Using MCP in Bob
The Model Context Protocol (MCP) extends Bob's capabilities by connecting to external tools and services. This guide shows you how to configure, manage, and use MCP servers with Bob.
For conceptual information, see Understanding MCP.
Configuration levels
You can configure MCP servers at two levels:
- Global: Stored in
~/.bob/mcp_settings.json, applies across all workspaces - Project: Stored in
.bob/mcp.jsonin your project root, allows team sharing via version control
Project-level configurations take precedence over global settings when server names conflict.
Edit configuration files
You can edit MCP configuration files from the settings menu:
- Click the icon in the Bob panel.
- Select the MCP tab.
- Click the appropriate button:
- Edit Global MCP: Opens the global
mcp_settings.jsonfile - Edit Project MCP: Opens the project-specific
.bob/mcp.jsonfile (Bob creates it if it does not exist)
- Edit Global MCP: Opens the global
Both files use JSON format with an mcpServers object containing named server configurations.
Find and install servers
IBM Bob does not include pre-installed MCP servers. To find servers:
- Build your own: Use the MCP SDK to create custom servers (see the MCP GitHub repository)
- Community servers: Explore community-contributed MCP servers in the MCP ecosystem
Enable or disable MCP servers
When you disable MCP servers, Bob removes all MCP-related logic and definitions from your system prompt, reducing token usage. Bob cannot connect to any MCP servers, and the use_mcp_tool and access_mcp_resource tools are unavailable. This setting is enabled by default.
To enable or disable MCP servers:
- Click the icon in the Bob panel.
- Select the MCP tab.
- Check or uncheck Use MCP Servers.
Enable or disable MCP server creation
When you disable MCP server creation, Bob removes the instructions from your system prompt that Bob uses to write MCP servers. Bob retains the context for operating existing MCP servers, reducing token usage. This setting is enabled by default.
To enable or disable MCP server creation:
- Click the icon in the Bob panel.
- Select the MCP tab.
- Check or uncheck Enable MCP Server Creation.
Enable or disable individual MCP tools
You can enable or disable specific tools within an MCP server to control which capabilities Bob can access. This provides fine-grained control over MCP functionality and helps reduce context window usage by excluding unused tool definitions.
To manage individual tools:
- Click the icon in the Bob panel.
- Select the MCP tab.
- Locate the MCP server in the list.
- Expand the server to view its available tools.
- Toggle individual tools on or off as needed.
Disabling unused tools reduces the amount of context consumed by tool definitions, allowing more space for your code and conversation history.
Transport types
MCP supports different transport types for server communication. Choose the transport based on where your server runs and how you want to deploy it. For detailed information on all transport types, see MCP server transports.
STDIO transport
Use STDIO transport for local servers running on your machine.
Benefits:
- Lower latency (no network overhead)
- Better security (no network exposure)
- Simpler setup (no HTTP server needed)
Configuration parameters:
| Parameter | Required | Description |
|---|---|---|
command | Yes | Executable to run (e.g., node, python, npx) |
args | No | Array of arguments to pass to the command |
cwd | No | Working directory for the server process |
env | No | Environment variables for the server process |
alwaysAllow | No | Array of tool names to auto-approve |
disabled | No | Set to true to disable this server |
Example:
{
"mcpServers": {
"local-server": {
"command": "node",
"args": ["server.js"],
"cwd": "/path/to/project/root",
"env": {
"API_KEY": "your_api_key"
},
"alwaysAllow": ["tool1", "tool2"],
"disabled": false
}
}
}For more detailed information, see STDIO transport.
SSE transport (legacy)
Use SSE transport for remote servers accessed over HTTP/HTTPS. For new remote servers, use Streamable HTTP transport instead.
Benefits:
- Can be hosted on different machines
- Supports multiple client connections
- Allows centralized deployment
Configuration parameters:
| Parameter | Required | Description |
|---|---|---|
url | Yes | Full URL endpoint of the remote MCP server |
headers | No | Custom HTTP headers (e.g., authentication tokens) |
alwaysAllow | No | Array of tool names to auto-approve |
disabled | No | Set to true to disable this server |
Example:
{
"mcpServers": {
"remote-server": {
"url": "https://your-server-url.com/mcp",
"headers": {
"Authorization": "Bearer your-token"
},
"alwaysAllow": ["tool3"],
"disabled": false
}
}
}Create an MCP server with Bob
You can ask Bob to build custom MCP servers for specific capabilities you need.
Prerequisite: Enable the Enable MCP Server Creation setting.
To create a server:
-
Request the tool or capability from Bob. For example:
- "Create an MCP tool that gets the current Bitcoin price"
- "Build an MCP server to interact with the GitHub Gist API"
-
Bob will:
- Scaffold a server project (typically TypeScript) in the default MCP directory
- Implement the requested tool with necessary API calls
- Prompt you for API keys or credentials if needed
- Add the server configuration to your settings file
- Connect to the new server automatically
For more information about tool mechanics, see Understand Bob's tools.
Manage individual servers
To access server settings:
- Click the icon in the Bob panel.
- Select the MCP tab.
- Locate the server in the list.
Available actions:
- Delete: Click and confirm deletion
- Restart: Click to restart the server
- Enable/Disable: Toggle the server on or off using the power toggle
- Network timeout: Set response timeout (30 seconds to 5 minutes, default 1 minute)
- Manage tools: Expand the server to enable or disable individual tools
Auto-approve tools
MCP tool auto-approval is disabled by default and works per-tool:
- Enable the global "Use MCP servers" option in Auto-approving actions.
- In the MCP server settings, locate the tool.
- Check Always allow next to the tool name.
The global setting takes precedence—if disabled, no MCP tools auto-approve.
Use MCP tools effectively
After configuring an MCP server, Bob automatically detects available tools. Effective usage depends on clear tool definitions.
Workflow
- Type your request in the Bob chat interface
- Bob analyzes your request and available MCP tools
- Bob proposes tool use; you approve (unless auto-approved)
Write effective tool descriptions
Bob's ability to select and use tools correctly depends on description quality. Follow these guidelines when defining MCP tools:
Tool names
Use descriptive, unambiguous names that indicate the primary function.
Tool descriptions
Provide comprehensive summaries that include:
- What the tool does
- Its purpose and use cases
- Prerequisites or important context
- Expected outcomes
Parameter descriptions
For each parameter, specify:
- Purpose and expected data type
- Formatting requirements or constraints
- Example valid values
- Whether optional or required
Example
Poor description:
Gets dataGood description:
Retrieves user profile data from the API using a user ID.
Returns JSON containing username, email, and account creation date.
Requires valid authentication token in environment.Additional guidance
Use Custom rules to define preferred approaches, complex workflows, or tool prioritization for your team.
MCP security considerations
Using MCP servers introduces security considerations that you should carefully evaluate before deployment.
Data privacy risks
External MCP servers:
- May send your data to external providers or third-party services
- Could expose sensitive code, credentials, or proprietary information
- May store or log data in ways you don't control
Recommendations:
- Review the MCP server's data handling policies before use
- Avoid using external MCP servers with sensitive or proprietary code
- Prefer local MCP servers for confidential projects
Local security risks
Local MCP servers:
- Run with the same permissions as Bob
- Can access your file system, environment variables, and system resources
- May execute arbitrary code on your machine
- Could potentially modify or delete files
Recommendations:
- Only install MCP servers from trusted sources
- Review the source code of MCP servers before installation when possible
- Understand what permissions and capabilities each server requires
- Be cautious with servers that request broad file system access
Organizational compliance
Business and enterprise considerations:
- Ensure MCP server usage aligns with your organization's security policies
- Verify that data handling complies with regulatory requirements (GDPR, HIPAA, etc.)
- Check if MCP servers are approved for use within restricted networks
- Document which MCP servers are authorized for use in your environment
Best practices:
- Maintain an inventory of approved MCP servers
- Establish a review process for new MCP servers
- Regularly audit MCP server usage and permissions
- Provide security training for team members using MCP
Vetting MCP servers
Before installing any MCP server:
- Research the source: Verify the publisher's reputation and track record
- Review documentation: Understand what the server does and what it accesses
- Check permissions: Evaluate what system resources the server requires
- Read the code: If open source, review the implementation for security issues
- Test in isolation: Try the server in a non-production environment first
- Monitor behavior: Watch for unexpected network activity or file access
When in doubt, consult your security team or IT department before installing MCP servers, especially in corporate or regulated environments.