Wasabi MCP is an OAuth-protected Model Context Protocol (MCP) server that lets an AI client perform actions within your Wasabi account (S3, IAM/STS, WACM) without ever receiving your Wasabi access keys. The client gets a short-lived, scoped OAuth token. Your Wasabi credentials stay encrypted on the server.
The MCP is how AI clients such as Cursor talk to external tool servers.
This article is a step-by-step playbook for connecting agent-enabled applications—Cursor, Claude, Codex, and other MCP clients—to the Wasabi MCP server.
Wasabi’s MCP service is currently in beta and may be subject to changes, limitations, or occasional instability. Report any issues you encounter to Wasabi Support (support@wasabi.com).
Requirements
Agent client that supports remote MCP servers over Streamable HTTP (Cursor, Claude, Codex, or similar).
Wasabi account with credentials for the services you want to use
S3 / IAM / STS—Wasabi access key and secret key.
WACM Connect—WACM username and API key. This is a separate credential. Your S3/IAM access key will not work for WACM, and you do not need WACM credentials to use the S3 or IAM tools.
Public test instance at https://mcp.wasabisys.dev (best-effort, no uptime guarantee—good for trying the flow).
You do not need to put your Wasabi access keys into the client config. Credentials are entered once in the Wasabi MCP web dashboard during the authentication step.
Wasabi MCP Endpoints
The server is split by service family. Each path is a separate MCP resource with its own OAuth scope, so you add only the services you need. There is intentionally no combined /mcp endpoint.
Service | MCP Endpoint URL | Tool Prefix |
Wasabi S3 | wasabi_s3_* | |
Wasabi IAM + STS | wasabi_iam_*, wasabi_sts_* | |
Wasabi WACM | wasabi_wacm_* |
The root URL https://mcp.wasabisys.dev is the OAuth issuer and the web dashboard.

How the Connection Works
All clients follow the same connection workflow:
You add an endpoint URL (for example, https://mcp.wasabisys.dev/s3) to your client MCP configuration.
The client calls the endpoint and receives an OAuth challenge (HTTP 401).
The client discovers the OAuth endpoints, registers itself, and opens your browser to sign in.
You sign in/authorize in the browser. The client receives a short-lived OAuth access token.
The first time, you save your Wasabi credentials in the web dashboard (see Authentication and credential setup).
Tool calls start working. The model sees tool inputs and outputs—never your raw Wasabi keys.
Transport is Streamable HTTP. You connect by URL, not by a local command/stdio process. Clients that only support stdio MCP servers can still connect using the mcp-remote bridge.
Cursor
Cursor is a first-party client for Wasabi MCP and works out of the box with the public instance.
Option A: Project config File
Add a .cursor/mcp.json (with the code below) to your project. You can also place this in your global Cursor MCP config (~/.cursor/mcp.json) to make the servers available in every project.
{
"mcpServers": {
"Wasabi S3": {
"url": "https://mcp.wasabisys.dev/s3"
},
"Wasabi IAM": {
"url": "https://mcp.wasabisys.dev/iam"
},
"Wasabi WACM": {
"url": "https://mcp.wasabisys.dev/wacm"
}
}
}Option B: Cursor Settings UI
Open Cursor Settings (Cmd+, on macOS, Ctrl+, on Windows/Linux).
Go to the MCP (Tools / MCP Servers) section.
Click Add new MCP server.
Give it a name (for example, Wasabi S3) and paste the endpoint URL.
Repeat for each service you want.
Authorize
After adding an endpoint, Cursor shows the server as needing authentication and opens your browser to the OAuth flow. Approve it, then return to Cursor. The server should show a green/connected indicator and list its tools.
Cursor's Tools & MCPs settings page shows the connected Wasabi servers, their enabled tool counts, and the green connected indicators.

Claude
Claude supports remote MCP servers, but how it connects depends on the surface because each surface uses a different OAuth callback URL.
Claude Code (CLI)
Claude Code uses loopback redirect URIs (http://localhost/callback, http://127.0.0.1/callback), which the Wasabi MCP server allowlists by default. This works against the public instance with no server changes.
Add a server using the command below:
claude mcp add --transport http wasabi-s3 https://mcp.wasabisys.dev/s3Repeat for IAM and WACM as needed. On first use, Claude Code triggers the OAuth flow in your browser. You can manage and re-authenticate servers with the /mcp command inside a session.
Claude Desktop / Claude.ai (custom connectors)
In recent versions, Claude Desktop and Claude.ai add remote MCP servers as custom connectors using the steps below.
Open Settings and Connectors.
Click Add custom connector.
Enter the MCP server URL (for example, https://mcp.wasabisys.dev/s3).
(Optional) Open Advanced settings to provide an OAuth Client ID/Secret. For Wasabi MCP, this is not required. The server supports dynamic client registration.
Click Add and Connect to run the OAuth flow.
Claude's custom connector dialog takes a connector name and one per-service Wasabi MCP URL. After OAuth succeeds, the connector appears as connected, and Claude shows the Wasabi tools available for that service.
Set Tool Permissions (Claude-only)
Claude lets you control when it is allowed to run each tool in a connector—a feature unique to Claude's surfaces. After connecting, open the connector and use Tool permissions to decide, per tool (or for a whole group, such as read-only tools), whether Claude can Always allow, Ask permission first, or Never allow that action.
This is a good place to require confirmation before any write or destructive Wasabi operation (for example, deleting objects or modifying IAM policies) while leaving read-only tools on Always allow. The setting only changes when Claude prompts you. I does not affect what the Wasabi MCP server permits.
Hosted Claude surfaces authorize through https://claude.ai/api/mcp/auth_callback and may also use https://claude.com/api/mcp/auth_callback. The public mcp.wasabisys.dev instance allowlists both callbacks and supports dynamic client registration, so no advanced OAuth client settings are required.
Codex CLI
Codex connects to remote servers over Streamable HTTP and uses loopback OAuth, which the Wasabi MCP server allowlists by default. This works with the public instance with no server changes.
Option A: Add and Authenticate
Register the endpoint using the command below.
codex mcp add wasabi-s3 --url https://mcp.wasabisys.dev/s3 Start the OAuth login (opens your browser).
codex mcp login wasabi-s3 Repeat for IAM and WACM. Verify with codex mcp list or run /mcp inside a Codex session to see connected servers and their tools.
Option B: Edit config.toml File
Edit ~/.codex/config.toml directly.
[mcp_servers.wasabi-s3]
url = "https://mcp.wasabisys.dev/s3"
enabled = true
[mcp_servers.wasabi-iam]
url = "https://mcp.wasabisys.dev/iam"
enabled = true
[mcp_servers.wasabi-wacm]
url = "https://mcp.wasabisys.dev/wacm"
enabled = true
After editing the file, run the command below for each server to complete OAuth.
codex mcp login <name> The Codex CLI confirms OAuth support, opens the browser authorization flow, and reports when login succeeds:
If your OAuth provider requires a fixed callback port (for example, behind a strict firewall), set mcp_oauth_callback_port at the top level of config.toml. Otherwise, Codex binds to an ephemeral loopback port, which the Wasabi server accepts.
Other MCP Clients (Generic)
Any client that speaks remote MCP over Streamable HTTP and supports OAuth can use the same endpoint URLs. The general steps are:
Add the endpoint URL (for example, https://mcp.wasabisys.dev/s3).
Complete the OAuth flow in the browser when prompted.
Use the tools.
Clients That Only Support stdio Servers
If your client can only launch a local command (stdio) MCP server, bridge to the remote endpoint with mcp-remote.
{
"mcpServers": {
"Wasabi S3": {
"command": "npx",
"args": ["-y", "mcp-remote", "https://mcp.wasabisys.dev/s3"]
}
}
}mcp-remote handles the OAuth handshake (using a loopback redirect, which the server allowlists) and proxies the connection over stdio to your client.
Authentication and Credential Setup
There are two layers of authentication. Understanding the split avoids most confusion.
Layer 1: Client ←→ MCP Server (OAuth)
This is the flow your client kicks off when you add an endpoint:
The client calls the endpoint and gets an OAuth challenge.
Your browser opens the Wasabi MCP sign-in page (https://mcp.wasabisys.dev).
You authorize. The client receives a short-lived, scoped OAuth token bound to that resource URL.
The client never receives your Wasabi keys—only this token.
Layer 2: MCP Server ←→ Wasabi (Your Credentials)
The first time you connect, you save your Wasabi credentials in the web dashboard (https://mcp.wasabisys.dev). The server encrypts them at rest and uses them only when a tool call needs them.
S3 / IAM / STS—Save a Wasabi access key and secret key (region and endpoint are optional; an STS session token is also supported for temporary credentials).
WACM—Open the WACM Connect tab and save your WACM username and API key. This is a different credential type from your S3/IAM access key.
The dashboard lets you create a managed key or paste an existing access key/secret key:
After sign-in, the dashboard shows the saved key for the current session and a button to return to the AI editor.
Verify the Connection
A quick way to confirm the server is reachable and OAuth-protected (it should return a 401 with a WWW-Authenticate challenge when called without a token) is:
curl -i https://mcp.wasabisys.dev/s3Inside your client, list the tools for a connected server. You should see names such as wasabi_s3_list_buckets, wasabi_iam_get_user, or wasabi_wacm_get_sub_accounts. Tool names always follow wasabi_<service>_<operation>.
Client Compatibility Matrix
Client | Transport | OAuth Redirect It Uses | Works with public instance? |
Cursor (IDE) | Streamable HTTP | cursor:// native scheme | Yes (first-party) |
Cursor hosted agents | Streamable HTTP | Yes | |
Codex CLI / IDE | Streamable HTTP | Loopback (http://127.0.0.1:<port>) | Yes |
Claude Code (CLI) | Streamable HTTP | Loopback (http://localhost/callback) | Yes |
Claude Desktop / Claude.ai connector | Streamable HTTP | https://claude.ai/api/mcp/auth_callback or https://claude.com/api/mcp/auth_callback | Yes |
Generic client via mcp-remote | stdio → HTTP bridge | Loopback | Yes |
Rule Behind the Table
Dynamically registered clients may only use redirect URIs that are loopback addresses, native editor schemes (cursor:, vscode:, vscode-insiders:), the hosted Cursor/Claude callbacks, or a browser URI explicitly listed in the server's OAuth config.
Troubleshooting
The client keeps reopening the auth window, or never shows tools
Confirm you used a real per-service path: /s3, /iam, or /wacm. Any /mcp path does not exist and will fail.
Make sure the base host is correct (https://mcp.wasabisys.dev).
Authorization fails for Claude Desktop / Claude.ai
Confirm your connector URL uses a per-service path such as /s3, /iam, or /wacm. Then reconnect the connector.
WACM tools return reauth_required
Open the dashboard, go to the WACM Connect tab, and save a WACM username and API key. An S3 or IAM access key does not authenticate against the WACM Connect API.
Connection refused / timeout
Check that no firewall blocks the OAuth loopback callback. For Codex, you can pin the port with mcp_oauth_callback_port.
Tools were working, then started returning auth errors
OAuth access tokens are short-lived and refreshed automatically. If refresh fails, remove and re-add the server in your client to re-run the flow. You can also usually just tell your agent to reauthenticate the MCP.
Codex: OAuth login does nothing in a headless environment
codex mcp login opens a browser. In a headless/SSH session without a browser, the loopback OAuth flow cannot complete. Run the login from a machine with a browser, or use a client that supports another flow.
Quick Reference Cheatsheet
Endpoints (public)
S3 https://mcp.wasabisys.dev/s3
IAM/STS https://mcp.wasabisys.dev/iam
WACM https://mcp.wasabisys.dev/wacm
Issuer https://mcp.wasabisys.dev
Cursor — .cursor/mcp.json
{ "mcpServers": { "Wasabi S3": { "url": "https://mcp.wasabisys.dev/s3" } } }
Claude Code
claude mcp add --transport http wasabi-s3 https://mcp.wasabisys.dev/s3Codex
codex mcp add wasabi-s3 --url https://mcp.wasabisys.dev/s3
codex mcp login wasabi-s3Generic (stdio bridge)
npx -y mcp-remote https://mcp.wasabisys.dev/s3Smoke check
curl -i https://mcp.wasabisys.dev/s3 # expect HTTP 401 + WWW-AuthenticateTool naming
wasabi_<service>_<operation> (e.g. wasabi_s3_list_buckets).