UiPath Documentation
orchestrator
latest
false
Importante :
A localização de um conteúdo recém-publicado pode levar de 1 a 2 semanas para ficar disponível.

Guia do usuário do Orchestrator

Última atualização 22 de mai de 2026

Ground-to-cloud authentication

When MCP Servers run locally (using uipath run), authentication happens at two separate layers:

  • Runtime to cloud: the local runtime authenticates so that it can register the MCP Server with the cloud.
  • Client to cloud: external clients authenticate when they call the cloud-facing MCP Server endpoint.

Layer 1: runtime to cloud (server registration)

The uipath run command needs its own token to register the MCP Server with the cloud. This is the developer's authentication, the identity of the person running the server locally.

# Authenticate the runtime — interactive login
uipath auth

# Or authenticate the runtime — client credentials
uipath auth --client-id "..." \
  --client-secret "..." \
  --base-url "https://cloud.uipath.com/{org}/{tenant}" \
  --scope "OR.Default"

# Start the local server
uipath run mcp-server
# Authenticate the runtime — interactive login
uipath auth

# Or authenticate the runtime — client credentials
uipath auth --client-id "..." \
  --client-secret "..." \
  --base-url "https://cloud.uipath.com/{org}/{tenant}" \
  --scope "OR.Default"

# Start the local server
uipath run mcp-server

The runtime uses this token to establish a SignalR connection to the cloud and register the server's tools.

Layer 2: client to cloud (calling the server)

External clients (such as MCP Inspector, cURL, an IDE, or any HTTP client) authenticate to the cloud through any of the four standard methods described in MCP Server authentication. The URL is the same as for any other MCP Server:

https://cloud.uipath.com/{org}/{tenant}/agenthub_/mcp/{folderKey}/{slug}
https://cloud.uipath.com/{org}/{tenant}/agenthub_/mcp/{folderKey}/{slug}

How requests flow

The client's Bearer token never reaches the local runtime. The cloud validates the token and forwards only the MCP protocol message through Redis. The local runtime and the MCP Server process do not see the token.

Applicable MCP Server types

Ground-to-cloud authentication applies to MCP Server types that have a local runtime:

  • Self-hosted: always runs locally, always uses ground-to-cloud authentication.
  • Coded and Command: use ground-to-cloud authentication when run locally through uipath run during development. Once deployed to Orchestrator, they run as cloud jobs and no local runtime is involved.

Client credentials with local servers

When using client credentials with uipath run, set the UIPATH_FOLDER_KEY environment variable. The Python SDK's GetFoldersForCurrentUser call does not support client credentials. For details, see Known limitation: GetFoldersForCurrentUser.

Esta página foi útil?

Conectar

Precisa de ajuda? Suporte

Quer aprender? Academia UiPath

Tem perguntas? Fórum do UiPath

Fique por dentro das novidades