MCP Connector Catalog
Register the MCP servers and REST APIs your organization can install as Connectors in ThreoAI. A field-by-field guide to the two-step New connector wizard, with worked examples.
Overview
The MCP Catalog tab in Platform Admin is your company connector catalog: the MCP servers and REST APIs your organization’s members can install as Connectors in ThreoAI. Each row shows the adapter, kind, endpoint, auth modes, and state.
Two things worth knowing before you add one:
- Scope. A catalog entry belongs either to the global (Synthreo-wide) catalog, which only root administrators manage, or to a specific customer’s catalog. When you add an entry as a customer administrator, it is scoped to your company.
- Disabling is safe. Disabling a row leaves existing installs working; only new installs lose access. Entries are soft-disabled, not hard-deleted, so you can re-enable them later.
Open Platform Admin in Canopy, select the MCP Catalog tab, then select New connector to open the two-step wizard.

Step 1: Details
| Field | What to enter |
|---|---|
| Name | The display name tenants see in the install picker (for example, “GitHub”). Up to 120 characters. |
| Adapter ID | A slug that identifies the adapter, auto-filled from the name. Lowercase letters, numbers, dashes, and underscores only (for example, github_mcp). It cannot be changed after the entry is created. |
| Kind | MCP Server or REST API. The rest of the form changes to match. |
For an MCP Server, you also set:
| Field | What to enter |
|---|---|
| Transport | streamable_http, sse, or stdio. |
| Address | The MCP server URL (for example, https://example.com/mcp). |
For a REST API, you instead set:
| Field | What to enter |
|---|---|
| Base URL | The API base (for example, https://api.example.com). |
| OpenAPI URL | The OpenAPI document (for example, https://api.example.com/openapi.json). |
An Advanced section (optional) adds a Description, an Icon URL, and a comma-separated Category list.
Select Continue to move to Auth.

Step 2: Auth
First choose the supported auth modes - how tenants authenticate to this connector. You can select more than one:
| Auth mode | Meaning |
|---|---|
| Per-user OAuth | Each user authorizes with their own OAuth account. |
| Shared OAuth | One OAuth client is shared across the organization. |
| Shared API key | One API key is shared. |
| Shared headers | Fixed headers are sent with every call. |
The rest of the step appears based on what you pick.
OAuth metadata (shown when an OAuth mode is selected)
| Field | What to enter |
|---|---|
| Authorization server URL | Required. The OAuth authorization server (for example, https://auth.example.com). |
| Token endpoint URL | The token endpoint (for example, https://auth.example.com/token). |
| Well-known metadata URL | The discovery document, if the server publishes one. |
| Default scopes | Space- or comma-separated scopes to request. |
| Supports Dynamic Client Registration | Whether the server can register an OAuth client automatically. |
Some vendors do not support Dynamic Client Registration (DCR). For those, the Supports Dynamic Client Registration box is locked off and a pre-issued OAuth client is required. The connectors this applies to are: GitHub, Slack, HubSpot, N-central, ScalePad, HaloPSA, Hudu, and Liongard.
Pre-issued OAuth client (shown for a customer entry with OAuth and no DCR)
| Field | What to enter |
|---|---|
| Client ID | The client ID issued by the provider. |
| Client secret | The client secret. It is stored securely and never shown again; on edit, leave it blank to keep the stored secret. |
| Token endpoint auth method | client_secret_post, client_secret_basic, or none. |
A confidential client is always per-customer; the global catalog never collects one. For a global OAuth entry, each customer supplies their own OAuth client when they install the connector.
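The three Token endpoint auth method values are the standard OAuth client authentication methods, and each one puts the client credentials in a different place in the token request. The sketch below is an added example, not ThreoAI code: `build_token_request` and `basic_credentials` are hypothetical helper names, and the client ID, secret, code and redirect URI are constructed sample values.

```python
import base64
from urllib.parse import quote_plus, urlencode

def build_token_request(method, client_id, client_secret, code, redirect_uri):
    """Return (headers, body) for an authorization-code token request."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri}
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-encode ID and secret separately, join
        # with ":", then Base64. Encoding first keeps a ":" inside the secret
        # from being read as the separator.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif method == "client_secret_post":
        # Credentials travel in the form body; no Authorization header.
        form.update(client_id=client_id, client_secret=client_secret)
    elif method == "none":
        # Public client: identifies itself by client_id only.
        if client_secret:
            raise ValueError("auth method 'none' must not be paired with a secret")
        form["client_id"] = client_id
    else:
        raise ValueError(f"unsupported token endpoint auth method: {method}")
    return headers, urlencode(form)

def basic_credentials(headers):
    """Decode the Basic header back to the id:secret pair, for inspection."""
    return base64.b64decode(headers["Authorization"].split(" ", 1)[1]).decode()

# Constructed sample values; none of them are real credentials.
ARGS = ("constructed-client", "p@ss:word", "constructed-code",
        "https://app.example.com/callback")

if __name__ == "__main__":
    for m in ("client_secret_basic", "client_secret_post"):
        print(m, build_token_request(m, *ARGS))
```

If the method chosen here differs from the one the provider registered for the client, the token endpoint normally answers with an `invalid_client` error.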
API key defaults (shown when Shared API key is selected)
| Field | What to enter |
|---|---|
| Header name | The header the key is sent in (for example, Authorization). |
| Scheme | The scheme prefix (for example, Bearer). |
Finishing
Two more options apply to any entry:
- Public - whether the entry appears in the tenant-facing install picker (the list your members choose from when they add a connector). Global entries are Public by default, so every tenant sees them. A customer-scoped entry starts out not public: leave it off while you set it up or test it, then turn it on to make it installable by your members.
- Registry URL - optional. A reference to an MCP registry listing for this server. Synthreo’s catalog can sync entries from the public MCP registry at https://registry.modelcontextprotocol.io; set this only when you are pointing at a registry-published server, and leave it blank for a plain custom server.
Select Create entry (or Save changes when editing) to finish.
Worked examples
A shared-API-key MCP server. Kind = MCP Server, Transport = streamable_http, Address = the server URL. On Auth, select Shared API key, then set the API key defaults (for example, header Authorization, scheme Bearer). Members install it and it authenticates with the shared key.
An OAuth server that supports DCR. Kind = MCP Server, Address set. On Auth, select Per-user OAuth, enter the Authorization server URL (and token or well-known URL if needed), and leave Supports Dynamic Client Registration on. No client ID or secret is needed; the server registers a client automatically.
A no-DCR OAuth vendor (for example, GitHub) in a customer catalog. Kind = MCP Server, Address set. On Auth, select an OAuth mode and enter the Authorization server URL. Because GitHub is a known no-DCR vendor, the DCR box is locked off and the Pre-issued OAuth client block appears: paste the Client ID, Client secret, and pick the Token endpoint auth method. Save to register the client alongside the catalog entry.
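A pre-flight check for a draft entry before you type it into the wizard, covering the field and cross-field rules this guide states. It is an added example, not part of ThreoAI: the dict layout, key names and mode identifiers are hypothetical, and the sample drafts are constructed to mirror the three worked examples.

```python
import re

SLUG = re.compile(r"[a-z0-9_-]+")  # Adapter ID character set from Step 1
TRANSPORTS = {"streamable_http", "sse", "stdio"}
OAUTH_MODES = {"per_user_oauth", "shared_oauth"}
AUTH_MODES = OAUTH_MODES | {"shared_api_key", "shared_headers"}
CLIENT_AUTH = {"client_secret_post", "client_secret_basic", "none"}

def lint_entry(e):
    """Return a list of problems for one draft entry (hypothetical layout)."""
    problems = []
    if len(e.get("name", "")) > 120:
        problems.append("name is longer than 120 characters")
    if not SLUG.fullmatch(e.get("adapter_id", "")):
        problems.append("adapter_id allows only a-z, 0-9, '-' and '_'")
    if e.get("kind") not in {"mcp_server", "rest_api"}:
        problems.append("kind must be mcp_server or rest_api")
    elif e["kind"] == "mcp_server" and e.get("transport") not in TRANSPORTS:
        problems.append("transport must be streamable_http, sse or stdio")
    modes = set(e.get("auth_modes", []))
    if modes - AUTH_MODES:
        problems.append("unknown auth mode")
    if modes & OAUTH_MODES:
        client = e.get("oauth_client")
        if not e.get("authorization_server_url"):
            problems.append("authorization_server_url is required for OAuth")
        if e.get("scope") == "global" and client:
            # The global catalog never collects a confidential client.
            problems.append("global entries never carry an OAuth client")
        if e.get("scope") == "customer" and not e.get("supports_dcr"):
            if not client or not client.get("client_id"):
                problems.append("no DCR: pre-issued client_id is required")
            elif client.get("auth_method") not in CLIENT_AUTH:
                problems.append("token endpoint auth method is not recognised")
    return problems

# Constructed drafts mirroring the three worked examples, plus a broken one.
BASE = {"kind": "mcp_server", "transport": "streamable_http", "scope": "customer"}
API_KEY = dict(BASE, name="Example", adapter_id="example_mcp",
               auth_modes=["shared_api_key"])
DCR = dict(BASE, name="Example OAuth", adapter_id="example-oauth",
           auth_modes=["per_user_oauth"], supports_dcr=True,
           authorization_server_url="https://auth.example.com")
NO_DCR = dict(DCR, name="GitHub", adapter_id="github_mcp", supports_dcr=False,
              oauth_client={"client_id": "constructed-id",
                            "auth_method": "client_secret_post"})
BROKEN = dict(NO_DCR, adapter_id="GitHub MCP", oauth_client=None)

if __name__ == "__main__":
    for draft in (API_KEY, DCR, NO_DCR, BROKEN):
        print(draft["adapter_id"], lint_entry(draft))
```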
Managing entries
From the MCP Catalog table you can Edit an entry, Disable it (existing installs keep working; new installs cannot add it), Re-enable a disabled entry, or Delete it. The adapter ID stays fixed for the life of the entry.
Related
- Platform Admin - the MCP Catalog tab in context
- Connectors - the end-user side, where members install and use connectors

