# Set up the Wiz MCP server

> Create a Wiz service account, then register the Wiz MCP server in C1 and govern the tools your AI clients can call.

<Note>
  **Activation required.** AI access management must be enabled for your tenant before you can use it. To get started, [contact the C1 support team](mailto:support@c1.ai) for a walkthrough.
</Note>

The Wiz MCP server lets you govern access to the Wiz cloud security platform — issues, vulnerabilities, cloud resources, and other data exposed by the Wiz GraphQL API — as tools your AI clients can call through C1.

Wiz authenticates with a service account using the OAuth2 client credentials flow. The service account's client ID and client secret authenticate every user, so all tool calls reach Wiz as one shared identity.

## How C1 connects to Wiz

C1 hosts the Wiz MCP server, so your users' AI clients only ever see MCP tools — they never call Wiz directly. When an AI client calls one of these tools, C1 makes the matching request to the Wiz API using the credentials you configure here, then returns the result to the AI client.

The credentials you set up below are what C1 uses to call Wiz on your users' behalf.

## Before you begin

* AI access management must be enabled for your tenant. See [Enable AI access management](/product/admin/enable-ai-access-management).
* A Wiz account with permission to create a service account. See [Set up Wiz service accounts](https://docs.wiz.io/wiz-docs/docs/set-up-wiz-service-accounts).
* Your regional Wiz API endpoint, such as `https://api.us1.app.wiz.io`.

<Note>
  If you don't see **Wiz** in your MCP server catalog, [contact the C1 support team](mailto:support@c1.ai) to enable it for your tenant.
</Note>

## Create a Wiz service account

Wiz issues a client ID and client secret to a service account, which C1 exchanges for an access token using the client credentials flow.

<Steps>
  <Step>
    In the Wiz portal, go to **Settings** > **Access Management** > **Service Accounts** and create a new service account with a recognizable name such as `C1`.
  </Step>

  <Step>
    Grant the service account only the API scopes you need, such as read access to issues and cloud resources. Choose a custom-integration service account so you control its scopes.
  </Step>

  <Step>
    Copy the **Client ID** and **Client Secret**. Wiz shows the secret only once.
  </Step>
</Steps>

For a shared production setup, use a dedicated service account so activity is attributable to C1 rather than a person.

## How Wiz credentials are shared

The service account authenticates every user as one shared Wiz identity, so Wiz sees a single identity for all tool calls. C1 still attributes each call to the individual user in the [AI tool usage audit log](/product/admin/audit-ai-tool-usage). For a shared setup, use a dedicated service account so activity is attributable to C1 rather than a person.

For how shared and per-user credentials work across MCP servers, see [Configure authentication](/product/admin/mcp-servers#configure-authentication).

## Register the Wiz MCP server in C1

With your service account credentials ready, register the server and provide them.

<Steps>
  <Step>
    Follow [Register an MCP server](/product/admin/mcp-servers#register-an-mcp-server) and select **Wiz** from the catalog.
  </Step>

  <Step>
    Enter your regional Wiz API endpoint, such as `https://api.us1.app.wiz.io`.
  </Step>

  <Step>
    When you [configure authentication](/product/admin/mcp-servers#configure-authentication), choose **OAuth2 — client credentials** and enter the service account's **client ID** and **client secret**.
  </Step>

  <Step>
    Save your changes. C1 starts a sync that discovers the tools the Wiz server exposes.
  </Step>
</Steps>

## Discover and govern tools

After you register the server, C1 runs tool discovery against Wiz. Discovered tools appear on the server's **Tools** tab.

Each tool starts as either **Pending review** or automatically **Approved**, depending on the option chosen when the server was set up or your tenant's default tool settings in **Settings** > **AI Connections**. See [Require tool approval](/product/admin/enable-ai-access-management#require-tool-approval) and [Default tool classification](/product/admin/enable-ai-access-management#default-tool-classification).

Before anyone can call a Wiz tool, it must be approved, added to a toolset, and bound to an access profile. Continue to [Govern tools and toolsets](/product/admin/tools-and-toolsets) to set this up.

<Note>
  Tool discovery runs even if your credentials are incorrect, so seeing discovered tools doesn't confirm that authentication is working. You confirm your Wiz credentials when an approved user successfully calls a Wiz tool from their AI client.
</Note>
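Because discovery succeeds even with bad credentials, a wrong client ID or secret can go unnoticed until a user's first tool call. As an added example (not C1 or Wiz code), the script below requests a token with the service account's credentials directly and compares any scopes the reply reports with the ones you meant to grant. The token URL, the `audience` value, and the scope names you pass in are assumptions to confirm in the Wiz documentation.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumptions (not from this page): confirm both values in the Wiz documentation.
TOKEN_URL = "https://auth.app.wiz.io/oauth/token"
AUDIENCE = "wiz-api"


def build_token_request(client_id, client_secret, token_url=TOKEN_URL):
    """Build the OAuth2 client credentials POST (RFC 6749, section 4.4)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "audience": AUDIENCE,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(token_url, data=form, headers=headers, method="POST")


def review_token_response(status, body, intended_scopes):
    """Classify a token endpoint reply and flag scopes beyond the intended set."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return {"ok": False, "reason": f"HTTP {status}: non-JSON reply", "extra_scopes": []}
    if status != 200 or "access_token" not in doc:
        return {"ok": False, "reason": doc.get("error", f"HTTP {status}"), "extra_scopes": []}
    if "scope" not in doc:  # "scope" is an optional field in RFC 6749, section 5.1
        return {"ok": True, "reason": "token issued; scopes not reported", "extra_scopes": []}
    extra = sorted(set(doc["scope"].split()) - set(intended_scopes))
    reason = "token issued; scopes wider than intended" if extra else "token issued"
    return {"ok": True, "reason": reason, "extra_scopes": extra}


def check_credentials(client_id, client_secret, intended_scopes):
    """Request a token over the network and review the reply; the token is never printed."""
    req = build_token_request(client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return review_token_response(resp.status, resp.read(), intended_scopes)
    except urllib.error.HTTPError as err:  # 4xx/5xx replies still carry a JSON error body
        return review_token_response(err.code, err.read(), intended_scopes)
```

Call `check_credentials` with the client ID and secret read from an environment variable or secret store, not typed on the command line. An `invalid_client` reason means the credentials entered in C1 would fail too.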

## Manage your Wiz credentials

* **Rotate the client secret** by rotating the service account's secret in Wiz, then update the secret on the server's authentication settings in C1.
* **Adjust access** by editing the scopes granted to the service account in Wiz.
