- Getting started
- Best practices
- Tenant
- About the Tenant Context
- Searching for Resources in a Tenant
- Managing Robots
- Connecting Robots to Orchestrator
- Storing Robot Credentials in CyberArk
- Storing Unattended Robot Passwords in Azure Key Vault (read only)
- Storing Unattended Robot Credentials in HashiCorp Vault (read only)
- Storing Unattended Robot Credentials in AWS Secrets Manager (read only)
- Deleting Disconnected and Unresponsive Unattended Sessions
- Robot Authentication
- Robot Authentication With Client Credentials
- Configuring automation capabilities
- Solutions
- Audit
- Settings
- Registry
- Cloud robots
- Automation Suite Robots
- Folders Context
- Processes
- Jobs
- Apps
- Triggers
- Logs
- Monitoring
- Indexes
- Queues
- Assets
- Connections
- Business Rules
- Storage Buckets
- MCP Servers
- Orchestrator testing
- Resource Catalog Service
- Integrations
- Troubleshooting
Orchestrator user guide
When MCP Servers run locally (using uipath run), authentication happens at two separate layers:
- Runtime to cloud: the local runtime authenticates so that it can register the MCP Server with the cloud.
- Client to cloud: external clients authenticate when they call the cloud-facing MCP Server endpoint.
Layer 1: runtime to cloud (server registration)
The uipath run command needs its own token to register the MCP Server with the cloud. This is the developer's authentication, the identity of the person running the server locally.
# Authenticate the runtime — interactive login
uipath auth
# Or authenticate the runtime — client credentials
uipath auth --client-id "..." \
--client-secret "..." \
--base-url "https://cloud.uipath.com/{org}/{tenant}" \
--scope "OR.Default"
# Start the local server
uipath run mcp-server
# Authenticate the runtime — interactive login
uipath auth
# Or authenticate the runtime — client credentials
uipath auth --client-id "..." \
--client-secret "..." \
--base-url "https://cloud.uipath.com/{org}/{tenant}" \
--scope "OR.Default"
# Start the local server
uipath run mcp-server
The runtime uses this token to establish a SignalR connection to the cloud and register the server's tools.
Layer 2: client to cloud (calling the server)
External clients (such as MCP Inspector, cURL, an IDE, or any HTTP client) authenticate to the cloud through any of the four standard methods described in MCP Server authentication. The URL is the same as for any other MCP Server:
https://cloud.uipath.com/{org}/{tenant}/agenthub_/mcp/{folderKey}/{slug}
https://cloud.uipath.com/{org}/{tenant}/agenthub_/mcp/{folderKey}/{slug}
How requests flow
The client's Bearer token never reaches the local runtime. The cloud validates the token and forwards only the MCP protocol message through Redis. The local runtime and the MCP Server process do not see the token.
Applicable MCP Server types
Ground-to-cloud authentication applies to MCP Server types that have a local runtime:
- Self-hosted: always runs locally, always uses ground-to-cloud authentication.
- Coded and Command: use ground-to-cloud authentication when run locally through
uipath runduring development. Once deployed to Orchestrator, they run as cloud jobs and no local runtime is involved.
Client credentials with local servers
When using client credentials with uipath run, set the UIPATH_FOLDER_KEY environment variable. The Python SDK's GetFoldersForCurrentUser call does not support client credentials. For details, see Known limitation: GetFoldersForCurrentUser.