io.github.davidlandais/ovh-api-mcp
MCP server for the OVH API. Explore and call any OVH endpoint via sandboxed JS.
Ask AI about io.github.davidlandais/ovh-api-mcp
Powered by Claude Β· Grounded in docs
I know everything about io.github.davidlandais/ovh-api-mcp. Ask me about installation, configuration, usage, or troubleshooting.
0/500
Reviews
Documentation
ovh-api-mcp
A native Model Context Protocol (MCP) server that gives LLMs full access to the OVH API (v1 and v2). Built in Rust for minimal footprint (~19 MB Docker image, ~1.2 MiB RAM).
Early Release β Designed for local development use. Security hardening has been applied (sandboxed execution, spec validation, secret protection), but the server has not been battle-tested at scale. Do not expose it to the public internet. Feedback and bug reports are welcome.
How it works
The server exposes two MCP tools:
| Tool | Description |
|---|---|
search | Explore the OVH OpenAPI spec using JavaScript β find endpoints, inspect schemas, read parameters |
execute | Call any OVH API endpoint using JavaScript β authentication is handled transparently |
The LLM writes JavaScript that runs inside a sandboxed QuickJS engine with resource limits (memory, CPU timeout, stack size). Every API call is validated against the loaded OpenAPI spec before execution.
The server supports two transport modes:
- HTTP (Streamable HTTP) β for web-based clients and Docker deployments
- stdio β for direct integration with Claude Desktop, Cursor, and MCP inspectors
OVH credentials are optional at startup: the server starts and exposes its tools even without API keys. Tools return a clear error when called without credentials.
Quick start
With stdio (Claude Desktop / Cursor)
Add to your MCP client configuration:
{
"mcpServers": {
"ovh-api": {
"command": "ovh-api-mcp",
"args": ["--transport", "stdio"],
"env": {
"OVH_APPLICATION_KEY": "your_app_key",
"OVH_APPLICATION_SECRET": "your_app_secret",
"OVH_CONSUMER_KEY": "your_consumer_key"
}
}
}
}
With Docker
docker run -d --name ovh-api \
-e OVH_APPLICATION_KEY=your_app_key \
-e OVH_APPLICATION_SECRET=your_app_secret \
-e OVH_CONSUMER_KEY=your_consumer_key \
-p 3104:3104 \
ghcr.io/davidlandais/ovh-api-mcp:latest
From source
cargo install --git https://github.com/davidlandais/ovh-api-mcp
export OVH_APPLICATION_KEY=your_app_key
export OVH_APPLICATION_SECRET=your_app_secret
export OVH_CONSUMER_KEY=your_consumer_key
ovh-api-mcp --port 3104
Pre-built binaries
Download from GitHub Releases β available for macOS (x86_64, aarch64) and Linux (x86_64 musl).
Claude Code configuration (HTTP mode)
{
"mcpServers": {
"ovh-api": {
"type": "http",
"url": "http://localhost:3104/mcp",
"headers": {
"Authorization": "Bearer local"
}
}
}
}
The
Authorizationheader is required to bypass Claude Code's OAuth discovery. See claude-code#2831.
OVH credentials
You need three values: an application key, an application secret, and a consumer key.
Go to the token creation page for your region, log in with your OVH account, set the permissions and validity, and you'll get all three keys at once:
| Region | URL |
|---|---|
| Europe | https://auth.eu.ovhcloud.com/api/createToken |
| Canada | https://auth.ca.ovhcloud.com/api/createToken |
| US | https://auth.us.ovhcloud.com/api/createToken |
For full API access, set all four methods (GET, POST, PUT, DELETE) with path /*.
OAuth2 authentication (service accounts)
As an alternative to API keys, you can use OVH service accounts with OAuth2 client credentials:
| Variable | Description |
|---|---|
OVH_CLIENT_ID | Service account ID |
OVH_CLIENT_SECRET | Service account secret |
Service accounts are created via the OVH API (POST /me/api/oauth2/client with flow: CLIENT_CREDENTIALS). You must then create an IAM policy (POST /v2/iam/policy) to grant API permissions to the service account. See the OVHcloud documentation for details.
The server auto-detects the auth mode from environment variables. Do not set both API keys and OAuth2 credentials at the same time.
CLI options
Options:
--transport <TRANSPORT> Transport mode: http, stdio [env: OVH_TRANSPORT] [default: http]
--port <PORT> Port to listen on [env: PORT] [default: 3104]
--host <HOST> Host to bind to [default: 127.0.0.1]
--endpoint <ENDPOINT> OVH API endpoint: eu, ca, us [env: OVH_ENDPOINT] [default: eu]
--app-key <APP_KEY> OVH application key [env: OVH_APPLICATION_KEY]
--app-secret <APP_SECRET> OVH application secret [env: OVH_APPLICATION_SECRET]
--consumer-key <CONSUMER_KEY> OVH consumer key [env: OVH_CONSUMER_KEY]
--client-id <CLIENT_ID> OVH OAuth2 client ID [env: OVH_CLIENT_ID]
--client-secret <CLIENT_SECRET> OVH OAuth2 client secret [env: OVH_CLIENT_SECRET]
--services <SERVICES> Services to load, comma-separated or "*" [env: OVH_SERVICES] [default: *]
--cache-dir <PATH> Directory to cache the merged spec [env: OVH_CACHE_DIR]
--cache-ttl <SECONDS> Cache TTL in seconds, 0 to disable [env: OVH_CACHE_TTL] [default: 86400]
--no-cache Disable spec caching entirely
--max-code-size <BYTES> Maximum code input size [env: OVH_MAX_CODE_SIZE] [default: 1048576]
Usage examples
Once connected, the LLM can use the tools like this:
Search for DNS endpoints:
// search tool
(spec) => {
const results = [];
for (const [path, methods] of Object.entries(spec.paths)) {
if (path.includes("/domain/zone")) {
for (const [method, op] of Object.entries(methods)) {
results.push({ method: method.toUpperCase(), path, summary: op.summary });
}
}
}
return results;
}
List your domain zones:
// execute tool
async () => await ovh.request({ method: "GET", path: "/v1/domain/zone" })
Get DNS records for a domain:
// execute tool
async () => {
const records = await ovh.request({
method: "GET",
path: "/v1/domain/zone/example.com/record"
});
const details = [];
for (const id of records.slice(0, 10)) {
details.push(await ovh.request({
method: "GET",
path: `/v1/domain/zone/example.com/record/${id}`
}));
}
return details;
}
Security
- Sandboxed execution β JavaScript runs in QuickJS with memory limit (64 MiB), stack limit (1 MiB), and execution timeout (10s for search, 30s for execute)
- Spec-validated API calls β every
ovh.request()call is matched against the loaded OpenAPI spec; unknown endpoints or wrong HTTP methods are rejected - Path injection prevention β API paths containing
?,#, or..are rejected - Secret protection β
app_secretandconsumer_keyare stored usingsecrecy(zeroized on drop) - No HTTP redirects β prevents credential leakage to third-party domains
- Non-root container β Docker image runs as unprivileged user
Architecture
src/
main.rs CLI, logging, transport selection (HTTP/stdio), graceful shutdown
tools.rs MCP tool definitions (search, execute) via rmcp macros
sandbox.rs QuickJS sandboxed JS execution with resource limits
auth.rs OVH API client with signature, clock sync, request handling
spec.rs OpenAPI spec fetching, caching, merging, and path validation
types.rs Input types for MCP tool parameters
License
MIT β David Landais