Manage Access to the Real-Time Context Engine in Confluent Cloud

You control access to the Real-Time Context Engine through Confluent Cloud role-based access control (RBAC) and authentication credentials. You use Confluent Cloud roles to control who can enable topics and who can query data.

Roles and permissions

You need different permissions for managing topics and querying data.

Managing topics

Managing topics includes enabling and disabling the Real-Time Context Engine on a topic and editing the topic’s table description. You need one of the following roles to manage topics:

• OrganizationAdmin

• EnvironmentAdmin

• CloudClusterAdmin

These roles also grant permissions to query data.

Querying data

Querying data includes listing topics, running queries, and retrieving topic metadata. The following table shows which query operations each role can perform.

Role	Scope	List topics	Query data	Get metadata
OrganizationAdmin	Organization	Yes	Yes	Yes
EnvironmentAdmin	Environment	Yes	Yes	Yes
CloudClusterAdmin	Cluster	Yes	Yes	Yes
DeveloperRead	Cluster	Yes	Yes	Yes
DeveloperRead	Topic	No	Yes	No
SchemaRegistryRead	Schema Registry	Yes	No	Yes
ResourceOwner	Topic	Yes	No	No
OrganizationOperator	Organization	Yes	No	No
EnvironmentOperator	Environment	Yes	No	No
CloudClusterOperator	Cluster	Yes	No	No
DeveloperManage	Cluster	Yes	No	No

These operations correspond to the following MCP tools:

• List topics: list_topics

• Query data: query_data

• Get metadata: get_metadata

You can only query data from topics you already have permission to read in Kafka.

Authentication

You can authenticate with the Real-Time Context Engine using a Global API key or OAuth.

Use a Global API key

You can use a Global API key to access the Real-Time Context Engine with HTTP Basic authentication. A Global API key supports both managing topics and querying data.

If you only need to manage topics (enable, disable, or edit topic table descriptions), you can use a Cloud API key instead of a Global API key.

Note

You can use Global API keys with the Real-Time Context Engine on all supported cluster types, including Basic and Standard. Although Global API keys do not support direct Kafka authentication on Basic and Standard clusters, this limitation does not apply to the Real-Time Context Engine because the Real-Time Context Engine authenticates with Kafka internally.

To create a Global API key and generate the Base64 token for authentication, see Get Started.

Use OAuth

You can authenticate with the Real-Time Context Engine MCP server using OAuth 2.0 with the client credentials flow. With OAuth, your MCP client authenticates with an identity provider instead of a static API key.

Prerequisites

Before you configure OAuth for the Real-Time Context Engine, you need the following:

• An OAuth identity provider configured in Confluent Cloud. For setup instructions, see Add an identity provider.

• An identity pool created for the identity provider. For setup instructions, see Add an identity pool.

• The DeveloperRead role granted to the identity pool on the Kafka cluster.

• The SchemaRegistryRead role granted to the identity pool on the Schema Registry cluster.

Configure an MCP client with OAuth

Connecting with OAuth requires two steps: register the Real-Time Context Engine MCP server with your identity pool ID, and then complete the OAuth token exchange to obtain a bearer token.

Step 1: Register the MCP server

Register the Real-Time Context Engine MCP server with your MCP client and include the Confluent-Identity-Pool-Id header.

The following command registers the server in Claude Code, using confluent-rtce as the server name:

claude mcp add --transport http confluent-rtce \
  "https://mcp.<REGION>.aws.confluent.cloud/mcp/v1/context-engine/organizations/<ORG_ID>/environments/<ENV_ID>/kafka-clusters/<LKC_ID>" \
  --header "Confluent-Identity-Pool-Id: <IDENTITY_POOL_ID>"

For MCP clients that use a JSON configuration file, add the following entry:

{
  "mcpServers": {
    "confluent-rtce": {
      "url": "https://mcp.<REGION>.aws.confluent.cloud/mcp/v1/context-engine/organizations/<ORG_ID>/environments/<ENV_ID>/kafka-clusters/<LKC_ID>",
      "headers": {
        "Confluent-Identity-Pool-Id": "<IDENTITY_POOL_ID>"
      }
    }
  }
}

Replace the following values:

• <REGION>: The AWS region of your cluster (for example, us-east-1).

• <ORG_ID>: Your Confluent Cloud organization ID.

• <ENV_ID>: Your Confluent Cloud environment ID.

• <LKC_ID>: Your Kafka cluster ID.

• <IDENTITY_POOL_ID>: The ID of the identity pool to use for authentication.

Step 2: Complete the OAuth token exchange

After you register the MCP server, you need to obtain a bearer token from your identity provider and add it to the MCP server configuration. The token exchange uses the following flow:

1. Send a request to the Real-Time Context Engine MCP server.

2. The server responds with a 401 status and a WWW-Authenticate header that contains the authorization server URL.

3. Exchange your client credentials (client_id and client_secret) with the authorization server for a bearer token.

4. Add the bearer token to the Authorization header in your MCP server configuration.

How you complete this flow depends on your MCP client.

For more information about OAuth in Confluent Cloud, see OAuth overview.

Related content

• Get Started - API key creation and first query.

• Manage Topics - Enable, disable, and configure topics.

• OAuth overview - Full OAuth documentation for Confluent Cloud.

• Add an identity provider - Configure an OAuth identity provider.

• Add an identity pool - Create and configure identity pools.

Note

This website includes content developed at the Apache Software Foundation under the terms of the Apache License v2.