Install Sentry MCP Server now to streamline setup and ensure stable migrations. The setup includes a concise runbook, a clear list of preflight checks, and migration templates that map services to host environments. Validate connectivity using http and the httpsmcpsentrydevmcp endpoint to verify data routing.
In building your environment, the platform exposes modular blocks like supabases and ampmcpservers, with exposing endpoints for monitoring. The guide shows how to assemble settingsjson templates and keep stdio logs readable while you create a migration plan that aligns operations across services and teams.
Optimization tips: run with --read-only in production to lock configuration, then implement a migration workflow that pins each service to its host mapping. Maintain ampmcpservers alongside supabases configurations, and use http health probes with the httpsmcpsentrydevmcp endpoint for external validation.
Prerequisites: System, Network, and Software Requirements
Recommandation: Provision a Linux host with at least 2 vCPU, 4 GB RAM, and 40 GB storage; for production workloads, allocate 4 vCPU, 8 GB RAM, and 100 GB for logs and data; ensure a 1 Gbps network link when anticipating higher traffic.
System requirements: Use 64-bit Linux distributions such as Ubuntu 22.04 LTS, Debian 11+, or RHEL 8+. Ensure kernel 5.4+ and a compatible filesystem (ext4 or XFS). Enable time synchronization (NTP) and keep the host updated with security patches. Some deployments run on hardened images from your organization to reduce drift.
Networking: Ensure DNS reliability with stable hostnames; outbound access for updates; TLS certificates managed by your CA; open port 443 for API access; 80 is optional if you use redirects; place the service behind a reverse proxy with TLS termination; avoid exposing admin endpoints to the public internet without a private management network where possible. Some setups require a dedicated management VLAN or VPN for admin sessions.
Software prerequisites: Run in containerized mode or as a native binary. If you choose containers, install Docker 20.10+ or Podman and a compatible compose tool (Docker Compose 1.29+). When starting, pass startup args and environment variables; ensure required dependencies are present. You can reference the internal image or binary store at httpsmcpsentrydevmcp for baseline components.
Account and organization: Create at least one organization and an administrator account; enable MFA; define roles and permissions; for multi-tenant deployments, map projects to teams and control access accordingly.
Data handling and backups: Use persistent volumes for data; schedule regular backups to an external store; manage log rotation; enable streamable output to downstream systems for audits and analytics. The architecture supports scalable storage and ensures survivors in case of node failure.
Automation and reference: For automated setup, refer to the table of available protocole and output formats; the workflows guide covers the steps and session lifecycles; claude can assist with verification of script arguments and results, keeping configuration clean and auditable.
Install Options: Docker, Kubernetes, and Native Install Paths
Choose Docker for most deployments to get fast setup and reliable isolation. It connects mcpservers components in a single runtime, outputs logs to stdout, leverages automated health checks, and uses a default security baseline that protects privacy while offering enterprise controls. In a case where orchestration is essential, Kubernetes adds scale and resilience, while native install paths give full control and minimal layers over networking and storage.
Container-based Install Options
Docker
- Overview: Use a single source of truth with a docker-compose file that defines mcpservers, data volumes, and a reverse proxy. The server enters a stable context where configurations are portable between hosts, and outputs streamable logs suitable for your SIEM or log aggregator.
- What to deploy: pull the latest mcpservers image, create a persistent volume for configuration and data, and define environment variables that tune authentication, storage, and audit logging. This creates a repeatable, automated path for updates without downtime.
- Networking and security: expose only the needed ports and route external traffic through a reverse proxy. Run containers with a non-root user, enable read-only file systems where possible, and pin image tags to verified releases. Avoid exposing admin interfaces directly to the internet; use context-aware access controls and private registries to reduce exposure.
- Operational tips: use docker-compose up -d to bring up the stack, then monitor with docker logs -f and your chosen output sink. Use a dedicated network namespace so the application connects cleanly to databases or message queues without cross-tenant leakage.
- Tips for reliability: enable automatic restarts, set restart: unless-stopped, and consider a small rolling update strategy to minimize downtime. In most cases, the default logging driver provides streamable output that can feed your centralized observability.
- Case notes: if you already have a registry, point Docker to it to avoid ai-generated image drift and to keep builds verified before deployment. If you need to enter maintenance mode, pause the stack and apply configuration changes without halting other services.
Kubernetes
- Overview: Deploy with Helm or plain manifests to leverage orchestration, auto-scaling, and rolling updates. The server runs as a set of pods that share a persistent volume and a Service exposing a stable DNS name. This setup overcomes node failures and maintains a consistent output stream for logs and metrics.
- Helm-based path: enable the MCP chart, customize values.yaml for resources, securityContext, and readiness/liveness probes. The chart creates namespaces, RBAC roles, and configmaps that keep configuration centralized and auditable.
- Networking and exposure: place the MCP API behind a Ingress with TLS termination, and restrict external access with network policies. These steps reduce exposure and preserve privacy while allowing authorized clients to prompt requests to the server.
- Security and compliance: enforce pod security standards, limit capabilities, and run containers with readOnlyRootFS where feasible. Use a private image registry and imagePullSecrets to verify provenance and keep ai-generated or unverified images out of production.
- Observability: enable stdout/stderr streaming to a log collector, and configure metrics export to Prometheus. The most important signals–latency, error rate, and saturation–appear in your dashboards for quick action in case of anomalies.
- Case notes: for large fleets, Kubernetes delivers automated rollouts while preserving privacy and data integrity. If you use custom networking, document the context in your runbooks so operators can enter changes safely without impacting other workloads.
Native Install Paths
- Overview: Native installs provide full control over package sources, system user namespaces, and startup timing. Install from your OS package manager and configure systemd services to manage the MCP server as a first-class, fully standalone component.
- Package installation: install the mcpservers package from your repository, create a dedicated user, and place configuration files in /etc/mcpservers. This path binds closely to the host environment and enables fast, deterministic startup without an orchestration layer.
- Service management: create a systemd unit that starts the server, reloads on config changes, and restarts automatically if a watchdog detects a fault. This gives you full control over resource limits, cgroup constraints, and startup order with other local services.
- Networking and exposure: bind the server to a private interface by default, and expose only what you need through a reverse proxy or firewall rules. If you require external access, implement a carefully scoped ingress route with TLS and strict access controls to preserve security and privacy.
- Updates and patches: rely on your package manager for verified updates, and test in a staging environment before applying to production. Maintain a changelog to track what changed between versions, and document any prompts you see during upgrade steps.
- Case notes: native installs suit environments with restricted networking, custom storage backends, or strict compliance requirements. They also avoid extra layers, enabling the most direct control over server behavior and performance tuning.
Quick Start: First Run and Basic Configuration
Run the built-in setup wizard to achieve a working baseline in under 15 minutes. This initialization configures the core panel, creates a minimal workflow with two interactions, and applies a secure default configuration so you can move fast without losing control. It means you can verify the setup successfully and spot friction points early.
Connect oauth provider: in the panel, enter the oauth client id, client secret, and the redirect URL. Know that the oauth client id and secret must match your provider, and enable token validation. Set the scope accordingly to your needs to ensure smooth user sessions.
Define a specific, custom deployment profile using args to tailor to your case. Use a lightweight prototyping plan first and keep migration steps simple and reversible.
Set up some basic test interactions: create a test route to exercise authentication flows, verify access rights, and reproduce a controlled injection attempt in a sandbox environment. Use the security controls to observe how the system responds.
Migration guidance: if you bring existing data, run the migration script, verify data integrity in a dedicated test environment, and review the resulting logs. In the panel, use debugging tools to trace any failing steps and fix them quickly.
Observability and validation: turn on telemetry for some events, capture a simple table of key settings, and monitor response times. Aim for lower friction by trimming fields you do not need and validating the most frequent interactions.
Next steps: iterate on the configuration, migrate to production, and document the changes to help your team develop new integrations. Use the panel to manage those workflows and adjust security policies as needed.
Security: Access Control, Authentication, and TLS
Enable TLS 1.3 by default on live endpoints and disable legacy protocols (TLS 1.0/1.1). Enforce HTTP Strict Transport Security (HSTS) with max-age=31536000 and includeSubDomains. Use certificates from a trusted CA and rotate them on a fixed cadence (for example, every 90 days) to maintain full certificate hygiene. For inter-service calls, enable mutual TLS (mTLS) to verify both sides and ensure full end-to-end security. Test the setup across your mcpservers, including supabasemcp-server-supabaselatest images, and ensure no plaintext traffic remains in transit.
Access control relies on RBAC and per-resource ACLs. Define roles such as admin, operator, and user, each with a least-privilege set of actions. This policy applies to all access across the cluster. Select these roles to apply to API endpoints, chat channels, and transactions paths. Store access tokens in a secure vault and rotate secrets on a standardised schedule. Integrate with an external identity provider via OIDC to simplify auditing and reduce local credential handling.
Authentication relies on short-lived tokens and mutual authentication between services. Use opaque tokens or JWTs with a short TTL and a revocation mechanism. Enforce device or IP-bound constraints for admin accounts and require MFA where feasible. Ensure youve configured proper token scopes and audit trails so you can correlate sign-ins with specific roles and actions.
Configure TLS with strong defaults and forbid deprecated suites. Prefer TLS 1.3 exclusively where possible; disable TLS 1.0/1.1 on all public interfaces. For TLS 1.2 fallbacks, use ECDHE_RSA with AES-256-GCM or ChaCha20-Poly1305. Enable TLS session resumption with secure caches and enable OCSP stapling to reduce latency during revocation checks. Pin certificates in client apps where supported and maintain a documented certificate lifecycle. Schedule updates to these settings and verify changes in time.
Enable centralized logging for TLS handshakes and authentication events. Use a standardised set of tools to collect metrics on failed logins, token refresh errors, and access denials. Maintain a list of allowed origins and publish clear instructions for credential rotation and policy updates. Follow a step checklist for onboarding new keys and tokens. This approach creates a traceable audit trail and supports compliance. Set alerts for abnormal transactions or exposure in chat endpoints, and run a daily live simulation to verify defenses.
In standardised deployments, reference images like supabasemcp-server-supabaselatest ensure consistent security configurations across different environments. Further hardening steps ensure resilience as you scale. Validate changes in a sandbox before live rollout to avoid exposing credentials or misconfigured endpoints. Record results and improvements so audits capture the evolution of access controls and TLS hardening.
Observability: Metrics, Logs, and Dashboards
Enable zero-friction observability by exporting metrics, logs, and traces from every ampmcpservers instance into a single project-scoped backend, so you can search across environments and execute quick triage without leaving your workflow. This means you gain immediate visibility into how Next.js components and servers interact, with clear signals that prevent injection or latency from cascading into user-facing friction.
Metrics you should track
- Request rate (RPS) per server and per route, with a separate view for frontend (Next.js) vs. backend
- Error rate and error taxonomy by service, including 4xx vs 5xx and OAuth flow failures
- Latency percentiles (p50, p95, p99) by environment and by route, with alert thresholds
- Resource saturation indicators: CPU, memory, open file descriptors, and queue depth
- Dependency timings: database calls, cache hits, external API calls, and their cascade effects
- Throughput and cache miss rate for project-scoped features, visualized through a single icon-backed dashboard
- Correlation keys: request_id, trace_id, and span_id to stitch stdio-style logs with traces
Logs and dashboards
- Adopt structured JSON logs with fields: timestamp, level, service, environment, route, status_code, duration, trace_id, user_id, and request_id
- Use a unified backend (with OAuth-enabled access) to centralize logs from servers, image rendering nodes, and frontend routes
- Correlate logs with traces to surface root causes quickly; keep a seer-like perspective to spot recurring fault patterns
- Dashboards should be project-scoped and support different views: per-environment heatmaps, per-route latency charts, and per-server health cards
- Include a search-driven panel to filter by environment, route, or user segment, enabling rapid triage across multiple servers
- Store raw logs in a durable store (e.g., Supabase-backed or your object store) and surface summarized views in the main dashboard
- Design dashboards with seamless navigation between metrics, logs, and traces; use micro-interactions (icon badges, tooltips) to convey status at a glance
- Provide environment-specific imagery and instance icons for quick recognition, like a small server cluster icon next to each host
- Ensure dashboards render consistently across different frontend stacks, including Next.js pages and API routes, so teams can collaborate without context switching
Performance and Scaling: Memory, Threads, and Horizontal Scaling
Step 1 recommendation: run Sentry MCP Server on a 4-core VM with 8 GB RAM, allocate 2 GB to the runtime and caches, and configure 64 worker threads. This baseline keeps latency predictable while leaving headroom for spikes. Treat the default values as a starting point and verify with real load tests; if you see pressure, adjust up or down. A seer monitors latency, queue depth, and memory pressure to guide tuning decisions. If you haven't profiled under peak load, you will hit issues in production.
Memory budgeting: reserve about 60% of RAM for in‑process work, 30% for the database pool, and keep 1–2 GB headroom for spikes. With 8 GB, this translates to roughly 4–5 GB for work and caches, 2–3 GB for the DB pool, and room to breathe. Watch modelcontextprotocolserver-postgres connections and adjust the DB pool accordingly to avoid saturation. If you see OOM or paging, lower in‑process caches and consider a larger node. Check the readme for default limits and guidance; replace oversized caches with data that serves your actual access patterns. Different workloads may require different allocations; existing caches often become too large for bursts, so lower them to reduce paging.
Threads and concurrency: align the thread pool with CPU and I/O characteristics rather than maxing out lanes. Start with 64 threads on 4-core, 128 on 8-core, and 256 on 16-core. If you observe high context switching or long tail latency, adjust the pool and enable asynchronous paths for authentication and DB calls. Instead, route authentication and DB calls asynchronously to prevent blocking. Ensure authentication work is non‑blocking; use the supabase_access_token workflow and avoid blocking during token verification. For external calls, prefer asynchronous routes and cache friendly paths. In multi‑tenant setups, you may have existing clients in different regions; place work by client segments and keep calls to modelcontextprotocolserver-postgres and Supabase as lean as possible. If a person on your team reports latency, test with a different tenant to confirm per‑person versus global bottlenecks. If needed, scale out by adding another instance in front of supabasemcp-server-supabase and distributing load. See the readme for token rotation and connection pool recommendations.
Horizontal scaling: architecture should be stateless to enable rapid growth. Run multiple MCP server nodes behind a load balancer, and avoid per‑node state. If you need sessions, implement a shared session store or rely on the token path via supabasemcp-server-supabase. Ensure each node can reconnect to modelcontextprotocolserver-postgres and to Supabase with refreshed tokens; rotate tokens via supabase_access_token as needed. When adding a node, duplicate environment variables, verify connected clients are balanced, and monitor cross‑node latency. A different traffic profile may demand tuned DB pool sizes or cache partitions to keep headroom. Replace brittle stateful paths with a stateless design, and read the readme for deployment steps and scaling examples.
| Scenario | CPU | RAM | Max threads | DB pool | Cache | |
|---|---|---|---|---|---|---|
| Baseline | 4 cores | 8 GB | 64 | 10 | 256 MB | Use default values; monitor with readme guidance |
| Scaled up | 8 cores | 16 GB | 128 | 20–30 | 1 GB | Ajouter un nœud derrière l'équilibreur de charge |
| Forte concurrence | 16 curs | 32 GB | 256 | 40–60 | 2–3 GB | Stateless ; rotation de jetons via Supabase |
Maintenance et mises à niveau : sauvegarde, migrations et procédures de restauration
Activez les sauvegardes automatisées et effectuez un test de restauration régulier dans un environnement de staging ; ces étapes offrent ce niveau de contrôle et visual confirmation de rétablissement.
Les sauvegardes doivent inclure les fichiers provenant de config directory et le table qui stocke transactions.
During migrations, lancez un essai à blanc, mettez à jour le image version, cascade les modifications à travers les services connectés, et authentifier credentials avant de passer à autre chose external endpoints. Coordonner via github workflows and enable contrles automatis s.
Procédures de rembobinage : définir un fallback plan, maintenir un table of actions and limits, et avoir means to revert to the previous image and config rapidement.
Contrôles qualités : analyze sauvegardes avec tools, vérifiez que la sauvegarde environment variables restent consistantes, et confirmez le transactions s’aligner sur les résultats attendus. Inclure un useful checklist.
Sécurité et visibilité : utilisez un visual tableau de bord pour surveiller l'état de sauvegarde et les taux de réussite ; garder todos dans le suivi de projet et utilisez chat channels to notify the team when a rollback is needed. Ensure sentrys les données restent connecté à travers les environnements.
Exercices post-incident : prompted mises à jour des runbooks, affinez les déclencheurs dans votre workflows, et documenter les leçons pour l'avenir migrations.
Documentation : créer un guide concis et exploitable renvoyant vers le directory of config, et gardez un table of actions et tests.
