A copy-paste checklist for wiring the Model Context Protocol into n8n without leaving a hole. Pick a direction (Server Trigger vs Client Tool vs the native server), default the transport to Streamable HTTP, authenticate every server, scope tools to the job, put human-in-the-loop on anything irreversible, and keep PII-touching tools self-hosted. Full walkthrough in the n8n + MCP playbook.
Print it, tick the boxes, ship safely. Each phase maps to a section of the full MCP playbook. US-first compliance notes, then UK/EU, then AU.
Phase 0 · Prerequisites
- ☐ n8n v2.18.4+ if you want the native instance MCP server (Public Preview since April 2026; Cloud, Enterprise, or self-hosted Community).
- ☐ Decide your transport: Streamable HTTP for anything new. SSE is deprecated — keep it only as a fallback for legacy servers.
- ☐ A credentials store ready (n8n credentials, not hard-coded tokens).
Phase 1 · Pick the direction
- ☐ MCP Server Trigger — you want Claude / Cursor / ChatGPT (or another agent) to call your workflows as tools. n8n is the server.
- ☐ MCP Client Tool — you want an n8n AI Agent to use tools from a system you already run. n8n is the client.
- ☐ Native instance MCP server — you want an assistant to build and deploy workflows inside n8n itself.
- ☐ One-click managed connection — for Notion, Linear, monday.com, Apify, PostHog you may not need to wire anything by hand.
Phase 2 · Build the server / wire the client
- ☐ Server: add an MCP Server Trigger, set a Path, attach only the tool nodes you intend to expose.
- ☐ Client: drop an MCP Client Tool on the AI Agent's Tools port, paste the external server URL, set serverTransport=httpStreamable.
- ☐ Write tool descriptions like you're briefing a new hire — vague descriptions are the #1 reason an agent ignores a tool.
Phase 3 · Authenticate (never skip)
- ☐ Never expose a server with authentication: none.
- ☐ Use Bearer or header auth; store the token in n8n credentials, never in the URL.
- ☐ Confirm an unauthenticated request is refused. Rotate the token on your normal secret cadence.
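A way to tick the "unauthenticated request is refused" box without guessing. This is an added example, not code from n8n or the playbook: it starts a constructed stand-in for an MCP Server Trigger endpoint that enforces Bearer auth, then probes it with no token, a wrong token and the right token, and also flags a token smuggled into the URL query string. Point check_auth_enforced() at your real endpoint URL and credential to run it against n8n; the token value, path and the "2025-03-26" protocol version string are assumptions.

```python
# Added example (not n8n's code): offline probe that an MCP endpoint refuses
# unauthenticated requests. The stub server is a constructed stand-in.
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse

EXPECTED_TOKEN = "example-token-rotate-me"  # constructed; real tokens live in n8n credentials

# Minimal MCP JSON-RPC "initialize" message, the first thing any client sends.
INIT_REQUEST = {
    "jsonrpc": "2.0",
    "id": 1,
    "method": "initialize",
    "params": {
        "protocolVersion": "2025-03-26",  # assumed version string
        "capabilities": {},
        "clientInfo": {"name": "auth-probe", "version": "0"},
    },
}


class _StubMcpHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for an authenticated MCP Server Trigger endpoint."""

    def do_POST(self):
        auth = self.headers.get("Authorization", "")
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if auth != f"Bearer {EXPECTED_TOKEN}":
            self._reply(401, {"error": "unauthorized"})
            return
        req = json.loads(body)
        self._reply(200, {"jsonrpc": "2.0", "id": req.get("id"), "result": {"ok": True}})

    def _reply(self, status, payload):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the probe output quiet
        pass


def start_stub_server():
    """Bind the stub on a free loopback port; returns (server, endpoint_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _StubMcpHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/mcp/orders"  # path is assumed


def _post(url, token=None):
    """POST the initialize message; return the HTTP status code."""
    headers = {"Content-Type": "application/json", "Accept": "application/json, text/event-stream"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = request.Request(url, data=json.dumps(INIT_REQUEST).encode(), headers=headers, method="POST")
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def check_auth_enforced(url, token):
    """'enforced' is True only if missing and wrong tokens are refused, the right
    token is accepted, and no token-like parameter sits in the URL."""
    token_in_url = any("token" in k.lower() for k in parse_qs(urlparse(url).query))
    results = {
        "no_token": _post(url),
        "wrong_token": _post(url, "not-the-token"),
        "right_token": _post(url, token),
        "token_in_url": token_in_url,
    }
    results["enforced"] = (
        results["no_token"] in (401, 403)
        and results["wrong_token"] in (401, 403)
        and results["right_token"] == 200
        and not token_in_url
    )
    return results


if __name__ == "__main__":
    server, endpoint = start_stub_server()
    print(check_auth_enforced(endpoint, EXPECTED_TOKEN))
    server.shutdown()
```

Run it on the real endpoint on the same cadence you rotate the token: a probe that returns 200 for the no-token call is the exact hole the checklist exists to prevent.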
Phase 4 · Scope tools to the job
- ☐ Whitelist only the tools a role needs (include: selected + an explicit includeTools list).
- ☐ A read-only support agent gets get_order_status, not issue_refund.
- ☐ Re-check scope whenever the upstream server adds tools.
Phase 5 · Human-in-the-loop on anything irreversible
- ☐ Require explicit human approval (n8n's 2026 tool-level HITL) before any tool that moves money, sends an external message, or deletes data.
- ☐ Wire the approval prompt to Slack or Telegram ("Approve / Reject").
- ☐ Test it: inject a sample input each month and confirm it lands in the human queue.
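Phases 4 and 5 as one policy gate. This is an added example, not n8n's implementation: a per-role allowlist mirroring include: selected + includeTools, an approval set for irreversible tools that diverts the call into a human queue instead of executing it, a drift check that diffs the allowlist against what the upstream server's tools/list now advertises, and the monthly drill that injects a sample refund and confirms it lands in the queue. Role names, tool names and the tools/list payload are constructed.

```python
# Added example (not n8n's code): role-scoped tool allowlist + HITL gate +
# upstream scope-drift check. All names and payloads below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class RolePolicy:
    include_tools: frozenset                  # the explicit includeTools allowlist
    require_approval: frozenset = frozenset()  # irreversible: moves money, messages out, deletes


POLICIES = {
    # read-only support agent: can look things up, cannot refund
    "support_readonly": RolePolicy(include_tools=frozenset({"get_order_status", "lookup_customer"})),
    # full support agent: refunds and outbound email exist but need a human approver
    "support_agent": RolePolicy(
        include_tools=frozenset({"get_order_status", "issue_refund", "send_customer_email"}),
        require_approval=frozenset({"issue_refund", "send_customer_email"}),
    ),
}


def route_tool_call(role, tool, args, approval_queue):
    """Return 'denied', 'awaiting_approval' or 'allowed'. Approval-gated calls are
    appended to approval_queue (your Slack/Telegram prompt reads from it) and
    never executed here."""
    policy = POLICIES[role]
    if tool not in policy.include_tools:
        return "denied"
    if tool in policy.require_approval:
        approval_queue.append({"role": role, "tool": tool, "args": args, "status": "pending"})
        return "awaiting_approval"
    return "allowed"


def check_scope_drift(policy, upstream_tools):
    """Diff the allowlist against the upstream server's current tools/list result.
    New upstream tools are not auto-granted; they are surfaced for review."""
    advertised = {t["name"] for t in upstream_tools}
    return {
        "new_upstream_tools": sorted(advertised - policy.include_tools),
        "missing_allowlisted": sorted(policy.include_tools - advertised),
    }


# Constructed stand-in for a tools/list result after the upstream server grew a tool.
UPSTREAM_TOOLS_LIST = [
    {"name": "get_order_status", "description": "Look up an order by id"},
    {"name": "issue_refund", "description": "Refund an order"},
    {"name": "send_customer_email", "description": "Email the customer"},
    {"name": "delete_customer", "description": "Erase a customer record"},  # newly added upstream
]


def monthly_hitl_drill(role="support_agent"):
    """Phase 5 'test it': push a sample irreversible call and confirm it is queued, not run."""
    queue = []
    verdict = route_tool_call(role, "issue_refund", {"order_id": "TEST-0001", "amount": 1}, queue)
    return verdict == "awaiting_approval" and len(queue) == 1 and queue[0]["status"] == "pending"


if __name__ == "__main__":
    q = []
    print(route_tool_call("support_readonly", "issue_refund", {"order_id": "A1"}, q))
    print(check_scope_drift(POLICIES["support_agent"], UPSTREAM_TOOLS_LIST))
    print("HITL drill passed:", monthly_hitl_drill())
```

The drift check is the "re-check scope whenever the upstream server adds tools" box in code: wire it to run whenever you refresh the client connection, and treat any non-empty new_upstream_tools as a review item rather than something to merge into includeTools automatically.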
Phase 6 · Data residency & logging (US → UK/EU → AU)
- ☐ Log every tool call (timestamp, tool, redacted input, output, approver) to an append-only store.
- ☐ US: data routed through a third-party MCP server is a disclosure under CCPA/CPRA — prefer no-train vendors with SOC 2, or self-host the tool.
- ☐ EU/UK: sending personal data to a US-hosted server/model is a Chapter V transfer under GDPR/UK GDPR; if MCP tools power a user-facing agent, the EU AI Act Article 50 disclosure duty applies from 2 Aug 2026.
- ☐ AU: APP 8 cross-border disclosure. Keep PII-touching tools on infrastructure you host; redact before any prompt leaves the network.
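The logging box and the "redact before any prompt leaves the network" box together. This is an added example, not from the page's sources: an append-only, hash-chained audit record for each tool call (timestamp, tool, redacted input, output, approver) plus a redactor that masks emails, card numbers and US SSNs before anything is written or sent. The sample call and the regex set are constructed; extend the patterns to the PII classes your data actually carries.

```python
# Added example (not n8n's code): PII redaction + append-only, hash-chained
# audit log for MCP tool calls. Patterns and sample data are constructed.
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed pattern set; add the identifiers your jurisdiction cares about.
REDACTIONS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "<email>"),
    (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "<card>"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "<ssn>"),
]


def redact(value):
    """Recursively mask PII in strings, dicts and lists; other types pass through."""
    if isinstance(value, str):
        for pattern, mask in REDACTIONS:
            value = pattern.sub(mask, value)
        return value
    if isinstance(value, dict):
        return {k: redact(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


class AuditLog:
    """Append-only log: every entry carries the previous entry's hash, so any
    edit or deletion breaks verify()."""

    GENESIS = "0" * 64

    def __init__(self):
        self._entries = []

    @staticmethod
    def _digest(entry_without_hash):
        return hashlib.sha256(json.dumps(entry_without_hash, sort_keys=True).encode()).hexdigest()

    def append(self, tool, tool_input, output, approver=None, ts=None):
        prev = self._entries[-1]["hash"] if self._entries else self.GENESIS
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "tool": tool,
            "input": redact(tool_input),   # redacted before it is ever persisted
            "output": redact(output),
            "approver": approver,          # human who approved a HITL-gated call, if any
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry

    def verify(self):
        """True iff every entry's hash and prev-link still match."""
        prev = self.GENESIS
        for entry in self._entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def entries(self):
        return list(self._entries)


if __name__ == "__main__":
    log = AuditLog()
    # Constructed sample: a refund approved by a human, with PII in the input.
    print(log.append("issue_refund",
                     {"customer": "jane.doe@example.com", "card": "4111 1111 1111 1111", "amount": 12.5},
                     {"ok": True}, approver="ops-lead"))
    print("chain intact:", log.verify())
```

Ship the entries to a store that only accepts appends (object storage with object lock, a WORM bucket, or a log service that rejects updates) and run verify() on read; the hash chain lets an auditor prove no record was edited after the fact, while the redaction keeps the log itself from becoming a second copy of the PII you were trying not to disclose.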
Want this done for you?
NexFlow wires MCP into your stack with scoped tools, authenticated transport, human-in-the-loop, and an audit log. Custom workflow (cloud, keep your subscriptions) — from $750 / £560 / €650 / A$1,100. Local self-hosted setup (removes the monthly subscriptions) — from $1,500 / £1,120 / €1,290 / A$2,250 one-off.
Sources & method
- n8n Docs — MCP Server Trigger and MCP Client Tool.
- n8n release notes (2026) — native instance MCP server (Community v2.18.4+); tool-level human-in-the-loop. SSE→Streamable HTTP transport.
- Full walkthrough: n8n + MCP playbook. Export-ready JSON: workflow snippets.