Guide users through configuring key MongoDB MCP server options. Use this skill when a user has the MongoDB MCP server installed but hasn't configured the…
MongoDB MCP Server Setup This skill guides users through configuring the MongoDB MCP server for use with an agentic client. Overview The MongoDB MCP server requires authentication. Users have three options: Connection String (Option A): Direct connection to a specific cluster Quick setup for single cluster Requires MDB_MCP_CONNECTION_STRING environment variable Service Account Credentials (Option B): MongoDB Atlas Admin API access Recommended for Atlas users - simplifies authentication and data access Access to Atlas Admin API and dynamic cluster connection via atlas-connect-cluster No manual DB user credential management Requires MDB_MCP_API_CLIENT_ID and MDB_MCP_API_CLIENT_SECRET environment variables Atlas Local (Option C): Local development with Docker Best for local testing - zero configuration required Runs Atlas locally in Docker, requires Docker installed No credentials or cloud cluster access This is an interactive step-by-step guide. The agent detects the user's environment and provides tailored instructions, but never asks for or handles credentials — users add those directly to their shell profile or agentic client config in Step 5. Make this clear to the user whenever credentials come up in Steps 3a and 3b. Step 0: Detect Client Before anything else, determine which agentic client the user is running. This controls how credentials are configured in Step 1 and Step 5. Run: env | grep "^CODEX_" If no CODEX_* variables are present → the user is running a shell-based client (Claude, Cursor, Gemini CLI, Copilot CLI, etc.). Credentials are configured via shell profile environment variables. If any CODEX_* variables are present → the user is running Codex. Credentials are stored in ~/.codex/config.toml (macOS/Linux) or %USERPROFILE%\.codex\config.toml (Windows), not in shell environment variables. The desktop app does not inherit shell env vars when launched from Finder, Launchpad, or the Windows Start menu. Carry this client type (Codex vs. shell-based) forward through every subsequent step. Step 1: Check Existing Configuration Check whether credentials are already configured. For shell-based clients — check the current environment: env | grep "^MDB_MCP" | sed '/^MDB_MCP_READ_ONLY=/!s/=.*/=[set]/' For Codex — search ~/.codex/config.toml (macOS/Linux) or %USERPROFILE%\.codex\config.toml (Windows): grep -E 'MDB_MCP_(CONNECTION_STRING|API_CLIENT_ID|API_CLIENT_SECRET|READ_ONLY)' ~/.codex/config.toml 2>/dev/null | sed '/MDB_MCP_READ_ONLY/!s/[[:space:]]*=[[:space:]].*/ = "[set]"/' Interpretation (both): If MDB_MCP_CONNECTION_STRING appears → connection string auth is configured If both MDB_MCP_API_CLIENT_ID and MDB_MCP_API_CLIENT_SECRET appear → service account auth is configured. If only one is present, treat it as incomplete. If MDB_MCP_READ_ONLY appears → read-only mode is enabled Partial Configuration Handling: User wants to add read-only to existing setup (has auth, no read-only flag) → skip to Step 4 User wants to switch authentication methods → explain they should remove the old credentials first (from config.toml for Codex, from their shell profile for shell-based clients), then proceed with Steps 2–5 User wants to update credentials → skip to Step 5 Important: If the user wants an Atlas Admin API action (managing clusters, creating users, performance advisor) but only has MDB_MCP_CONNECTION_STRING, explain they need service account credentials and offer to walk through setup. Step 2: Present Configuration Options If no valid configuration exists, present the options: Connection String (Option A) — Best for: Single cluster access Existing database credentials Self-hosted MongoDB or no Atlas Admin API needs Service Account Credentials (Option B) — Best for: MongoDB Atlas users (recommended) Multi-cluster switching Atlas Admin API access (cluster management, user creation, performance monitoring) Atlas Local (Option C) — Best for: Local development/testing without cloud setup Fastest setup with Docker, no credentials required Ask the user which option they'd like to proceed with. Step 3a: Connection String Setup If the user chooses Option A: 3a.1: Explain How to Find the Connection String Explain where and how to obtain their connection string: For MongoDB Atlas: Go to cloud.mongodb.com Select your cluster → click Connect Choose Drivers or Shell → copy the connection string Replace <username> and <password> with your database user credentials For self-hosted MongoDB: The connection string is typically configured by your DBA or in your application config Format: mongodb://username:password@host:port/database Expected formats: mongodb://username:password@host:port/database mongodb+srv://username:password@cluster.mongodb.net/database mongodb://host:port (local, no auth) Proceed to Step 4 (Determine Read-Only Access). Step 3b: Service Account Setup If the user chooses Option B: 3b.1: Guide Through Atlas Service Account Creation Direct the user to create a MongoDB Atlas Service Account: Full documentation: https://www.mongodb.com/docs/mcp-server/prerequisites/ Walk them through the key steps: Navigate to MongoDB Atlas — cloud.mongodb.com Select your organization from the ORGANIZATION section near the top of the page Go to "Project Identity and Access" on the left sidebar → Applications → Create Service Account Set Permissions — Grant Organization Member or Project Owner (see docs for exact permission mappings) Generate Credentials — Create Client ID and Secret ⚠️ The Client Secret is shown only once — save it immediately before leaving the page Note both values — you'll need Client ID and Client Secret for Step 5 3b.2: API Access List Configuration ⚠️ CRITICAL: The user MUST add their IP address to the service account's API Access List, or all Atlas Admin API operations will fail. Steps: On the service account details page, find API Access List Click Add Access List Entry Add your current IP address. Use a specific IP or CIDR range whenever possible. ⚠️ 0.0.0.0/0 allows access from any IP — this is a significant security risk. Only use it as a last resort for temporary testing and remove it immediately afterward. It should never be used in production. Save changes This is more secure than global Network Access settings as it only affects API access, not database connections. Proceed to Step 4 (Determine Read-Only Access). Step 3c: Atlas Local Setup If the user chooses Option C: 3c.1: Check Docker Installation Verify Docker is installed: docker info If not installed, direct them to: https://www.docker.com/get-started 3c.2: Confirm Setup Complete Atlas Local requires no credentials — the user is ready to go: Create deployments: atlas-local-create-deployment List deployments: atlas-local-list-deployments All operations work out of the box with Docker Skip Steps 4 and 5 (no configuration needed) and proceed to Step 6 (Next Steps). Step 4: Determine Read-Only vs Read-Write Access Only applies to Options A and B. Skip to Step 6 for Option C. Ask whether they want read-only or read-write access: Read-Write (default): Full data access, modifications allowed Best for: Development, testing, administrative tasks Read-Only: Data reads only, no modifications Best for: Production data safety, reporting, compliance If read-only: include the read-only flag in the credential snippet in Step 5. If read-write: omit it (defaults to read-write). Proceed to Step 5 (Configure Credentials). Step 5: Configure Credentials Do not ask for or handle credentials — provide exact instructions so the user can add them directly. 5.1: Add credentials For shell-based clients — store credentials in a dedicated ~/.mcp-env file (not directly in the shell profile), then source it from the profile. This keeps credentials out of files that are often group/world readable by default and prevents accidentally committing them to git. For Codex — add to ~/.codex/config.toml (macOS/Linux) or %USERPROFILE%\.codex\config.toml (Windows). Show the user the appropriate snippet: For Connection String (Option A): Shell-based clients (~/.mcp-env): export MDB_MCP_CONNECTION_STRING="<paste-your-connection-string-here>" Codex (config.toml): [mcp_servers.mongodb.env] MDB_MCP_CONNECTION_STRING = "<paste-your-connection-string-here>" For Service Account (Option B): Shell-based clients (~/.mcp-env): export MDB_MCP_API_CLIENT_ID="<paste-your-client-id-here>" export MDB_MCP_API_CLIENT_SECRET="<paste-your-client-secret-here>" Codex (config.toml): [mcp_servers.mongodb.env] MDB_MCP_API_CLIENT_ID = "<paste-your-client-id-here>" MDB_MCP_API_CLIENT_SECRET = "<paste-your-client-secret-here>" If read-only was chosen (Step 4), also add: Shell-based: export MDB_MCP_READ_ONLY="true" in ~/.mcp-env. Codex: MDB_MCP_READ_ONLY = "true" under the same [mcp_servers.mongodb.env] section. ⚠️ Both config.toml and ~/.mcp-env are stored in plaintext. Do not commit them to version control. 5.2: Finalize (shell-based clients only) Restrict permissions on ~/.mcp-env: # adjust for windows if needed chmod 600 ~/.mcp-env Add source ~/.mcp-env to the shell profile (e.g. ~/.zshrc). Adjust for the detected shell (e.g. for fish: bass source ~/.mcp-env or set -x; for PowerShell: dot-source a .ps1 file instead). Detect the shell and profile file by running echo $SHELL if needed. 5.3: Verify Shell-based clients — reload the profile first, then verify: source ~/.zshrc # adjust to match the profile file env | grep "^MDB_MCP" | sed '/^MDB_MCP_READ_ONLY=/!s/=.*/=[set]/' Codex: # adjust path if on Windows grep -E 'MDB_MCP_(CONNECTION_STRING|API_CLIENT_ID|API_CLIENT_SECRET|READ_ONLY)' ~/.codex/config.toml 2>/dev/null | sed '/MDB_MCP_READ_ONLY/!s/[[:space:]]*=[[:space:]].*/ = "[set]"/' Expected output shows the configured key(s) with values redacted to [set]. If nothing appears, check that credentials were saved and (for shell-based clients) that the profile was reloaded. Proceed to Step 6 (Next Steps). Step 6: Next Steps For Options A & B (Connection String / Service Account): Restart the agentic client: Shell-based clients: Fully quit the client, then run source <profile-file> to load the new variables, and reopen the client from that same terminal session so it inherits the environment. Codex: Fully quit and relaunch the app. No terminal session needed — credentials come from config.toml. Verify MCP Server: After restart, test by performing a MongoDB operation. Using the Tools: Option A: Direct database access tools available Option B: Additionally has Atlas Admin API tools and atlas-connect-cluster Important (Option B): Ensure your IP is in the service account's API Access List or all API calls will fail For Option C (Atlas Local): Ready to use: No restart or configuration needed! Next steps: Create deployments: atlas-local-create-deployment List deployments: atlas-local-list-deployments Use standard database operations once connected Troubleshooting Variables not appearing after source (shell-based clients): Check the profile file path and confirm the file was saved Client doesn't pick up variables: Ensure full restart (quit + reopen), not just a reload Codex desktop app not picking up credentials: If launched from Finder, Launchpad, or the Windows Start menu, Codex does not inherit shell environment variables from .zshrc/.zprofile/PowerShell profiles. Use ~/.codex/config.toml (macOS/Linux) or %USERPROFILE%\.codex\config.toml (Windows) instead (see Step 5) Invalid connection string format: Re-check the format; must start with mongodb:// or mongodb+srv:// Atlas Admin API errors (Option B): Verify your IP is in the service account's API Access List Read-only mode not working: Check that MDB_MCP_READ_ONLY is set — in config.toml under [mcp_servers.mongodb.env] for Codex, or via env | grep ^MDB_MCP_READ_ONLY for shell-based clients fish/PowerShell: Syntax differs — use set -x (fish) or $env: (PowerShell) instead of export
don't have the plugin yet? install it then click "run inline in claude" again.