# Dynamic MCP Server Registration

Dynamic MCP server registration allows Teleport administrators to register new MCP servers (or update/unregister existing ones) without having to update the static configuration files read by Teleport Application Service instances.

The MCP server resources are registered as `app` resources in the Teleport backend. Application Service instances periodically query the Teleport Auth Service for `app` resources, each of which includes the information that the Application Service needs to proxy an application.

## Required permissions

In order to interact with dynamically registered applications, a user must have a Teleport role with permissions to manage `app` resources.

In the following example, a role allows a user to perform all possible operations against `app` resources:

```
allow:
  rules:
    - resources:
        - app
      verbs: [list, create, read, update, delete]

```

## Enabling dynamic registration

To enable dynamic registration, include a `resources` section in your Application Service configuration with a list of resource label selectors you'd like this service to monitor for registering:

```
app_service:
  enabled: true
  resources:
  - labels:
      "*": "*"

```

You can use a wildcard selector to register all dynamic app resources in the cluster on the Application Service or provide a specific set of labels for a subset:

```
resources:
- labels:
    "env": "prod"
- labels:
    "env": "test"

```

## Creating a MCP server

The following example configures Teleport to proxy the "Everything" MCP server by launching it through docker:

```
kind: app
version: v3
metadata:
  name: everything
  description: The Everything MCP server
  labels:
    env: dev
spec:
  mcp:
    # Command to launch stdio-based MCP servers.
    command: "docker"
    # Args to execute with the command.
    args: ["run", "-i", "--rm", "mcp/everything"]
    # Name of the host user account under which the command will be
    # executed. Required for stdio-based MCP servers.
    run_as_host_user: "docker"

```

See the full resource spec [reference](https://goteleport.com/docs/enroll-resources/mcp-access/reference.md).

To create the resource, run:

```
Log in to your cluster with tsh so you can use tctl from your local machine.
You can also run tctl on your Auth Service host without running "tsh login"
first.
$ tsh login --proxy=teleport.example.com --user=myuser
$ tctl create mcp_server.yaml
```

After the resource has been created, it will appear among the list of available MCP servers (in `tsh mcp ls` or UI) as long as at least one Application Service instance picks it up according to its label selectors.

To update an existing application resource, run:

```
$ tctl create -f mcp_server.yaml
```

If the updated resource's labels no longer match a particular app agent, it will unregister and stop proxying it.

To delete the resource, run:

```
$ tctl rm app/everything
```