OpenSearch MCP Server
The official OpenSearch Project MCP server (opensearch-mcp-server-py) that lets AI assistants query and operate OpenSearch clusters — listing indices, reading mappings, running Query DSL and PPL searches, inspecting shards and cluster health — over stdio or streaming transports, with basic-auth, AWS IAM, and header-based authentication.
Open the source and read safety notes before installing.
Citation facts
Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.
- Canonical URL
- https://heyclau.de/entry/mcp/opensearch-mcp-server
- Source URLs
- https://github.com/opensearch-project/opensearch-mcp-server-py/blob/main/USER_GUIDE.md, https://github.com/opensearch-project/opensearch-mcp-server-py, https://opensearch.org/
- Brand
- OpenSearch MCP Server
- Brand domain
- opensearch.org
- Brand asset source
- brandfetch
- Safety notes
- Core tools are read/query-oriented, but the default-enabled GenericOpenSearchApiTool can call ANY OpenSearch API endpoint with a custom path, method, and body — including write and delete operations within the credential's permissions., Opt-in categories add mutating tools; for example the memory and agentic-memory tools can create and delete stored memories (including delete-by-query), and search-relevance tools can create and delete configurations, query sets, judgments, and experiments., Access is bounded by the OpenSearch credential and cluster RBAC, not by tool naming — scope the user/role to least privilege and prefer a non-production cluster when an agent acts autonomously., Dynamic connection parameters let an agent pass `opensearch_url` and auth values per tool call, so a single running server can be pointed at multiple clusters; restrict which endpoints and credentials are available to the agent., In streaming (SSE/Streamable HTTP) mode the server listens on a network port; do not expose it on a public interface without authentication in front of it.
- Privacy notes
- The server connects to your OpenSearch cluster with the credentials you supply; index documents, mappings, and search results it returns are passed to the LLM/MCP client and can include sensitive or PII fields stored in your indices., Cluster-introspection tools (shards, nodes, cluster state/health, allocation, hot threads, tasks) can expose infrastructure metadata such as node hosts, system metrics, and index settings., Credentials are provided via environment variables or per-call parameters — basic-auth passwords, AWS IAM role ARNs, and AWS profiles/keys — so keep client config out of version control and restrict access to it., Memory and agentic-memory tools persist agent-authored statements into OpenSearch; treat that stored content and any semantic enrichment as retained data.
- Author
- opensearch-project
- Submitted by
- davion-knight
- Claim status
- unclaimed
- Last verified
- 2026-07-07
Safety notes
- Core tools are read/query-oriented, but the default-enabled GenericOpenSearchApiTool can call ANY OpenSearch API endpoint with a custom path, method, and body — including write and delete operations within the credential's permissions.
- Opt-in categories add mutating tools; for example the memory and agentic-memory tools can create and delete stored memories (including delete-by-query), and search-relevance tools can create and delete configurations, query sets, judgments, and experiments.
- Access is bounded by the OpenSearch credential and cluster RBAC, not by tool naming — scope the user/role to least privilege and prefer a non-production cluster when an agent acts autonomously.
- Dynamic connection parameters let an agent pass `opensearch_url` and auth values per tool call, so a single running server can be pointed at multiple clusters; restrict which endpoints and credentials are available to the agent.
- In streaming (SSE/Streamable HTTP) mode the server listens on a network port; do not expose it on a public interface without authentication in front of it.
Privacy notes
- The server connects to your OpenSearch cluster with the credentials you supply; index documents, mappings, and search results it returns are passed to the LLM/MCP client and can include sensitive or PII fields stored in your indices.
- Cluster-introspection tools (shards, nodes, cluster state/health, allocation, hot threads, tasks) can expose infrastructure metadata such as node hosts, system metrics, and index settings.
- Credentials are provided via environment variables or per-call parameters — basic-auth passwords, AWS IAM role ARNs, and AWS profiles/keys — so keep client config out of version control and restrict access to it.
- Memory and agentic-memory tools persist agent-authored statements into OpenSearch; treat that stored content and any semantic enrichment as retained data.
Prerequisites
- Python 3.10 or newer and the `uv`/`uvx` package manager (or `pip install opensearch-mcp-server-py`)
- A reachable OpenSearch cluster — self-managed, Amazon OpenSearch Service, or OpenSearch Serverless
- Credentials for the chosen auth method — basic auth (username/password), AWS IAM role/profile, or header-based auth
- An MCP-compatible client (Claude Desktop, Claude Code, Cursor, Kiro, VS Code, etc.)
Schema details
- Install type
- cli
- Troubleshooting
- No
- Scope
- Source repo
- Website
- https://opensearch.org/
Full copyable content
{
"mcpServers": {
"opensearch-mcp-server": {
"command": "uvx",
"args": ["opensearch-mcp-server-py"],
"env": {
"OPENSEARCH_URL": "<your_opensearch_domain_url>",
"OPENSEARCH_USERNAME": "<your_username>",
"OPENSEARCH_PASSWORD": "<YOUR_PASSWORD>"
}
}
}
}
About this resource
Content
The OpenSearch MCP Server is the official Model Context Protocol server maintained by the OpenSearch Project. It bridges AI assistants and OpenSearch clusters — self-managed, Amazon OpenSearch Service, or OpenSearch Serverless — so an agent can list indices, read mappings, run Query DSL and PPL searches, inspect shards and cluster health, and call arbitrary OpenSearch APIs over both stdio and streaming (SSE / Streamable HTTP) transports.
The project is written in Python, distributed as the PyPI package
opensearch-mcp-server-py (v0.10.0, Python
>=3.10), and licensed under Apache 2.0. It supports single- and multi-cluster configurations and
multiple authentication methods (basic auth, AWS IAM roles, AWS credentials/profiles, and
header-based auth). Full documentation lives in the
USER_GUIDE.md.
Source Review
The following real repository and package sources were fetched and reviewed for this entry:
- README.md — install command, zero-config and env-var client config blocks, the core/opt-in tool catalog, tool categories, and transport support.
- USER_GUIDE.md — stdio vs streaming modes, single/multi-cluster (
--mode) setup, authentication methods, and per-cluster config. - PyPI: opensearch-mcp-server-py — package name and version (
0.10.0) andrequires_python >=3.10. - LICENSE.txt — Apache License 2.0.
Repository facts confirmed at review time: official opensearch-project organization, default branch
main, not archived, actively maintained, and released as opensearch-mcp-server-py v0.10.0 on PyPI.
Features
- Index discovery —
ListIndexToollists indices with docs counts and store sizes;IndexMappingToolreturns mappings and settings. - Search —
SearchIndexToolruns Query DSL,MsearchToolbatches multiple searches,CountToolcounts matches, andExplainToolexplains why a document matches. - Cluster inspection —
GetShardsToolandClusterHealthToolreport shard and cluster health; opt-in tools cover nodes, cluster state, segments, allocation, tasks, and query insights. - Generic API access —
GenericOpenSearchApiToolcalls any OpenSearch API endpoint with a custom path, method, query params, and body, reducing tool explosion. - Observability (opt-in) —
PPLQueryToolruns Piped Processing Language queries withjdbc/csv/rawoutput. - Search relevance (opt-in) — tools to create, search, and delete search configurations, query sets, judgment lists, and experiments (PAIRWISE_COMPARISON, POINTWISE_EVALUATION, HYBRID_OPTIMIZER).
- Agent memory (opt-in) — memory and agentic-memory tools give the agent persistent, semantically indexed memory backed by OpenSearch.
- Tool filtering — enable categories via
OPENSEARCH_ENABLED_CATEGORIESor a config file; only core tools are on by default. - Multiple transports & clusters —
stdio(default) or streaming (SSE / Streamable HTTP), and single- or multi-cluster via--mode single|multi. - Flexible auth — basic auth, AWS IAM roles, AWS credentials/profiles, header-based auth, and OpenSearch Serverless.
Installation
Run the published package with uvx (no clone required):
uvx opensearch-mcp-server-py
Add it to an MCP client (e.g. Claude Desktop's claude_desktop_config.json) with basic auth:
{
"mcpServers": {
"opensearch-mcp-server": {
"command": "uvx",
"args": ["opensearch-mcp-server-py"],
"env": {
"OPENSEARCH_URL": "<your_opensearch_domain_url>",
"OPENSEARCH_USERNAME": "<your_username>",
"OPENSEARCH_PASSWORD": "<YOUR_PASSWORD>"
}
}
}
}
Or run zero-config and let the agent pass connection details per tool call (useful for multi-cluster sessions):
{
"mcpServers": {
"opensearch": {
"command": "uvx",
"args": ["opensearch-mcp-server-py"]
}
}
}
Key environment variables
| Variable | Required | Purpose |
|---|---|---|
OPENSEARCH_URL |
Yes (unless passed per call) | Cluster endpoint, e.g. https://localhost:9200 |
OPENSEARCH_USERNAME / OPENSEARCH_PASSWORD |
For basic auth | Basic-auth credentials |
AWS_REGION |
For AWS IAM auth | AWS region of the managed domain |
AWS_IAM_ARN / AWS_PROFILE |
For AWS IAM auth | IAM role ARN or named AWS profile |
AWS_OPENSEARCH_SERVERLESS |
For Serverless | Target OpenSearch Serverless |
OPENSEARCH_ENABLED_CATEGORIES |
No | Enable opt-in tool categories (e.g. observability, search_relevance) |
Every connection parameter can also be supplied per tool call (opensearch_url, opensearch_username,
etc.), which overrides the environment — see the User Guide's Dynamic Connection Parameters.
Use Cases
- Conversational search — ask natural-language questions and have the agent build Query DSL or PPL against your indices.
- Index and mapping exploration — let an LLM enumerate indices, fields, and settings before writing queries or ingest pipelines.
- Cluster operations — inspect shard allocation, cluster health, nodes, and long-running tasks during triage.
- Search-relevance tuning (opt-in) — create query sets, judgment lists, and experiments to evaluate and optimize search configurations.
- Multi-cluster workflows — run one server in
--mode multiand let the agent target different clusters per request.
Safety and Privacy
- Generic API tool is powerful.
GenericOpenSearchApiToolcan call any OpenSearch endpoint, including write/delete operations, within the credential's permissions — treat it like direct cluster API access. - Opt-in tools mutate data. Memory/agentic-memory and search-relevance tools can create and delete stored objects (including delete-by-query); enable categories deliberately.
- RBAC is the boundary. Scope the OpenSearch user/role to least privilege; tool naming is not access control. Prefer a non-production cluster for autonomous agents.
- Data flows to the model. Documents, mappings, and search results are returned to the LLM/MCP client and can include PII; cluster-introspection tools expose infrastructure metadata.
- Credential hygiene. Basic-auth passwords, AWS IAM ARNs, and AWS profiles live in the client config or per-call parameters — keep config out of version control and restrict access.
- Network exposure. In streaming mode the server opens a port; do not bind it to a public interface without authentication in front of it.
Duplicate Check
No existing entry in the directory matches this server. A search of all directory entries for
"opensearch" across slugs, titles, repository URLs, and install commands returned no dedicated entry
(the term appears only inside unrelated servers that list OpenSearch as one supported datasource), and
there is no prior entry pointing at github.com/opensearch-project/opensearch-mcp-server-py or the
PyPI package opensearch-mcp-server-py. This is therefore a net-new, non-duplicate entry.
Source citations
Add this badge to your README
How it compares
OpenSearch MCP Server side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
1 trust signal differ across this comparison (Submitter).
| Field | The official OpenSearch Project MCP server (opensearch-mcp-server-py) that lets AI assistants query and operate OpenSearch clusters — listing indices, reading mappings, running Query DSL and PPL searches, inspecting shards and cluster health — over stdio or streaming transports, with basic-auth, AWS IAM, and header-based authentication. Open dossier | An MCP server from the official Couchbase-Ecosystem org that lets LLMs interact directly with Couchbase clusters — running SQL++/N1QL queries, performing document CRUD, discovering schema and data models, and analyzing query performance, with a read-only mode enabled by default. Open dossier | Official CircleCI MCP server that lets LLMs query build and test failures, detect flaky tests, check pipeline status, fetch build logs, and validate config in CircleCI through natural language. Open dossier | Django extension that exposes MCP endpoints and stdio transport for Django apps, with declarative model query tools, custom toolsets, DRF create/list/ update/delete tool publishing, serializer output, and MCP inspection. Open dossier |
|---|---|---|---|---|
| Next steps | ||||
| Trust | ||||
| Review status | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed |
| Package trust | Package not verified | Package not verified | Package not verified | Package not verified |
| Source provenance | Source-backed | Source-backed | Source-backed | Source-backed |
| SubmitterDiffers | davion-knight | — | — | oktofeesh1 |
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Brand | — | — | ||
| Category | mcp | mcp | mcp | mcp |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | opensearch-project | Couchbase-Ecosystem | CircleCI-Public | Smart GTS |
| Added | 2026-07-07 | 2026-06-11 | 2026-06-11 | 2026-06-06 |
| Platforms | Claude CodeCodexCursorClaude Desktop | Claude CodeClaude Desktop | Claude CodeClaude Desktop | Claude CodeClaude Desktop |
| Source repo | — | — | — | — |
| Safety notes | ✓Core tools are read/query-oriented, but the default-enabled GenericOpenSearchApiTool can call ANY OpenSearch API endpoint with a custom path, method, and body — including write and delete operations within the credential's permissions. Opt-in categories add mutating tools; for example the memory and agentic-memory tools can create and delete stored memories (including delete-by-query), and search-relevance tools can create and delete configurations, query sets, judgments, and experiments. Access is bounded by the OpenSearch credential and cluster RBAC, not by tool naming — scope the user/role to least privilege and prefer a non-production cluster when an agent acts autonomously. Dynamic connection parameters let an agent pass `opensearch_url` and auth values per tool call, so a single running server can be pointed at multiple clusters; restrict which endpoints and credentials are available to the agent. In streaming (SSE/Streamable HTTP) mode the server listens on a network port; do not expose it on a public interface without authentication in front of it. | ✓Read-only mode is ON by default (`CB_MCP_READ_ONLY_MODE=true`), which disables all KV write tools (upsert, insert, replace, delete) and blocks SQL++ modification queries. Setting `CB_MCP_READ_ONLY_MODE=false` exposes write tools that can insert, replace, upsert, and delete documents — and SQL++ statements can run arbitrary mutations within the user's permissions. SQL++/N1QL is a full query language; a sufficiently privileged connection can read, modify, or drop data, so scope database RBAC roles tightly to what the agent should touch. Tool gating via `CB_MCP_DISABLED_TOOLS` / `CB_MCP_CONFIRMATION_REQUIRED_TOOLS` is, per the README, an additional layer to guide LLM behavior and reduce attack surface — not the sole security control. Database RBAC is the authoritative boundary. In HTTP/SSE transport modes the server listens on a network port (default `127.0.0.1:8000`); avoid binding it to a public interface without authentication in front of it. | ✓The server runs locally via npx and is spawned by your MCP client; the published bin entrypoint is dist/index.js. Several tools take write/execution actions on your CI — run_pipeline, rerun_workflow, and run_rollback_pipeline can trigger pipelines, re-run workflows, and roll back deployed component versions. Review tool calls before approving them. In remote (HTTP/SSE) mode the server listens on a network port (default 8000); set REQUIRE_REQUEST_TOKEN=true to reject unauthenticated requests and avoid exposing it on untrusted networks. MAX_MCP_OUTPUT_LENGTH (default 50000) bounds response size; large log/artifact pulls are truncated rather than streamed in full. | ✓Django MCP Server can expose Django model querysets, custom Python methods, DRF create/list/update/delete views, serializers, resources, and low-level FastMCP tools to an MCP client. Published DRF create, update, and delete tools can mutate application data if their serializers, views, and authentication rules permit it. The README notes that built-in DRF authentication classes, permission classes, filter backends, and pagination are disabled for published DRF tools in favor of MCP authentication; review this carefully before reusing production views. Query tools can evaluate QuerySets and return database records; restrict queryset scope and fields before exposing sensitive models. Require confirmation and application-level authorization before exposing write tools, email-sending methods, admin-like actions, or tools that touch customer, employee, financial, health, or regulated data. |
| Privacy notes | ✓The server connects to your OpenSearch cluster with the credentials you supply; index documents, mappings, and search results it returns are passed to the LLM/MCP client and can include sensitive or PII fields stored in your indices. Cluster-introspection tools (shards, nodes, cluster state/health, allocation, hot threads, tasks) can expose infrastructure metadata such as node hosts, system metrics, and index settings. Credentials are provided via environment variables or per-call parameters — basic-auth passwords, AWS IAM role ARNs, and AWS profiles/keys — so keep client config out of version control and restrict access to it. Memory and agentic-memory tools persist agent-authored statements into OpenSearch; treat that stored content and any semantic enrichment as retained data. | ✓The server connects to your live Couchbase cluster with the credentials you supply; any document data, schema, and query results it returns are passed to the LLM/MCP client. Schema-discovery and CRUD tools can surface real records, including any sensitive or PII fields stored in your buckets, scopes, and collections. Performance-analysis tools read from the query monitoring catalog (e.g. completed/running queries), which can expose query text and parameters processed by the cluster. Credentials (connection string, username/password, or cert/key paths) are provided via environment variables in your MCP client config — store that config securely and avoid committing it. | ✓CIRCLECI_TOKEN is a personal API token that grants the LLM access to your CircleCI projects, build logs, test results, artifacts, and usage data — treat it as a secret and scope it appropriately. Build failure logs, test output, and artifacts retrieved by the tools are passed to your LLM/model provider; avoid exposing pipelines containing sensitive secrets or data. download_usage_api_data and find_underused_resource_classes surface organization-level CircleCI usage and resource metrics. Telemetry is collected by default; set DISABLE_TELEMETRY=true to opt out. | ✓Django sessions, request headers, model names, field names, primary keys, QuerySet results, serializer output, DRF request bodies, custom tool arguments, and tool responses can be exposed to the MCP client. Exposed models may contain user accounts, permissions, customer records, orders, messages, files, logs, internal notes, audit trails, or application-specific secrets. Remote streamable HTTP deployments can move application data outside the original Django UI and audit path if MCP auth, OAuth metadata, and retention are not configured correctly. Stdio usage can still expose data through local MCP client logs, transcripts, and tool traces. Keep MCP endpoint access, serializer fields, queryset filters, and tool docstrings intentionally narrow for each app. |
| Prerequisites |
|
|
|
|
| Install | | | | |
| Config | | | | |
| Citations | ||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
Related guides
Source-backed guides for putting this to work.
Auditing MCP Client Configuration Before Team Rollout
Audit MCP client configuration before sharing it with a team.
Signals
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.