Two paths, different trade-offs
Custom MCP Server
Run a Model Context Protocol server that exposes your tool. Best for rich, bidirectional integrations where the agent needs tool-shaped access.
Custom REST Integration
Point RubixKube at a REST endpoint with an OpenAPI spec. Best for simple read-or-write integrations with an existing API.
If the tool you want to integrate already ships an MCP server, use that. If it only has a REST API, the REST path is simpler. If neither exists, write an MCP server for anything beyond a single endpoint.
Prerequisites
- Admin access to your RubixKube workspace.
- The internal tool’s API reachable from RubixKube Cloud (for SaaS-hosted tools), or a site-to-site tunnel for private endpoints.
- About thirty minutes for a simple integration, longer for MCP.
Path A: Custom REST Integration
Use this when the tool exposes a REST API and an OpenAPI spec.
Gather the OpenAPI spec
Most internal tools already have one, or you can generate it from the service. RubixKube validates against OpenAPI 3.0 or 3.1.
Pick an auth type
- API key: Simplest option. Pass in a header or query parameter. Good for read-only or low-risk endpoints.
- OAuth 2.0
- mTLS
Register the integration
Open Integrations → Custom REST, upload the OpenAPI spec, select the auth type, and scope which environments can use it.
Test a single endpoint
The console has a test pane. Call one endpoint, confirm the response shape, fix any auth issues before enabling broadly.
Path B: Custom MCP Server
Use this when the integration is richer than REST (think: a runbook framework, a bespoke deployment tool, or an internal data platform).
Write or adopt an MCP server
MCP is an open protocol. SDKs exist for TypeScript, Python, Go, and Rust. The server exposes a set of tools, each with a JSON schema for its arguments.
Host the server
- RubixKube-managed: Point RubixKube at a container registry and a manifest. We run the server for you in an isolated sandbox. Easiest for most teams.
- Self-hosted
Register in the console
Integrations → Custom MCP, then point at either the hosted URL or the manifest. Upload any required credentials to the workspace secret vault.
Validate tool schemas
The console lists every tool the server advertises. Click each to see its JSON schema and test it. Fix schema issues here, not in production prompts.
Auth types supported
API key, Bearer, HMAC
Static credentials stored in the workspace secret vault. Rotated on a schedule you control.
OAuth 2.0 (Authorization Code, Client Credentials)
mTLS
Client certificates for private APIs. Certificates are stored in the secret vault and attached per outbound call.
Custom headers and signatures
Webhook-style signed requests, JWT-in-header, and similar patterns. Configurable per endpoint.
What a good custom integration looks like
Narrow scope
One job, one tool schema per endpoint. The agent plans better against small, clear surfaces than sprawling ones.
Read-first
Ship read-only endpoints first. Add mutating ones once the read side proves reliable.
Approval on writes
Anything that mutates state needs human approval by default. You can relax this later; never start permissive.
Typed arguments
JSON schema with enums and ranges beats free-form strings. Planning accuracy jumps.
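The typed-arguments and read-first guidance above can be checked mechanically before a server is registered. The following is an added example, not RubixKube's or the MCP project's own code: it lints tool definitions in the shape an MCP server advertises (`name`, `inputSchema`, optional `annotations`), and it assumes the server sets the MCP `readOnlyHint` annotation on read-only tools. The tool names and schemas are constructed for illustration.

```python
# Added example: lint MCP tool definitions before registering the server.
# SAMPLE_TOOLS is constructed for illustration; tool names are hypothetical.
BOUNDING_KEYS = ("enum", "const", "pattern", "maxLength")

def lint_tool(tool):
    """Return a list of findings for one tool definition."""
    name, schema = tool["name"], tool.get("inputSchema", {})
    findings = []
    # Without this, the server accepts arguments the schema never declared.
    if schema.get("additionalProperties") is not False:
        findings.append(f"{name}: set additionalProperties to false")
    for arg, spec in schema.get("properties", {}).items():
        kind = spec.get("type")
        if kind == "string" and not any(k in spec for k in BOUNDING_KEYS):
            findings.append(f"{name}.{arg}: free-form string; add enum, pattern or maxLength")
        if kind in ("integer", "number") and not all(
                k in spec for k in ("minimum", "maximum")):
            findings.append(f"{name}.{arg}: numeric argument needs minimum and maximum")
    return findings

def mutating_tools(tools):
    """Names of tools not explicitly marked read-only; hold these for approval."""
    return [t["name"] for t in tools
            if t.get("annotations", {}).get("readOnlyHint") is not True]

SAMPLE_TOOLS = [
    {"name": "get_deploy_status",
     "annotations": {"readOnlyHint": True},
     "inputSchema": {"type": "object", "additionalProperties": False,
                     "required": ["environment"],
                     "properties": {
                         "environment": {"type": "string",
                                         "enum": ["staging", "production"]},
                         "limit": {"type": "integer", "minimum": 1, "maximum": 50}}}},
    {"name": "restart_service",  # no annotations, loosely typed arguments
     "inputSchema": {"type": "object",
                     "properties": {
                         "service": {"type": "string"},
                         "replicas": {"type": "integer", "minimum": 0}}}},
]

if __name__ == "__main__":
    for tool in SAMPLE_TOOLS:
        for finding in lint_tool(tool):
            print(finding)
    print("hold for approval:", mutating_tools(SAMPLE_TOOLS))
```

A tool with no `readOnlyHint` is treated as mutating, so an unannotated tool is held back rather than shipped in the read-only first release.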
Common questions
Can I self-host an MCP server inside my cluster?
Yes. Point RubixKube at the internal URL via a tunnel, or ship a small runner in the same cluster as the Observer. No inbound firewall changes required.
How are secrets stored?
Workspace secret vault. Encrypted at rest, scoped per integration, rotated on a schedule or on demand. Secrets never appear in agent prompts or logs.
Does a custom integration affect my investigation count?
No. Tool calls are not billed. Investigations count only whole detect-to-resolution cycles.
Can I share a custom integration across workspaces?
Related guides
How to add custom agent skills
Skills use these custom integrations as their tool surface.
Integrations overview
The out-of-the-box integrations and how they fit together.