Skip to main content
mcpSource-backedReview first Safety Privacy
OpenSearch MCP Server logo

OpenSearch MCP Server

The official OpenSearch Project MCP server (opensearch-mcp-server-py) that lets AI assistants query and operate OpenSearch clusters — listing indices, reading mappings, running Query DSL and PPL searches, inspecting shards and cluster health — over stdio or streaming transports, with basic-auth, AWS IAM, and header-based authentication.

HarnessClaude CodeCodexCursorClaude Desktop
Review first review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs
https://github.com/opensearch-project/opensearch-mcp-server-py/blob/main/USER_GUIDE.md, https://github.com/opensearch-project/opensearch-mcp-server-py, https://opensearch.org/
Brand
OpenSearch MCP Server
Brand domain
opensearch.org
Brand asset source
brandfetch
Safety notes
Core tools are read/query-oriented, but the default-enabled GenericOpenSearchApiTool can call ANY OpenSearch API endpoint with a custom path, method, and body — including write and delete operations within the credential's permissions., Opt-in categories add mutating tools; for example the memory and agentic-memory tools can create and delete stored memories (including delete-by-query), and search-relevance tools can create and delete configurations, query sets, judgments, and experiments., Access is bounded by the OpenSearch credential and cluster RBAC, not by tool naming — scope the user/role to least privilege and prefer a non-production cluster when an agent acts autonomously., Dynamic connection parameters let an agent pass `opensearch_url` and auth values per tool call, so a single running server can be pointed at multiple clusters; restrict which endpoints and credentials are available to the agent., In streaming (SSE/Streamable HTTP) mode the server listens on a network port; do not expose it on a public interface without authentication in front of it.
Privacy notes
The server connects to your OpenSearch cluster with the credentials you supply; index documents, mappings, and search results it returns are passed to the LLM/MCP client and can include sensitive or PII fields stored in your indices., Cluster-introspection tools (shards, nodes, cluster state/health, allocation, hot threads, tasks) can expose infrastructure metadata such as node hosts, system metrics, and index settings., Credentials are provided via environment variables or per-call parameters — basic-auth passwords, AWS IAM role ARNs, and AWS profiles/keys — so keep client config out of version control and restrict access to it., Memory and agentic-memory tools persist agent-authored statements into OpenSearch; treat that stored content and any semantic enrichment as retained data.
Author
opensearch-project
Submitted by
davion-knight
Claim status
unclaimed
Last verified
2026-07-07

Safety notes

  • Core tools are read/query-oriented, but the default-enabled GenericOpenSearchApiTool can call ANY OpenSearch API endpoint with a custom path, method, and body — including write and delete operations within the credential's permissions.
  • Opt-in categories add mutating tools; for example the memory and agentic-memory tools can create and delete stored memories (including delete-by-query), and search-relevance tools can create and delete configurations, query sets, judgments, and experiments.
  • Access is bounded by the OpenSearch credential and cluster RBAC, not by tool naming — scope the user/role to least privilege and prefer a non-production cluster when an agent acts autonomously.
  • Dynamic connection parameters let an agent pass `opensearch_url` and auth values per tool call, so a single running server can be pointed at multiple clusters; restrict which endpoints and credentials are available to the agent.
  • In streaming (SSE/Streamable HTTP) mode the server listens on a network port; do not expose it on a public interface without authentication in front of it.

Privacy notes

  • The server connects to your OpenSearch cluster with the credentials you supply; index documents, mappings, and search results it returns are passed to the LLM/MCP client and can include sensitive or PII fields stored in your indices.
  • Cluster-introspection tools (shards, nodes, cluster state/health, allocation, hot threads, tasks) can expose infrastructure metadata such as node hosts, system metrics, and index settings.
  • Credentials are provided via environment variables or per-call parameters — basic-auth passwords, AWS IAM role ARNs, and AWS profiles/keys — so keep client config out of version control and restrict access to it.
  • Memory and agentic-memory tools persist agent-authored statements into OpenSearch; treat that stored content and any semantic enrichment as retained data.

Prerequisites

  • Python 3.10 or newer and the `uv`/`uvx` package manager (or `pip install opensearch-mcp-server-py`)
  • A reachable OpenSearch cluster — self-managed, Amazon OpenSearch Service, or OpenSearch Serverless
  • Credentials for the chosen auth method — basic auth (username/password), AWS IAM role/profile, or header-based auth
  • An MCP-compatible client (Claude Desktop, Claude Code, Cursor, Kiro, VS Code, etc.)

Schema details

Install type
cli
Troubleshooting
No
Source repository stats
Scope
Source repo
Tool listing metadata
Full copyable content
{
  "mcpServers": {
    "opensearch-mcp-server": {
      "command": "uvx",
      "args": ["opensearch-mcp-server-py"],
      "env": {
        "OPENSEARCH_URL": "<your_opensearch_domain_url>",
        "OPENSEARCH_USERNAME": "<your_username>",
        "OPENSEARCH_PASSWORD": "<YOUR_PASSWORD>"
      }
    }
  }
}

About this resource

Content

The OpenSearch MCP Server is the official Model Context Protocol server maintained by the OpenSearch Project. It bridges AI assistants and OpenSearch clusters — self-managed, Amazon OpenSearch Service, or OpenSearch Serverless — so an agent can list indices, read mappings, run Query DSL and PPL searches, inspect shards and cluster health, and call arbitrary OpenSearch APIs over both stdio and streaming (SSE / Streamable HTTP) transports.

The project is written in Python, distributed as the PyPI package opensearch-mcp-server-py (v0.10.0, Python >=3.10), and licensed under Apache 2.0. It supports single- and multi-cluster configurations and multiple authentication methods (basic auth, AWS IAM roles, AWS credentials/profiles, and header-based auth). Full documentation lives in the USER_GUIDE.md.

Source Review

The following real repository and package sources were fetched and reviewed for this entry:

  • README.md — install command, zero-config and env-var client config blocks, the core/opt-in tool catalog, tool categories, and transport support.
  • USER_GUIDE.md — stdio vs streaming modes, single/multi-cluster (--mode) setup, authentication methods, and per-cluster config.
  • PyPI: opensearch-mcp-server-py — package name and version (0.10.0) and requires_python >=3.10.
  • LICENSE.txt — Apache License 2.0.

Repository facts confirmed at review time: official opensearch-project organization, default branch main, not archived, actively maintained, and released as opensearch-mcp-server-py v0.10.0 on PyPI.

Features

  • Index discoveryListIndexTool lists indices with docs counts and store sizes; IndexMappingTool returns mappings and settings.
  • SearchSearchIndexTool runs Query DSL, MsearchTool batches multiple searches, CountTool counts matches, and ExplainTool explains why a document matches.
  • Cluster inspectionGetShardsTool and ClusterHealthTool report shard and cluster health; opt-in tools cover nodes, cluster state, segments, allocation, tasks, and query insights.
  • Generic API accessGenericOpenSearchApiTool calls any OpenSearch API endpoint with a custom path, method, query params, and body, reducing tool explosion.
  • Observability (opt-in)PPLQueryTool runs Piped Processing Language queries with jdbc/csv/raw output.
  • Search relevance (opt-in) — tools to create, search, and delete search configurations, query sets, judgment lists, and experiments (PAIRWISE_COMPARISON, POINTWISE_EVALUATION, HYBRID_OPTIMIZER).
  • Agent memory (opt-in) — memory and agentic-memory tools give the agent persistent, semantically indexed memory backed by OpenSearch.
  • Tool filtering — enable categories via OPENSEARCH_ENABLED_CATEGORIES or a config file; only core tools are on by default.
  • Multiple transports & clustersstdio (default) or streaming (SSE / Streamable HTTP), and single- or multi-cluster via --mode single|multi.
  • Flexible auth — basic auth, AWS IAM roles, AWS credentials/profiles, header-based auth, and OpenSearch Serverless.

Installation

Run the published package with uvx (no clone required):

uvx opensearch-mcp-server-py

Add it to an MCP client (e.g. Claude Desktop's claude_desktop_config.json) with basic auth:

{
  "mcpServers": {
    "opensearch-mcp-server": {
      "command": "uvx",
      "args": ["opensearch-mcp-server-py"],
      "env": {
        "OPENSEARCH_URL": "<your_opensearch_domain_url>",
        "OPENSEARCH_USERNAME": "<your_username>",
        "OPENSEARCH_PASSWORD": "<YOUR_PASSWORD>"
      }
    }
  }
}

Or run zero-config and let the agent pass connection details per tool call (useful for multi-cluster sessions):

{
  "mcpServers": {
    "opensearch": {
      "command": "uvx",
      "args": ["opensearch-mcp-server-py"]
    }
  }
}

Key environment variables

Variable Required Purpose
OPENSEARCH_URL Yes (unless passed per call) Cluster endpoint, e.g. https://localhost:9200
OPENSEARCH_USERNAME / OPENSEARCH_PASSWORD For basic auth Basic-auth credentials
AWS_REGION For AWS IAM auth AWS region of the managed domain
AWS_IAM_ARN / AWS_PROFILE For AWS IAM auth IAM role ARN or named AWS profile
AWS_OPENSEARCH_SERVERLESS For Serverless Target OpenSearch Serverless
OPENSEARCH_ENABLED_CATEGORIES No Enable opt-in tool categories (e.g. observability, search_relevance)

Every connection parameter can also be supplied per tool call (opensearch_url, opensearch_username, etc.), which overrides the environment — see the User Guide's Dynamic Connection Parameters.

Use Cases

  • Conversational search — ask natural-language questions and have the agent build Query DSL or PPL against your indices.
  • Index and mapping exploration — let an LLM enumerate indices, fields, and settings before writing queries or ingest pipelines.
  • Cluster operations — inspect shard allocation, cluster health, nodes, and long-running tasks during triage.
  • Search-relevance tuning (opt-in) — create query sets, judgment lists, and experiments to evaluate and optimize search configurations.
  • Multi-cluster workflows — run one server in --mode multi and let the agent target different clusters per request.

Safety and Privacy

  • Generic API tool is powerful. GenericOpenSearchApiTool can call any OpenSearch endpoint, including write/delete operations, within the credential's permissions — treat it like direct cluster API access.
  • Opt-in tools mutate data. Memory/agentic-memory and search-relevance tools can create and delete stored objects (including delete-by-query); enable categories deliberately.
  • RBAC is the boundary. Scope the OpenSearch user/role to least privilege; tool naming is not access control. Prefer a non-production cluster for autonomous agents.
  • Data flows to the model. Documents, mappings, and search results are returned to the LLM/MCP client and can include PII; cluster-introspection tools expose infrastructure metadata.
  • Credential hygiene. Basic-auth passwords, AWS IAM ARNs, and AWS profiles live in the client config or per-call parameters — keep config out of version control and restrict access.
  • Network exposure. In streaming mode the server opens a port; do not bind it to a public interface without authentication in front of it.

Duplicate Check

No existing entry in the directory matches this server. A search of all directory entries for "opensearch" across slugs, titles, repository URLs, and install commands returned no dedicated entry (the term appears only inside unrelated servers that list OpenSearch as one supported datasource), and there is no prior entry pointing at github.com/opensearch-project/opensearch-mcp-server-py or the PyPI package opensearch-mcp-server-py. This is therefore a net-new, non-duplicate entry.

Source citations

Add this badge to your README

Show that OpenSearch MCP Server is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/mcp/opensearch-mcp-server.svg)](https://heyclau.de/entry/mcp/opensearch-mcp-server)

How it compares

OpenSearch MCP Server side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

1 trust signal differ across this comparison (Submitter).

Field

The official OpenSearch Project MCP server (opensearch-mcp-server-py) that lets AI assistants query and operate OpenSearch clusters — listing indices, reading mappings, running Query DSL and PPL searches, inspecting shards and cluster health — over stdio or streaming transports, with basic-auth, AWS IAM, and header-based authentication.

Open dossier

An MCP server from the official Couchbase-Ecosystem org that lets LLMs interact directly with Couchbase clusters — running SQL++/N1QL queries, performing document CRUD, discovering schema and data models, and analyzing query performance, with a read-only mode enabled by default.

Open dossier

Official CircleCI MCP server that lets LLMs query build and test failures, detect flaky tests, check pipeline status, fetch build logs, and validate config in CircleCI through natural language.

Open dossier

Django extension that exposes MCP endpoints and stdio transport for Django apps, with declarative model query tools, custom toolsets, DRF create/list/ update/delete tool publishing, serializer output, and MCP inspection.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustPackage not verifiedPackage not verifiedPackage not verifiedPackage not verified
Source provenanceSource-backedSource-backedSource-backedSource-backed
SubmitterDiffersdavion-knightoktofeesh1
Install riskReview firstReview firstReview firstReview first
Notes Safety Privacy Safety Privacy Safety Privacy Safety Privacy
BrandOpenSearch MCP Server logoOpenSearch MCP ServerDjango MCP Server logoDjango MCP Server
Categorymcpmcpmcpmcp
Sourcesource-backedsource-backedsource-backedsource-backed
Authoropensearch-projectCouchbase-EcosystemCircleCI-PublicSmart GTS
Added2026-07-072026-06-112026-06-112026-06-06
Platforms
Claude CodeCodexCursorClaude Desktop
Claude CodeClaude Desktop
Claude CodeClaude Desktop
Claude CodeClaude Desktop
Source repo
Safety notesCore tools are read/query-oriented, but the default-enabled GenericOpenSearchApiTool can call ANY OpenSearch API endpoint with a custom path, method, and body — including write and delete operations within the credential's permissions. Opt-in categories add mutating tools; for example the memory and agentic-memory tools can create and delete stored memories (including delete-by-query), and search-relevance tools can create and delete configurations, query sets, judgments, and experiments. Access is bounded by the OpenSearch credential and cluster RBAC, not by tool naming — scope the user/role to least privilege and prefer a non-production cluster when an agent acts autonomously. Dynamic connection parameters let an agent pass `opensearch_url` and auth values per tool call, so a single running server can be pointed at multiple clusters; restrict which endpoints and credentials are available to the agent. In streaming (SSE/Streamable HTTP) mode the server listens on a network port; do not expose it on a public interface without authentication in front of it.Read-only mode is ON by default (`CB_MCP_READ_ONLY_MODE=true`), which disables all KV write tools (upsert, insert, replace, delete) and blocks SQL++ modification queries. Setting `CB_MCP_READ_ONLY_MODE=false` exposes write tools that can insert, replace, upsert, and delete documents — and SQL++ statements can run arbitrary mutations within the user's permissions. SQL++/N1QL is a full query language; a sufficiently privileged connection can read, modify, or drop data, so scope database RBAC roles tightly to what the agent should touch. Tool gating via `CB_MCP_DISABLED_TOOLS` / `CB_MCP_CONFIRMATION_REQUIRED_TOOLS` is, per the README, an additional layer to guide LLM behavior and reduce attack surface — not the sole security control. Database RBAC is the authoritative boundary. In HTTP/SSE transport modes the server listens on a network port (default `127.0.0.1:8000`); avoid binding it to a public interface without authentication in front of it.The server runs locally via npx and is spawned by your MCP client; the published bin entrypoint is dist/index.js. Several tools take write/execution actions on your CI — run_pipeline, rerun_workflow, and run_rollback_pipeline can trigger pipelines, re-run workflows, and roll back deployed component versions. Review tool calls before approving them. In remote (HTTP/SSE) mode the server listens on a network port (default 8000); set REQUIRE_REQUEST_TOKEN=true to reject unauthenticated requests and avoid exposing it on untrusted networks. MAX_MCP_OUTPUT_LENGTH (default 50000) bounds response size; large log/artifact pulls are truncated rather than streamed in full.Django MCP Server can expose Django model querysets, custom Python methods, DRF create/list/update/delete views, serializers, resources, and low-level FastMCP tools to an MCP client. Published DRF create, update, and delete tools can mutate application data if their serializers, views, and authentication rules permit it. The README notes that built-in DRF authentication classes, permission classes, filter backends, and pagination are disabled for published DRF tools in favor of MCP authentication; review this carefully before reusing production views. Query tools can evaluate QuerySets and return database records; restrict queryset scope and fields before exposing sensitive models. Require confirmation and application-level authorization before exposing write tools, email-sending methods, admin-like actions, or tools that touch customer, employee, financial, health, or regulated data.
Privacy notesThe server connects to your OpenSearch cluster with the credentials you supply; index documents, mappings, and search results it returns are passed to the LLM/MCP client and can include sensitive or PII fields stored in your indices. Cluster-introspection tools (shards, nodes, cluster state/health, allocation, hot threads, tasks) can expose infrastructure metadata such as node hosts, system metrics, and index settings. Credentials are provided via environment variables or per-call parameters — basic-auth passwords, AWS IAM role ARNs, and AWS profiles/keys — so keep client config out of version control and restrict access to it. Memory and agentic-memory tools persist agent-authored statements into OpenSearch; treat that stored content and any semantic enrichment as retained data.The server connects to your live Couchbase cluster with the credentials you supply; any document data, schema, and query results it returns are passed to the LLM/MCP client. Schema-discovery and CRUD tools can surface real records, including any sensitive or PII fields stored in your buckets, scopes, and collections. Performance-analysis tools read from the query monitoring catalog (e.g. completed/running queries), which can expose query text and parameters processed by the cluster. Credentials (connection string, username/password, or cert/key paths) are provided via environment variables in your MCP client config — store that config securely and avoid committing it.CIRCLECI_TOKEN is a personal API token that grants the LLM access to your CircleCI projects, build logs, test results, artifacts, and usage data — treat it as a secret and scope it appropriately. Build failure logs, test output, and artifacts retrieved by the tools are passed to your LLM/model provider; avoid exposing pipelines containing sensitive secrets or data. download_usage_api_data and find_underused_resource_classes surface organization-level CircleCI usage and resource metrics. Telemetry is collected by default; set DISABLE_TELEMETRY=true to opt out.Django sessions, request headers, model names, field names, primary keys, QuerySet results, serializer output, DRF request bodies, custom tool arguments, and tool responses can be exposed to the MCP client. Exposed models may contain user accounts, permissions, customer records, orders, messages, files, logs, internal notes, audit trails, or application-specific secrets. Remote streamable HTTP deployments can move application data outside the original Django UI and audit path if MCP auth, OAuth metadata, and retention are not configured correctly. Stdio usage can still expose data through local MCP client logs, transcripts, and tool traces. Keep MCP endpoint access, serializer fields, queryset filters, and tool docstrings intentionally narrow for each app.
Prerequisites
  • Python 3.10 or newer and the `uv`/`uvx` package manager (or `pip install opensearch-mcp-server-py`)
  • A reachable OpenSearch cluster — self-managed, Amazon OpenSearch Service, or OpenSearch Serverless
  • Credentials for the chosen auth method — basic auth (username/password), AWS IAM role/profile, or header-based auth
  • An MCP-compatible client (Claude Desktop, Claude Code, Cursor, Kiro, VS Code, etc.)
  • Python 3.10+ (the package supports >=3.10,<3.15)
  • The `uv`/`uvx` package manager (or Docker as an alternative runtime)
  • A running Couchbase cluster (self-managed or Couchbase Capella, including the free tier)
  • Cluster credentials — either username/password or an mTLS client certificate and key
  • Node.js >= 18.0.0
  • A CircleCI Personal API token from https://app.circleci.com/settings/user/tokens
  • An MCP-compatible client (Cursor, VS Code, Claude Desktop, Windsurf, Copilot, or similar)
  • CircleCI projects you follow / have access to with the supplied token
  • Django 4 or 5 application with Python 3.10 or newer.
  • mcp_server added to INSTALLED_APPS and mcp_server.urls included in the Django URL configuration.
  • Review of which Django models, querysets, custom methods, DRF views, serializers, and request context should be exposed to MCP clients.
  • Authentication classes configured through DJANGO_MCP_AUTHENTICATION_CLASSES before exposing non-public data over streamable HTTP.
Install
uvx opensearch-mcp-server-py
uvx couchbase-mcp-server
npx -y @circleci/mcp-server-circleci@latest
pip install django-mcp-server
Config
{
  "mcpServers": {
    "opensearch": {
      "command": "uvx",
      "args": ["opensearch-mcp-server-py"]
    }
  }
}
{
  "mcpServers": {
    "couchbase": {
      "command": "uvx",
      "args": ["couchbase-mcp-server"],
      "env": {
        "CB_CONNECTION_STRING": "couchbases://connection-string",
        "CB_USERNAME": "username",
        "CB_PASSWORD": "password",
        "CB_MCP_READ_ONLY_MODE": "true",
        "CB_MCP_TRANSPORT": "stdio",
        "CB_MCP_DISABLED_TOOLS": "upsert_document_by_id,delete_document_by_id"
      }
    }
  }
}
{
  "mcpServers": {
    "circleci-mcp-server": {
      "command": "npx",
      "args": ["-y", "@circleci/mcp-server-circleci@latest"],
      "env": {
        "CIRCLECI_TOKEN": "your-circleci-token",
        "CIRCLECI_BASE_URL": "https://circleci.com"
      }
    }
  }
}
{
  "mcpServers": {
    "django": {
      "command": "python",
      "args": [
        "manage.py",
        "stdio_server"
      ],
      "type": "stdio"
    }
  }
}
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.