Pending status.
Server States
| State | Meaning | Action Needed |
|---|---|---|
| Pending | New server awaiting review | Admin must approve or block |
| Approved | Safe to use organization-wide | None |
| Blocked | Prohibited by policy | None (unless policy changes) |
| Auto-Approved | Same hash as approved server | None |
Approving Servers
- Navigate to MCP Catalog
- Find pending server
- Click Review
- Examine details:
- Server name and command
- Which user requested it
- Which application
- Server identity hash
- Click Approve or Block
Due Diligence
Always verify the server is from a trusted source before approving. Check npm package, GitHub repo, or internal code review.
Server Details
When reviewing a server, check:
- Command - What executable runs the server?
- Args - What parameters are passed?
- Transport - STDIO or SSE?
- Environment - What env vars does it need?
- Requested By - Who tried to use it?
- First Seen - When was it detected?
- Application - Which IDE uses it?
Bulk Approval
Select multiple servers to approve/block at once:
- Check boxes next to servers
- Click Bulk Actions menu
- Choose Approve Selected or Block Selected
Auto-Approval
Once you approve a server on one device, it's automatically approved on other devices with the same configuration (same hash).
Example:
Device A: Approve "github" server → Hash: abc123
Device B: User tries "github" → Hash: abc123 → Auto-approved ✓
Device C: User tries "github" with different token → Hash: def456 → Pending (requires review)Filtering
Filter catalog by:
- Status - Pending, Approved, Blocked
- Application - Claude, Cursor, VS Code, etc.
- User - Who requested
- Date - When detected
Next Steps
- Core Concepts: MCP Servers - Technical details
- Threat Reports - Monitor server behavior