BambooHR Managed MCP Server
The BambooHR managed MCP server lets agents read BambooHR employee directory, time-off, and performance data with the calling user’s OAuth identity. The BambooHR configuration stores the company subdomain and the name of the BambooHR OAuth Provider to authenticate against. OAuth credentials and user tokens come from that provider and the token vault.
After reading this page, you will be able to:
-
Configure the BambooHR managed MCP server with a BambooHR subdomain and user-delegated OAuth
-
Identify the BambooHR tools available to agents
-
Test BambooHR tool calls with an authorized user’s connection
What this MCP server does
Use BambooHR when an agent needs HR context from BambooHR without sharing one upstream API key across every caller. Each caller authorizes with BambooHR, and tool calls run with the BambooHR permissions available to that caller.
| Tool | What it does |
|---|---|
|
Fetches a single employee by ID. Use employee ID |
|
Lists all employee directory entries visible to the authenticated user. |
|
Queries time-off requests by date range. You can filter by employee ID, status, or time-off type. Supported statuses are |
|
Returns absences and holidays in a date range. If you omit dates, the server starts with today and ends 14 days later. |
|
Returns peer or manager feedback for an employee. You can filter by |
Prerequisites
-
A BambooHR workspace where you can create an OAuth 2.0 application.
-
A BambooHR OAuth Provider in Redpanda ADP. BambooHR OAuth authorize and token endpoints include your company subdomain.
-
A BambooHR company subdomain, such as
mycompanyformycompany.bamboohr.com. The managed config accepts letters, numbers, and hyphens. -
BambooHR users with the permissions required to read the employee, time-off, or performance data your agent needs.
Configure BambooHR OAuth
In BambooHR, create an OAuth 2.0 application in the BambooHR developer settings. Use the OAuth callback URL for your AI Gateway deployment.
Register a BambooHR OAuth Provider in ADP with tenant-specific endpoints:
Authorization endpoint: https://api.bamboohr.com/api/gateway.php/<subdomain>/v1/oauth2/authorize
Token endpoint: https://api.bamboohr.com/api/gateway.php/<subdomain>/v1/oauth2/tokenStore the BambooHR client secret in the ADP secret store, then reference that secret from the OAuth Provider.
Create the managed MCP server
Create a managed MCP server with the BambooHR type. Set the subdomain field and reference the BambooHR OAuth Provider under the userOauth auth variant. BambooHR supports per-user OAuth only, so the userOauth block is required.
The BambooHR managed config holds the company subdomain and the OAuth provider to authenticate against:
{
"@type": "type.googleapis.com/redpanda.mcps.bamboohr.v1.BambooHRMCPConfig",
"subdomain": "mycompany",
"userOauth": {
"providerName": "bamboohr"
}
}userOauth.providerName is the resource name of the BambooHR OAuth Provider you registered. The provider’s stored per-user token is injected on each tool call.
Authorize and test
Before a caller can use BambooHR tools, the caller must authorize the BambooHR OAuth Provider. After authorization, Redpanda stores the user’s access token in the token vault and subsequent tool calls use that token automatically.
Test the server in the Inspector before you connect it to an agent. Start with get_employee_directory or get_employee with employee ID 0, because both calls confirm that the user’s OAuth connection resolves and BambooHR returns data visible to that user.
Troubleshooting
| Symptom | What to check |
|---|---|
Tool calls return permission errors |
Confirm the BambooHR user can access the requested HR data. Restricted BambooHR roles can return permission errors, especially for performance data. |
OAuth succeeds, but tool calls fail |
Confirm the OAuth Provider endpoints use the same BambooHR subdomain as the MCP server configuration. |
The server cannot find the BambooHR company |
Confirm |
