hetzner-mcp

hetzner-mcp

Model Context Protocol server for full Hetzner Cloud + Storage API automation. Exposes all official Hetzner operations as MCP tools so AI agents can manage servers, networking, load balancers, firewalls, volumes, DNS zones, and storage boxes from one server.

Category
访问服务器

README

<div align="center">

Hetzner MCP

Model Context Protocol server for full Hetzner Cloud + Storage API automation

Expose all official Hetzner operations as MCP tools so AI agents can manage servers, networking, load balancers, firewalls, volumes, DNS zones, and storage boxes from one server.

PyPI Python MCP License

</div>


Install

pipx install hetzner-mcp
hetzner-mcp install

Then set your token and restart your MCP client:

export HETZNER_TOKEN="your_token_here"

Or configure it once via CLI (persisted local config):

hetzner-mcp auth set --token "your_token_here"

What It Does

hetzner-mcp loads official OpenAPI specs from Hetzner and exposes operations as MCP tools.

  • Full Cloud API coverage: https://api.hetzner.cloud/v1
  • Full Storage API coverage: https://api.hetzner.com/v1
  • Dynamic tool generation from operation IDs
  • Helper tools for discovery, search, and operation schema inspection
  • Action polling helper for async action workflows

Core helper tools

Tool What it does
list_api_operations List all operations with filters (domain/tag/method/query)
search_api_operations Search operations by keyword
get_api_operation_details Inspect full operation details and input schema
list_api_categories List all API categories/tags with docs descriptions
get_api_category_details Explain one category in depth with all endpoints inside
list_api_projects Show configured project profiles and active credential context
set_active_api_project Switch active project profile for agent execution context
wait_for_action Poll cloud/storage actions until completion

All API operations are also exposed directly as tools using the official operation ID names (for example create_server, get_action, create_storage_box).

For agent-friendly documentation, every endpoint and category also has dedicated guide tools:

  • Endpoint guide tool pattern: guide_<operation_id>
    • Example: guide_create_server
  • Category guide tool pattern: category_guide_<api_domain>_<category_slug>
    • Example: category_guide_cloud_servers

These guide tools include docs text from the OpenAPI documentation, explicit purpose, parameter explanations, and example tool arguments.

Docs-first execution lock (required)

This server enforces a docs-first workflow for endpoint execution:

  1. Call guide_<operation_id> first for the endpoint you want to execute.
  2. Then call the endpoint tool itself (for example create_server).

If you skip step 1, execution is rejected with a docs_required error.

Unlocking is based on context freshness (interaction distance in the current session), not wall-clock time:

  • Docs must be read before execution.
  • Recently executed endpoints remain trusted while context is still fresh.
  • After enough unrelated tool interactions (context drift), docs must be read again.

Full Coverage

Current generated operation coverage:

  • Total operations: 221
  • Cloud operations: 189
  • Storage operations: 32

You can verify this locally:

python scripts/verify_operation_coverage.py

Example Prompts

"List all Hetzner operations related to firewalls"
"Create a CX22 server in fsn1-dc14 with my SSH key"
"Attach volume 12345 to server 67890"
"Create a load balancer and add target server 1001"
"Enable rescue mode on server 123 and wait for action completion"
"Create a storage box and reset its password"
"Show operation details for update_storage_box_access_settings"

Authentication

You can configure auth in two ways:

  1. Environment variables (recommended for CI/ephemeral environments)
  2. Local CLI config file (recommended for local workstation use)

Environment variables (highest precedence):

  • HETZNER_TOKEN for both Cloud and Storage APIs
  • HETZNER_CLOUD_TOKEN to override cloud auth token
  • HETZNER_STORAGE_TOKEN to override storage auth token
  • HETZNER_PROJECT to choose one configured local project profile for this session

Base URL safety:

  • Default API targets are locked to the official Hetzner HTTPS endpoints.
  • HETZNER_CLOUD_BASE_URL and HETZNER_STORAGE_BASE_URL are validated before any token is attached.
  • Custom base URLs are blocked by default to prevent credential exfiltration to non-Hetzner hosts.
  • For controlled test environments only, opt in explicitly with HETZNER_ALLOW_CUSTOM_BASE_URLS=true.

Local CLI config examples:

# set default token
hetzner-mcp auth set --token "your_token_here"

# auth set auto-probes what the provided key can do
# (cloud/storage + read/write capability hints)

# set per-domain overrides
hetzner-mcp auth set --cloud-token "cloud_token" --storage-token "storage_token"

# inspect effective token sources (env/file/unset)
hetzner-mcp auth show

# open full local config in your editor
hetzner-mcp config edit

Multi-project profile examples:

# create per-environment profiles
hetzner-mcp project add prod --description "Production Hetzner" --token "prod_token" --activate
hetzner-mcp project add staging --description "Staging Hetzner" --token "staging_token"

# project add also auto-detects capability hints for entered keys

# see which profile is active and what each one is for
hetzner-mcp project list

# switch active profile
hetzner-mcp project use staging

Capability probing notes:

  • auth set and project add automatically probe entered keys and print capability hints.
  • Report format includes per-domain read/write level plus probe status codes (for example cloud:read+write, storage:no-access).
  • Detection uses safe representative GET/POST checks and is best-effort guidance, not a formal permission matrix.

Config file location:

  • ~/.config/hetzner-mcp/config.json (macOS/Linux)
  • %APPDATA%\\hetzner-mcp\\config.json (Windows)
  • Override path with HETZNER_MCP_CONFIG_PATH

Optional runtime controls:

  • HETZNER_CLOUD_BASE_URL
  • HETZNER_STORAGE_BASE_URL
  • HETZNER_TIMEOUT_SECONDS
  • HETZNER_MAX_RETRIES
  • HETZNER_BACKOFF_BASE_SECONDS

Supported MCP Clients

Auto-configuration is included for:

Client Auto-config
Claude Desktop Yes
Claude Code Yes
Cursor Yes
Cline Yes
Windsurf Yes
OpenCode Yes

Run:

hetzner-mcp install

OpenCode integration note:

  • This installer writes OpenCode MCP config to the global OpenCode config file (opencode.jsonc) under the mcp key.
  • Legacy ~/.opencode/mcp.json is not used.

Manual Configuration

{
  "mcpServers": {
    "hetzner-mcp": {
      "command": "hetzner-mcp-server",
      "args": []
    }
  }
}

CLI Commands

Command Description
hetzner-mcp status Show effective runtime config + registry + client status
hetzner-mcp doctor [--json] Print detailed diagnostics
hetzner-mcp server run [--refresh-specs] Run stdio MCP server
hetzner-mcp update Refresh specs and re-apply client integration
hetzner-mcp client install Configure supported MCP clients
hetzner-mcp client status Show client config installation state
hetzner-mcp client repair Re-apply configuration entries
hetzner-mcp client uninstall Remove MCP config entries
hetzner-mcp auth set ... Configure API keys directly from CLI and auto-detect key capabilities
hetzner-mcp auth show Show token status and source
hetzner-mcp auth clear [--all] Clear stored token entries
hetzner-mcp project add/list/show/use/remove Manage multiple project credential profiles (with capability probing on add)
hetzner-mcp config show Show stored + effective config
hetzner-mcp config get/set/unset <key> Read/write persisted config keys
hetzner-mcp config edit Edit persisted config file in $EDITOR

Legacy aliases still work: install, repair, uninstall, diagnose.

Development

git clone https://github.com/devinoldenburg/hetzner-mcp.git
cd hetzner-mcp
python -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"

# Validate quality
ruff check .
mypy src
pytest

# Refresh specs and inspect counts
python scripts/sync_specs.py
python scripts/verify_operation_coverage.py

Security Notes

  • Never commit API tokens.
  • Tokens can be read from environment variables or persisted local config, but outbound API targets are validated before Authorization headers are sent.
  • Official Hetzner HTTPS base URLs are enforced by default; custom base URLs require explicit opt-in with HETZNER_ALLOW_CUSTOM_BASE_URLS=true.
  • Dynamic endpoint calls now validate path, query, and JSON body inputs against the loaded OpenAPI schema before making HTTP requests.
  • MCP tool responses redact common secret fields such as token, password, secret, and authorization to avoid leaking credentials into transcripts.
  • set_active_api_project now switches the active project for the current MCP session by default; use persist=true only when you intentionally want to update local config.
  • Server logs are routed to stderr to keep stdio JSON-RPC clean.
  • Network retries are limited and capped.

Troubleshooting

ModuleNotFoundError: hetzner_mcp in local scripts

  • Install editable package: pip install -e .

No operations listed in MCP client

  • Run hetzner-mcp status
  • Verify config file includes hetzner-mcp
  • Restart the client process after installation

Auth failures (401 unauthorized)

  • Ensure HETZNER_TOKEN or domain-specific token is exported in the client runtime environment

Rate limiting (429)

  • The client retries transient failures automatically; reduce request burst and retry later

License

MIT

推荐服务器

Baidu Map

Baidu Map

百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。

官方
精选
JavaScript
Playwright MCP Server

Playwright MCP Server

一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。

官方
精选
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。

官方
精选
本地
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。

官方
精选
本地
TypeScript
VeyraX

VeyraX

一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。

官方
精选
本地
graphlit-mcp-server

graphlit-mcp-server

模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。

官方
精选
TypeScript
Kagi MCP Server

Kagi MCP Server

一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。

官方
精选
Python
e2b-mcp-server

e2b-mcp-server

使用 MCP 通过 e2b 运行代码。

官方
精选
Neon MCP Server

Neon MCP Server

用于与 Neon 管理 API 和数据库交互的 MCP 服务器

官方
精选
Exa MCP Server

Exa MCP Server

模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。

官方
精选