wasabi-wacm-connect-mcp

wasabi-wacm-connect-mcp

MCP server for the Wasabi WACM Connect API, enabling management of account hierarchy, storage, and billing data through Claude with 18 read-only and 12 opt-in write tools.

Category
访问服务器

README

WACM Connect MCP Server

A Model Context Protocol (MCP) server for the Wasabi WACM Connect API. Provides 18 read-only tools out of the box, with 12 opt-in write tools behind tiered access controls. Designed for Managed Service Providers (MSPs) who need to manage their Wasabi account hierarchy, storage usage, and billing data through Claude.

[!WARNING] This MCP server has write access to your Wasabi account management infrastructure.

This tool can create, modify, and delete sub-accounts, members, channel accounts, and other resources in your live WACM environment. Actions taken through this MCP are real and may be irreversible.

Disclaimer

This is an independent, community-maintained project. It is not affiliated with, endorsed by, or supported by Wasabi Technologies. "Wasabi" and "WACM" are trademarks of Wasabi Technologies, Inc. Wasabi Technologies is not responsible for unintended changes made through this integration.

AI-Specific Risks

This server is designed to be operated by an AI assistant (LLM). AI models can and do make mistakes — they may misinterpret instructions, hallucinate parameter values, or take actions you did not intend. In the context of account management, this means an AI could accidentally:

  • Create unwanted accounts with incorrect configurations or storage quotas
  • Modify existing accounts by changing settings, roles, or permissions you didn't ask to change
  • Delete accounts, members, or channel accounts that were not meant to be removed
  • Perform bulk operations across multiple resources when you intended a single change
  • Act on the wrong resource by confusing similarly named accounts or IDs

These are real API calls against your real Wasabi infrastructure unless you are using a dedicated test account. There is no sandbox, staging layer, or undo button between the AI and your environment.

Before Use

  • Understand your API credentials — the API key's permission scope determines what the AI can reach
  • Test in a non-production environment if possible before enabling write access on production accounts
  • Start read-only — write tools are disabled by default; only enable the minimum tier you need
  • Use dry-run mode — every write tool supports dryRun: true to preview the exact HTTP request before execution
  • Review all AI-suggested actions before confirming, especially bulk operations or deletions
  • Prefer the operation allowlist over broad tier access to limit exposure to only the tools you actually need

Liability

Use at your own risk. The authors assume no liability for data loss, service disruption, unintended account modifications, or other damages resulting from use of this software — whether caused by AI error, misconfiguration, or any other reason. See the Apache 2.0 license for full terms.

Prerequisites

  • Node.js 24+ (uses native fetch)
  • WACM Connect API credentials — generate an API key in WACM under My Profile > WACM Connect (Wasabi docs)

Installation

git clone https://github.com/myst3k/wasabi-wacm-connect-mcp.git
cd wasabi-wacm-connect-mcp
pnpm install
pnpm build

Configuration

Claude Code (.mcp.json)

Read-only (default):

{
  "mcpServers": {
    "wasabi-wacm-connect-mcp": {
      "command": "node",
      "args": ["/path/to/wasabi-wacm-connect-mcp/dist/index.js"],
      "env": {
        "WACM_USERNAME": "your-username",
        "WACM_API_KEY": "your-api-key"
      }
    }
  }
}

With write access (create + update):

{
  "mcpServers": {
    "wasabi-wacm-connect-mcp": {
      "command": "node",
      "args": ["/path/to/wasabi-wacm-connect-mcp/dist/index.js"],
      "env": {
        "WACM_USERNAME": "your-username",
        "WACM_API_KEY": "your-api-key",
        "WACM_WRITE_ACCESS": "true",
        "WACM_WRITE_LEVEL": "manage"
      }
    }
  }
}

With specific write operations only:

{
  "mcpServers": {
    "wasabi-wacm-connect-mcp": {
      "command": "node",
      "args": ["/path/to/wasabi-wacm-connect-mcp/dist/index.js"],
      "env": {
        "WACM_USERNAME": "your-username",
        "WACM_API_KEY": "your-api-key",
        "WACM_WRITE_ACCESS": "true",
        "WACM_WRITE_ALLOWED_OPERATIONS": "create_sub_account,delete_member"
      }
    }
  }
}

Claude Desktop (claude_desktop_config.json)

{
  "mcpServers": {
    "wasabi-wacm-connect-mcp": {
      "command": "node",
      "args": ["/path/to/wasabi-wacm-connect-mcp/dist/index.js"],
      "env": {
        "WACM_USERNAME": "your-username",
        "WACM_API_KEY": "your-api-key",
        "WACM_WRITE_ACCESS": "true",
        "WACM_WRITE_LEVEL": "full"
      }
    }
  }
}

Environment Variables

Variable Description Required
WACM_USERNAME WACM Connect username Yes
WACM_API_KEY WACM Connect API key Yes
WACM_WRITE_ACCESS Set to true to enable write operations (kill switch) No
WACM_WRITE_LEVEL Write access tier: create, manage, or full (see below) No
WACM_WRITE_ALLOWED_OPERATIONS Comma-separated list of write operation names to enable No

CLI flags --username and --api-key override environment variables.

Write Access Tiers

Write operations are disabled by default. To enable them, you must set WACM_WRITE_ACCESS=true and at least one of WACM_WRITE_LEVEL or WACM_WRITE_ALLOWED_OPERATIONS. The kill switch (WACM_WRITE_ACCESS) must be explicitly set — without it, no write tools are registered regardless of other settings.

Tier Tools Enabled Count
create All 5 POST (create) tools 5
manage create + 3 PUT (update) tools 8
full manage + 4 DELETE tools 12

When both env vars are set, the resolved operations are the union of both:

  • WACM_WRITE_LEVEL=manage + WACM_WRITE_ALLOWED_OPERATIONS=delete_member → 9 write tools
  • WACM_WRITE_ALLOWED_OPERATIONS=create_sub_account,delete_member (no level) → just those 2

Unknown level values or operation names are logged as warnings and ignored.

Valid Operation Names

create_sub_account, update_sub_account, delete_sub_account, create_member, update_member, delete_member, create_channel_account, update_channel_account, delete_channel_account, create_channel_account_user, delete_channel_account_user, create_standalone_account

Available Tools (up to 30)

Control Accounts (read-only)

Tool Description
list_control_accounts List all Control Accounts with storage allocation and sub-account counts
get_control_account Get a specific Control Account by ID
list_control_account_usages List aggregate usage data (storage, egress, ingress, API calls)
get_control_account_usage Get a specific usage record by utilization ID
list_control_account_buckets List bucket-level utilization for a Control Account

Sub-Accounts

Tool Description Access
list_sub_accounts List all Sub-Accounts (Wasabi Console accounts) Read
get_sub_account Get a specific Sub-Account by ID Read
list_sub_account_buckets List bucket-level utilization for a Sub-Account Read
create_sub_account Create a new Sub-Account under a Control Account Write (create)
update_sub_account Update an existing Sub-Account Write (manage)
delete_sub_account Delete a Sub-Account Write (full)

Channel Accounts

Tool Description Access
list_channel_accounts List all Channel Accounts (third-party access tier) Read
get_channel_account Get a specific Channel Account by ID Read
create_channel_account Create a new Channel Account Write (create)
update_channel_account Update an existing Channel Account Write (manage)
delete_channel_account Delete a Channel Account Write (full)

Channel Account Users

Tool Description Access
create_channel_account_user Create a user for a Channel Account Write (create)
delete_channel_account_user Delete a Channel Account user Write (full)

Members

Tool Description Access
list_members List Sub-Account members with roles and MFA status Read
get_member Get a specific member by ID Read
create_member Create a new member in a Sub-Account Write (create)
update_member Update an existing member Write (manage)
delete_member Delete a member Write (full)

Invoices (read-only)

Tool Description
list_invoices List invoices with cost breakdowns by sub-account
get_invoice Get a specific invoice by ID

Usages (read-only)

Tool Description
list_usages List Sub-Account level daily usage metrics
get_usage Get a specific usage record by utilization ID

Standalone Accounts

Tool Description Access
list_standalone_accounts List Standalone Accounts (not in WACM hierarchy) Read
get_storage_amounts Get available storage amount options Read
create_standalone_account Create a new Standalone Account Write (create)

Guardrails

Write operations are protected by multiple safety layers:

  1. Kill switchWACM_WRITE_ACCESS=true must be explicitly set to enable any write operations. Without this, all other write settings are ignored and the server is strictly read-only.

  2. Tiered access controlWACM_WRITE_LEVEL controls which categories of write tools are registered. Unregistered tools are completely invisible to the LLM.

  3. Operation allowlistWACM_WRITE_ALLOWED_OPERATIONS provides fine-grained control over exactly which write tools are available, independent of or combined with tier levels.

  4. MCP tool annotations — Each write tool carries metadata hints for the LLM:

    • Create (POST): readOnlyHint: false
    • Update (PUT): readOnlyHint: false, idempotentHint: true
    • Delete (DELETE): readOnlyHint: false, destructiveHint: true
  5. Dry-run mode — Every write tool accepts a dryRun boolean parameter (default: false). When true, the tool returns a preview of the HTTP request (method, URL, headers, body) without executing it. Auth credentials are redacted in the preview.

Available Resources (4)

Resource URI Description
Account Hierarchy wacm://hierarchy Markdown documentation of the 4-tier account structure
Control Account wacm://control-accounts/{id} Dynamic resource for Control Account details
Sub-Account wacm://sub-accounts/{id} Dynamic resource for Sub-Account details
Countries wacm://reference/countries Available country codes for account creation

Available Prompts (5)

Prompt Description Parameters
storage-summary Summarize storage usage, highlight accounts near quota controlAccountId (optional)
billing-report Monthly billing breakdown by sub-account from, to, controlAccountId (optional)
account-audit Audit hierarchy for deactivated/insecure accounts controlAccountId (optional)
usage-trend Analyze usage trends over time for a sub-account subAccountId, from, to
bucket-analysis Analyze bucket utilization, find largest/most active accountId, accountType

Example Conversations

Check Storage Across All Accounts

"Show me a summary of storage usage across all my control accounts"

Claude will use the storage-summary prompt to call list_control_accounts and list_sub_accounts, then present a table comparing active storage against quotas.

Investigate Monthly Costs

"What were my top costs last month? Break it down by sub-account."

Claude will call list_invoices with the previous month's date range, group by sub-account, and identify the highest-cost accounts and categories.

Security Audit

"Audit my account hierarchy for any security concerns"

Claude will use the account-audit prompt to enumerate all accounts and members, checking for missing MFA, deactivated accounts, and misconfigured quotas.

Create a Sub-Account with Dry Run

"Create a new sub-account called 'Acme Corp' under control account 5 — but show me the request first"

Claude will call create_sub_account with dryRun: true and show the full HTTP request preview. After you confirm, it will execute the actual request.

Troubleshooting

Authentication Errors

  • Verify your credentials: curl -u "$WACM_USERNAME:$WACM_API_KEY" https://api.wacm.wasabisys.com/api/v1/control-accounts
  • API keys are shown only once at generation time — regenerate if lost
  • Check that you're using the correct key type (Account API Key vs Personal API Key)

Rate Limiting

  • The API allows 5 GET requests per second per API key
  • The client automatically retries once on HTTP 429 responses
  • For bulk operations, expect automatic throttling by the built-in rate limiter

Missing Data

  • Check your user permissions — visibility depends on your tier in the account hierarchy
  • Governance users see all accounts; Control Account users see only their own
  • Use includeDeleted: true to see deleted sub-accounts

Write Tools Not Appearing

  • Verify WACM_WRITE_LEVEL or WACM_WRITE_ALLOWED_OPERATIONS is set in your MCP config
  • Check stderr for warning messages about unknown level values or operation names
  • Restart the MCP server after changing environment variables

Security

  • Credentials are stored in memory only — never written to disk or logs
  • Sensitive fields hidden by defaultincludeKeys and includeApiKey default to false
  • Write tools are opt-in — no write operations are available unless explicitly enabled via env vars
  • Dry-run previews redact credentialsbuildRequestPreview replaces the auth header with Basic [REDACTED]
  • CLI arg visibility--api-key via CLI is visible in ps output; prefer environment variables for production
  • Cloud LLM considerations — data retrieved through this server may be processed by cloud AI services; review your organization's data handling policies
  • Key rotation — regenerate API keys periodically in WACM under My Profile > WACM Connect

Development

pnpm install
pnpm dev             # Run with tsx (auto-reload)
pnpm build           # Compile TypeScript
pnpm test            # Run tests
pnpm lint            # Lint code
pnpm format          # Format code
pnpm check           # Type-check without emitting

License

Apache-2.0

推荐服务器

Baidu Map

Baidu Map

百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。

官方
精选
JavaScript
Playwright MCP Server

Playwright MCP Server

一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。

官方
精选
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。

官方
精选
本地
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。

官方
精选
本地
TypeScript
VeyraX

VeyraX

一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。

官方
精选
本地
graphlit-mcp-server

graphlit-mcp-server

模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。

官方
精选
TypeScript
Kagi MCP Server

Kagi MCP Server

一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。

官方
精选
Python
e2b-mcp-server

e2b-mcp-server

使用 MCP 通过 e2b 运行代码。

官方
精选
Neon MCP Server

Neon MCP Server

用于与 Neon 管理 API 和数据库交互的 MCP 服务器

官方
精选
Exa MCP Server

Exa MCP Server

模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。

官方
精选