MCP support is in preview. Pricing and availability may change.
Overview
Beyond thefunction tools you define yourself, you can give a model new capabilities by connecting it to a remote Model Context Protocol (MCP) server. The model calls that server’s tools to reach and control external services when it needs them to answer a prompt.
The mcp tool connects a user-supplied remote MCP server to an Agent API request. Agent API discovers the server’s tools when the request starts and calls them like native tools during the run, so you don’t have to write a custom function tool for each one.
The example below connects to the public DeepWiki MCP server, which needs no authentication, and asks the model to answer a question about a GitHub repository using the server’s tools.
Response
Response
Authentication
Unlike the DeepWiki server above, most MCP servers require authentication. The most common scheme is an OAuth access token, which you pass in theauthorization field of the mcp tool:
This example uses the GitHub MCP Server. Create a GitHub personal access token with access to the repositories you want the model to inspect, and export it as
GITHUB_MCP_TOKEN.Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
type | string | Yes | Must be "mcp". |
server_label | string | Yes | Unique per request, matching ^[a-zA-Z0-9_-]{1,64}$. Namespaces the server’s tools. |
server_url | string | Yes | HTTPS URL of the remote MCP server. Must be a Streamable HTTP MCP endpoint; the legacy SSE transport is not supported. |
authorization | string | No | An access token passed to the remote MCP server for authentication. Provide the raw token value. Never logged or echoed. |
headers | object | No | Extra request headers (string values) sent to the MCP server. |
allowed_tools | array | No | Allowlist of tool names to expose to the model. Omit or leave empty to expose all discovered tools. |
Response shape
When anmcp tool is used, the response output array can include two MCP-specific item types alongside the final message item:
mcp_list_tools— emitted once per server, listing the tools discovered when the request starts.mcp_call— emitted for each tool the model invokes on the server.
mcp_list_tools
| Field | Type | Description |
|---|---|---|
type | string | Always mcp_list_tools. |
id | string | Identifier for this output item. |
server_label | string | The server_label you supplied for this server. |
tools | array | The tools discovered on the server. |
error | string | null | null when the server’s tools were listed successfully. |
tools has the following fields:
| Field | Type | Description |
|---|---|---|
name | string | Tool name as exposed by the server. |
description | string | Tool description from the server. |
input_schema | object | The server’s JSON Schema for the tool’s input, passed through unmodified. |
mcp_call
| Field | Type | Description |
|---|---|---|
type | string | Always mcp_call. |
id | string | Identifier for this output item. |
server_label | string | The server_label of the server that ran the tool. |
name | string | Name of the tool that was called. |
arguments | string | JSON-encoded arguments the model passed. |
output | string | Tool output text. Empty when the call fails. |
error | string | null | null on success. When the call fails, holds the failure string, which is also returned to the model in-band. |
output array:
Error handling
| Case | What you see |
|---|---|
| Discovery failure | The request fails with external_connector_error (HTTP 424 Failed Dependency) — the server’s tools could not be listed, so the run never starts and no output array is returned. The error body’s message names the server, for example MCP server "github" could not be initialized. |
| Tool-call failure | The matching mcp_call item has its output empty and an error string set. The failure is also returned to the model in-band, so it can recover or explain in its final answer. |
external_connector_error and returns no output array.
Tool-call failures during the run do not fail the request. The error is returned to the model in-band on the mcp_call item (as above), so the model can recover or explain it in its final answer.
Risks and safety
Themcp tool lets you connect models to external services — a powerful capability that carries risk. Remote MCP servers are third-party services that have not been verified by Perplexity. They can let a model read, send, and receive data, and take actions in the connected service, and each server is subject to its own terms and conditions. Connect only servers you trust.
Use allowed_tools to limit which server tools the model can call. For servers with write or admin actions, prefer read-only server modes, read-only tokens, or a small allowlist of read-only tools.
Limitations
Themcp tool is backward-compatible with OpenAI’s Responses MCP API. The following OpenAI MCP features are temporarily not supported:
| Feature or field | Behavior |
|---|---|
require_approval | Ignored. Every MCP tool call auto-runs. |
mcp_approval_request / mcp_approval_response | Not emitted or accepted. Approval pause/continue flows are not available yet. |
connector_id and hosted connector catalogs | Ignored. Only bring-your-own server_url is honored. |
| Connector OAuth flows | Not supported. Pass credentials to your own remote server with authorization. |
defer_loading | Ignored. Tools are discovered when the request starts. |
| MCP resources, prompts, and sampling | Not supported yet; tools are the only supported MCP capability. |
approval_request_id and status on MCP output items | Not present in the MCP output item shapes. |