Loading

Revoke an MCP client or connection

Revoking OAuth access in Elastic Agent Builder immediately cuts off an MCP host's ability to use the Agent Builder tools. You can revoke at two granularities: a single user's connection, or the entire MCP client and all its connections.

  • Revoke a connection — removes one user's authorized session for an MCP client, while leaving the client registered. The user can reconnect by going through the consent flow again.
  • Revoke an MCP client — revokes the entire client and all its connections. Users whose connections are removed can no longer connect until a new client is created.

There is no OAuth /revoke endpoint. All revocation is through the Kibana and Elastic Cloud interfaces.

Tip

Organization owners and project administrators can also revoke connections from the Cloud Console. See Manage application connections.

Any user with access to the project can revoke connections from the Application connections page in Security Management.

  1. In Kibana, go to Agent Builder → Tools library, click Manage MCP, and select Manage MCP clients (OAuth). Then click Manage application connections. Alternatively, go to Admin and settings → Application connections.
  2. Find the connection. In Group by client view, expand a client row to see its connections. Switch to List view to see all connections in a flat list.
  3. Click Revoke in the connection's row.
  4. Review the details in the confirmation dialog, then click Revoke.

The connection is revoked immediately. The MCP client stays registered and can accept new connections. Applications can be reconnected at any time by going through the consent flow again.

  1. In Kibana, go to Admin and settings → Application connections (or click Manage application connections from Agent Builder → Tools library → Manage MCP → Manage MCP clients (OAuth)).
  2. Select the checkbox next to each connection you want to revoke. To select all connections for a client, select the checkbox in the client's row.
  3. Click Revoke N connections.
  4. Review the list in the confirmation dialog, then click Revoke.

Revoking a client immediately terminates all its connections. The client is no longer listed in Agent Builder, and existing OAuth tokens for those connections stop working at the next validation.

  1. In Kibana, go to Agent Builder → Tools library, click Manage MCP, and select Manage MCP clients (OAuth).
  2. Find the client and click Revoke in its row.
  3. In the Revoke [client name]? dialog, review the number of active connections that will be affected.
  4. In the MCP client name field, type the client name exactly as shown to confirm, then click Revoke.

After revocation, users can no longer connect with that client until a new MCP client is created.

Note

Removing a user from your identity provider does not automatically revoke that user's connections. Revoke their connections manually when offboarding.

  • If you revoked a client and want to restore access, create a new MCP client and distribute the new credentials to users.