This page explains how to connect your data sources using a custom Model Context Protocol (MCP) server, letting Gemini Enterprise securely access your company's private data.
The custom MCP server data store lets you integrate private data, custom internal tools, and MCP-compliant third-party systems directly into the Google Cloud console. This approach provides a unified method to connect internal and legacy systems when standard connectors are unavailable. With this integration, your AI agents can access business-critical information and specialized logic within your private infrastructure, maximizing the value of your existing technology investments.
Limitations
The custom MCP server has the following limitations:
- Server-Sent Events (SSE): The legacy SSE transport is not supported. The connector supports only the Streamable HTTP transport.
- Private Service Connect (PSC): PSC integration isn't supported in the current version.
- VPC Service Controls: VPC-SC isn't supported in the current preview.
Before you begin
Before you set up your custom MCP server connection, ensure you perform the following:
Override the organization policy constraint that blocks the creation of data stores from custom MCP servers. For more information, see Override the organization policy for Custom MCP data stores.
Grant the Discovery Engine Editor role (roles/discoveryengine.editor). This role is required for your administrator to create the data store. To grant this role, do the following:
In the Google Cloud console, go to the IAM page.
Locate the user account, and click the edit Edit icon.
Grant the Discovery Engine Editor role to your user. For more information, see IAM roles and permissions.
Register Gemini Enterprise as an OAuth client application with your identity provider (for example, Okta, Azure AD, or Google).
To register the app, do the following:
Set the authorization redirect URL to https://vertexaisearch.cloud.google.com/oauth-redirect. Register it exactly as shown: identity providers compare it against the redirect_uri in each authorization request and refuse requests that don't match.
Grant the necessary OAuth scopes to the client app.
After you register the client app, obtain the client_id and client_secret that are needed to configure the custom MCP server data store in the following steps. Treat the client secret as a credential: it is what proves to your identity provider that a token request comes from Gemini Enterprise, so restrict who can read it.
Create the custom MCP server data store
To set up the configuration flow, follow these steps:
In the Google Cloud console, go to the Gemini Enterprise page.
In the navigation menu, click Data stores.
Click Create data store.
On the Select a data source page, enter Custom MCP Server into the Search sources field. The Custom MCP Server (Preview) card displays.
Click Add MCP server. The MCP Server Configuration page displays.
In the Authentication settings section, enter values in the following required fields:
| Field | Description |
|---|---|
| MCP Server URL | The endpoint where your MCP server is hosted. It must be an HTTPS URL. Gemini Enterprise supports only the Streamable HTTP transport, and the URL often ends with /mcp. For example, https://mcp.example.com/mcp. |
| Authorization URL | The base URL where the user authorizes Gemini Enterprise to access your MCP server. For example, https://mcp.example.com/authorize/. |
| Authorization URL Parameters | Optional. Any additional parameters required by your authorization URL. For example, to get a refresh token from a Google MCP server, enter &access_type=offline&prompt=consent. If your authorization server requires an audience parameter, add it here. For example, &audience=https://api.your-domain.com/v1/. |
| Token URL | The endpoint used for the token exchange. For example, https://mcp.example.com/token/. |
| Client ID | The unique identifier of the OAuth app that you registered in your identity provider to represent Gemini Enterprise. |
| Client Secret | The confidential key associated with the OAuth app that you registered in your identity provider to represent Gemini Enterprise. |
| Scopes | The permissions that define what actions Gemini Enterprise is allowed to perform on behalf of a user, or what data it's allowed to access. The scopes are used to access the MCP server. Gemini Enterprise requests these scopes during user authorization. Ensure that your OAuth app is configured to use these scopes. |
When you specify scopes, consider the following:
- Provide a space-separated list of scopes. For example, for Box, you provide: root_readwrite manage_managed_users manage_groups.
- Ensure the scopes provided are sufficient to let the user sign in and use the tools or actions enabled by the administrator; otherwise, the agent cannot access your app.
- Request only the scopes those tools need. Everything granted here is exercised by Gemini Enterprise on behalf of each user who signs in.
- A common scope is offline_access, which lets the app request a refresh token. Google's authorization server issues refresh tokens through access_type=offline in the Authorization URL Parameters field rather than through this scope.
Click Login, and complete the sign-in with your identity provider.
Click Continue. The Advanced options section opens.
In the MCP Server Description field, enter a description that helps Gemini Enterprise understand what the server does and when to use it. For more information, see Write effective MCP server descriptions and instructions.
Click Continue.
In the Configure your data connector section, select the Location of your data connector from the Multi-region field list.
In the Your data connector name field, enter a name for your data store.
Click Create. Gemini Enterprise creates your data store and displays your data stores on the Data Stores page.
Verify the state of the custom MCP server
To verify the state of the custom MCP server, do the following:
Click your data store in the Data stores list. The details of your data store display.
Monitor the state of your data store until it changes to Active. After the state changes from Creating to Active, your custom MCP server data store is ready to use.
Enable actions
By default, all actions are turned off, which means tools from the MCP servers you connect are not available. Each action you enable is an MCP tool that Gemini Enterprise can invoke on behalf of the signed-in user, so enable only the tools you intend to expose. To enable tools for your users, follow these steps:
Go to your custom MCP server data store.
Click Actions > Reload custom actions to reauthenticate.
Select the actions to enable.
Click Enable actions.
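Before you create the data store, or when no actions appear after Reload custom actions, it helps to check from outside Gemini Enterprise that the server satisfies the transport limitation listed at the top of this page and that it advertises the tools you expect to see under Actions. The Python below is an added example, not Google's code and not the MCP project's SDK: it implements the client side of the Streamable HTTP transport (JSON-RPC 2.0 over POST, the initialize handshake, the initialized notification and a tools/list call) against a bearer-token-protected stand-in server that is constructed here so the example runs offline. The tool name, token and endpoint are placeholders; against your own server, call probe() with the HTTPS MCP Server URL and an access token obtained through the OAuth flow you configured.

```python
"""Pre-flight probe for a Streamable HTTP MCP endpoint.

Added example, not Google's code or the MCP project's SDK. It checks that the
endpoint speaks Streamable HTTP (JSON-RPC 2.0 over POST, not legacy SSE),
refuses unauthenticated calls, and advertises the tools that become Actions.
The bearer-token-protected stand-in server is constructed for offline use.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

PROTOCOL_VERSION = "2025-03-26"   # MCP revision that introduced Streamable HTTP
DEMO_TOKEN = "demo-token"         # constructed; accepted by the stand-in server only
DEMO_TOOLS = [{"name": "get_invoice", "description": "Look up an invoice by ID",
               "inputSchema": {"type": "object", "required": ["id"],
                               "properties": {"id": {"type": "string"}}}}]


class StandInMcpHandler(BaseHTTPRequestHandler):
    """Minimal Streamable HTTP server: POST only, bearer auth, JSON replies."""

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.headers.get("Authorization") != f"Bearer {DEMO_TOKEN}":
            self.send_response(401)               # challenge, as an OAuth-protected server should
            self.send_header("WWW-Authenticate", 'Bearer realm="mcp"')
            self.end_headers()
            return
        msg = json.loads(raw)
        if "id" not in msg:                       # a notification: accept it, no body
            self.send_response(202)
            self.end_headers()
            return
        if msg["method"] == "initialize":
            reply = {"result": {"protocolVersion": PROTOCOL_VERSION,
                                "capabilities": {"tools": {}},
                                "serverInfo": {"name": "stand-in", "version": "0"}}}
        elif msg["method"] == "tools/list":
            reply = {"result": {"tools": DEMO_TOOLS}}
        else:
            reply = {"error": {"code": -32601, "message": "Method not found"}}
        body = json.dumps({"jsonrpc": "2.0", "id": msg["id"], **reply}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_stand_in_server():
    """Serve the stand-in on an ephemeral localhost port; returns (server, url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), StandInMcpHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/mcp"


def _post(url, token, payload, session_id=None):
    """One Streamable HTTP exchange. Returns (parsed reply or None, session id)."""
    headers = {"Content-Type": "application/json",
               "Accept": "application/json, text/event-stream",
               **({"Authorization": f"Bearer {token}"} if token else {}),
               **({"Mcp-Session-Id": session_id} if session_id else {})}  # echo server's session
    req = Request(url, data=json.dumps(payload).encode(), headers=headers, method="POST")
    with urlopen(req, timeout=10) as resp:
        session_id = resp.headers.get("Mcp-Session-Id", session_id)
        if resp.status == 202:                    # notification accepted, no body
            return None, session_id
        text = resp.read().decode()
        if resp.headers.get("Content-Type", "").startswith("text/event-stream"):
            # A server may answer a POST with an SSE stream; take its first data frame.
            text = next(ln[5:].strip() for ln in text.splitlines() if ln.startswith("data:"))
    msg = json.loads(text)
    if "error" in msg:
        raise RuntimeError(f"JSON-RPC error from server: {msg['error']}")
    return msg, session_id


def probe(url, token):
    """Report auth enforcement, protocol version, and the tools that become actions."""
    report = {"rejects_unauthenticated": False, "token_accepted": False,
              "protocol_version": None, "tools": []}
    init = {"jsonrpc": "2.0", "id": 1, "method": "initialize",
            "params": {"protocolVersion": PROTOCOL_VERSION, "capabilities": {},
                       "clientInfo": {"name": "preflight-probe", "version": "0"}}}
    try:
        _post(url, "", init)                      # no token: a correct server refuses this
    except HTTPError as err:
        report["rejects_unauthenticated"] = err.code == 401
    try:
        msg, sid = _post(url, token, init)
    except HTTPError:
        return report                             # token_accepted stays False
    report["token_accepted"] = True
    report["protocol_version"] = msg["result"]["protocolVersion"]
    _post(url, token, {"jsonrpc": "2.0", "method": "notifications/initialized"}, sid)
    msg, _ = _post(url, token, {"jsonrpc": "2.0", "id": 2, "method": "tools/list"}, sid)
    report["tools"] = [t["name"] for t in msg["result"]["tools"]]
    return report
```

Two caveats when pointing probe() at a real server. A server that keeps an SSE response stream open after the reply holds the probe until the timeout, because the stand-in answers with plain JSON and the probe reads the whole body before parsing. And the probe does not replace the Login step in the console, which is what exercises your Authorization URL and Token URL; it only tells you whether the endpoint behind MCP Server URL enforces authentication and will list tools once that step succeeds. A report with rejects_unauthenticated set to False means the server answers anyone who can reach it, which is worth fixing before any token from the OAuth flow is involved.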
What's next
- To protect against malicious inputs and outputs, enable Model Armor. For more information, see Enable Model Armor.
- If you want to query your MCP server using a custom agent, instead of the Gemini Enterprise assistant, see Create an agent.
- To connect your agent to the custom MCP server, see Connect a data store to app and authorize Gemini Enterprise.
- To use your agent that's connected to your custom MCP server, see Use an agent.