Quilt Connect
Connect Server requires Quilt Platform version 1.68 or later.
Quilt Connect Server is an identity provider and gateway that enables external services to securely interact with your Quilt data and perform actions on behalf of your users. Connect Server:
Authenticates requests using your organization's identity provider
Issues session tokens scoped to individual user permissions
Routes requests to authorized services within your AWS environment
One such service is the Quilt Platform MCP Server (below), which lets you use web-based AI assistants — like Claude.ai — to interact with your Quilt data through natural language and the Model Context Protocol (MCP).
Admin Setup
Connect Server is disabled by default. To enable it, set the ConnectAllowedHosts CloudFormation parameter to a non-empty value.
CloudFormation Parameters
ConnectAllowedHosts (default: empty): Comma-separated hostnames allowed as OAuth redirect_uri. Empty = disabled. Set to AI client domains (e.g. claude.ai, claude.com, your-tenant.benchling.com).
ConnectSecurityGroup (default: empty): Optional EC2 security group ID for Connect ALB IP allowlisting. Empty = allow all.
CertificateArnConnect (default: empty): Optional ACM certificate ARN for the Connect ALB. Empty = reuses main stack TLS certificate.
DNS Configuration
After deploying with Connect enabled, create a DNS alias record for your Connect subdomain (typically <stack-name>-connect.<your-domain>):
Record type: A (alias)
Alias target: ConnectLoadBalancerDNSName CloudFormation output
Hosted zone ID: ConnectLoadBalancerCanonicalHostedZoneID output
The final Connect Server hostname is available in the ConnectHost CloudFormation output.
IP Allowlisting (Optional)
To restrict which IP ranges can reach the Connect Server, create an EC2 security group with inbound rules on port 443 for your trusted CIDR ranges, then pass the security group ID as ConnectSecurityGroup. If omitted, the Connect ALB accepts traffic from any IP.
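A pre-deployment check of the three Connect parameters described above, added here as an example; it is not part of Quilt's documentation or code. It assumes ConnectAllowedHosts entries are bare hostnames like the ones the page lists (so URLs and wildcards are flagged), and the function names and sample values are made up for illustration.

```python
import re

# One DNS label: letters, digits, inner hyphens, at most 63 characters.
_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")
# EC2 security group IDs are "sg-" plus 8 or 17 hex digits.
_SG_ID = re.compile(r"sg-([0-9a-f]{8}|[0-9a-f]{17})")


def is_bare_hostname(value):
    """True for a plain hostname: no scheme, port, path, wildcard or spaces."""
    labels = value.lower().split(".")
    return (len(value) <= 253 and len(labels) >= 2
            and all(_LABEL.fullmatch(label) for label in labels))


def audit_connect_params(params):
    """Return (severity, message) findings for the Connect stack parameters."""
    hosts = [h.strip() for h in params.get("ConnectAllowedHosts", "").split(",")]
    hosts = [h for h in hosts if h]
    if not hosts:
        return [("info", "ConnectAllowedHosts empty: Connect Server disabled")]
    findings = []
    for host in hosts:
        # Assumption: entries must be bare hostnames, as in the page's examples.
        if not is_bare_hostname(host):
            findings.append(("error", f"not a bare hostname: {host!r}"))
    sg = params.get("ConnectSecurityGroup", "")
    if not sg:
        findings.append(("warn", "ConnectSecurityGroup empty: ALB open to any IP"))
    elif not _SG_ID.fullmatch(sg):
        findings.append(("error", f"not a security group ID: {sg!r}"))
    if not params.get("CertificateArnConnect", ""):
        findings.append(("info", "CertificateArnConnect empty: main stack cert reused"))
    return findings


# Constructed sample parameter sets (values are made up for illustration).
GOOD = {"ConnectAllowedHosts": "claude.ai, claude.com",
        "ConnectSecurityGroup": "sg-0123456789abcdef0",
        "CertificateArnConnect": ""}
BAD = {"ConnectAllowedHosts": "https://claude.ai,*.benchling.com",
       "ConnectSecurityGroup": ""}

if __name__ == "__main__":
    for name, params in (("GOOD", GOOD), ("BAD", BAD)):
        for severity, message in audit_connect_params(params):
            print(f"{name}: [{severity}] {message}")
```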
Platform MCP Server
The Platform MCP Server is a service that runs behind Connect Server. It allows web-based AI assistants like Claude.ai to search packages, browse buckets, and retrieve data on your behalf, all within your organization's AWS environment and subject to your existing Quilt permissions — no local installation required.
MCP Client Setup
Your Quilt administrator will provide a Connect Server URL of the form https://<stack-name>-connect.<your-domain>. Typically, your organization's administrator will use this URL to add Quilt as an MCP server in your AI assistant. For example:
Go to Claude.ai's Organization Settings -> Connectors
Click Add Custom Connector.
Enter your Connect Server URL:
https://<connect-host>/mcp/platform/mcp
MCP User Authorization
Next, each user will need to individually authorize their MCP connection, so it runs using their credentials.
Log in to your Quilt stack as usual (e.g., via Okta SSO)
Go to, e.g., Claude.ai Settings -> Connectors
Click Connect
The first time your AI assistant connects to Quilt, you will be redirected to the Quilt catalog authorization page at /connect/authorize. This page shows:
The name of the AI client requesting access
What the client is allowed to do (read access, scoped to your Quilt role)

Click Continue to grant access, or Cancel to deny it. After authorizing, the AI assistant receives a session token scoped to your Quilt user — it cannot access data beyond what your assigned Quilt role permits.
You do not need to re-authorize the same client unless your session expires or the Quilt stack is redeployed.
Once authenticated, you may also need to authorize individual tools when used. You can pre-authorize them by clicking Configure on the connector page.


