Scope the service account token to the smallest set of Grafana permissions needed for your workflow. Broad Editor-style access can query and change many dashboards, alert rules, incidents, annotations, and OnCall resources., Disable write-capable or unused tool groups when you only need investigation. The server can expose operations for creating or updating dashboards, alert rules, incidents, annotations, and other Grafana resources., Treat LLM-generated PromQL, LogQL, SQL, and TraceQL as suggestions. Review expensive or broad time-range queries before running them against production datasources., Large dashboards and broad log queries can consume significant model context and Grafana query capacity. Prefer summaries, narrow time windows, and specific datasource scopes.
Privacy notes
Grafana query results may include production logs, metrics, traces, labels, dashboard JSON, alert rules, annotations, incident details, and OnCall data that become visible to the connected MCP client and model session., Store GRAFANA_SERVICE_ACCOUNT_TOKEN outside prompts and source control. Pass it through MCP environment configuration or your client secret-management flow., Logs and traces often contain user identifiers, request payloads, IP addresses, error messages, and other sensitive operational data; redact or avoid broad queries before sharing transcripts., When routing through Grafana datasources, the MCP server uses Grafana's configured access path. Credential exposure depends on the server configuration, client logs, and what query results are returned.
Author
Grafana Labs
Submitted by
oktofeesh1
Claim status
unclaimed
Last verified
2026-06-03
Decision playbook
Review trust signals before you adopt
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
Compare context
Selected
0
Current score
78
Baseline
—
Delta
No baseline selected
No major trust-signal divergence detected in the current selection.
Source and provenance checks
Complete
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Done
Source provenance statusRequired
Marked as source-backed.
Done
Metadata reviewed
Registry metadata indicates a reviewed listing.
Done
Safety and privacy checks
Complete
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Done
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Done
Trust level risk gateRequired
Trust level does not block evaluation.
Done
Package and install checks
Needs review
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Done
Package verification flag
No package verification flag provided.
Pending
Checksum metadata
No checksum provided for downloaded artifact.
Pending
Compare-driven decision checks
Needs review
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
4 safety and 4 privacy notes across 5 risk areas. Review closely: credentials & tokens, permissions & scopes, network access.
5 areas
SafetyCredentials & tokensScope the service account token to the smallest set of Grafana permissions needed for your workflow. Broad Editor-style access can query and change many dashboards, alert rules, incidents, annotations, and OnCall resources.
SafetyGeneralDisable write-capable or unused tool groups when you only need investigation. The server can expose operations for creating or updating dashboards, alert rules, incidents, annotations, and other Grafana resources.
SafetyExecution & processesTreat LLM-generated PromQL, LogQL, SQL, and TraceQL as suggestions. Review expensive or broad time-range queries before running them against production datasources.
SafetyPermissions & scopesLarge dashboards and broad log queries can consume significant model context and Grafana query capacity. Prefer summaries, narrow time windows, and specific datasource scopes.
PrivacyCredentials & tokensGrafana query results may include production logs, metrics, traces, labels, dashboard JSON, alert rules, annotations, incident details, and OnCall data that become visible to the connected MCP client and model session.
PrivacyCredentials & tokensStore GRAFANA_SERVICE_ACCOUNT_TOKEN outside prompts and source control. Pass it through MCP environment configuration or your client secret-management flow.
PrivacyNetwork accessLogs and traces often contain user identifiers, request payloads, IP addresses, error messages, and other sensitive operational data; redact or avoid broad queries before sharing transcripts.
PrivacyCredentials & tokensWhen routing through Grafana datasources, the MCP server uses Grafana's configured access path. Credential exposure depends on the server configuration, client logs, and what query results are returned.
Safety notes
Scope the service account token to the smallest set of Grafana permissions needed for your workflow. Broad Editor-style access can query and change many dashboards, alert rules, incidents, annotations, and OnCall resources.
Disable write-capable or unused tool groups when you only need investigation. The server can expose operations for creating or updating dashboards, alert rules, incidents, annotations, and other Grafana resources.
Treat LLM-generated PromQL, LogQL, SQL, and TraceQL as suggestions. Review expensive or broad time-range queries before running them against production datasources.
Large dashboards and broad log queries can consume significant model context and Grafana query capacity. Prefer summaries, narrow time windows, and specific datasource scopes.
Privacy notes
Grafana query results may include production logs, metrics, traces, labels, dashboard JSON, alert rules, annotations, incident details, and OnCall data that become visible to the connected MCP client and model session.
Store GRAFANA_SERVICE_ACCOUNT_TOKEN outside prompts and source control. Pass it through MCP environment configuration or your client secret-management flow.
Logs and traces often contain user identifiers, request payloads, IP addresses, error messages, and other sensitive operational data; redact or avoid broad queries before sharing transcripts.
When routing through Grafana datasources, the MCP server uses Grafana's configured access path. Credential exposure depends on the server configuration, client logs, and what query results are returned.
Prerequisites
uv and uvx available, or Docker, Helm, or the mcp-grafana binary installed
Grafana 9.0 or later for full functionality
Grafana Cloud or self-hosted Grafana instance reachable from the MCP server
Grafana service account token with RBAC permissions for the tools you enable
Claude Code, Claude Desktop, Cursor, VS Code, or another MCP-capable client
Existing Grafana datasources such as Prometheus, Loki, Tempo, CloudWatch, Elasticsearch, OpenSearch, or ClickHouse for query tools
The Grafana MCP server connects Claude and other MCP-capable clients to a
Grafana instance. It gives an assistant a structured way to query observability
data, inspect dashboards, work with alerting and incident workflows, and
generate accurate deeplinks back into Grafana.
This is a strong fit for teams that already use Grafana as their operations
hub. Instead of asking an assistant to guess URLs or invent PromQL, users can
give Claude access to Grafana-backed tools with explicit authentication,
transport, and RBAC boundaries.
The official quick-start path uses uvx mcp-grafana, but Grafana also documents
Docker, downloaded binary, source build, and Helm deployment options. Grafana
9.0 or later is required for full functionality.
Features
Query Prometheus metrics through Grafana datasources.
Query Loki logs and LogQL-backed metrics.
Inspect datasource metadata, labels, metric names, and query examples.
Search dashboards and fetch dashboard summaries, properties, panel queries,
and datasource details.
Generate Grafana deeplinks for dashboards, panels, Explore, time ranges, and
datasource-specific views.
List and manage Grafana alert rules, notification policies, contact points,
and related alerting configuration when permissions allow.
Work with Grafana Incident, Sift investigations, and Grafana OnCall resources
when those products and permissions are available.
Enable or disable tool groups so the MCP surface matches the team's risk
tolerance and Grafana setup.
Run locally over stdio with uvx, Docker, or a binary, or run as an HTTP
server with SSE or streamable HTTP transports.
Use Cases
Ask Claude to investigate a recent latency spike using Grafana metrics and
narrowed time windows.
Search dashboards and retrieve only the panels or JSON paths needed for a
specific incident review.
Generate Grafana Explore links for a Prometheus or Loki query without relying
on hand-built URLs.
Review alert rule state, routing, and notification policy context during an
incident.
Use Grafana Incident or OnCall context alongside logs and metrics when
triaging production issues.
Give an assistant read-only observability context while keeping dashboard and
alert writes disabled or out of scope.
Installation
Claude Code
Install uv and confirm uvx is available.
Create a Grafana service account token with only the permissions needed for
the tool groups you plan to use.
Add the MCP server with your Grafana URL and token:
Ask Claude to find the production API dashboard, summarize its panels, and show
which Prometheus and Loki datasources it uses.
Find dashboards related to the production API and summarize the panels and datasources.
Investigate a metric spike
Use the Prometheus tools with a specific datasource, time window, and metric
name instead of broad exploratory queries.
For the last 30 minutes, query the production Prometheus datasource for API p95 latency and error rate.
Review log patterns
Use Loki against a bounded time range and service label when looking for common
errors.
Check Loki logs for the checkout service over the last 15 minutes and group recurring error messages.
Generate a Grafana deeplink
Ask Claude to create a Grafana Explore link for a specific datasource query and
time range.
Create a Grafana Explore link for this Loki query over the incident window.
Security
Prefer service account token authentication over username and password for
automation.
Grant only the RBAC actions and scopes required for your enabled tools. Use
datasource, dashboard, folder, and team scopes where possible instead of broad
organization-wide access.
Start with read-only investigation workflows. Add write-capable dashboard,
alerting, incident, or annotation tools only when the operator has a clear
approval process.
Keep tokens in MCP environment configuration, not in prompts, chat history, or
checked-in files.
Review generated queries before running them against large production
datasources, especially when they include wide time ranges or unbounded label
selectors.
Troubleshooting
Claude cannot start the server
Confirm uvx is installed and available in the same environment that launches
your MCP client. If you use Docker, a downloaded binary, or Helm instead, update
the client configuration to match that runtime.
Authentication fails
Verify GRAFANA_URL points at the correct Grafana instance and that
GRAFANA_SERVICE_ACCOUNT_TOKEN belongs to a service account with the required
RBAC permissions.
Queries return permission errors
Check the service account role and scopes for the datasource, dashboard, folder,
alerting, or incident resource being accessed. A token can authenticate
successfully and still lack permission for a specific tool.
Responses are too large
Use dashboard summaries, specific dashboard properties, narrower time windows,
and more precise label filters before fetching full dashboard JSON or broad log
results.
Show that Grafana MCP Server for Claude is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/mcp/grafana-mcp-server)
How it compares
Grafana MCP Server for Claude side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
1 trust signal differ across this comparison (Submitter).
Official AWS Labs MCP server that gives troubleshooting agents task-oriented access to Amazon CloudWatch metrics, alarms, logs, and PromQL queries for AI-assisted root-cause analysis and remediation recommendations.
Query observability data, manage dashboards, and monitor your systems from Claude — run APL queries against datasets, list metrics, inspect monitors, and retrieve saved queries — with the official Axiom remote MCP server.
✓Scope the service account token to the smallest set of Grafana permissions needed for your workflow. Broad Editor-style access can query and change many dashboards, alert rules, incidents, annotations, and OnCall resources.
Disable write-capable or unused tool groups when you only need investigation. The server can expose operations for creating or updating dashboards, alert rules, incidents, annotations, and other Grafana resources.
Treat LLM-generated PromQL, LogQL, SQL, and TraceQL as suggestions. Review expensive or broad time-range queries before running them against production datasources.
Large dashboards and broad log queries can consume significant model context and Grafana query capacity. Prefer summaries, narrow time windows, and specific datasource scopes.
✓This server reads CloudWatch telemetry from your AWS account; scope the AWS credentials/profile to read-only CloudWatch access and the intended accounts and regions.
It is designed for observability and troubleshooting (metrics, alarms, logs, PromQL) and does not modify resources, but it can issue many CloudWatch read APIs that may incur AWS request costs.
Run it only on a trusted host, since it uses the local machine's AWS credentials to reach your account.
Some PromQL tooling is region-limited and may require enabling OTel enrichment (`aws cloudwatch start-otel-enrichment`); review the server docs before relying on it.
✓Prometheus MCP executes PromQL instant and range queries against the configured Prometheus endpoint.
Broad range queries, high-cardinality metric discovery, or repeated autonomous analysis can load Prometheus, remote storage, and network links.
Metrics can describe production systems, incidents, customer traffic, hostnames, Kubernetes namespaces, service names, deployment topology, and security-relevant labels.
`PROMETHEUS_URL_SSL_VERIFY=False` disables TLS verification and should not be used for production endpoints.
Protect `PROMETHEUS_PASSWORD`, `PROMETHEUS_TOKEN`, client certificate files, client key files, custom headers, and tenant IDs in MCP client configs and logs.
For Kubernetes use, review the Helm values, service exposure, ingress, ServiceMonitor, pod security context, and secret handling before deployment.
✓The MCP server includes dashboard management tools (create, update, delete) — review any write operations before confirming.
APL queries run against live datasets; complex queries over large time windows may be slow or consume significant dataset quota.
Privacy notes
✓Grafana query results may include production logs, metrics, traces, labels, dashboard JSON, alert rules, annotations, incident details, and OnCall data that become visible to the connected MCP client and model session.
Store GRAFANA_SERVICE_ACCOUNT_TOKEN outside prompts and source control. Pass it through MCP environment configuration or your client secret-management flow.
Logs and traces often contain user identifiers, request payloads, IP addresses, error messages, and other sensitive operational data; redact or avoid broad queries before sharing transcripts.
When routing through Grafana datasources, the MCP server uses Grafana's configured access path. Credential exposure depends on the server configuration, client logs, and what query results are returned.
✓Metric values, alarm states and history, log group contents, namespaces, dimensions, ARNs, and account/region metadata can be returned through tool calls and exposed to the model.
Queries and time ranges you ask about are sent to the CloudWatch APIs using your configured credentials; keep account identifiers and credentials out of public prompts, issues, and screenshots.
✓Tool calls can expose PromQL queries, metric names, labels, target metadata, scrape health, tenant IDs, service URLs, and query results to the MCP client and model context.
Returned metrics may include usernames, customer IDs, IP addresses, internal routes, hostnames, pod names, error messages, or other sensitive labels if present in Prometheus.
Prometheus credentials, authentication variables, and custom headers can appear in local config, shell history, Kubernetes secrets, logs, or crash reports if not handled carefully.
Prometheus UI links in query results can reveal internal URLs unless `PROMETHEUS_DISABLE_LINKS=True` is used.
✓Log data, traces, metrics, and monitor configurations from your Axiom datasets and organization are surfaced in Claude's context.
OAuth is the recommended authentication method — no API token is stored in your MCP configuration.
Prerequisites
uv and uvx available, or Docker, Helm, or the mcp-grafana binary installed
Grafana 9.0 or later for full functionality
Grafana Cloud or self-hosted Grafana instance reachable from the MCP server
Grafana service account token with RBAC permissions for the tools you enable
An AWS account with CloudWatch telemetry (metrics, alarms, and/or logs).
Python 3.10 or newer and `uv` / `uvx` installed (Astral) to run the package.
AWS credentials configured locally (for example via `aws configure` or `AWS_PROFILE`) with read access to the CloudWatch APIs you intend to use.
An MCP client that supports stdio servers; the server runs locally on the same host as the client.
Docker for the recommended container install path, or Kubernetes and Helm for cluster deployment.
A reachable Prometheus-compatible API endpoint in `PROMETHEUS_URL`.
Optional basic auth, bearer token, mutual TLS certificate, organization ID, or custom headers for protected and multi-tenant Prometheus deployments.
Review of Prometheus access policy, metric cardinality, retention, query limits, and incident-data handling before giving an agent query access.
An Axiom account — authenticate via OAuth when prompted in Claude Code, or generate an API token in Axiom settings.
An MCP client such as Claude Code or Claude Desktop.