> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Set up the Vectara MCP server

> Create a Vectara API key or OAuth app credentials, then register the Vectara MCP server in C1 and govern its tools.

<Note>
  **Activation required.** AI access management must be enabled for your tenant before you can use it. To get started, [contact the C1 support team](mailto:support@c1.ai) for a walkthrough.
</Note>

The Vectara MCP server lets you govern access to Vectara — corpora, documents, queries, and account data — as tools your AI clients can call through C1.

Vectara supports two ways to authenticate, and you choose one when you register the server:

* **API key** (recommended for most setups). A single key authenticates everyone, so all tool calls reach Vectara as one shared identity.
* **OAuth2 client credentials**. C1 exchanges an app client ID and secret for a short-lived access token. A single app authenticates everyone, so all tool calls reach Vectara as one shared identity.

For a deeper comparison of shared versus per-user credentials, see [Configure authentication](/product/admin/mcp-servers#configure-authentication).

## How C1 connects to Vectara

C1 hosts the Vectara MCP server, so your users' AI clients only ever see MCP tools — they never call Vectara directly. When an AI client calls one of these tools, C1 makes the matching request to the Vectara API using the credentials you configure here, then returns the result to the AI client.

The credentials you set up below are what C1 uses to call Vectara on your users' behalf.

## Before you begin

* AI access management must be enabled for your tenant. See [Enable AI access management](/product/admin/enable-ai-access-management).
* A Vectara account that can create API keys or OAuth app credentials, scoped to the corpora you want to govern.

<Note>
  If you don't see **Vectara** in your MCP server catalog, [contact the C1 support team](mailto:support@c1.ai) to enable it for your tenant.
</Note>

## Option 1: Use an API key

A Vectara API key authenticates every user as one shared identity. Use this for the simplest setup.

### Create a Vectara API key

Create an API key in the Vectara Console to authenticate C1's requests. For more information, see Vectara's [API key management](https://docs.vectara.com/docs/security/authentication/api-key-management) documentation.

<Steps>
  <Step>
    Sign in to the Vectara Console and open the **API keys** section under your account settings.
  </Step>

  <Step>
    Create a new API key, give it a recognizable name such as `C1`, and choose whether it has read or read-write access to your corpora.
  </Step>

  <Step>
    Copy the key. Vectara shows the key only once.
  </Step>
</Steps>

For a shared production setup, scope the key to only the corpora and access level you want to govern so activity is attributable to C1 rather than a person.

### Register the server with an API key

With your API key ready, register the server and provide your credentials.

<Steps>
  <Step>
    Follow [Register an MCP server](/product/admin/mcp-servers#register-an-mcp-server) and select **Vectara** from the catalog.
  </Step>

  <Step>
    When you [configure authentication](/product/admin/mcp-servers#configure-authentication), choose **Custom header**. Set the header name to `x-api-key` and the value to your Vectara API key.
  </Step>

  <Step>
    Save your changes. C1 starts a sync that discovers the tools the Vectara server exposes.
  </Step>
</Steps>

## Option 2: Use OAuth2 client credentials

OAuth2 client credentials authenticate every user as one shared identity using an app client ID and secret. Use this when your account standardizes on OAuth apps.

### Create a Vectara OAuth app

Create an app client in the Vectara Console for C1 to authenticate with. For more information, see Vectara's [App Clients for OAuth](https://docs.vectara.com/docs/console-ui/app-clients) documentation.

<Steps>
  <Step>
    Sign in to the Vectara Console and open the **App clients** section under your account settings.
  </Step>

  <Step>
    Create a new app client and choose the corpora and access level it should have.
  </Step>

  <Step>
    Copy the **Client ID** and **Client Secret**. Vectara shows the client secret only once.
  </Step>
</Steps>

For a shared production setup, scope the app to only the corpora and access level you want to govern so activity is attributable to C1 rather than a person.

### Register the server with OAuth2 client credentials

With your app credentials ready, register the server and provide them.

<Steps>
  <Step>
    Follow [Register an MCP server](/product/admin/mcp-servers#register-an-mcp-server) and select **Vectara** from the catalog.
  </Step>

  <Step>
    When you [configure authentication](/product/admin/mcp-servers#configure-authentication), choose **OAuth2 — client credentials** and enter your app's **client ID** and **client secret**.
  </Step>

  <Step>
    Save your changes. C1 starts a sync that discovers the tools the Vectara server exposes.
  </Step>
</Steps>

## How Vectara credentials are shared

Both authentication methods use one shared identity:

* **API key.** Every user's tool calls use the one API key you provided, so Vectara sees a single shared identity.
* **OAuth2 client credentials.** Every user's tool calls use the one app you provided, so Vectara sees a single shared identity.

With either method, C1 still attributes each call to the individual user in the [AI tool usage audit log](/product/admin/audit-ai-tool-usage). For a shared setup, scope the credential to a dedicated identity so activity is attributable to C1 rather than a person.

For how shared and per-user credentials work across MCP servers, see [Configure authentication](/product/admin/mcp-servers#configure-authentication).

## Discover and govern tools

After you register the server, C1 runs tool discovery against Vectara. Discovered tools appear on the server's **Tools** tab.

Each tool starts as either **Pending review** or automatically **Approved**, depending on the option chosen when the server was set up or your tenant's default tool settings in **Settings** > **AI Connections**. See [Require tool approval](/product/admin/enable-ai-access-management#require-tool-approval) and [Default tool classification](/product/admin/enable-ai-access-management#default-tool-classification).

Before anyone can call a Vectara tool, it must be approved, added to a toolset, and bound to an access profile. Continue to [Govern tools and toolsets](/product/admin/tools-and-toolsets) to set this up.

<Note>
  Tool discovery runs even if your credentials are incorrect, so seeing discovered tools doesn't confirm that authentication is working. You confirm your Vectara credentials when an approved user successfully calls a Vectara tool from their AI client.
</Note>

## Manage your Vectara credentials

* **Rotate the API key** by creating a new key in the Vectara Console, updating it in C1, then deleting the old key.
* **Rotate the OAuth app secret** by generating a new client secret for the app in the Vectara Console and updating it in C1.
* **Adjust access** by editing the corpora and access level on the key or app in Vectara.
