Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk MCP Server with Kiro CLI inexistent /authorize endpoint HTTP 404

fla_torres
New Member
‎01-12-2026 08:54 PM

I have installed and configured Splunk MCP Server on Splunk on a EC2 (Amazon Linux 2023). There is a regular user with a role and a token assigned to the user with Audience=mcp. I have my endpoint open to the world. Postman is able to connect to the Splunk MCP server and list tools accordingly. 

Now, I am trying to use Amazon Kiro CLI configured with Splunk MCP, however, upon establishing the connection, Kiro throws me a request for further authentication thru a given URL. Upon clicking on the URL (which is related to my splunk server), the link throws me a HTTP 404 error, which suggests me that the endpoint "/authorize" does not exist or is not packed with the Splunk MCP application.

Error message:

> /mcp

splunk-mcp-server

▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔

[2026:16:42]: ⚠ splunk-mcp-server requires OAuth authentication. Follow this link to proceed:

https://44.221.46.xxx:8089/authorize?response_type=code&client_id=Q+DEV+CLI&state=gMvuvFnkt-01uWwXxxxxd9Q&code_challenge=Pn3ge-Aj3X6P7NYRkisGUpik-gG7zvjZAls-CsIL2Vk&code_challenge_method=S256&redirect_uri=http%3A%2F%2F127.0.0.1%3A51928&scope=openid+email+profile+offline_access

When I click on the link, the splunk webserver gives me a HTTP 404 error, which suggests me the endpoint "/authorize" does not exist on https://44.221.46.xxx:8089/

MCP configuration:

"splunk-mcp-server": {

"url": "https://44.221.46.xxx:8089/services/mcp",

"headers": {

"Authorization": "Bearer eyJraWQiOiJzcGx1bmsxxxxxXIiOiJ2MiIsInR20gaXAtMTcyLTM-sss-17uzDFurjz3uXbHxxxx"

 }

 }

When I click on the link https://44.221.46.xxx:8089/ I can only see a few APi endpoints but no "/authorize", which suggests me that it is missing in the application code.

Splunk Atom Feed: splunkd

Updated: 2026-01-13T04:49:55+00:00 Splunk build: 10.0.2

services

 
 

1970-01-01T00:00:00+00:00

servicesns

 
 

1970-01-01T00:00:00+00:00

static

 
 

1970-01-01T00:00:00+00:00

Labels (2)
0 Karma
Reply

bettyborer
Observer
‎01-12-2026 11:32 PM

Hi @fla_torres ,

1: Please install "Splunk MCP Server" app from the splunkbase.
https://splunkbase.splunk.com/app/7931

2: You need to make sure token audience should need to tag as "mcp". When you first time create splunk token, in the "Audience" fields please add "mcp" then it will work by below mcp server setting.


{
    "mcpServers": {
        "splunk-mcp-server": {
            "command": "npx",
            "args": [
                "-y",
                "mcp-remote",
                "https://localhost:8089/services/mcp",
                "--header",
                "Authorization: Bearer <splunk_token>"
            ]
        }
    }
}


Thanks

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...