Onboard
Introduction
Users
Teams
Introduction
IntroductionPromote an image in Amazon ECRRetrieve an object from Amazon S3Store an object on Amazon S3Copy Docker images with CraneDownload a file from JFrog ArtifactoryMove or copy an image from JFrog ArtifactoryUpload a file to JFrog ArtifactoryGet artifact detailsManage artifact labelsRegister a build artifactRegister a deployed environment artifact
IntroductionCreate or update a functionInvoke a function
IntroductionRun an AWS CodePipelineRun a Bamboo projectRun a Bitbucket pipelineRun a CloudBees CI jobRun a CircleCI workflowRun a GitHub Actions workflowRun a GitLab pipelineRun a Harness pipelineRun a Jenkins® jobRun a JFrog pipelineBuild and publish Docker images with KanikoRun a TeamCity project
IntroductionMigrate from v1 to v2
IntroductionAWS credentialsECR credentialsEKS credentialsGit global credentialsOCI credentials
IntroductionRun Ansible PlaybookDeploy with Argo WorkflowsDeploy with AWS CodeDeployDeploy a binary with Amazon EC2Deploy to ECSRender an Amazon ECS task definitionDeploy with AWS Elastic BeanstalkDeploy with HerokuDeploy with OctopusDeploy with OpenShiftDeploy with SpinnakerDeploy with Tosca
Publish evidence items
Fetch secrets from CyberArk Conjur
IntroductionHelm chart installHelm chart packageHelm chart publishHelm chart uninstall
IntroductionCreate a Kubernetes namespaceCreate/update a Kubernetes resourceDeploy to a Kubernetes cluster
IntroductionVerify with NewRelic
Execute remote commands via SSH
IntroductionAnchoreAquasecJFrog XraySnyk ContainerSonatype (Nexus) ContainerTrivy
IntroductionStackhawkZAP
IntroductionCheckmarxCheckovCoverity on PolarisFind Security BugsGitHub Security ScannerGosecGrypeMendNexus IQnjsscanSnykSonarQube bundledSonarQube
IntroductionBlack DuckMendSnyk
IntroductionGitleaksTruffleHog ContainerTruffleHog CodeTruffleHog S3
IntroductionCreate a change requestUpdate or close a change requestGet a change request current stateQuery a change request approval
Publish test results
Multi-workflows dispatch
Introduction
Get started with feature flags
Create flags in code
Manage multiple SDK keys in your application
Create and manage flags in the UI
Namespaces and labels
Configure feature flags
Feature management custom roles
Flag approval requests and reviews
Audit history
Get started with configuration as code
Set up configuration as code
Configuration as code reference
Configuration-as-Code examples
Flag impressions and activity status
Flag health
Code references
Properties and custom properties
Target groups
Enabling secret mode
IntroductionAndroid / Android TV / Fire TVC/C++ (client-side)C/C++ (server-side)GoJavaJavaScript (browser) / Chromecast / TizenJavaScript SSR.NET/C#Node.jsiOS / tvOSPHPPythonReact NativeRuby
IntroductionClient-side AndroidClient-side C ClientClient-side C++ ClientClient-side JavaClient-side JavaScript (browser)Client-side .NET/C# clientClient-side Objective-CClient-side React NativeClient-side SwiftServer-side CServer-side C++Server-side GoServer-side JavaServer-side .NET/C#Server-side NodeJSServer-side PythonServer-side PHPServer-side RubyBoth client-side and server-side JavaScript SSR
IntroductionAndroid appAngular appDjango appGin appJava Spring Boot app.NET Core appReact appSwift iOS app

Secure your MCP connection

3 minute read

When you connect an AI agent to CloudBees Unify using MCP, follow these security best practices.

Authentication

You authenticate using the same OAuth flow as the CloudBees Unify web interface:

  1. Your AI client opens your web browser.

  2. You sign in using Google, GitHub, or SSO.

  3. You select your Root Organization.

  4. Your AI client stores your credentials securely.

Your AI agent acts with the same permissions as your user account.

Best practices

Follow these practices to maintain secure access.

Use least-privilege accounts

Connect your AI agent with an account that has only the access it needs:

  • Developers typically need read access to components, workflows, and builds, plus permission to trigger workflows.

  • Platform engineers may require broader access for configuration and management tasks.

  • Security engineers may need read-only access to security findings and reports.

Avoid using highly privileged accounts for routine use.

Create a dedicated service account for your AI agent to use with appropriately scoped roles, rather than using a personal account with broad access.

Authenticate each machine separately

Authenticate each developer machine independently:

  • Don’t share authentication between machines or users.

  • If a machine is lost or compromised, reauthenticate your other machines to ensure they continue working.

Reauthenticate when prompted

Your authentication expires after a period of time. When prompted, reauthenticate to continue using MCP.

If you suspect your authentication is compromised, reauthenticate immediately.

Monitor activity

All MCP activity is logged and attributed to your user account.

Contact CloudBees Support for audit inquiries or security investigations.

Control access with roles

CloudBees Unify enforces role-based access control (RBAC) when you use MCP.

All tools are visible to authenticated users, but your roles determine which resources you can access:

  • A user with only the Developer role cannot access user management resources.

  • A user with only read permissions cannot trigger workflows or modify feature flags.

  • A user not in a team cannot access that team’s components.

To restrict what an AI agent can do:

  1. Create or identify the user account for your AI agent to use.

  2. Assign only the necessary roles to that account.

  3. Test the connection to verify required operations work.

Network configuration

Your AI client connects outbound to mcp.cloudbees.io over HTTPS (port 443).

No inbound connections are required. No firewall rules need to be opened on developer machines.

Corporate proxies

If your organization uses a corporate proxy:

  1. Configure your AI client to use the proxy for HTTPS connections.

  2. Ensure the proxy allows connections to mcp.cloudbees.io.

  3. Configure proxy credentials in your AI client if needed.

For Claude Code, proxy settings are typically inherited from system environment variables (HTTP_PROXY, HTTPS_PROXY).

Test connectivity

If you have connection issues, test connectivity:

curl https://mcp.cloudbees.io/v1/mcp

If this fails, check your network configuration or contact your network administrator.

Security checklist

Use this checklist to verify your MCP connection follows security best practices:

AI agents authenticate with least-privilege user accounts.

Each machine has its own authentication (no shared credentials).

Administrator accounts are not used for day-to-day AI agent operations.

Corporate proxy settings are correctly configured if needed.

Team members have reviewed Privacy and data handling.

Incident response

If you suspect a security incident:

  1. Immediate action: Reauthenticate your AI client to obtain new credentials.

  2. Notify your security team: Follow your organization’s incident response procedures.

  3. Contact support: Contact CloudBees Support. CloudBees can review activity logs and assist with security concerns.

Data privacy

For information about what data is shared with CloudBees Unify and how it’s protected, refer to Privacy and data handling.

CloudBees Unify follows industry-standard security practices covered by the CloudBees SOC2 certification.

What’s next

Migrate to the remote MCP server
Tool reference