The AI doesn't just read your analytics — it operates them. Create charts, build dashboards, run SQL, explore datasets. All governed by the same permissions as the user making the request.

That's what Preset MCP delivers. But getting there required solving a problem the open-source spec never had to address: how do you take a single-tenant MCP service and make it work for a multi-tenant managed platform — without forking the open-source code or losing the clean architecture?

The answer: wrap, don't fork. Preset's MCP implementation is a set of middleware layers, authentication providers, and infrastructure components that sit around the open-source MCP service. Every tool, every DAO call, every RBAC check from the OSS service works identically — Preset just ensures the right workspace context, the right user identity, and the right database connection are in place before the tool executes.

This means:

• Zero divergence — OSS improvements flow directly to Preset customers
• Same security guarantees — RBAC, RLS, and column-level security apply identically
• Additive, not replacement — enterprise capabilities on top, not instead of

What Preset Adds: Layer by Layer

1. Multi-Tenant Workspace Isolation

This is the foundational difference. In open-source Superset, the MCP service connects to one database, serves one set of users. In Preset, every MCP request must be routed to the correct workspace with complete data isolation.

How it works:

1. The WorkspacePermissionMiddleware validates the JWT and confirms the user has access to the requested workspace via the Preset Manager API
2. The PresetWorkspaceMiddleware extracts the workspace from the hostname or X-Forwarded-Host header, binds the correct database connection, and loads the authenticated user into Flask's g.user
3. From this point forward, the OSS MCP tools execute normally — they see only the data in that workspace, with that user's permissions

The middleware stack processes every request in this order:

2. Enterprise Authentication

Open-source Superset MCP supports JWT authentication with several algorithm choices (RS256, HS256, static keys). Preset extends this with two production authentication modes that integrate with the Preset Manager control plane:

JWT Mode (API Integrations)

• Token issued by Preset Manager
• Validated via Manager's JWKS endpoint
• Includes JWT lifecycle verification with token revocation checks
• Authorization: Bearer <JWT> + X-Workspace-Id header
• Best for: programmatic access, CI/CD, server-to-server

OAuth 2.0 Mode (Interactive)

• Auth0 as OAuth provider
• Authorization Code + PKCE flow
• Dynamic Client Registration (DCR) for mcp-remote
• Session validation with Preset Manager
• Best for: Claude Desktop, Claude Code, interactive tools

The OAuth flow is particularly important for the MCP ecosystem. Tools like Claude Desktop use mcp-remote to connect to remote MCP servers, and the OAuth 2.0 + PKCE flow provides a secure, browser-based authentication experience:

Redis-backed state management ensures OAuth flows work across multiple MCP pods:

• OAuth transaction storage with 10-minute TTL
• Authorization code caching
• DCR client registration caching (30-day TTL)
• Session validation caching (5-minute TTL)

3. Built-In Chatbot: MCP Meets the UI

While the OSS MCP service is designed for external clients (Claude Desktop, Claude Code, custom integrations), Preset adds a built-in Chatbot experience directly inside the Superset UI — powered by the same MCP tools under the hood.

What users see:

• A floating bubble in the bottom-right corner of Superset
• Click to open a slide-out chat drawer
• Ask questions in natural language: "Show me sales trends by region" or "Create a dashboard for Q3 metrics"
• Watch as the agent discovers datasets, generates charts, and builds dashboards — all in real time

What happens under the hood:

• A LangGraph agent orchestrates the conversation, using an LLM to decide which MCP tools to call
• The agent connects to Preset's MCP service via langchain-mcp-adapters, discovering available tools dynamically
• Tool results are cached with a 5-minute TTL to avoid redundant discovery
• Conversations are persisted with AsyncPostgresSaver checkpointing — users can resume where they left off
• SSE streaming delivers real-time responses: token-by-token output, tool call notifications, and structured events

Streaming event types:

4. Production Deployment

The OSS MCP service can run as a standalone process or Docker container. Preset deploys it as a dedicated Kubernetes service with production-grade infrastructure:

Key deployment features:

• Separate MCP pod — scales independently from the Superset web app
• Horizontal Pod Autoscaler — auto-scales based on CPU and memory metrics
• Session affinity — ensures OAuth sessions route to the same pod
• Health probes — liveness and readiness checks for Kubernetes orchestration
• APM instrumentation — Datadog tracing for request-level visibility
• ConfigMap-based secrets — secure credential management in K8s

5. Observability and Metrics

Preset instruments every MCP tool call with dual reporting:

• Superset Event Logger — audit trail with user context, workspace, tool name, parameters, and duration
• Datadog StatsD — real-time metrics for monitoring dashboards and alerting

Example metrics emitted:

• mcp.tool.list_charts.success / mcp.tool.list_charts.failure
• mcp.tool.generate_chart.success / mcp.tool.generate_chart.failure
• chatbot.sse.boundary_error

6. Per-Workspace Feature Gating

Preset uses feature flags to control MCP and Chatbot availability:

• MCP_SERVICE_ENABLED — global gate for the MCP service
• MCP_OAUTH_ENABLED — global gate for OAuth authentication mode
• MCP_OAUTH_WORKSPACE_ENABLED — per-workspace OAuth enablement (Split-evaluated)
• CHATBOT_ENABLED — per-workspace gate for the built-in Chatbot

This enables controlled rollouts: start with internal workspaces, expand to beta customers, then general availability — all without code changes or redeployments.

Architecture Summary

Why Build It This Way

The Problem We Solved

When Anthropic released the Model Context Protocol, the promise was clear: a universal interface between AI and tools. But for managed analytics platforms, the gap between "protocol spec" and "production-ready" was significant:

• Multi-tenancy — MCP had no concept of workspace isolation. Every example assumed a single database, a single set of users.
• Enterprise auth — The spec supported bearer tokens, but OAuth flows for tools like Claude Desktop required careful integration with existing identity providers.
• Managed deployment — Running MCP in a Kubernetes-orchestrated, multi-tenant environment required solving session management, scaling, and observability.
• User experience — Not every analyst wants to configure Claude Desktop. The protocol needed to be accessible from within the product itself.

The Open-Source-First Bet

We made an early bet: build the foundation in open source, then layer enterprise capabilities on top.

The open-source Superset MCP service (SIP-187) was designed from day one with extensibility in mind:

• Library-first architecture — the MCP service imports Superset as a library, not as a web app, making it possible to wrap with additional context
• Auth hook pattern — a pluggable authentication system that Preset replaces with its own JWT + OAuth pipeline
• Factory pattern — create_mcp_app() accepts custom middleware and auth providers, so Preset composes its own stack without modifying OSS code
• Core classes — ModelListCore, ModelGetInfoCore, and others provide standardized tool behavior that works identically in both environments

By contributing the MCP service upstream, we ensured:

1. Community validation — the tool design, security model, and middleware patterns were reviewed and hardened by the open-source community
2. Ecosystem growth — any MCP client that works with open-source Superset works with Preset out of the box
3. Faster iteration — bug fixes and new tools contributed by the community benefit Preset customers immediately

Getting Started

Claude Desktop / Claude Code

Add your workspace URL to your MCP config:

{
  "mcpServers": {
    "preset": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote@latest",
        "https://YOUR_WORKSPACE.us1a.app.preset.io/mcp"
      ]
    }
  }
}

On first connection, you'll be prompted to authenticate via your browser — the OAuth 2.0 + PKCE flow handles the rest.

Built-In Chatbot

No configuration needed. If your workspace has Chatbot enabled, look for the floating bubble in the bottom-right corner of Superset. Click it, start asking questions.

API Integrations

Use JWT bearer tokens from the Preset Manager for programmatic access:

curl -H "Authorization: Bearer $JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc": "2.0", "method": "tools/call", "params": {"name": "list_dashboards"}, "id": 1}' \
  https://YOUR_WORKSPACE.us1a.app.preset.io/mcp

What Comes Next

• More tools — as the open-source community adds tools (alerts, reports, annotations), they'll be available in Preset automatically
• Expanded Chatbot capabilities — deeper integration with Preset-specific features like workspace management and team collaboration
• Custom tool registration — enable teams to register their own MCP tools that leverage their specific data and business logic
• Enhanced analytics on AI usage — understand how your team uses AI-assisted analytics, which tools are most valuable, and where to invest

Contact our team to set up a demo and see what AI-native analytics looks like in practice.

Part of a series: Apache Superset MCP Service: A Technical Deep Dive covers the open-source architecture, all 20 tools, security model, and deployment guide.

Source code: github.com/apache/superset · MCP Protocol: modelcontextprotocol.io · Join the community: Superset Slack