docs: mcp split into 2 pages

bobbyiliev · bobbyiliev · commit bae83d4ccba7 · 2026-04-03T15:35:07.000+03:00
diff --git a/doc/user/content/integrations/_index.md b/doc/user/content/integrations/_index.md
@@ -46,10 +46,11 @@ See also the following integration guides for BI tools:
 - [Connect to Materialize via HTTP](/integrations/http-api/)
 - [Connect to Materialize via WebSocket](/integrations/websocket-api/)
 
-## Coding agents
+## AI agents
 
-- [Built-in MCP Server](/integrations/mcp/)
-- [MCP Server (Python)](/integrations/llm/)
+- [MCP Server for Agents](/integrations/mcp-agents/) — built-in endpoint for exposing real-time data products to AI agents
+- [MCP Server for Observability](/integrations/mcp-observatory/) — built-in endpoint for AI-powered troubleshooting via system catalog
+- [MCP Server (Python)](/integrations/llm/) — standalone Python server with `stdio` and `sse` transport support, for use outside the built-in endpoints
 - [Coding Agent Skills](/integrations/coding-agent-skills/)
 
 ## Foreign data wrapper
diff --git a/doc/user/content/integrations/mcp-agents.md b/doc/user/content/integrations/mcp-agents.md
@@ -1,6 +1,6 @@
 ---
-title: Built-in MCP Server
-description: "Connect AI agents directly to Materialize's built-in MCP endpoints for real-time data access."
+title: MCP Server for Agents
+description: "Expose real-time data products to AI agents via Materialize's built-in MCP endpoint."
 make_table_row_headers_searchable: true
 menu:
   main:
@@ -10,46 +10,37 @@ menu:
 
 {{< private-preview />}}
 
-Materialize provides built-in [Model Context Protocol
-(MCP)](https://modelcontextprotocol.io/) endpoints that let AI agents discover
+Materialize provides a built-in [Model Context Protocol
+(MCP)](https://modelcontextprotocol.io/) endpoint that lets AI agents discover
 and query your real-time data products over HTTP. The MCP interface is served
 directly by the database; no sidecar process or external server is required.
 
-## MCP endpoints overview
+**Endpoint:** `POST /api/mcp/agents` (HTTP port, default `6876`)
 
-| Endpoint | Path | Description |
-|----------|------|-------------|
-| **Agents** | `/api/mcp/agents` | Discover and read data products (indexed views with comments). Designed for customer-facing AI agents. Available on the HTTP port (default `6876`). |
-| **Observatory** | `/api/mcp/observatory` | Query `mz_*` system catalog tables for troubleshooting and observability. Available on the HTTP port (default `6876`). |
-
-The endpoints use [JSON-RPC 2.0](https://www.jsonrpc.org/specification) over
-HTTP POST and support the MCP `initialize`, `tools/list`, and `tools/call`
+The endpoint uses [JSON-RPC 2.0](https://www.jsonrpc.org/specification) over
+HTTP POST and supports the MCP `initialize`, `tools/list`, and `tools/call`
 methods.
 
-### Enabling / Disabling the MCP endpoints
+### Enabling the endpoint
 
-MCP endpoints can be toggled at runtime using system parameters:
+The agents endpoint is disabled by default. Enable it at runtime using system
+parameters:
 
 | Parameter | Default | Description |
 |-----------|---------|-------------|
 | `enable_mcp_agents` | `false` | Enable or disable the `/api/mcp/agents` endpoint. |
-| `enable_mcp_observatory` | `false` | Enable or disable the `/api/mcp/observatory` endpoint. |
 | `enable_mcp_agents_query_tool` | `false` | Show or hide the `query` tool on the agents endpoint. |
 | `mcp_max_response_size` | `1000000` | Maximum response size in bytes. Queries exceeding this limit return an error. |
 
 ```mzsql
--- Disable the agents endpoint
-ALTER SYSTEM SET enable_mcp_agents = false;
-
--- Enable the query tool
-ALTER SYSTEM SET enable_mcp_agents_query_tool = true;
+ALTER SYSTEM SET enable_mcp_agents = true;
 ```
 
-When an endpoint is disabled, requests return HTTP 503 (Service Unavailable).
+When the endpoint is disabled, requests return HTTP 503 (Service Unavailable).
 
 ## Authentication and access control {#rbac}
 
-Accessing the MCP endpoints requires [basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#basic_authentication_scheme),
+Accessing the MCP endpoint requires [basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#basic_authentication_scheme),
 just as connecting via a SQL client (e.g. `psql`). The authenticated role
 determines which data products are visible based on RBAC privileges.
 
@@ -64,7 +55,7 @@ Use the credentials of a Materialize user or
 * **Password:** An [app password](/security/cloud/users-service-accounts/create-service-accounts/).
 
 For production use, we recommend creating a dedicated service account and
-granting it a role with limited privileges (see below).
+granting it a role with limited privileges (see [Required privileges](#required-privileges)).
 
 {{< /tab >}}
 
@@ -100,7 +91,7 @@ workloads. This ensures agent queries do not consume resources from your other
 clusters, and limits visibility to only the data products you choose to expose.
 
 ```mzsql
-CREATE CLUSTER mcp_cluster SIZE 'xsmall';
+CREATE CLUSTER mcp_cluster SIZE '25cc';
 CREATE SCHEMA mcp_schema;
 ```
 
@@ -177,8 +168,11 @@ GRANT mcp_agent TO '<service-account-name>';
 
 {{< tab "Self-Managed" >}}
 
+Create a functional role for privileges, then assign it to a login role:
+
 ```mzsql
-CREATE ROLE mcp_agent LOGIN PASSWORD 'secret';
+-- Functional role (cannot log in, holds privileges)
+CREATE ROLE mcp_agent;
 
 GRANT USAGE ON DATABASE materialize TO mcp_agent;
 GRANT USAGE ON SCHEMA mcp_schema TO mcp_agent;
@@ -190,21 +184,23 @@ GRANT USAGE ON CLUSTER mcp_cluster TO mcp_agent;
 -- and only see objects in mcp_schema by default.
 ALTER ROLE mcp_agent SET cluster TO mcp_cluster;
 ALTER ROLE mcp_agent SET search_path TO mcp_schema;
+
+-- Login role (used for authentication)
+CREATE ROLE my_agent LOGIN PASSWORD 'secret';
+GRANT mcp_agent TO my_agent;
 ```
 
+You can create additional login roles and grant them the same `mcp_agent` role
+as needed.
+
 {{< /tab >}}
 
 {{< /tabs >}}
 
 If any privilege is missing, the data product will not appear in the agent's
 tool list.
 
-## Agents endpoint
-
-**`POST /api/mcp/agents`**
-
-The agents endpoint exposes your data products as MCP tools. It provides the
-following tools:
+## Tools
 
 ### `get_data_products`
 
@@ -318,39 +314,6 @@ Execute a SQL `SELECT` statement against your data products.
 }
 ```
 
-## Observatory endpoint
-
-**`POST /api/mcp/observatory`**
-
-The observatory endpoint gives agents read-only access to the Materialize
-system catalog for troubleshooting and observability.
-
-### `query_system_catalog`
-
-Execute a SQL query restricted to `mz_*` system tables.
-
-| Parameter | Type | Required | Description |
-|-----------|------|----------|-------------|
-| `sql_query` | string | Yes | `SELECT` query using only `mz_*` system tables. |
-
-**Example response:**
-
-```json
-{
-  "jsonrpc": "2.0",
-  "id": 1,
-  "result": {
-    "content": [
-      {
-        "type": "text",
-        "text": "[\n  [\n    \"quickstart\",\n    \"ready\"\n  ],\n  [\n    \"mcp_cluster\",\n    \"ready\"\n  ]\n]"
-      }
-    ],
-    "isError": false
-  }
-}
-```
-
 ## Client configuration
 
 Replace `<host>` with your Materialize hostname (or region host for Cloud) and
@@ -360,68 +323,17 @@ encode your credentials in Base64:
 printf 'user:app_password' | base64
 ```
 
-### Claude Desktop
-
-Add the following to your Claude Desktop MCP configuration
-(`claude_desktop_config.json`):
-
 {{< tabs >}}
 
-{{< tab "Cloud" >}}
+{{< tab "Claude Desktop" >}}
 
-```json
-{
-  "mcpServers": {
-    "materialize": {
-      "url": "https://<region-host>/api/mcp/agents",
-      "headers": {
-        "Authorization": "Basic <base64(user:app_password)>"
-      }
-    }
-  }
-}
-```
-
-{{< /tab >}}
-
-{{< tab "Self-Managed" >}}
+Add to your Claude Desktop MCP configuration (`claude_desktop_config.json`):
 
 ```json
 {
   "mcpServers": {
     "materialize": {
-      "url": "http://<host>:6876/api/mcp/agents",
-      "headers": {
-        "Authorization": "Basic <base64(username:password)>"
-      }
-    }
-  }
-}
-```
-
-{{< /tab >}}
-
-{{< /tabs >}}
-
-### Cursor
-
-In Cursor's MCP settings (`.cursor/mcp.json`):
-
-{{< tabs >}}
-
-{{< tab "Cloud" >}}
-
-```json
-{
-  "mcpServers": {
-    "materialize-agents": {
-      "url": "https://<region-host>/api/mcp/agents",
-      "headers": {
-        "Authorization": "Basic <base64(user:app_password)>"
-      }
-    },
-    "materialize-observatory": {
-      "url": "https://<region-host>/api/mcp/observatory",
+      "url": "https://<host>/api/mcp/agents",
       "headers": {
         "Authorization": "Basic <base64(user:app_password)>"
       }
@@ -432,52 +344,16 @@ In Cursor's MCP settings (`.cursor/mcp.json`):
 
 {{< /tab >}}
 
-{{< tab "Self-Managed" >}}
-
-```json
-{
-  "mcpServers": {
-    "materialize-agents": {
-      "url": "http://<host>:6876/api/mcp/agents",
-      "headers": {
-        "Authorization": "Basic <base64(username:password)>"
-      }
-    },
-    "materialize-observatory": {
-      "url": "http://<host>:6876/api/mcp/observatory",
-      "headers": {
-        "Authorization": "Basic <base64(username:password)>"
-      }
-    }
-  }
-}
-```
-
-{{< /tab >}}
-
-{{< /tabs >}}
-
-### Claude Code
+{{< tab "Claude Code" >}}
 
 In your project's `.mcp.json`:
 
-{{< tabs >}}
-
-{{< tab "Cloud" >}}
-
 ```json
 {
   "mcpServers": {
     "materialize-agents": {
       "type": "http",
-      "url": "https://<region-host>/api/mcp/agents",
-      "headers": {
-        "Authorization": "Basic <base64(user:app_password)>"
-      }
-    },
-    "materialize-observatory": {
-      "type": "http",
-      "url": "https://<region-host>/api/mcp/observatory",
+      "url": "https://<host>/api/mcp/agents",
       "headers": {
         "Authorization": "Basic <base64(user:app_password)>"
       }
@@ -488,23 +364,17 @@ In your project's `.mcp.json`:
 
 {{< /tab >}}
 
-{{< tab "Self-Managed" >}}
+{{< tab "Cursor" >}}
+
+In Cursor's MCP settings (`.cursor/mcp.json`):
 
 ```json
 {
   "mcpServers": {
     "materialize-agents": {
-      "type": "http",
-      "url": "http://<host>:6876/api/mcp/agents",
+      "url": "https://<host>/api/mcp/agents",
       "headers": {
-        "Authorization": "Basic <base64(username:password)>"
-      }
-    },
-    "materialize-observatory": {
-      "type": "http",
-      "url": "http://<host>:6876/api/mcp/observatory",
-      "headers": {
-        "Authorization": "Basic <base64(username:password)>"
+        "Authorization": "Basic <base64(user:app_password)>"
       }
     }
   }
@@ -513,18 +383,12 @@ In your project's `.mcp.json`:
 
 {{< /tab >}}
 
-{{< /tabs >}}
-
-### Generic HTTP client
+{{< tab "Generic HTTP" >}}
 
 Any MCP-compatible client can connect by sending JSON-RPC 2.0 requests:
 
-{{< tabs >}}
-
-{{< tab "Cloud" >}}
-
 ```bash
-curl -X POST https://<region-host>/api/mcp/agents \
+curl -X POST https://<host>/api/mcp/agents \
   -H "Content-Type: application/json" \
   -H "Authorization: Basic <base64(user:app_password)>" \
   -d '{
@@ -536,27 +400,14 @@ curl -X POST https://<region-host>/api/mcp/agents \
 
 {{< /tab >}}
 
-{{< tab "Self-Managed" >}}
-
-```bash
-curl -X POST http://<host>:6876/api/mcp/agents \
-  -H "Content-Type: application/json" \
-  -H "Authorization: Basic <base64(username:password)>" \
-  -d '{
-    "jsonrpc": "2.0",
-    "id": 1,
-    "method": "tools/list"
-  }'
-```
-
-{{< /tab >}}
-
 {{< /tabs >}}
 
-## Related Pages
+For self-managed deployments, use `http://<host>:6876` instead of `https://`.
+
+## Related pages
 
-- [MCP Server (Python)](/integrations/llm/): standalone Python MCP server
-  for `stdio` and `sse` transports
+- [MCP Server for Observability](/integrations/mcp-observatory/)
+- [MCP Server (Python)](/integrations/llm/)
 - [Coding Agent Skills](/integrations/coding-agent-skills/)
 - [CREATE INDEX](/sql/create-index)
 - [COMMENT ON](/sql/comment-on)
diff --git a/doc/user/content/integrations/mcp-observatory.md b/doc/user/content/integrations/mcp-observatory.md
