Kiteworks MCP

Kiteworks MCP Server Installation & Setup

The setup path depends on your deployment mode and the MCP client you're connecting to. This page covers the Claude Desktop Connector, Local STDIO setup for individual users, the one-time Admin Portal enablement, and Remote HTTPS deployment for administrators setting up a shared server.

Innovators in AI
Join the Innovators in AI program — Full MCP access included for all members

Unlimited agent workflows, policy controls, and audit telemetry at no additional cost for the first 6 months. Kiteworks admins can activate it through the admin console.

I want to…Deployment modeGo to
Enable Kiteworks MCP for my organization (required first step) Admin Portal Configure MCP in Admin Portal
Connect Kiteworks to Claude Desktop from the connector marketplace Claude Desktop Connector Claude Desktop Connector
Use Kiteworks from Claude Code or VS Code on my machine Local STDIO Local STDIO
Deploy a shared MCP server for my team or organization Remote HTTPS Remote HTTPS

Configure MCP in Admin Portal

Start here. Kiteworks MCP is governed by a single fixed OAuth application managed from the Admin Portal console. Enabling it is the one required step before anyone can connect. Once it is on, users can start using the Claude Desktop Connector or any other local MCP installation.

Enable Kiteworks MCP

  1. Log into the Kiteworks Admin Portal console
    Sign in as an administrator.
  2. Open the Kiteworks MCP settings
    Go to Application Setup → Apps and Plugins and select the Kiteworks MCP tab. The fixed app is disabled by default.
  3. Enable Kiteworks MCP
    Toggle Kiteworks MCP to enabled and click Save. That's it — users can now start using the Claude Desktop Connector or other local MCP installations.

Optional configuration

The defaults work for most local deployments. Adjust these only if your environment requires it:

  • Disable local MCP — turn off the local redirect if you want users to connect only through an MCP server deployed on a remote server.
  • Add the remote callback URL — if you run a remote MCP server, add its callback (redirect) URL so the fixed app can complete the OAuth flow for remote clients.
  • Configure scopes — adjust the OAuth scopes granted to the fixed app to widen or narrow what connected AI clients can do. Note that currently only the scopes selected by default map to supported functionality in the Kiteworks MCP Server.
The same fixed app covers both local and remote MCP through dual redirect URLs, so a single enable step keeps licensing, tracking, and reporting consistent across deployment modes.

Claude Desktop Connector

The quickest way to connect Kiteworks to Claude Desktop. The Kiteworks MCP Server is now available directly in the Claude Desktop connector marketplace — you no longer need to download a binary and upload it manually. The full install, permissions, and configuration walkthrough lives on its own page.

Claude Desktop Connector

Install from the marketplace · Configure permissions · Manage the connection

Open the guide
Before users can install the connector, an administrator must enable Kiteworks MCP in the Admin Portal console (see Configure MCP in Admin Portal).

Download the Binary

For Local STDIO deployments (Claude Code and VS Code), native binaries for Windows, Linux, and macOS are available from the Kiteworks MCP GitHub repository. Always download the latest release to ensure you have current security patches.

Kiteworks MCP — GitHub Releases

Binaries for Windows, Linux, and macOS · Source code · Changelog

View on GitHub

Local STDIO — Claude Code & VS Code

The Local STDIO binary runs on your machine and gives AI agents a direct data channel for uploading and downloading files — capabilities not available in Remote HTTPS mode. Install it once and register it with your MCP client.

macOS users can follow the end-to-end macOS Quick Start Guide ↗ which covers both Claude Desktop and Claude Code with AWS Bedrock.

Claude Code

Register the binary as an MCP server using the claude mcp add command. Replace /path/to/kiteworks-mcp with the actual path to the downloaded binary and https://your.kiteworks.domain with your instance URL.

terminal
claude mcp add --transport stdio kiteworks \
  /path/to/kiteworks-mcp start https://your.kiteworks.domain
command prompt
claude mcp add --transport stdio kiteworks ^
  C:\Path\To\kiteworks-mcp.exe start https://your.kiteworks.domain

Start Claude Code and type /mcp, then select kiteworks and authenticate in your browser when prompted.

Optional flags

Append these after the start command as needed:

FlagEffect
--insecure-absolute-pathsAllow file operations on absolute paths (e.g. /home/user/docs/file.txt). By default, only relative paths are permitted.
--enable-destructive-toolsEnable move and delete operations. Disabled by default as a safety measure.
--ca-cert /path/to/ca_chain.pemTrust a custom CA certificate. Required if your Kiteworks instance uses a self-signed or private CA certificate.
Path security: By default, file operations are restricted to relative paths from the MCP client's working directory. Enabling --insecure-absolute-paths allows access to any path on the file system — use with caution in shared or multi-user environments.

Visual Studio Code

Add Kiteworks as an MCP server in your VS Code settings. See the VS Code MCP Servers Guide ↗ for full documentation. A minimal configuration looks like this:

settings.json (MCP servers)
{
  "mcpServers": {
    "kiteworks": {
      "command": "/path/to/kiteworks-mcp",
      "args": [
        "start",
        "https://your.kiteworks.domain"
      ]
    }
  }
}

Add optional flags (e.g. --enable-destructive-tools, --ca-cert) to the args array as needed.

Remote HTTPS Server

The Remote HTTPS server runs as a centralized service that multiple users connect to via their MCP clients. Deployment is a multi-step process — creating the directory structure, generating cryptographic secrets, placing TLS certificates, writing the environment configuration, and setting up a reverse proxy. The full, up-to-date instructions live in the Kiteworks MCP GitHub repository.

Remote HTTPS mode does not have access to users' local file systems. File upload and download are not available in this mode — those capabilities require Local STDIO.

Remote HTTPS Deployment Guide

Directory setup · Secret generation · Docker Compose · systemd · Reverse proxy config

Open Deployment Guide
Need a hand with the deployment? Reach out to Kiteworks Support and the team can help you stand up and configure the remote server.

Security Notes

A few behaviors worth knowing before going to production:

  • Credentials are never exposed to the LLM. OAuth tokens are stored in your operating system's encrypted keychain or credential store — not in the AI context window.
  • File content is not automatically shared with the LLM. In Local STDIO mode, binary files are transferred without entering the LLM context. Text files can be loaded into context explicitly.
  • TLS certificate validation is enforced. The MCP Server validates the TLS certificate of your Kiteworks instance and will abort if it cannot be verified. Use --ca-cert to supply a custom CA chain for self-signed or private CA certificates.
  • FIPS 140-3 mode can be enabled by setting GODEBUG=fips140=only as an environment variable before starting the server.

Next Steps

With the server installed and connected:

  • Claude Desktop Connector → Install and use the Kiteworks connector in Claude Desktop
  • Kiteworks Marketplace Coming Soon — Ready-to-use, governed AI use cases built on the MCP Server
  • Available MCP Tools ↗ — Full list of tools exposed to connected LLM applications