Model Context Protocol
Model Context Protocol (MCP) is an open protocol that lets models safely call tools exposed by external processes or services — for example, reading GitHub issues, querying databases, or operating the local file system. Kimi Code CLI acts as an MCP client to connect these external tools and exposes them to the Agent alongside built-in tools (Read, Bash, Grep, etc.) with no behavioral difference.
Connection Methods
Kimi Code CLI supports two MCP server connection methods:
- stdio: The CLI starts the local MCP server as a child process and communicates via standard input/output. Suitable for local command-line tools.
- HTTP: The CLI connects to an already-running HTTP endpoint. Suitable for remote services or processes that need to run persistently.
Configuration
MCP server configuration is written in mcp.json, at two levels:
- User level:
~/.kimi-code/mcp.json(or$KIMI_CODE_HOME/mcp.json), shared across projects - Project level:
.kimi-code/mcp.jsonin the working directory, effective only for the current repository
Entries with the same name: the project-level entry takes precedence and overrides the user-level entry.
Run /mcp-config in the TUI to interactively add, edit, or delete servers without manually editing the JSON file. Run /mcp to view the connection status of all current servers.
Structure of mcp.json:
{
"mcpServers": {
"filesystem": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"]
},
"linear": {
"url": "https://mcp.linear.app/mcp"
}
}
}Entries with a command field are stdio servers; entries with a url field are HTTP servers. The transport field generally does not need to be written manually.
Optional fields:
| Field | Type | Applies to | Description |
|---|---|---|---|
env | Record<string, string> | stdio | Environment variables injected into the child process |
cwd | string | stdio | Working directory for the child process |
headers | Record<string, string> | HTTP | Static request headers appended to every request |
enabled | boolean | Both | Set to false to disable this server |
startupTimeoutMs | number | Both | Connection timeout; default 30000 milliseconds |
toolTimeoutMs | number | Both | Timeout for a single tool call |
enabledTools | string[] | Both | Tool allowlist |
disabledTools | string[] | Both | Tool blocklist |
HTTP servers support providing static credentials via headers or bearerTokenEnvVar. When OAuth is needed, run /mcp-config login <server-name> to complete browser-based authorization.
Plugins can also declare MCP servers in their manifest. Servers declared by a plugin are enabled by default and can be disabled or re-enabled in /plugins, then a new session must be started. See Plugins for details.
Note
stdio entries in a project-level .kimi-code/mcp.json execute local commands when a session starts. Only enable these in repositories you trust.
Tool Naming and Permissions
MCP tools are named in the format mcp__<server>__<tool>, for example mcp__github__create_issue. Permission rules support * and ** wildcards, for example mcp__github__* matches all tools under that server. MCP tool parameters are not included in permission matching.
Calls that do not match any permission rule trigger an approval request. Selecting "Approve for this session" in the approval dialog automatically allows subsequent calls of the same kind within the current session.
You can also pre-configure permanent rules in [[permission.rules]] in config.toml:
[[permission.rules]]
decision = "allow"
pattern = "mcp__github__*"
[[permission.rules]]
decision = "deny"
pattern = "mcp__filesystem__write_file"For the full permission rule syntax, see Configuration files.
Security
When connecting to external MCP servers, be aware of:
- Only connect to servers from trusted sources
- Verify that tool names and parameters look reasonable in approval requests
- Keep manual approval for high-risk tools (file writes, command execution, etc.); avoid using
mcp__*wildcards to allow all tools at once
Note
In YOLO mode, MCP tool calls are automatically approved. Only use this mode when you fully trust the MCP servers you have connected.
Next steps
- Plugins — Declare MCP servers in a plugin manifest to package and distribute them together
- Configuration files — Full field reference for permission rules