WorkSpaces Applications MCP server
The WorkSpaces Applications MCP server is a fully managed service that provides AI agents with Model Context Protocol (MCP) tools to interact with desktop applications during streaming sessions. Agents can click buttons, enter text, scroll, and take screenshots of the desktop.
Overview
When you enable agent access on a stack, agents can connect to the managed MCP server to interact with desktop applications. The MCP server handles the communication between your agent and the streaming session. Your agent sends MCP tool requests, and the server executes them on the desktop.
The MCP server is hosted in the AWS cloud. You don't need to install or maintain any server components. The server uses Streamable HTTP as its transport protocol.
Agent access supports both non-domain-joined and domain-joined fleets. The connection method differs by fleet type. Non-domain-joined fleets authenticate the session with a streaming URL, while domain-joined fleets authenticate through SAML federation. For the path that matches your fleet, see Connecting to the MCP server.
Connecting to the MCP server
Agents connect to the MCP server at the following endpoint:
https://agentaccess-mcp.region.api.aws/mcp
The MCP server is hosted in the AWS cloud and uses Streamable HTTP as its transport protocol. You don't need to install or maintain any server components.
Every request must be SigV4-signed using IAM credentials with the service
name agentaccess-mcp. The following Python example shows the
general connection pattern using mcp-proxy-for-aws:
from mcp_proxy_for_aws import aws_iam_streamablehttp_client async with aws_iam_streamablehttp_client( endpoint="https://agentaccess-mcp.region.api.aws/mcp", aws_service="agentaccess-mcp", aws_region="region", headers={ # Fleet-type-specific headers (see the following subsections) }, metadata={ # Fleet-type-specific metadata (see the following subsections) }, ) as (read, write, _): # Use read/write streams with your MCP client ...
For other languages, write your own SigV4 signing logic for outgoing MCP
requests or use a library that supports SigV4 signing. For more information
about mcp-proxy-for-aws, see
mcp-proxy-for-aws
How you authenticate the streaming session depends on your fleet type:
-
Non-domain-joined fleets — Pass a streaming URL as a header. See Connecting with non-domain-joined fleets.
-
Domain-joined fleets — Pass a signed SAML assertion as metadata. See Connecting with domain-joined fleets.
Note
At any given time, only one agent can connect to a unique session.
Named users, specified through the UserId parameter, can
have only one active session per fleet at a time. To run multiple agents
concurrently, each agent must connect to its own unique session.
Connecting with non-domain-joined fleets
For non-domain-joined fleets, generate a streaming URL using the
CreateStreamingURL API and pass it as the
X-Amzn-AgentAccess-Streaming-Session-Url header on every
request. No agent-specific parameters are required. The agent behavior is
determined by the stack's agent access configuration.
import boto3 from mcp_proxy_for_aws import aws_iam_streamablehttp_client # Generate streaming URL appstream = boto3.client("appstream", region_name="region") response = appstream.create_streaming_url( StackName="stack-name", FleetName="fleet-name", UserId="user-id", ) streaming_url = response["StreamingURL"] # Connect to MCP server async with aws_iam_streamablehttp_client( endpoint="https://agentaccess-mcp.region.api.aws/mcp", aws_service="agentaccess-mcp", aws_region="region", headers={ "X-Amzn-AgentAccess-Streaming-Session-Url": streaming_url, }, ) as (read, write, _): ...
For more information about the CreateStreamingURL API, see
CreateStreamingURL
in the Amazon WorkSpaces Applications 2.0 API Reference.
Connecting with domain-joined fleets
When agents access domain-joined streaming instances, the connection must be federated through a SAML provider. This requirement applies to both traditional and agent sessions. For agent sessions, Certificate-Based Authentication is required.
Because domain-joined streaming instances require access through SAML,
your MCP client must provide a signed SAML assertion instead of a
streaming URL. Encoded SAML assertions exceed HTTP header size limits. To
avoid this, use the metadata field in
mcp-proxy-for-aws:
from mcp_proxy_for_aws import aws_iam_streamablehttp_client # saml_response: your signed, base64-encoded SAML assertion # stack_arn: the ARN of the AppStream stack for the AD user async with aws_iam_streamablehttp_client( endpoint="https://agentaccess-mcp.region.api.aws/mcp", aws_service="agentaccess-mcp", aws_region="region", metadata={ "saml_response": saml_response, "stack_arn": stack_arn, }, ) as (read, write, _): ...
Note
The metadata parameter was added in
mcp-proxy-for-aws version 1.6.1. Earlier versions cannot
inject the _meta field without additional development. To
upgrade, run pip install -U mcp-proxy-for-aws.
For more information about setting up SAML federation with WorkSpaces Applications, see
Setting
up SAML in the Amazon WorkSpaces Applications Administration
Guide. For more information and a complete working example, see
the
sample-code-for-workspaces-agent-access
Connection modes
You can control how your agent waits for the desktop session to become
available by setting the X-Amzn-AgentAccess-Connect-Mode header
on your MCP requests.
Note
Connection modes apply to both non-domain-joined and domain-joined
fleets. Set the X-Amzn-AgentAccess-Connect-Mode header
alongside whichever authentication mechanism your fleet type uses (the
streaming-URL header for non-domain-joined fleets, or the SAML assertion
metadata for domain-joined fleets).
The following modes are available:
-
BLOCKING (default) — The MCP server waits until the desktop connection is fully established before responding. When
tools/listreturns, all tools are immediately available. -
POLLING — The MCP server responds immediately without waiting for the desktop connection. Initially, only the
connection_statustool is available. Your agent polls this tool until the connection is established, at which point the full tool set becomes available.
Use POLLING mode when you want your agent to perform other work while waiting for the desktop connection, or when you need more control over connection timeout behavior.
The following example shows how to use POLLING mode:
# Pass the header when creating the MCP connection headers = { "X-Amzn-AgentAccess-Streaming-Session-Url": streaming_url, # non-domain-joined fleets "X-Amzn-AgentAccess-Connect-Mode": "POLLING", } # After initialize, tools/list returns immediately with connection_status tools = await session.list_tools() # tools = [connection_status] # Poll connection_status until the desktop is ready while True: result = await session.call_tool("connection_status", {}) status = json.loads(result.content[0].text) if status["state"] == "CONNECTED": break time.sleep(2) # Now tools/list returns the full set (screenshot, left_click, type_text, etc.) tools = await session.list_tools()
Session cleanup
You can control whether the streaming session is expired when your agent
ends its connection by setting the
X-Amzn-AgentAccess-Expire-Streaming-Session-On-Delete header on
your MCP requests. The following values are available:
-
true — When your agent sends an explicit HTTP
DELETErequest, the MCP server expires the WorkSpaces Applications streaming session as part of cleanup. Expiring the session terminates the underlying streaming instance and triggers the fleet's configured autoscaling policy. For more information, see Fleet Auto Scaling for Amazon WorkSpaces Applications. -
false (default) — The streaming session continues running until the disconnect timeout is reached. For more information about the disconnect timeout, see Create a Fleet in Amazon WorkSpaces Applications.
Note
By default, an mcp-proxy-for-aws MCP client automatically
handles the DELETE request when you properly end the client
lifecycle.
Available tools
The MCP server provides the following tools for agents to interact with
the desktop during a streaming session. All tool names use the
agentaccess___ prefix.
Mouse tools
left_click-
Perform a left click at the given coordinates.
Parameters:
x(required),y(required),modifiers(optional, for examplectrlorctrl+shift). double_click-
Perform a double click at the given coordinates.
Parameters:
x(required),y(required),modifiers(optional). triple_click-
Perform a triple click at the given coordinates.
Parameters:
x(required),y(required),modifiers(optional). right_click-
Perform a right click at the given coordinates.
Parameters:
x(required),y(required),modifiers(optional). middle_click-
Perform a middle click at the given coordinates.
Parameters:
x(required),y(required),modifiers(optional). left_click_drag-
Perform a left click drag from start coordinates to end coordinates.
Parameters:
start_x(required),start_y(required),end_x(required),end_y(required). left_mouse_down-
Press and hold the left mouse button at the given coordinates.
Parameters:
x(required),y(required),modifiers(optional). left_mouse_up-
Release the left mouse button at the given coordinates.
Parameters:
x(required),y(required),modifiers(optional). move_pointer-
Move the pointer to the given coordinates.
Parameters:
x(required),y(required). scroll-
Scroll the mouse wheel at the given coordinates.
Parameters:
x(required),y(required),scroll_direction(required —Up,Down,Left, orRight),scroll_amount(required — in ticks, where 120 ticks equals one wheel notch),modifiers(optional).
Keyboard tools
type_text-
Type text by simulating keyboard events for each character.
Parameters:
text(required — up to 10,000 characters). key-
Press a key or key combination.
Parameters:
keys(required — a single key or combination joined by+, for examplea,ctrl+c, orctrl+shift+s). hold_key-
Hold a key or key combination for a specified duration.
Parameters:
keys(required),duration(required — 1 to 30 seconds).
Screen tools
screenshot-
Capture a screenshot of the desktop. The returned image dimensions define the coordinate space for all mouse tools.
Parameters:
include_cursor(optional — defaults tofalse).
MCP tool forwarding
MCP tool forwarding allows agents to interact with applications and the desktop operating system through direct MCP calls rather than using computer use tools. When you enable tool forwarding, the MCP server forwards tools configured on the WorkSpaces application session to your agent.
Setting up tool forwarding
To set up MCP tool forwarding:
-
Enable tool forwarding — Turn on the
FORWARD_MCP_TOOLSagent action through the API or console settings. -
Verify that the MCP server configuration file is present — The service looks for a configuration file at the following path:
C:\ProgramData\NICE\dcv\mcp_server_redirection_config.json -
Configure the MCP server on the WorkSpace image — The configuration file is JSON with a single top-level
mcpServersobject. Each key is a unique name that you choose for a server. Each value specifies how to launch that server.{ "mcpServers": { "filesystem": { "command": "C:/path/to/python.exe", "args": ["C:/mcpServerPath/filesystem.py", "C:/UserName/Documents"] }, "weather": { "command": "C:/Program Files/my-mcp/weather.exe" } } }Field Required Type Description commandYes String Absolute path to the executable to launch. argsNo Array of strings Arguments passed to the executable. -
Verify tool availability — If the configuration file is present, the service connects to the MCP servers configured in the file and forwards the tools. The forwarded tools appear when the agent lists its available tools.
Note
Both IAM access and the service setting must be enabled for tool forwarding to work. IAM permissions do not override the service setting.
MCP tool forwarding considerations
Note the following considerations when you configure MCP tool forwarding:
-
Transport is standard I/O (stdio) only. Each entry must launch a process that speaks MCP over its standard input and output. Remote HTTP or SSE MCP endpoints are not supported. To use a remote endpoint, wrap it in a local stdio server.
-
Only
commandandargsare supported. There is no field for environment variables or working directory. Each server inherits the environment of the streaming session and runs as the session user. Use absolute paths forcommandand for any path arguments. -
Use forward slashes in paths (for example,
C:/Program Files/my-mcp/server.exe). JSON treats the backslash as an escape character, so a Windows-style path written with single backslashes is invalid. Windows accepts forward slashes for absolute paths, which avoids the need to escape every separator as\\. -
Tool-call timeout. Each forwarded tool call must complete within 5 seconds. The MCP server cancels calls that take longer and returns an error to the agent. Design forwarded tools to return quickly.
How forwarded tools appear to the agent
To prevent collisions between servers, the MCP server renames each forwarded tool in the agent's tool list using the following pattern:
forwarded___server-name___original-tool-name
The server-name is the key from your
configuration file. For example, a get_forecast tool from the
weather server is listed as
forwarded___weather___get_forecast. When the agent calls the
forwarded name, the MCP server routes the request to the original tool on
the owning server. Agent code that matches on tool names must expect this
prefix.
IAM permissions for tool forwarding
The IAM action for calling forwarded tools is
CallForwardedTool. You can scope access to specific stacks
using the StackArn condition key:
{ "Action": "agentaccess-mcp:*", "Resource": "*", "Condition": { "ArnLike": { "agentaccess-mcp:StackArn": "arn:aws:appstream:region:account-id:stack/stack-name" } } }
Compatible frameworks
You can connect to the WorkSpaces Applications MCP server from any MCP-compatible agent framework that supports Streamable HTTP and SigV4 signing. The following frameworks have been tested:
-
Strands Agents SDK
— Provides native MCP client support. -
mcp-proxy-for-aws
— A lightweight transport that handles SigV4 signing for MCP requests in Python.
Monitoring
You can monitor agent activity through the following services:
-
AWS CloudTrail — Agent session events are logged in CloudTrail. You can view when agents connect, which tools they use, and when sessions end. Tool calls are data events and require that you set up a trail to log data events. For more information, see Logging data events in the CloudTrail User Guide.
-
CloudWatch — Operational metrics for agent sessions are available in CloudWatch.
-
Amazon S3 — If you configure screenshot storage, screenshots captured during agent sessions are available in the Amazon S3 bucket that you specify. Screenshots are stored with the following key format:
agentaccess/screenshots/year=YYYY/month=MM/day=DD/session-id/timestamp.pngThe UUID in the path is the WorkSpaces Applications streaming session ID.
Get started
To get started with the WorkSpaces Applications MCP server, see Get started providing agents with access to WorkSpaces Applications.