# BambooHR Managed MCP Server


---
title: BambooHR Managed MCP Server
latest-operator-version: v26.1.5
latest-console-tag: v3.7.4
latest-connect-version: 4.96.1
latest-redpanda-tag: v26.1.10
docname: managed/bamboohr
page-component-name: agentic-data-plane
page-version: master
page-component-version: master
page-component-title: Agentic Data Plane
page-relative-src-path: managed/bamboohr.adoc
page-edit-url: https://github.com/redpanda-data/adp-docs/edit/main/modules/connect/pages/managed/bamboohr.adoc
description: Let agents read BambooHR employee, time-off, and performance data with each caller's BambooHR OAuth identity.
page-topic-type: how-to
personas: agent_builder, platform_engineer
learning-objective-1: Configure the BambooHR managed MCP server with a BambooHR subdomain and user-delegated OAuth
learning-objective-2: Identify the BambooHR tools available to agents
learning-objective-3: Test BambooHR tool calls with an authorized user's connection
page-git-created-date: "2026-05-28"
page-git-modified-date: "2026-06-10"
---

<!-- Source: https://docs.redpanda.com/agentic-data-plane/connect/managed/bamboohr.md -->

The **BambooHR** managed MCP server lets agents read BambooHR employee directory, time-off, and performance data with the calling user’s OAuth identity. The BambooHR configuration stores the company subdomain and the name of the BambooHR [OAuth Provider](https://docs.redpanda.com/agentic-data-plane/reference/glossary/#oauth-provider) to authenticate against. OAuth credentials and user tokens come from that provider and the [token vault](https://docs.redpanda.com/agentic-data-plane/reference/glossary/#token-vault).

After reading this page, you will be able to:

-   Configure the BambooHR managed MCP server with a BambooHR subdomain and user-delegated OAuth

-   Identify the BambooHR tools available to agents

-   Test BambooHR tool calls with an authorized user’s connection


## What this MCP server does

Use BambooHR when an agent needs HR context from BambooHR without sharing one upstream API key across every caller. Each caller authorizes with BambooHR, and tool calls run with the BambooHR permissions available to that caller.

| Tool | What it does |
| --- | --- |
| `get_employee` | Fetches a single employee by ID. Use employee ID `0` to return the authenticated user’s own record. You can pass a comma-separated fields list, or leave it empty to return all fields the caller can access. |
| `get_employee_directory` | Lists all employee directory entries visible to the authenticated user. |
| `get_time_off_requests` | Queries time-off requests by date range. You can filter by employee ID, status, or time-off type. Supported statuses are `approved`, `denied`, `superceded`, `requested`, and `canceled`. |
| `whos_out` | Returns absences and holidays in a date range. If you omit dates, the server starts with today and ends 14 days later. |
| `get_performance_feedback` | Returns peer or manager feedback for an employee. You can filter by completed, pending, or all feedback. |

## Prerequisites

-   A BambooHR workspace where you can create an OAuth 2.0 application.

-   A BambooHR OAuth Provider in Redpanda ADP. BambooHR OAuth authorize and token endpoints include your company subdomain.

-   A BambooHR company subdomain, such as `mycompany` for `mycompany.bamboohr.com`. The managed config accepts letters, numbers, and hyphens.

-   BambooHR users with the permissions required to read the employee, time-off, or performance data your agent needs.


## Configure BambooHR OAuth

In BambooHR, create an OAuth 2.0 application in the BambooHR developer settings. Use the OAuth callback URL for your AI Gateway deployment.

Register a BambooHR OAuth Provider in ADP with tenant-specific endpoints:

```text
Authorization endpoint: https://api.bamboohr.com/api/gateway.php/<subdomain>/v1/oauth2/authorize
Token endpoint:         https://api.bamboohr.com/api/gateway.php/<subdomain>/v1/oauth2/token
```

Store the BambooHR client secret in the ADP secret store, then reference that secret from the OAuth Provider.

## Create the managed MCP server

Create a managed MCP server with the BambooHR type. Set the `subdomain` field and reference the BambooHR OAuth Provider under the `userOauth` auth variant. BambooHR supports per-user OAuth only, so the `userOauth` block is required.

The BambooHR managed config holds the company subdomain and the OAuth provider to authenticate against:

```json
{
  "@type": "type.googleapis.com/redpanda.mcps.bamboohr.v1.BambooHRMCPConfig",
  "subdomain": "mycompany",
  "userOauth": {
    "providerName": "bamboohr"
  }
}
```

`userOauth.providerName` is the resource name of the BambooHR OAuth Provider you registered. The provider’s stored per-user token is injected on each tool call.

## Authorize and test

Before a caller can use BambooHR tools, the caller must authorize the BambooHR OAuth Provider. After authorization, Redpanda stores the user’s access token in the token vault and subsequent tool calls use that token automatically.

Test the server in the Inspector before you connect it to an agent. Start with `get_employee_directory` or `get_employee` with employee ID `0`, because both calls confirm that the user’s OAuth connection resolves and BambooHR returns data visible to that user.

## Troubleshooting

| Symptom | What to check |
| --- | --- |
| Tool calls return permission errors | Confirm the BambooHR user can access the requested HR data. Restricted BambooHR roles can return permission errors, especially for performance data. |
| OAuth succeeds, but tool calls fail | Confirm the OAuth Provider endpoints use the same BambooHR subdomain as the MCP server configuration. |
| The server cannot find the BambooHR company | Confirm `subdomain` contains only the part before `.bamboohr.com`, such as `mycompany`. |
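
A preflight check for the two configuration mismatches in the table above, added here as an example (not Redpanda's or BambooHR's code): it validates the `subdomain` value and confirms that both OAuth Provider endpoints use the documented URL shape with the same subdomain. The function name `check_bamboohr_setup` and the sample values are hypothetical, and the endpoints are passed as plain strings because this page does not show the OAuth Provider resource format.

```python
import re
from urllib.parse import urlsplit

# Character set this page gives for the managed config's subdomain field.
SUBDOMAIN_RE = re.compile(r"[A-Za-z0-9-]+")
# Endpoint shape from "Configure BambooHR OAuth"; group 1 is the tenant subdomain.
ENDPOINT_PATH_RE = re.compile(r"/api/gateway\.php/([^/]+)/v1/oauth2/(authorize|token)")


def check_bamboohr_setup(mcp_config, authorize_url, token_url):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    subdomain = mcp_config.get("subdomain", "")
    if not SUBDOMAIN_RE.fullmatch(subdomain):
        problems.append(
            f"subdomain {subdomain!r}: use only the part before .bamboohr.com "
            "(letters, numbers, hyphens)"
        )
    if not mcp_config.get("userOauth", {}).get("providerName"):
        problems.append("userOauth.providerName is required (per-user OAuth only)")

    for kind, url in (("authorize", authorize_url), ("token", token_url)):
        parts = urlsplit(url)
        match = ENDPOINT_PATH_RE.fullmatch(parts.path)
        # A client secret or auth code must only ever go to the BambooHR API host.
        if parts.scheme != "https" or parts.hostname != "api.bamboohr.com":
            problems.append(f"{kind} endpoint: expected https://api.bamboohr.com, got {url!r}")
        elif not match or match.group(2) != kind:
            problems.append(f"{kind} endpoint: path does not match the documented shape")
        # Assumption: subdomains are compared case-insensitively.
        elif match.group(1).lower() != subdomain.lower():
            problems.append(
                f"{kind} endpoint: subdomain {match.group(1)!r} differs from "
                f"MCP config subdomain {subdomain!r}"
            )
    return problems


# Constructed sample values, not taken from a real deployment.
BASE = "https://api.bamboohr.com/api/gateway.php"
GOOD_CONFIG = {"subdomain": "mycompany", "userOauth": {"providerName": "bamboohr"}}
BAD_CONFIG = {"subdomain": "mycompany.bamboohr.com", "userOauth": {"providerName": "bamboohr"}}

if __name__ == "__main__":
    for cfg, tenant in ((GOOD_CONFIG, "mycompany"), (GOOD_CONFIG, "othercorp"), (BAD_CONFIG, "mycompany")):
        print(check_bamboohr_setup(cfg, f"{BASE}/mycompany/v1/oauth2/authorize",
                                   f"{BASE}/{tenant}/v1/oauth2/token"))
```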

## Next steps

-   [Configure User-Delegated OAuth](https://docs.redpanda.com/agentic-data-plane/connect/user-delegated-oauth/)

-   [Test an MCP Server’s Tools with the Inspector](https://docs.redpanda.com/agentic-data-plane/connect/test-tools/)

-   [Create an Agent](https://docs.redpanda.com/agentic-data-plane/connect/create-agent/)