Ovh Api Mcp

authSTDIOregistry active

Summary

Gives Claude direct access to the OVH API for managing cloud infrastructure, DNS, domains, and other OVH services. Exposes two JavaScript-based tools: search to explore the OpenAPI spec and find endpoints, and execute to make authenticated API calls. All code runs in a sandboxed QuickJS engine with resource limits and spec validation. Supports both traditional API keys and OAuth2 service accounts. Built in Rust, runs via stdio for Claude Desktop or HTTP for Docker deployments. Still early release, so keep it local and don't expose it publicly. Useful when you need to script OVH operations like DNS record updates, domain management, or cloud resource provisioning without leaving your AI workflow.

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

ovh-api-mcp

A native Model Context Protocol (MCP) server that gives LLMs full access to the OVH API (v1 and v2). Built in Rust for minimal footprint (~19 MB Docker image, ~1.2 MiB RAM).

Early Release — Designed for local development use. Security hardening has been applied (sandboxed execution, spec validation, secret protection), but the server has not been battle-tested at scale. Do not expose it to the public internet. Feedback and bug reports are welcome.

How it works

The server exposes two MCP tools:

Tool	Description
`search`	Explore the OVH OpenAPI spec using JavaScript — find endpoints, inspect schemas, read parameters
`execute`	Call any OVH API endpoint using JavaScript — authentication is handled transparently

The LLM writes JavaScript that runs inside a sandboxed QuickJS engine with resource limits (memory, CPU timeout, stack size). Every API call is validated against the loaded OpenAPI spec before execution.

The server supports two transport modes:

HTTP (Streamable HTTP) — for web-based clients and Docker deployments
stdio — for direct integration with Claude Desktop, Cursor, and MCP inspectors

OVH credentials are optional at startup: the server starts and exposes its tools even without API keys. Tools return a clear error when called without credentials.

Quick start

With stdio (Claude Desktop / Cursor)

Add to your MCP client configuration:

{
  "mcpServers": {
    "ovh-api": {
      "command": "ovh-api-mcp",
      "args": ["--transport", "stdio"],
      "env": {
        "OVH_APPLICATION_KEY": "your_app_key",
        "OVH_APPLICATION_SECRET": "your_app_secret",
        "OVH_CONSUMER_KEY": "your_consumer_key"
      }
    }
  }
}

With Docker

docker run -d --name ovh-api \
  -e OVH_APPLICATION_KEY=your_app_key \
  -e OVH_APPLICATION_SECRET=your_app_secret \
  -e OVH_CONSUMER_KEY=your_consumer_key \
  -p 3104:3104 \
  ghcr.io/davidlandais/ovh-api-mcp:latest

From source

cargo install --git https://github.com/davidlandais/ovh-api-mcp

export OVH_APPLICATION_KEY=your_app_key
export OVH_APPLICATION_SECRET=your_app_secret
export OVH_CONSUMER_KEY=your_consumer_key

ovh-api-mcp --port 3104

Pre-built binaries

Download from GitHub Releases — available for macOS (x86_64, aarch64) and Linux (x86_64 musl).

Claude Code configuration (HTTP mode)

{
  "mcpServers": {
    "ovh-api": {
      "type": "http",
      "url": "http://localhost:3104/mcp",
      "headers": {
        "Authorization": "Bearer local"
      }
    }
  }
}

The Authorization header is required to bypass Claude Code's OAuth discovery. See claude-code#2831.

OVH credentials

You need three values: an application key, an application secret, and a consumer key.

Go to the token creation page for your region, log in with your OVH account, set the permissions and validity, and you'll get all three keys at once:

Region	URL
Europe	https://auth.eu.ovhcloud.com/api/createToken
Canada	https://auth.ca.ovhcloud.com/api/createToken
US	https://auth.us.ovhcloud.com/api/createToken

For full API access, set all four methods (GET, POST, PUT, DELETE) with path /*.

OAuth2 authentication (service accounts)

As an alternative to API keys, you can use OVH service accounts with OAuth2 client credentials:

Variable	Description
`OVH_CLIENT_ID`	Service account ID
`OVH_CLIENT_SECRET`	Service account secret

Service accounts are created via the OVH API (POST /me/api/oauth2/client with flow: CLIENT_CREDENTIALS). You must then create an IAM policy (POST /v2/iam/policy) to grant API permissions to the service account. See the OVHcloud documentation for details.

The server auto-detects the auth mode from environment variables. Do not set both API keys and OAuth2 credentials at the same time.

CLI options

Options:
  --transport <TRANSPORT>        Transport mode: http, stdio [env: OVH_TRANSPORT] [default: http]
  --port <PORT>                  Port to listen on [env: PORT] [default: 3104]
  --host <HOST>                  Host to bind to [default: 127.0.0.1]
  --endpoint <ENDPOINT>          OVH API endpoint: eu, ca, us [env: OVH_ENDPOINT] [default: eu]
  --app-key <APP_KEY>            OVH application key [env: OVH_APPLICATION_KEY]
  --app-secret <APP_SECRET>      OVH application secret [env: OVH_APPLICATION_SECRET]
  --consumer-key <CONSUMER_KEY>  OVH consumer key [env: OVH_CONSUMER_KEY]
  --client-id <CLIENT_ID>        OVH OAuth2 client ID [env: OVH_CLIENT_ID]
  --client-secret <CLIENT_SECRET> OVH OAuth2 client secret [env: OVH_CLIENT_SECRET]
  --services <SERVICES>          Services to load, comma-separated or "*" [env: OVH_SERVICES] [default: *]
  --cache-dir <PATH>             Directory to cache the merged spec [env: OVH_CACHE_DIR]
  --cache-ttl <SECONDS>          Cache TTL in seconds, 0 to disable [env: OVH_CACHE_TTL] [default: 86400]
  --no-cache                     Disable spec caching entirely
  --max-code-size <BYTES>        Maximum code input size [env: OVH_MAX_CODE_SIZE] [default: 1048576]

Usage examples

Once connected, the LLM can use the tools like this:

Search for DNS endpoints:

// search tool
(spec) => {
  const results = [];
  for (const [path, methods] of Object.entries(spec.paths)) {
    if (path.includes("/domain/zone")) {
      for (const [method, op] of Object.entries(methods)) {
        results.push({ method: method.toUpperCase(), path, summary: op.summary });
      }
    }
  }
  return results;
}

List your domain zones:

// execute tool
async () => await ovh.request({ method: "GET", path: "/v1/domain/zone" })

Get DNS records for a domain:

// execute tool
async () => {
  const records = await ovh.request({
    method: "GET",
    path: "/v1/domain/zone/example.com/record"
  });
  const details = [];
  for (const id of records.slice(0, 10)) {
    details.push(await ovh.request({
      method: "GET",
      path: `/v1/domain/zone/example.com/record/${id}`
    }));
  }
  return details;
}

Security

Sandboxed execution — JavaScript runs in QuickJS with memory limit (64 MiB), stack limit (1 MiB), and execution timeout (10s for search, 30s for execute)
Spec-validated API calls — every ovh.request() call is matched against the loaded OpenAPI spec; unknown endpoints or wrong HTTP methods are rejected
Path injection prevention — API paths containing ?, #, or .. are rejected
Secret protection — app_secret and consumer_key are stored using secrecy (zeroized on drop)
No HTTP redirects — prevents credential leakage to third-party domains
Non-root container — Docker image runs as unprivileged user

Architecture

src/
  main.rs      CLI, logging, transport selection (HTTP/stdio), graceful shutdown
  tools.rs     MCP tool definitions (search, execute) via rmcp macros
  sandbox.rs   QuickJS sandboxed JS execution with resource limits
  auth.rs      OVH API client with signature, clock sync, request handling
  spec.rs      OpenAPI spec fetching, caching, merging, and path validation
  types.rs     Input types for MCP tool parameters

License

MIT — David Landais

Featured

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

Configuration

OVH_APPLICATION_KEY*

OVH API application key

OVH_APPLICATION_SECRET*secret

OVH API application secret

OVH_CONSUMER_KEY*secret

OVH API consumer key

OVH_ENDPOINTdefault: eu

OVH API region: eu, ca, or us

OVH_SERVICESdefault: *

Comma-separated OVH API services, or * for all

OVH_CLIENT_ID

OVH OAuth2 client ID (service account, alternative to API keys)

OVH_CLIENT_SECRETsecret

OVH OAuth2 client secret (service account)

Registryactive

Packageghcr.io/davidlandais/ovh-api-mcp:0.3.0

TransportSTDIO

AuthRequired

UpdatedMar 13, 2026

View on GitHub

ovh-api-mcp

A native Model Context Protocol (MCP) server that gives LLMs full access to the OVH API (v1 and v2). Built in Rust for minimal footprint (~19 MB Docker image, ~1.2 MiB RAM).

Early Release — Designed for local development use. Security hardening has been applied (sandboxed execution, spec validation, secret protection), but the server has not been battle-tested at scale. Do not expose it to the public internet. Feedback and bug reports are welcome.

How it works

The server exposes two MCP tools:

Tool	Description
`search`	Explore the OVH OpenAPI spec using JavaScript — find endpoints, inspect schemas, read parameters
`execute`	Call any OVH API endpoint using JavaScript — authentication is handled transparently

The server supports two transport modes:

HTTP (Streamable HTTP) — for web-based clients and Docker deployments
stdio — for direct integration with Claude Desktop, Cursor, and MCP inspectors

OVH credentials are optional at startup: the server starts and exposes its tools even without API keys. Tools return a clear error when called without credentials.

Quick start

With stdio (Claude Desktop / Cursor)

Add to your MCP client configuration:

{
  "mcpServers": {
    "ovh-api": {
      "command": "ovh-api-mcp",
      "args": ["--transport", "stdio"],
      "env": {
        "OVH_APPLICATION_KEY": "your_app_key",
        "OVH_APPLICATION_SECRET": "your_app_secret",
        "OVH_CONSUMER_KEY": "your_consumer_key"
      }
    }
  }
}

With Docker

docker run -d --name ovh-api \
  -e OVH_APPLICATION_KEY=your_app_key \
  -e OVH_APPLICATION_SECRET=your_app_secret \
  -e OVH_CONSUMER_KEY=your_consumer_key \
  -p 3104:3104 \
  ghcr.io/davidlandais/ovh-api-mcp:latest

From source

cargo install --git https://github.com/davidlandais/ovh-api-mcp

export OVH_APPLICATION_KEY=your_app_key
export OVH_APPLICATION_SECRET=your_app_secret
export OVH_CONSUMER_KEY=your_consumer_key

ovh-api-mcp --port 3104

Pre-built binaries

Download from GitHub Releases — available for macOS (x86_64, aarch64) and Linux (x86_64 musl).

Claude Code configuration (HTTP mode)

{
  "mcpServers": {
    "ovh-api": {
      "type": "http",
      "url": "http://localhost:3104/mcp",
      "headers": {
        "Authorization": "Bearer local"
      }
    }
  }
}

The Authorization header is required to bypass Claude Code's OAuth discovery. See claude-code#2831.

OVH credentials

You need three values: an application key, an application secret, and a consumer key.

Go to the token creation page for your region, log in with your OVH account, set the permissions and validity, and you'll get all three keys at once:

Region	URL
Europe	https://auth.eu.ovhcloud.com/api/createToken
Canada	https://auth.ca.ovhcloud.com/api/createToken
US	https://auth.us.ovhcloud.com/api/createToken

For full API access, set all four methods (GET, POST, PUT, DELETE) with path /*.

OAuth2 authentication (service accounts)

As an alternative to API keys, you can use OVH service accounts with OAuth2 client credentials:

Variable	Description
`OVH_CLIENT_ID`	Service account ID
`OVH_CLIENT_SECRET`	Service account secret

The server auto-detects the auth mode from environment variables. Do not set both API keys and OAuth2 credentials at the same time.

CLI options

Options:
  --transport <TRANSPORT>        Transport mode: http, stdio [env: OVH_TRANSPORT] [default: http]
  --port <PORT>                  Port to listen on [env: PORT] [default: 3104]
  --host <HOST>                  Host to bind to [default: 127.0.0.1]
  --endpoint <ENDPOINT>          OVH API endpoint: eu, ca, us [env: OVH_ENDPOINT] [default: eu]
  --app-key <APP_KEY>            OVH application key [env: OVH_APPLICATION_KEY]
  --app-secret <APP_SECRET>      OVH application secret [env: OVH_APPLICATION_SECRET]
  --consumer-key <CONSUMER_KEY>  OVH consumer key [env: OVH_CONSUMER_KEY]
  --client-id <CLIENT_ID>        OVH OAuth2 client ID [env: OVH_CLIENT_ID]
  --client-secret <CLIENT_SECRET> OVH OAuth2 client secret [env: OVH_CLIENT_SECRET]
  --services <SERVICES>          Services to load, comma-separated or "*" [env: OVH_SERVICES] [default: *]
  --cache-dir <PATH>             Directory to cache the merged spec [env: OVH_CACHE_DIR]
  --cache-ttl <SECONDS>          Cache TTL in seconds, 0 to disable [env: OVH_CACHE_TTL] [default: 86400]
  --no-cache                     Disable spec caching entirely
  --max-code-size <BYTES>        Maximum code input size [env: OVH_MAX_CODE_SIZE] [default: 1048576]

Usage examples

Once connected, the LLM can use the tools like this:

Search for DNS endpoints:

// search tool
(spec) => {
  const results = [];
  for (const [path, methods] of Object.entries(spec.paths)) {
    if (path.includes("/domain/zone")) {
      for (const [method, op] of Object.entries(methods)) {
        results.push({ method: method.toUpperCase(), path, summary: op.summary });
      }
    }
  }
  return results;
}

List your domain zones:

// execute tool
async () => await ovh.request({ method: "GET", path: "/v1/domain/zone" })

Get DNS records for a domain:

// execute tool
async () => {
  const records = await ovh.request({
    method: "GET",
    path: "/v1/domain/zone/example.com/record"
  });
  const details = [];
  for (const id of records.slice(0, 10)) {
    details.push(await ovh.request({
      method: "GET",
      path: `/v1/domain/zone/example.com/record/${id}`
    }));
  }
  return details;
}

Security

Sandboxed execution — JavaScript runs in QuickJS with memory limit (64 MiB), stack limit (1 MiB), and execution timeout (10s for search, 30s for execute)
Spec-validated API calls — every ovh.request() call is matched against the loaded OpenAPI spec; unknown endpoints or wrong HTTP methods are rejected
Path injection prevention — API paths containing ?, #, or .. are rejected
Secret protection — app_secret and consumer_key are stored using secrecy (zeroized on drop)
No HTTP redirects — prevents credential leakage to third-party domains
Non-root container — Docker image runs as unprivileged user

Architecture

src/
  main.rs      CLI, logging, transport selection (HTTP/stdio), graceful shutdown
  tools.rs     MCP tool definitions (search, execute) via rmcp macros
  sandbox.rs   QuickJS sandboxed JS execution with resource limits
  auth.rs      OVH API client with signature, clock sync, request handling
  spec.rs      OpenAPI spec fetching, caching, merging, and path validation
  types.rs     Input types for MCP tool parameters

License

MIT — David Landais