Skip to content

Team-shared MCP endpoint

Use case: A team exposes a shared MCP endpoint (staging database tools, internal APIs, browser automation) so every member can connect from Cursor with their own credentials — without copying upstream secrets or sharing one API key.

Why MCPZERO fits

ChallengeMCPZERO approach
Shared tools, individual accountabilityPer-member API keys with tool allow/deny
Credential sprawlUpstream MCP creds stay on the tunnel host
Audit for complianceCall ledger — tool, latency, status; payload retention by plan
Multiple environmentsSeparate endpoints or endpoint clusters (Team+)

Architecture

Team member A (Cursor) ──┐
Team member B (Cursor) ──┼── HTTPS + own API key ──▶ gw.mcpzero.io/v1/ep_staging
Team member C (Codex) ──┘ │
WS tunnel
Dev machine / CI runner
(mcpzero tunnel + mcp.json)

Steps

1. Create a Team workspace

Upgrade to Team+ and invite members in Dashboard → Team.

2. One member runs the tunnel

The tunnel host keeps upstream credentials local:

Terminal window
mcpzero tunnel start --endpoint ep_staging --mcp-config ./mcp.json

Use -d for a detached daemon on a shared runner or developer laptop that stays online.

3. Issue per-member API keys

Each member creates keys in Dashboard → API Keys. Configure tool permissions (allow/deny lists) per key when needed.

4. Members connect independently

Everyone uses the same endpoint URL with their own key:

FieldValue
URLhttps://gw.mcpzero.io/v1/ep_staging
HeaderAuthorization: Bearer mz_live_<member_key>

5. Review audit logs

Admins review Activity and export NDJSON on Personal+ / Team plans.

Endpoint clusters (Team+)

When tools live on multiple tunnels (e.g. staging on laptop A, prod tools on laptop B), create an endpoint cluster (epc_*) to search and call across endpoints from one URL. See Endpoint clusters.