# Connect a GitHub MCP Server to Teleport Teleport can provide secure access to MCP servers via Teleport Application Service. In this guide, you will: 1. Configure your GitHub service for access by the MCP server. 2. Run the GitHub MCP Server. 3. Enroll the MCP server into your Teleport cluster and connect to it. ## How it works The [GitHub MCP server](https://github.com/github/github-mcp-server) uses a personal access token of a service account to access GitHub and [`mcp-proxy`](https://github.com/sparfenyuk/mcp-proxy) exposes it to the Teleport Application Service over a streamable-HTTP endpoint by translating the original transport. Teleport proxies all client requests to the server, which interacts with GitHub using the permissions granted to the service account. ## Prerequisites - A running Teleport (v18.3.0 or higher) cluster. If you want to get started with Teleport, [sign up](https://goteleport.com/signup) for a free trial or [set up a demo environment](https://goteleport.com/docs/get-started/deploy-community.md). - The `tsh` client. Installing `tsh` client 1. Determine the version of your Teleport cluster. The `tsh` client must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at `/v1/webapi/find` and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service: ``` $ TELEPORT_DOMAIN=teleport.example.com:443 $ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" ``` 2. Follow the instructions for your platform to install `tsh` client: **Mac** Download the signed macOS .pkg installer for Teleport, which includes the `tsh` client: ``` $ curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg ``` In Finder double-click the `pkg` file to begin installation. --- DANGER Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. --- **Windows - Powershell** ``` $ curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip Unzip the archive and move the `tsh` client to your %PATH% NOTE: Do not place the `tsh` client in the System32 directory, as this can cause issues when using WinSCP. Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\) instead. ``` **Linux** All of the Teleport binaries in Linux installations include the `tsh` client. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our [installation page](https://goteleport.com/docs/installation.md). ``` $ curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz $ tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz $ cd teleport $ sudo ./install Teleport binaries have been copied to /usr/local/bin ``` * Access to a service account to your GitHub organization. * A host to run the MCP server that is reachable by the Teleport Application Service. * A running Teleport Application Service. If you have not yet done this, follow the [Getting Started guide](https://goteleport.com/docs/enroll-resources/mcp-access/getting-started.md). * A Teleport user with sufficient permissions (e.g. role `mcp-user`) to access MCP servers. ## Step 1/3. Create a personal access token Log in to GitHub using your service account. Navigate to Settings > Developer Settings > Personal access tokens, then click **Generate new token**. When creating the token, grant only the minimal permissions needed. Avoid broad scopes such as write or admin access unless absolutely required. Once the token is created, save it for use in the next step. ## Step 2/3. Run the GitHub MCP server First, install `mcp-proxy` on the host that will run the MCP server: ``` Option 1: With uv (recommended) $ uv tool install mcp-proxy Option 2: With pipx (alternative) $ pipx install mcp-proxy ``` Now start the GitHub MCP server behind `mcp-proxy`, using the personal access token github\_personal\_access\_token: ``` $ mcp-proxy \ --host MCP_HOST --port 8000 \ -- docker run -i --rm -e GITHUB_PERSONAL_ACCESS_TOKEN=github_personal_access_token \ ghcr.io/github/github-mcp-server ``` Replace MCP\_HOST with the hostname of the host machine running the MCP server. The host must be reachable by the Teleport Application Service. After starting, `mcp-proxy` exposes a streamable-HTTP endpoint at `http://MCP_HOST:8000/mcp`. ## Step 3/3. Connect via Teleport You can register an MCP application in Teleport by defining it in your Teleport Application Service configuration, or by using dynamic registration with `tctl` or Terraform: **Static configuration** Replace MCP\_HOST with the host running the GitHub MCP server: ``` app_service: enabled: "yes" apps: - name: "github-mcp" uri: "mcp+http://MCP_HOST:8000/mcp" labels: env: dev service: github ``` Restart the Application Service. **tctl** Create an `app` resource definition file named `app-github-mcp.yaml`. Replace MCP\_HOST with the host running the GitHub MCP server: ``` # app-github-mcp.yaml kind: app version: v3 metadata: name: github-mcp labels: env: dev service: github spec: uri: "mcp+http://MCP_HOST:8000/mcp" ``` Create the `app` resource with: ``` $ tctl create -f app-github-mcp.yaml ``` **Terraform** Create a `teleport_app` resource in terraform. Replace MCP\_HOST with the host running the GitHub MCP server: ``` resource "teleport_app" "github" { version = "v3" metadata = { name = "github" labels = { "teleport.dev/origin" = "dynamic" "env" = "dev" "service" = "github" } } spec = { uri = "mcp+http://MCP_HOST:8000/mcp" } } ``` Apply the configuration: ``` $ terraform apply ``` To grant access to the MCP server and all its tools, assign the preset `mcp-user` role to your Teleport user. Optionally, you can limit which MCP tools the user can access by adjusting the `mcp.tools` list in their role. For example: ``` kind: role version: v8 metadata: name: github-mcp-readonly spec: allow: app_labels: 'service': 'github' mcp: tools: - ^(get|search|list)_.*$ - ^.*_read$ ``` Now wait until the application appears in `tsh mcp ls`, then configure your MCP clients to access the MCP server, for example: ``` $ tsh mcp config github-mcp --client-config claude ``` After configuring your MCP client, you will find GitHub-related tools from `teleport-mcp-github-mcp`. You can now use these tools to interact with GitHub via Teleport in your MCP clients: ![GitHub Claude](/docs/assets/images/github-claude-3bde3ffece6e9207083cd8893c5b0ab6.png) ## Connect to GitHub without service account Instead of using a service account's personal access token, you can require each Teleport user to supply their own token from the client side. This removes the need to run an `mcp-proxy`, allowing you to use the official MCP server directly when configuring your MCP server: ``` app_service: enabled: "yes" apps: - name: "github-mcp" uri: "mcp+https://api.githubcopilot.com/mcp/" labels: env: dev service: github ``` When configuring the MCP client, use your own personal access token as a bearer token for the `Authorization` header: ``` $ tsh mcp config github-mcp --client-config claude --header "Authorization: Bearer github_personal_access_token" ``` ## Next steps - Review [Enroll a Streamable-HTTP MCP Server](https://goteleport.com/docs/enroll-resources/mcp-access/enrolling-mcp-servers/streamable-http.md). - See the [dynamic registration](https://goteleport.com/docs/enroll-resources/mcp-access/dynamic-registration.md) guide. - Learn more about [github-mcp-server](https://github.com/github/github-mcp-server). - Connect your [MCP clients](https://goteleport.com/docs/connect-your-client/model-context-protocol/mcp-access.md).