Joining Harvey's MCP Connector Library
Learn how your MCP server can connect to Harvey for customers to power end-to-end legal work.
Last updated: Apr 21, 2026
Overview
Harvey supports MCP (Model Context Protocol), an open standard that allows external tools and data sources to connect directly into Harvey.
As a partner, you can build and integrate an MCP server that users can use without leaving Harvey, helping them work more efficiently across various legal tasks such as:
- Researching specific legal content to synthesize in drafting
- Searching and updating files and contracts
- Embedding preferred data, formats, and visualizations in documents
Harvey is used by over 140K+ legal professionals across 1,500+ law firms and in-house legal teams worldwide. Joining Harvey’s MCP Connector Library puts your tool directly inside the workflows where lawyers do their core work without requiring them to leave Harvey or switch context.
Harvey acts as the client to retrieve user credentials, make requests to your server, and surface the response inside Harvey's interface. A workspace administrator must explicitly enable your connector before any user in their organization can connect to it within Harvey.
Enabling Your Connector
To join Harvey’s MCP Connector Library, fill out this form. We’ll ask that you submit information regarding how your tool operates and is built, including security protocols, for us to review.
How the Connection Works
Once a workspace admin enables your connector within Harvey, users can authenticate with your service to connect their accounts. Harvey handles the authentication handshake, stores the user's token securely, and routes requests to your server on their behalf.
Authentication Requirements
Harvey implements the MCP Authorization Specification (2025-11-25). Harvey recommends your MCP server supports the following:
Requirement | Details |
|---|---|
OAuth 2.1 with PKCE (S256) | Required. Harvey uses PKCE for all authorization flows. Your server must support the S256 code challenge method. |
RFC 8414 — AS Metadata | Required. Harvey fetches your server's OAuth metadata before initiating any login. Publish a valid metadata document at the standard well-known endpoint. |
RFC 9728 — PRM Discovery | Required. Harvey verifies your declared authorization server before proceeding. |
HTTPS | Required. Harvey rejects any connector URL not using HTTPS. |
RFC 7591 — Dynamic Client Registration | Optional. If supported, Harvey will auto-register itself as an OAuth client, simplifying setup. |
Data Handling
Harvey's controls cover authentication, token storage, access scoping, and audit logging within Harvey. Once data reaches your MCP server, it is subject to your own privacy policy, data handling practices, and customer agreements.
Current Platform Limitations
Harvey's MCP client is actively evolving. The following Harvey limitations are relevant when designing your integration:
Harvey Limitation | What It Means |
|---|---|
No runtime write-action confirmation | Harvey does not currently prompt users before a connected tool executes a write action. Partners should design write access scope carefully and consider implementing the minimum level of scope required for intended user functionality. Harvey will assess your holistic security posture as part of evaluating Connector Library partners. |
No capability disclosure at connect time | Individual users are not shown which read vs. write operations your connector can perform before they authenticate. Partners should consider having clear admin documentation so that Harvey customer admins can properly assess the full feature set. |
Token revocation not automatic | Disconnecting in Harvey wipes the stored token but does not call your identity provider's revocation endpoint. If you require immediate revocation, surface a revocation flow on your side as well. |
Additional Information
If you’d like more information about listing your connector, you can reach out to our partnerships team at partnerships@harvey.ai.