How to Connect External AI Tools to Lookout
Private Beta
Let approved external AI tools call a curated set of Lookout’s tools through MCP.
Lookout exposes a curated set of its tools to external AI tools through the Model Context Protocol (MCP). This lets an approved external assistant or agent call into your workspace programmatically, for example, to run a warehouse query or read a dashboard, using the same connections your team already set up.
What it exposes
External tools get a curated, mostly read-only subset of Lookout’s capabilities. For the exact, current tool list, see the in-app MCP reference in your workspace.
| Tool | Permissions | Description |
|---|
| Warehouse | Read | Query a connected warehouse, list tables, describe a table, and list warehouses |
| Dashboards | Read | List dashboards, get a dashboard, and run a single dashboard panel |
| Source documentation | Read | List and read Lookout’s AI-generated instrumentation documentation for your sources. This is the generated documentation in the Context Hub, not your RudderStack source catalog |
| Dashboards | Write | save_dashboard creates or updates a dashboard.
It is the only write tool and is gated behind the mcp:write scope (see below) |
Scopes
When an external tool authorizes via OAuth, or when you create a named programmatic token, the default scope is mcp:read mcp:write, which includes the save_dashboard write capability.
To grant read-only access, explicitly request the mcp:read scope only.
Because the default scope includes mcp:write, an external tool that doesn’t narrow its scope can save dashboards in your workspace. If a tool only needs to read, grant it mcp:read only.
How access is secured
- Access uses OAuth 2.1 (with PKCE, dynamic client registration, and a consent screen) or named programmatic tokens.
- Programmatic tokens are stored hashed and are prefix-identified so they can be revoked.
- Tokens used for external access are separate from your web session.
Setup
Any member can create clients and tokens for external access from the MCP area in the sidebar (also reachable from Settings > Integrations). External tools then call into the workspace using those credentials.
External AI tool access is enabled at the deployment level, not per workspace. If you don’t see the MCP area, it may not be enabled for your deployment — check with your admin.
See also
- RudderStack MCP: Connect an AI assistant to your RudderStack workspace directly — this is a separate capability from Lookout’s external tool access.
Questions? We're here to help.
Join the RudderStack Slack community or email us for support
