Register a Third-Party MCP Server in Agentforce Registry
Create a connection to an MCP server and allowlist the server tools you want to use with your agents.
Required Editions
| Available in: Lightning Experience |
| Available in: Enterprise, Performance, Unlimited, and Developer Editions. Required add-on licenses vary by agent type. |
| User Permissions Needed | |
|---|---|
| To register an MCP server: | Manage AI Agents AND the required permissions for your agent type |
- From Setup, in the Quick Find box, enter Agentforce, and then select Agentforce Registry.
- Click New. You can register a server from scratch or browse and install pre-packaged servers from AgentExchange.
- Enter a server name, description, and URL.
- Select an authentication method. We support no authentication and OAuth 2.0 client credentials. We support some advanced authentication patterns with additional configuration, including OAuth 2.1 client credentials.
If you select OAuth 2.0, provide the following fields. You can usually find this information in your identity provider’s settings or documentation, or in the documentation for the MCP server you’re registering.
- Identity Provider URL: The URL of your authorization server, which specifies the server endpoint for user authentication and authorization requests. If you’re registering a server from AppExchange that uses OAuth 2.0, this field is filled automatically and can’t be edited.
- Scope (optional): A list of permissions that the MCP server requires for the client to access server tools and APIs, formatted as a comma-separated list. If you’re registering a server from AppExchange that uses OAuth 2.0, this field is filled automatically and can’t be edited.
- Client ID: The unique ID of the MCP server, used to request access via the authorization server.
- Client Secret: A password known only to the MCP server and the authorization server, used to authenticate the MCP server when requesting access tokens. Must be kept secure.
Example: OAuth 2.0
PayPal’s MCP server uses OAuth 2.0 to establish a secure connection between an MCP client and PayPal’s MCP server. In the OAuth 2.0 protocol, the client exchanges their client ID and client secret for an access token.
- The URL for the PayPal MCP server is https://mcp.paypal.com/http.
- The identity provider URL is https://api-m.sandbox.paypal.com/v1/oauth2/token.
- PayPal’s developer documentation provides a list of common scopes for accessing PayPal APIs.
PayPal’s scopes are written in URL format, but scopes can be written in any string format (for example, “read” or “services-payment-refund”). Check the documentation for your MCP server for specifics.
- PayPal’s MCP server documentation provides steps for how to use a PayPal account client ID and client secret.
- Click Create and Continue.
Salesforce creates a connection with the server and sends a ping to validate the connection. When you create the connection, Salesforce creates a named credential, external credential, and permission set for you so that Salesforce can authenticate with your server. The permission set (“ServerName Permission Set”) is automatically assigned to you and allows you to manage the server. You don’t need to assign the permission set to users or the agent’s user record for your agent to use your server tools. Learn more about named credentials, external credentials, and permission sets.
Note: If you delete the permission set associated with a registered server or remove the permission set from your user record, you won’t be able to edit or manage your server (for example, allowlist or remove server tools).
- After your connection is created, select the server tools you want agents to be able to use. Then click Next.
Only allow tools you trust. Before allowlisting, carefully review tool names and descriptions to ensure you understand their function and scope. If you see a warning that one or more tool descriptions contain bidirectional or decorative Unicode characters, invisible characters, or multiple languages or scripts, these tools are considered high risk. Before allowlisting, copy and paste the tool descriptions into a text editor and manually review them.
- Optionally, if you’ve created any policies for MCP servers in Agentforce Gateway that are available to add manually, you can apply them to your server. If your server meets the conditions for any rule-based MCP server policies you’ve created, the policies are applied automatically.
- Save your changes.
After you save, the MCP server tools you selected are added to the asset library as agent actions and are available to add to an agent.
To view the MCP tool actions available to add to an agent, from Setup, in the Quick Find box, enter Agentforce, and then select Agentforce Assets. Select the Actions tab. Tool actions follow the naming pattern “Tool Name ServerName” and are indicated by the icon. If you don’t see an agent action associated with your MCP tool, refresh the page.
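The tool-selection step asks you to manually review descriptions that contain bidirectional, invisible, or decorative Unicode characters or more than one script. The following added example (not Salesforce code, and not the Registry's own detection logic) is a local pre-check that reports which of those categories appear in each tool name and description. The tool names, descriptions, and finding labels are constructed for illustration, and script detection is a heuristic based on Unicode character names.

```python
import unicodedata

# Bidirectional marks, embeddings, overrides and isolates.
BIDI_CONTROLS = set("\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e"
                    "\u2066\u2067\u2068\u2069")
# Compatibility decompositions used by styled look-alike letters.
DECORATIVE_TAGS = ("<font>", "<wide>", "<circle>")

def review_description(text):
    """Return the sorted list of risk findings for one tool description."""
    findings, scripts = set(), set()
    for ch in text:
        cat = unicodedata.category(ch)
        if ch in BIDI_CONTROLS:
            findings.add("bidi-control")
        elif cat == "Cf" or (cat == "Cc" and ch not in "\n\r\t"):
            findings.add("invisible")       # zero-width, tag, control chars
        elif unicodedata.decomposition(ch).startswith(DECORATIVE_TAGS):
            findings.add("decorative")      # math, fullwidth, circled forms
        elif ch.isalpha():
            # Heuristic: the first word of a letter's Unicode name is its
            # script (LATIN, CYRILLIC, CJK, ...); the stdlib has no Script
            # property, so a few symbol-like letters are over-reported.
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    if len(scripts) > 1:
        findings.add("mixed-script")
    return sorted(findings)

def high_risk_tools(tools):
    """Map tool name -> findings for every tool that needs manual review."""
    flagged = {}
    for name, description in tools.items():
        findings = review_description(name + " " + description)
        if findings:
            flagged[name] = findings
    return flagged

# Constructed sample tool list (hypothetical names and descriptions).
SAMPLE_TOOLS = {
    "create_refund": "Refund a captured payment.",
    "list_invoices": "List invoices\u200b for an account.",
    "get_order": "Look up \u202eorder status\u202c.",
    "send_receipt": "Send a p\u0430yment receipt.",      # Cyrillic U+0430
    "export_report": "\U0001d5e6ave a report as PDF.",    # math sans-serif bold S
}

if __name__ == "__main__":
    for tool, findings in high_risk_tools(SAMPLE_TOOLS).items():
        print(f"{tool}: {', '.join(findings)}")
```

A tool that returns no findings still needs the name and description read for what the tool actually does; the script only surfaces characters that are hard to see in a rendered list.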
- Advanced Authentication Pattern: OAuth 2.1 Client Credentials Flow
Leverage the underlying authentication stack to register an MCP server that uses OAuth 2.1 client credentials.
- Manage MCP Server Registrations in Agentforce Registry
Edit your MCP server’s details, tools, and policies, or delete your MCP server registration entirely.

