Grafana MCP Server
Official Grafana Labs MCP server providing 90 tools covering dashboards, Prometheus, Loki, alerting, incidents, on-call, annotations, plugins, RBAC, and many datasource-specific query tools (CloudWatch, ClickHouse, Snowflake, Athena, Elasticsearch, InfluxDB, Graphite, Pyroscope).
Server Info
- Package: mcp-grafana
- Registry: github
- Repository: grafana/mcp-grafana
- Maintainer: Grafana (Vendor)
- Category: Developer Tools
- Tags: observability, dashboards, prometheus
- Last Scanned: 28 May 2026
Findings
7 issues
Authentication & Identity
HIGH: No MCP OAuth spec implementation
Server does not implement the MCP OAuth authorization server spec. The platform must handle the full OAuth flow, token management, and credential injection externally.
Implement the MCP OAuth spec (.well-known/oauth-authorization-server) for native per-user authentication.
HIGH: Env var credentials with no rotation mechanism
Credentials (GRAFANA_URL, GRAFANA_SERVICE_ACCOUNT_TOKEN, GRAFANA_API_KEY) are read from environment variables at startup. Rotation requires restarting the server process. All requests share the same service account credential.
Support dynamic credential refresh or secrets manager integration.
Tool Schema Quality
MEDIUM: Only 0 of 90 schemas have parameter constraints
Most schemas lack maxLength, enum, or pattern constraints on string parameters.
Add constraints to string parameters, especially on write operations.
CRITICAL: Dangerous execution surface: grafana_api_request executes arbitrary authenticated HTTP requests against any Grafana API endpoint, with no path restriction or method allowlist
Tool allows raw code/query execution which could be exploited via prompt injection.
Use parameterized queries or validated command sets.
LLM Safety
HIGH: Tool descriptions contain instructional language
Descriptions include directives that could influence LLM behavior beyond tool selection.
Remove instructional language. Descriptions should be purely factual.
Data Exposure
MEDIUM: 20 list operations lack pagination
Query tools (query_prometheus, query_loki_logs, query_athena, query_snowflake, query_click_house, query_elasticsearch, query_influx_db, query_graphite, query_cloud_watch) return full response objects from the respective datasource. The Prometheus and Loki query tools accept limit/step parameters. Full Grafana API responses are returned without server-side filtering, and there is no field selection (no $select equivalent). Datasource query results are bounded by the query itself (time range, limit). grafana_api_request returns raw API responses with optional jq-style filtering.
Add limit/offset or cursor-based pagination.
LOW: No field selection on responses
Responses return full records rather than projected fields.
Implement field selection to return only relevant fields.
Tools
90 total

| Name | Description | Risk |
|---|---|---|
| grafana_api_request | Make an authenticated HTTP request to the Grafana API. Similar to 'gh api' for GitHub. Supports any Grafana API endpoint with optional jq-style response filtering. Use this for API endpoints that don't have a dedicated tool. | admin |
| grafana_api_request_read_only | Read-only variant of grafana_api_request; restricted to GET methods only. | read |
| query_prometheus | WORKFLOW: list_prometheus_metric_names -> list_prometheus_label_values -> query_prometheus. Query a PromQL-compatible datasource (Prometheus, Thanos, Mimir, Cloud Monitoring, etc.) using a PromQL expression. Supports instant queries and range queries. | read |
| query_prometheus_histogram | Query histogram metrics from a Prometheus-compatible datasource. | read |
| list_prometheus_metric_names | List available metric names from a Prometheus datasource. | read |
| list_prometheus_label_names | List label names for a Prometheus datasource. | read |
| list_prometheus_label_values | List values for a specific label in a Prometheus datasource. | read |
| list_prometheus_metric_metadata | List metric metadata from a Prometheus datasource. | read |
| query_loki_logs | Executes a log query against a Loki or VictoriaLogs datasource and returns matching log entries. Defaults to last hour, limit 10, backward direction. Accepts LogQL (Loki) or LogsQL (VictoriaLogs). | read |
| query_loki_patterns | Query log patterns from a Loki datasource. | read |
| query_loki_stats | Query log stream statistics from a Loki datasource. | read |
| list_loki_label_names | List available label names from a Loki datasource. | read |
| list_loki_label_values | List values for a specific label in a Loki datasource. | read |
| analyze_loki_labels | Analyze label cardinality and distribution for a Loki datasource. | read |
| find_error_pattern_logs | Find error patterns in Loki log streams. | read |
| find_slow_requests | Find slow requests in Loki log streams. | read |
| suggest_loki_alloy_label_config | Suggest Grafana Alloy label configuration for a Loki datasource. | read |
| get_dashboard_by_uid | Get a Grafana dashboard by its UID. | read |
| update_dashboard | Create or update a dashboard. Two modes: full JSON or patch with JSONPath operations. DestructiveHint=true. Supports patch operations via JSONPaths including array append and remove. | write |
| get_dashboard_panel_queries | Get the queries for all panels in a Grafana dashboard. | read |
| get_dashboard_property | Get a specific property from a Grafana dashboard by JSONPath. | read |
| get_dashboard_summary | Get a summary of a Grafana dashboard including panels, variables, and datasources. | read |
| search_dashboards | Search for Grafana dashboards by query string. | read |
| search_folders | Search for Grafana folders. | read |
| create_folder | Create a new Grafana folder. | write |
| run_panel_query | Run a panel query for a specific panel in a Grafana dashboard. | read |
| list_datasources | List all configured datasources in Grafana. | read |
| get_datasource | Get a specific datasource by name or UID. | read |
| alerting_manage_rules | Create, update, and delete Grafana alerting rules. DestructiveHint=true. | admin |
| alerting_manage_rules_read | Read Grafana alerting rules (read-only variant of alerting_manage_rules). | read |
| alerting_manage_routing | Manage Grafana alerting notification routing and policies. | write |
| list_alert_groups | List alert groups from Grafana Alertmanager. | read |
| get_alert_group | Get a specific alert group from Grafana Alertmanager. | read |
| create_annotation | Create a new annotation on a dashboard or panel. | write |
| update_annotation | Update an existing Grafana annotation. | write |
| get_annotations | Get annotations from a Grafana dashboard or panel. | read |
| get_annotation_tags | Get available annotation tags in Grafana. | read |
| install_plugin | Install a Grafana plugin by plugin ID. | admin |
| get_plugin | Get information about an installed Grafana plugin. | read |
| search_plugins | Search the Grafana plugin catalog. | read |
| create_incident | Create a new Grafana incident. Requires title, severity, and room prefix. Should be used judiciously and only after user confirmation as it may notify many people. | write |
| get_incident | Get a specific Grafana incident by ID. | read |
| list_incidents | List Grafana incidents with optional filtering. | read |
| add_activity_to_incident | Add an activity entry to an existing Grafana incident. | write |
| get_current_on_call_users | Get the users currently on call in Grafana OnCall. | read |
| list_on_call_schedules | List on-call schedules in Grafana OnCall. | read |
| list_on_call_teams | List teams configured in Grafana OnCall. | read |
| list_on_call_users | List users in Grafana OnCall. | read |
| get_on_call_shift | Get a specific on-call shift by ID. | read |
| get_sift_analysis | Retrieve a specific analysis from a Sift investigation by UUID. | read |
| get_sift_investigation | Get a specific Sift investigation by ID. | read |
| list_sift_investigations | List Sift investigations. | read |
| get_assertions | Get assertions from Grafana Asserts. | read |
| get_panel_image | Render a Grafana panel as an image. | read |
| query_cloud_watch | Query CloudWatch metrics via a configured CloudWatch datasource in Grafana. | read |
| list_cloud_watch_namespaces | List CloudWatch metric namespaces. | read |
| list_cloud_watch_metrics | List CloudWatch metrics in a namespace. | read |
| list_cloud_watch_dimensions | List CloudWatch dimensions for a metric. | read |
| query_click_house | Execute a SQL query against a ClickHouse datasource configured in Grafana. | read |
| list_click_house_tables | List tables in a ClickHouse datasource. | read |
| describe_click_house_table | Describe the schema of a ClickHouse table. | read |
| query_snowflake | Execute a SQL query against a Snowflake datasource configured in Grafana. | read |
| list_snowflake_tables | List tables in a Snowflake datasource. | read |
| describe_snowflake_table | Describe the schema of a Snowflake table. | read |
| query_athena | Execute a SQL query against an AWS Athena datasource configured in Grafana. | read |
| list_athena_catalogs | List AWS Glue Data Catalog catalogs available in Athena. | read |
| list_athena_databases | List databases in an Athena catalog. | read |
| list_athena_tables | List tables in an Athena database. | read |
| describe_athena_table | Describe the schema of an Athena table. | read |
| query_elasticsearch | Execute a query against an Elasticsearch datasource configured in Grafana. | read |
| query_influx_db | Execute a query against an InfluxDB datasource configured in Grafana. | read |
| query_graphite | Execute a Graphite query against a Graphite datasource configured in Grafana. | read |
| list_graphite_metrics | List available metrics from a Graphite datasource. | read |
| list_graphite_tags | List available tags from a Graphite datasource. | read |
| query_graphite_density | Query data density statistics from a Graphite datasource. | read |
| list_pyroscope_profile_types | List available profile types from a Pyroscope datasource. | read |
| list_pyroscope_label_names | List label names from a Pyroscope datasource. | read |
| list_pyroscope_label_values | List label values from a Pyroscope datasource. | read |
| query_pyroscope | Query profiling data from a Pyroscope datasource. | read |
| list_teams | List teams in Grafana. | read |
| list_users_by_org | List users in the current Grafana organization. | read |
| list_all_roles | List all RBAC roles defined in Grafana. | read |
| get_role_details | Get detailed permissions for a specific Grafana RBAC role. | read |
| get_role_assignments | Get role assignments for users or teams in Grafana. | read |
| get_user_roles | Get roles assigned to a specific Grafana user. | read |
| list_team_roles | List roles assigned to a specific Grafana team. | read |
| get_resource_permissions | Get permissions for a specific Grafana resource (dashboard, folder, datasource). | read |
| get_resource_description | Get a natural-language description of a Grafana resource. | read |
| generate_deeplink | Generate a Grafana deep link URL for a dashboard or panel. | read |
| get_query_examples | Get example queries for a Grafana datasource type. | read |