Skip to main content
Activation required. AI access management must be enabled for your tenant before you can use it. To get started, contact the C1 support team for a walkthrough.
The Looker MCP server lets you govern access to Looker — dashboards, looks, queries, explores, content, and users — as tools your AI clients can call through C1. Looker authenticates with API credentials: a client ID and client secret that C1 exchanges for a short-lived access token. A single set of credentials authenticates everyone, so all tool calls reach Looker as one shared identity.

How C1 connects to Looker

C1 hosts the Looker MCP server, so your users’ AI clients only ever see MCP tools — they never call Looker directly. When an AI client calls one of these tools, C1 makes the matching request to the Looker API using the credentials you configure here, then returns the result to the AI client. The credentials you set up below are what C1 uses to call Looker on your users’ behalf.

Before you begin

  • AI access management must be enabled for your tenant. See Enable AI access management.
  • A Looker account with API credentials. API credentials inherit the permissions and content access of the user they belong to, so use a user that has the access you want this integration to have.
If you don’t see Looker in your MCP server catalog, contact the C1 support team to enable it for your tenant.

Create Looker API credentials

Create API credentials for the user whose Looker access this integration should carry. For more information, see Looker’s API authentication documentation.
1
Sign in to your Looker instance and open the user whose access the credentials should carry.
2
On that user’s page, find the API Keys section and generate a new key.
3
Copy both the Client ID and the Client Secret. Looker shows the client secret only once.
For a shared production setup, create the credentials under a dedicated service-account user so activity is attributable to C1 rather than a person, and grant that user only the roles and content access you want to govern.

How Looker credentials are shared

Every user’s tool calls use the one set of API credentials you provided, so Looker sees a single shared identity. C1 still attributes each call to the individual user in the AI tool usage audit log. For a shared setup, create the credentials under a dedicated service-account user so activity is attributable to C1 rather than a person. For how shared and per-user credentials work across MCP servers, see Configure authentication.

Register the Looker MCP server in C1

With your credentials ready, register the server and provide them to C1.
1
Follow Register an MCP server and select Looker from the catalog.
2
Enter your Looker instance URL when prompted.
3
When you configure authentication, choose OAuth2 — client credentials and enter your Looker client ID and client secret.
4
Save your changes. C1 starts a sync that discovers the tools the Looker server exposes.

Discover and govern tools

After you register the server, C1 runs tool discovery against Looker. Discovered tools appear on the server’s Tools tab. Each tool starts as either Pending review or automatically Approved, depending on the option chosen when the server was set up or your tenant’s default tool settings in Settings > AI Connections. See Require tool approval and Default tool classification. Before anyone can call a Looker tool, it must be approved, added to a toolset, and bound to an access profile. Continue to Govern tools and toolsets to set this up.
Tool discovery runs even if your credentials are incorrect, so seeing discovered tools doesn’t confirm that authentication is working. You confirm your Looker credentials when an approved user successfully calls a Looker tool from their AI client.

Manage your Looker credentials

  • Rotate the API credentials by generating a new key for the user in Looker, updating the client ID and client secret in C1, then deleting the old key.
  • Adjust access by editing the roles and content access of the user the credentials belong to in Looker.