Connect a client

Point an MCP client at Tracemill Cloud with a workspace API token.

The Tracemill MCP server is a remote server over streamable HTTP. Any MCP client that supports remote servers can connect. There is nothing to install.

1. Issue an API token

In Tracemill Cloud, open Team → API tokens and issue a token. It starts with tmk_ and is shown once — copy it immediately. See API tokens.

The token's role decides what the agent may do. A viewer token can read detections and coverage; writing content, starting runs, and enrolling need editor or above. Issue the least-privileged token that does the job.

Only tmk_ tokens work here. The tmv_ token you gave the Splunk add-on is target-scoped and is rejected.

2. Add the server to your client

The endpoint is:

https://api.tracemill.io/mcp

Transport is streamable HTTP, and the token goes in an Authorization: Bearer header. Most clients express that as JSON like this:

{
  "mcpServers": {
    "tracemill": {
      "type": "http",
      "url": "https://api.tracemill.io/mcp",
      "headers": {
        "Authorization": "Bearer tmk_your_token_here"
      }
    }
  }
}

Check your client's own documentation for where that configuration lives and what it calls the transport — some say http, some streamable-http.

3. Check it works

curl -sS https://api.tracemill.io/mcp \
  -H "Authorization: Bearer $TRACEMILL_TOKEN" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{
        "protocolVersion":"2025-06-18","capabilities":{},
        "clientInfo":{"name":"curl","version":"0"}}}'

A working server answers with its capabilities:

{"jsonrpc":"2.0","id":1,"result":{
  "capabilities":{"logging":{},"prompts":{"listChanged":true},"tools":{"listChanged":true}},
  "protocolVersion":"2025-06-18",
  "serverInfo":{"name":"tracemill","version":"0.1.0"}}}

Both Accept media types are required. Omit text/event-stream and the request is rejected with 400 Accept must contain both 'application/json' and 'text/event-stream'.

Note that a bad token does not come back as 401. The HTTP request succeeded; the JSON-RPC call inside it did not:

{"jsonrpc":"2.0","id":1,"error":{"code":0,"message":"unauthorized"}}

A 404 means the MCP server is not enabled for your environment.

Tracemill never reads your Splunk. The agent does that from your side — listing saved searches, fetching a detection's SPL, exporting events that fired it.

Splunk publishes an official MCP server for exactly this. Install it alongside Tracemill's and give it read-only Splunk credentials.

If you cannot install Splunkbase apps, you do not need it: everything the flow reads from Splunk is available from Splunk's REST API, and an agent with shell access can curl it directly. Your Splunk credentials never reach Tracemill either way.

Next

Enroll a custom detection — the guided flow.