
Jenkins MCP Server Plugin
OfficialOfficial Jenkins plugin that turns your controller into an MCP server — agents query jobs, trigger builds, read logs.
Add to your client
Copy the config for your MCP client and paste it into its config file.
claude mcp add jenkins http://jenkins-host/mcp-server/mcp --transport http --header "Authorization: Basic <user:token base64>"Paste into ~/Library/Application Support/Claude/claude_desktop_config.json
{
"mcpServers": {
"jenkins-mcp-server-plugin": {
"command": "npx",
"args": [
"-y",
"mcp-remote",
"https://<your-jenkins-host>/mcp-server/mcp",
"--header",
"Authorization: Basic <base64 of username:api-token>"
]
}
}
}Claude Desktop connects to remote servers through the `mcp-remote` proxy (installed on first run via npx). Restart Claude Desktop after saving.
Step-by-step guides: Add to Claude Desktop · Add to Cursor · Add to Windsurf
Before you start
- Jenkins 2.533 or newer with the MCP Server plugin installed from the Plugin Manager
- A Jenkins API token: user icon → Security → Add new token
- Base64-encode username:token for the Authorization header (echo -n "<username>:<token>" | base64)
About Jenkins MCP Server Plugin
The plugin embeds an MCP server directly in the Jenkins controller: an Endpoint component handles transport and routing, DefaultMcpServer contributes the built-in tools, and McpToolWrapper turns annotated Java methods into MCP tools. Installation is the whole setup — endpoints and tools register automatically, and behavior is tuned through system properties (log-line limits, keep-alive interval, per-transport disable flags).
Three transports ship enabled: streamable HTTP at /mcp-server/mcp (recommended — handles connection issues most gracefully), SSE at /mcp-server/sse (the README notes GitHub Copilot currently works better here), and a stateless endpoint at /mcp-server/stateless for clients that make independent requests without sessions. Connection resilience got real engineering attention: 30-second keep-alives, an unauthenticated /mcp-health endpoint returning 503 with Retry-After during shutdown, an authenticated /mcp-server/metrics endpoint, and documented Jetty (--httpKeepAliveTimeout=600000) and Nginx timeout settings to avoid proxies killing long-lived streams.
The build-log tooling is the standout for agent use: getBuildLog reads non-blocking snapshots of in-progress builds with cursor pagination (every response carries a nextCursor bound to that job+build), supports end-relative reads via negative skip/limit, and searchBuildLog scans for string or regex matches with a maxMatches cap — practical when an agent needs the failing stanza of a 100k-line log without blowing its context. rebuildBuild, getReplayScripts, and replayBuild close the loop by letting the agent re-run a Pipeline with an edited script.
Trade-offs: it runs inside the controller, so a misconfigured agent hits your CI directly with the token user's permissions — scope a dedicated user if you can. Origin-header validation is off by default (for agent compatibility) and must be enabled explicitly for production. There's no job create/delete tooling, which is arguably a feature.
Tools & capabilities (18)
getJobGet a Jenkins job by its full path
getJobsPaginated list of Jenkins jobs sorted by name
triggerBuildTrigger a build, with JSON parameters for parameterized jobs
getQueueItemGet information about a queued item by ID
getBuildRetrieve a specific build or the last build of a job
updateBuildUpdate a build's display name and/or description
getBuildLogRead build log lines with cursor pagination and end-relative reads
searchBuildLogSearch build logs for a string or regex pattern
rebuildBuildRe-run a build with the same parameters
getReplayScriptsGet main and loaded scripts of a replayable Pipeline build
replayBuildRun a Pipeline build again with a modified script
getTestResultsRetrieve test results of a specific or last build
getJobScmSCM configuration of a Jenkins job
getBuildScmSCM configuration of a specific build
getBuildChangeSetsChange log sets of a specific build
findJobsWithScmUrlFind jobs using a specific git repository URL
whoAmIInformation about the current authenticated user
getStatusHealth and readiness status of the Jenkins instance
When to use it
- Debug a failing build in chat: fetch the build, search its log for the error, pull test results and change sets
- Trigger parameterized builds with branch/env parameters from your IDE agent
- Replay a Pipeline with an agent-edited Jenkinsfile script to verify a fix before committing
- Map which jobs build a given repository with findJobsWithScmUrl during migrations
Quick setup
- 1Install the "MCP Server" plugin from the Jenkins Plugin Manager (requires Jenkins 2.533+); no further configuration is needed
- 2Generate an API token: user icon → Security → Add new token, and copy it immediately
- 3Encode credentials: echo -n "<username>:<token>" | base64
- 4Point your MCP client at https://<jenkins-host>/mcp-server/mcp with header Authorization: Basic <encoded> (use /mcp-server/sse for GitHub Copilot)
- 5Test with "get the last build status of job <name>"
Security notes
Endpoints honor normal Jenkins authentication — the base64 user:token in the Authorization header is encoding, not encryption, and grants that user's full permissions including triggering builds and replaying Pipeline scripts. In production, enable Origin validation (requireOriginMatch / requireOriginHeader system properties) and raise keep-alive and reverse-proxy timeouts per the README; the /mcp-health endpoint is intentionally unauthenticated but exposes only status counts.
Jenkins MCP Server Plugin FAQ
Is the Jenkins MCP plugin official and safe to expose?
It's maintained in the jenkinsci GitHub org under MIT and reuses Jenkins' own authentication — nothing is anonymous except the lightweight /mcp-health status endpoint. Treat the base64 Authorization value like a password, use a least-privilege Jenkins user for the token, and turn on the Origin-validation system properties in production.
Which endpoint should my client use — streamable HTTP, SSE, or stateless?
Streamable HTTP at /mcp-server/mcp for almost everything — the README recommends it for connection reliability. Use /mcp-server/sse for GitHub Copilot (known issues with streamable there) and /mcp-server/stateless for clients that make independent, sessionless requests.
Can it modify my Jenkins instance?
It can trigger, rebuild, and replay builds and update build display names/descriptions — all as the API-token user, so Jenkins permissions are the control point. It has no tools to create or delete jobs, change system configuration, or manage credentials.
Alternatives to Jenkins MCP Server Plugin
Compare all alternatives →GitHub's official server for repos, issues, PRs, and Actions — local Docker or hosted remote.
Official AWS Labs server that lets agents call any AWS API via the AWS CLI surface.
Bulk Kubernetes port forwarding with an MCP server that lets AI assistants forward services, inspect pods, and monitor traffic.
Compare Jenkins MCP Server Plugin with: