Documentation

Configure Pathfinder MCP

The Pathfinder MCP (Model Context Protocol) gateway lets AI agents securely query data across your BeyondTrust products through a single endpoint. It is available as an Early Access feature in the US region only.

Activate MCP

MCP is off by default. An administrator must enable it for each site before users can generate tokens or connect agents.

  1. Navigate to the Administration site of your Pathfinder instance.
  2. Under Site Feature Configuration > Platform AI Features, locate the Platform Model Context Protocol (MCP) dropdown.
  3. Select Read Only.
  4. Select Update Site.

Once enabled, users on that site can generate MCP access tokens from their profile.

Generate an MCP access token

Each user who needs to connect an AI agent to the MCP gateway must generate their own access token.

  1. Navigate to the site where MCP has been enabled.
  2. Select your profile icon in the top-right corner, then select Manage Profile.
  3. In the MCP Access Tokens section, select an expiration period from the Expiration Date dropdown:
    • 30 days
    • 60 days
    • 90 days
    • Custom date (maximum of one year)
  4. Select Create Token.
  5. Select Close.

Your token will look like: MCP_xxxxxxxxxxxxxxxxxxxx

Use it in your agent configuration as:

Authorization: Bearer MCP_xxxxxxxxxxxxxxxxxxxx

Manage tokens

The MCP Access Tokens section on the Manage Profile page displays a grid of all tokens generated by the current user.

Token grid columns

ColumnDescription
Creation DateWhen the token was created
Last LoginThe last time the token was used to authenticate
Expiration DateWhen the token expires
Token StatusActive or Expired
CommandAction available for the token

Token actions

  • Revoke: Available for active tokens. Revokes the token immediately and removes it.
  • Delete: Available for expired tokens. Removes the expired token from the list.

Filter tokens

Use the Token Status Filter dropdown to filter the grid by status: All, Active, or Expired.

Product-Specific configuration

Some BeyondTrust products work with the MCP gateway automatically once MCP is enabled at the site level. Other products may require additional in-app configuration and a minimum product version.

ProductMinimum VersionIn-App Configuration Required
Identity Security Insights26.04.1No, works automatically when MCP is enabled
EntitleApril 2026No, works automatically when MCP is enabled
Password Safe26.1See Password Safe docs
EPM for Windows and Mac26.1No, works automatically when MCP is enabled
EPM for LinuxMarch 2026No, works automatically when MCP is enabled
Privileged Remote Access26.1TBD
Remote Support26.1See Remote Support Configuration
ℹ️

Note:

If a product requires in-app configuration, the MCP gateway will not expose tools for that product until the configuration is complete. Refer to the product-specific documentation linked above for setup steps.

Disable MCP

To disable MCP for a site:

  1. Navigate to the Administration site.
  2. Select the Edit button for the site.
  3. Set the Platform Model Context Protocol (MCP) dropdown to Off.
  4. Select Update Site.

Users on that site will no longer be able to use existing MCP tokens to connect. Previously generated tokens will stop working, but will still appear in the token management grid until they expire or are deleted.

Requirements

  • An active BeyondTrust Pathfinder tenant
  • A site in the US region with MCP enabled by an administrator
  • One or more licensed BeyondTrust products connected to the site

Updated about 4 hours ago

What’s Next

©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.