Overview
Kindo supports integrations using a combination of Nango for Auth and standardizing on the MCP protocol for agents to access those underlying systems. Most of the MCP servers today are built in house and are run by the customer as part of a self managed installation, but there's a growing number of official hosted MCPs that we can directly access without a customer needing to run the MCP server in their environment. This document outlines how to get Kindo setup with these integrations in a self managed installation.
Nango Setup
Connecting Your Nango Server With Your SMK Install
.png)
1. Setting environment variable values in Kindo
| Env var | Description/where to find | Services where this value must be set |
|---|---|---|
NANGO_SECRET_KEY |
Obtain this value via the Nango dashboard and set the env var in the required services | api,task-worker-ts |
| NANGO_URL | The host on the Ingress (or load balancer / reverse proxy route) that points to the nango service. |
|
| This should match the URL root via which you are accessing the Nango dashboard. | api,task-worker-ts | |
| API_INTEGRATION_WEBHOOK_BASE_URL | Same as NANGO_URL |
task-worker-ts |
| NEXT_PUBLIC_NANGO_API_URL | Same as NANGO_URL |
next |
| NEXT_PUBLIC_NANGO_CONNECT_URL | The host on the Ingress (or load balancer / reverse proxy route) that points to the nango-connect-ui service. |
next |
2. Setting environment variable values in Nango
-
Set the value of Callback URL to:
${NANGO_URL}/oauth/callback -
Webhook setup: In order to receive and register new integration connections,
-
Set the primary webhook URL in Nango. In the Nango dashboard, under the
Environment Settingstab, scroll down to theWebhooks URLssection. Set the value ofPrimary URLto:${API_BASE_URL}/webhook/nangowhere
API_BASE_URLcorresponds to the value of the environment variable that is set in the api service. Make sure that theProdenvironment is selected. -
Toggle ON
Auth: new connection webhoooks. All other toggles can be set to OFF.
-
Configuring New Integrations In Nango
Integrations can be configured as follows:
After logging into Nango, click Integrations → Configure New Integration → Select desired integration/auth method
NOTE: Some integrations may support multiple authentication methods, please see the chart below for supported auth methods for each integration:
| MCP Server | Authentication Method | Scopes | |
|---|---|---|---|
| Azure DevOps | BASIC | ||
| Box | OAUTH2 | ||
| Cisco Catalyst | BASIC | ||
| Cisco FMC | BASIC | ||
| Cofense Triage | OAUTH2_CC | ||
| CrowdStrike Falcon | OAUTH2_CC | ||
| Datadog | API_KEY | ||
| Dropbox | OAUTH2 | account_info.read, files.metadata.read, files.content.read, openid, profile, email, files.metadata.write, files.content.write, sharing.write, sharing.read, file_requests.write, file_requests.read, contacts.read | |
| GitHub (User OAuth) | OAUTH2 | repo, read:org, user | |
| GitLab | OAUTH2 | api | |
| Google Docs | OAUTH2 | https://www.googleapis.com/auth/documents, https://www.googleapis.com/auth/drive | |
| Google Drive | OAUTH2 | https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile, openid, https://www.googleapis.com/auth/drive | |
| Google SecOps | OAUTH2 (configured per connection, not in Nango) | ||
| Grafana | API_KEY | ||
| Graylog | BASIC | ||
| Jira | OAUTH2 | read:me, read:account, read:jira-work, read:jira-user, manage:jira-webhook, offline_access, write:jira-work NOTE: These scopes must be configured in Jira under “User Identity API” and “Jira API” scopes. offline_access is only specified in Nango. |
|
| Linear | OAUTH2 | admin, read, write | |
| Microsoft Entra ID | OAUTH2 | offline_access, .default | |
| Microsoft Fabric | OAUTH2_CC | offline_access, Team.ReadBasic.All, Channel.ReadBasic.All, ChannelMessage.Read.All, ChannelMessage.ReadWrite, ChannelMessage.Send, Chat.ReadWrite, User.Read, User.Read.All | |
| Microsoft Teams | OAUTH2 | offline_access, Team.ReadBasic.All, Channel.ReadBasic.All, ChannelMessage.Read.All, ChannelMessage.ReadWrite, ChannelMessage.Send, Chat.ReadWrite, User.Read, User.Read.All | |
| Neo4j | BASIC | ||
| NVD | API_KEY | ||
| OneDrive | OAUTH2 | offline_access, User.Read, Files.Read, Files.ReadWrite.All | |
| ReliaQuest GreyMatter | API_KEY | ||
| SailPoint | OAUTH2_CC | ||
| SAP S/4HANA (OData) | BASIC | ||
| SAP S/4HANA RFC | BASIC | ||
| ServiceNow | OAUTH2_CC | ||
| Slack | OAUTH2 | channels:history, channels:manage, channels:read, channels:write.invites, chat:write, chat:write.public, groups:history, groups:read, groups:write, groups:write.invites, im:history, im:read, im:write, incoming-webhook, mpim:history, mpim:read, mpim:write, users:read, users:read.email | |
| Smartsheet | OAUTH2 | ADMIN_SHEETS, READ_SHEETS, WRITE_SHEETS, DELETE_SHEETS, CREATE_SHEETS, READ_FOLDERS, READ_WORKSPACES | |
| Sourcegraph | API_KEY | ||
| Splunk | API_KEY | ||
| Sumo Logic | BASIC | ||
| Tenable Vulnerability Management | API_KEY |
.png)
OAUTH2 Integrations
To connect an OAUTH2 integration, you will first need create an OAUTH app from within the integration. Guides for creating OAUTH apps for each integration can be found in Nango’s docs. (Select the desired integration/auth method and search for OAUTH app creation guides. e.g. Jira docs). NOTE: The callback URL should be \<NANGO_URL\>/oauth/callback . After creating the integration, you can then configure the Client ID and Client Secret with the values provided by the integration provider. Required scopes for each integration are listed in the table above.
.png)
BASIC, API_KEY, and OAUTH2_CC Integrations
For BASIC and OAUTH2_CC, no modification to the integration configurations should be necessary as all required credentials are specified on creation of the connection in the Kindo platform.
If setting up webhooks for Linear or Jira, proceed to the next section. If not, you may skip to “Syncing Your Nango Integrations With Your SMK App”.
Setting Up Integration Webhooks
Integration Webhooks set up through this method are required for using Integration Event triggers in the product.
Direct Webhook URL triggers do not require this configuration, and can be used with any system that supports webhooks by simply following the in-app instructions.
Prerequisites
- To set up a webhook for an integration, you must first configure a new integration in Nango (see section above).
Linear
In Linear, go to Settings → API and select the OAUTH app created in the previous section. Then, click the three dots and select “Edit Application”. Enable the “Webhooks” toggle and enter \<API_SERVICE_URL\>/webhook/integration-connection/linear as the webhook URL where API_SERVICE_URL is the publicly exposed URL for the Kindo API Service. Select “Issues” under “Data change events” and copy the webhook signing secret before saving. In Nango, paste the freshly copied webhook secret into the “Webhook Secret” input and save the changes. NOTE: Any connections created via the Kindo UI before configuring the webhooks in linear will have to be reauthenticated (deleted and reconnected in the Kindo UI)
.png)
Jira
No additional setup is needed.
Syncing Your Nango Integrations With Your SMK App
-
Prerequisites:
- Access to the Hatchet dashboard
-
Use when:
- You need to sync the integrations that are registered in Nango with your SMK Kindo application
-
Steps:
-
In the Hatchet dashboard, go to the
Activity \> Runstab -
Click the
Trigger Runbutton, which will open a pop-up -
In the pop-up, under
Task or Workflow, click theSelect Task or Workflowbutton -
Search for and select the workflow
sync-all-integration-configs-workflow -
Click the
Run Taskbutton
-
.png)
.png)
- Checking that it worked:
- In the Hatchet dashboard, you should see something like:
.png)
- In the Kindo app, open the settings modal and click on the `INTEGRATIONS` tab. Under `Available Integrations`, you should see the api providers that were configured in Nango.
.png)
# MCP Servers Setup
Connecting Your SMK App to MCP Servers
After syncing your Nango integrations with your SMK app (see previous section), the integration configs will appear in the IntegrationConfig table in your database.
To connect MCP servers, you need to manually update the mcpServerUrl field in the IntegrationConfig table for each integration:
- Sync your Nango integrations using the Hatchet workflow (see "Syncing Your Nango Integrations With Your SMK App" above)
- Verify the configs are in the database: Check that the integration configs now appear in the
IntegrationConfigtable - Update the
mcpServerUrlfield: For each integration you want to enable, set themcpServerUrlto the URL where that MCP server is accessible - Update the
supportsWebhooksfield: For integrations that support webhooks (currently Jira and Linear), set thesupportsWebhooksfield totrueif you want to enable trigger functionality for those integrations
Example URLs (adjust based on your deployment's namespace and service naming conventions):
- Slack:
http://mcp-slack.mcp:80 - Jira:
http://mcp-jira.mcp:80 - Linear:
http://mcp-linear.mcp:80
Note: The exact URL format will depend on your Kubernetes namespace configuration and service naming conventions.