Learn Claude Code: MCP Mastery Scopes and Where Configuration Lives

Scopes and Where Configuration Lives

Advanced 🕐 12 min Lesson 3 of 12
What you'll learn
  • Select the right scope for any MCP server — local for personal tooling, project for team sharing, user for cross-project access
  • Understand how claude.ai connectors load, when they silently disappear, and the any-source-true semantics of disableClaudeAiConnectors
  • Use environment variable expansion in .mcp.json to share team configuration without embedding credentials or machine-specific paths

Three scopes, one question: who needs this server?

Every MCP server you add lives in exactly one configuration scope. That scope controls whether the server is visible only to you in the current project, shared with your whole team, or available to you across every project on your machine. Choosing the wrong scope is a common source of confusion — a server you added in one project appears nowhere else, or a server you wanted to keep private ends up in the repository.

Three scopes, two configuration files

Claude Code organizes MCP servers across three scopes, stored in two files:

Local (default)
Private to you, current project only. Stored in ~/.claude.json under that project's path. Other projects on your machine do not see it.
Project
Shared with the team via .mcp.json in the project root. Designed to be committed to version control. All team members see the same servers after accepting the workspace trust dialog.
User
Available to you across all projects. Stored in ~/.claude.json under the top-level mcpServers key. Private to your user account.

Add a server at a specific scope with the --scope flag:

claude mcp add --transport http stripe --scope project https://mcp.stripe.com

Omitting --scope defaults to local. Note that "local scope" for MCP uses ~/.claude.json (your home directory), while general local settings use .claude/settings.local.json (the project directory) — they are different files serving different purposes.

Scope precedence and deduplication

When the same server name is defined in more than one scope, Claude Code connects to it once, using the definition from the highest-precedence source. The order is: local > project > user > plugin-provided servers > claude.ai connectors. The entire entry from the winning source is used — fields are not merged across scopes.

This precedence lets you override a team server with your own local version without touching the shared configuration. Add a local-scope entry with the same name and Claude Code uses your version in that project while your teammates use the shared one.

Project scope and workspace trust

Project-scoped servers from .mcp.json need your approval before Claude Code connects them. This exists because a repository you clone could define servers that run arbitrary processes on your machine — the trust dialog is the gate. The first time you start Claude Code in a project with .mcp.json, Claude Code shows a prompt listing the pending servers. Approve them, and they connect. Reject them, and they stay at "Pending approval" in claude mcp list.

Approvals from your user settings (~/.claude/settings.json), managed settings, --settings, and .claude/settings.local.json apply in untrusted folders. Approvals from the project's .claude/settings.json do not — a cloned repository cannot pre-approve its own servers. To reset approval choices and re-evaluate, run claude mcp reset-project-choices.

How claude.ai connectors fit in — and when they vanish

If you authenticate Claude Code with a claude.ai subscription, MCP servers you have added at claude.ai/customize/connectors load automatically in every session. They appear in /mcp below your manually configured servers with a claude.ai indicator.

Here is the critical catch: connectors only load when your active authentication method is your claude.ai subscription. If you are using ANTHROPIC_API_KEY, ANTHROPIC_AUTH_TOKEN, apiKeyHelper, or a third-party provider like Amazon Bedrock or Google Cloud's Agent Platform, connectors are silently absent — even if you previously ran /login. Run /status inside a session to confirm which authentication method is active. If connectors are missing, that is the first place to check.

A locally configured server takes precedence over a claude.ai connector pointing at the same URL. When this happens, /mcp lists the connector as hidden and shows you how to remove the duplicate if you prefer the connector version.

Disabling connectors: any-source-true semantics

The disableClaudeAiConnectors setting uses any-source-true semantics: if any settings source sets it to true, connectors are disabled — regardless of what other sources say. A project-level false cannot re-enable connectors that a user- or policy-level true has disabled. This is the opposite of the usual override direction. Use it intentionally:

  • A project that should never load cloud connectors can set it to true in .claude/settings.json — and that wins for everyone who opens that project, even if their user settings leave it unset.
  • A policy-level true blocks connectors for the entire organization regardless of what projects or users configure.

For a per-session alternative without touching settings files, set the environment variable before launching:

ENABLE_CLAUDEAI_MCP_SERVERS=false claude

Environment variable expansion in .mcp.json

Project-scope .mcp.json files are committed to version control, which means they should not contain API keys, tokens, or machine-specific paths. Claude Code solves this with environment variable expansion. Two forms are supported:

  • ${VAR} — expands to the value of VAR; fails to parse if VAR is unset
  • ${VAR:-default} — expands to VAR if set, otherwise uses the default

Expansion works in the command, args, env, url, and headers fields. A typical pattern keeps the server URL in the file and reads per-user credentials from the environment:

{"type": "http", "url": "${API_BASE_URL:-https://api.example.com}/mcp", "headers": {"Authorization": "Bearer ${API_KEY}"}}

Each developer sets their own API_KEY in their shell profile. The shared .mcp.json contains no secrets.

Key takeaways
  • Local scope (the default) stores a server in ~/.claude.json under your current project's path — private to you, invisible in other projects even on the same machine
  • Project scope writes to .mcp.json in the project root for version control — every team member gets the same servers after accepting the workspace trust dialog
  • claude.ai connectors load automatically only when your active auth is a claude.ai subscription — they silently disappear when ANTHROPIC_API_KEY or a third-party provider is active, so check /status when connectors go missing
  • disableClaudeAiConnectors uses any-source-true semantics — true in any settings source wins, and a project-level false cannot override a user- or policy-level true
  • Environment variable expansion (${VAR} and ${VAR:-default}) in .mcp.json lets teams share configuration without embedding credentials or machine-specific paths in version-controlled files