Server data from the Official MCP Registry
IT Glue MCP server for MSPs — documents, flexible assets, semantic vector search, RBAC, and BYOK
IT Glue MCP server for MSPs — documents, flexible assets, semantic vector search, RBAC, and BYOK
Valid MCP server (2 strong, 1 medium validity signals). No known CVEs in dependencies. Package registry verified. Imported from the Official MCP Registry.
6 files analyzed · 1 issue found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Set these up before or after installing:
Environment variable: ITGLUE_API_KEY
Environment variable: ITGLUE_REGION
Environment variable: ITGLUE_BASE_URL
Environment variable: OPENAI_API_KEY
Environment variable: AZURE_OPENAI_API_KEY
Environment variable: AZURE_OPENAI_ENDPOINT
Environment variable: EMBEDDING_MODEL
Environment variable: VECTOR_INDEX_PATH
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-selic-mcp-itglue": {
"env": {
"ITGLUE_REGION": "your-itglue-region-here",
"ITGLUE_API_KEY": "your-itglue-api-key-here",
"OPENAI_API_KEY": "your-openai-api-key-here",
"EMBEDDING_MODEL": "your-embedding-model-here",
"ITGLUE_BASE_URL": "your-itglue-base-url-here",
"VECTOR_INDEX_PATH": "your-vector-index-path-here",
"AZURE_OPENAI_API_KEY": "your-azure-openai-api-key-here",
"AZURE_OPENAI_ENDPOINT": "your-azure-openai-endpoint-here"
},
"args": [
"-y",
"mcp-itglue"
],
"command": "npx"
}
}
}From the project's GitHub README.
An MCP (Model Context Protocol) server for the IT Glue API, built for MSPs that want AI assistants to read — and safely write — their documentation.
You need an IT Glue API key (IT Glue → Account → Settings → API Keys). Non-US accounts set ITGLUE_REGION to eu or au.
Claude Desktop (claude_desktop_config.json) or Claude Code (.mcp.json):
{
"mcpServers": {
"itglue": {
"command": "npx",
"args": ["-y", "mcp-itglue"],
"env": { "ITGLUE_API_KEY": "ITG.xxxx" }
}
}
}
Claude Code one-liner:
claude mcp add itglue --env ITGLUE_API_KEY=ITG.xxxx -- npx -y mcp-itglue
Claude Desktop users can instead grab mcp-itglue.mcpb from the latest release — open it with Claude Desktop and fill in the API key when prompted.
stdio always runs with the full tool surface — it is a local, single-user transport using your own key.
The container image defaults to the HTTP transport (for shared deployments):
docker run --rm -p 3000:3000 \
-e ITGLUE_API_KEY=ITG.xxxx \
ghcr.io/selic/mcp-itglue
For local stdio use under Docker:
{
"mcpServers": {
"itglue": {
"command": "docker",
"args": ["run", "-i", "--rm", "-e", "ITGLUE_API_KEY", "ghcr.io/selic/mcp-itglue", "--transport", "stdio"],
"env": { "ITGLUE_API_KEY": "ITG.xxxx" }
}
}
}
git clone https://github.com/selic/mcp-itglue.git && cd mcp-itglue
npm install && npm run build
ITGLUE_API_KEY=ITG.xxxx node dist/index.js
ITGLUE_API_KEY=ITG.xxxx \
MCP_TOKENS_VIEWER="alice:$(openssl rand -hex 32)" \
MCP_TOKENS_EDITOR="automation:$(openssl rand -hex 32)" \
MCP_TOKENS_ADMIN="ops:$(openssl rand -hex 32)" \
npx -y mcp-itglue --transport http --port 3000
Or with Docker:
docker run --rm -p 3000:3000 \
-e ITGLUE_API_KEY -e MCP_TOKENS_VIEWER -e MCP_TOKENS_EDITOR -e MCP_TOKENS_ADMIN \
ghcr.io/selic/mcp-itglue
Endpoints:
| Route | Purpose |
|---|---|
POST/GET/DELETE /mcp | MCP streamable-http endpoint |
GET /health | Liveness probe |
POST /webhook/itglue | IT Glue webhook → incremental index update |
POST /index/refresh | Manual index refresh (shared secret or admin token) |
Sessions are held in memory — run a single instance (or add sticky sessions) behind your load balancer.
Three env vars hold comma-separated label:token lists:
MCP_TOKENS_VIEWER="alice:tokA,bob:tokB" # read-only tools
MCP_TOKENS_EDITOR="hatz:tokC" # + create/update/publish, delete section
MCP_TOKENS_ADMIN="ops:tokD" # + delete documents / flexible assets
Clients authenticate with Authorization: Bearer <token>. The label appears in the audit log ([rbac] session … for alice (viewer)) and lets you revoke one person's token without rotating everyone's.
Tools a role cannot use are not registered for that session — a viewer doesn't even see itglue_create_document in tools/list — and a runtime guard re-checks the role on every call as defense in depth. Session ids never carry privilege: every request re-authenticates, and presenting a different principal against an existing session returns 403.
If no tokens are configured, the server runs in dev mode: all requests get admin access and a loud startup warning. Don't do this in production.
Clients may send their own IT Glue API key in the x-itglue-api-key header on the initialize request. The session then talks to IT Glue with that key and gets the full tool surface — IT Glue's own key permissions are the effective access control. CLIENT_ITGLUE_KEYS controls the policy:
| Value | Behavior |
|---|---|
with-token (default) | BYOK allowed, but a valid bearer token is still required — protects your server from being an open proxy |
open | An IT Glue key alone authenticates (trusted networks / local use) |
disabled | The header is rejected; only the server-wide key is used |
With BYOK enabled the server-wide ITGLUE_API_KEY becomes optional: sessions without a client key are rejected with a clear error. Client keys are never logged; sessions are bound to a SHA-256 hash of the key and audit-labeled byok:<hash-prefix>.
| Tool | Tier |
|---|---|
itglue_list_organizations, itglue_get_organization | read |
itglue_list_documents, itglue_get_document | read |
itglue_list_document_sections, itglue_get_document_section | read |
itglue_list_flexible_asset_types, itglue_get_flexible_asset_type | read |
itglue_list_flexible_assets, itglue_get_flexible_asset | read |
itglue_vector_search, itglue_vector_index_status | read |
itglue_create_document, itglue_update_document, itglue_publish_document | write |
itglue_create_document_section, itglue_update_document_section | write |
itglue_delete_document_section † | write |
itglue_create_flexible_asset, itglue_update_flexible_asset | write |
itglue_build_vector_index | write |
itglue_delete_documents | destructive |
itglue_delete_flexible_asset | destructive |
Viewer = read. Editor = read + write. Admin = everything. † Permanent, but editor-tier: editors need it to restructure documents and can already blank section content via update.
Vector tools appear only when an embedding provider is configured.
Set OPENAI_API_KEY (or AZURE_OPENAI_API_KEY + AZURE_OPENAI_ENDPOINT, where EMBEDDING_MODEL is your deployment name), then run itglue_build_vector_index per organization. The index is a JSON file at VECTOR_INDEX_PATH (default ./vector-index.json) — on ephemeral hosts, point it at a persistent volume.
The index stays fresh three ways:
IT Glue webhook — in IT Glue, webhooks are sent by Workflows (Admin → Workflows): add a Document trigger (created/updated) with a Webhook action. Workflow actions cannot send custom headers, so put the shared secret in the URL:
https://<host>/webhook/itglue?secret=<ITGLUE_WEBHOOK_SECRET>
and use a JSON payload template like:
| Key | Value |
|---|---|
event | [trigger_name] |
resource_url | [resource_url] |
resource_name | [resource_name] |
organization_name | [organization_name] |
The document id is parsed from resource_url; the trigger name maps to created/updated/deleted by keyword. Classic JSON:API-style payloads with an x-itglue-webhook-signature HMAC-SHA256 header are also accepted.
Self-refresh — documents created/updated/published/deleted through this server's tools are re-indexed automatically in the background.
Manual refresh — POST /index/refresh with Authorization: Bearer <ITGLUE_WEBHOOK_SECRET> (or an x-refresh-secret header, or an admin token). Body {"document_id": "123"} refreshes one document; an empty body re-crawls every indexed organization. Returns 202 and processes in the background.
| Variable | Default | Purpose |
|---|---|---|
ITGLUE_API_KEY | — | Server-wide IT Glue API key |
ITGLUE_REGION | us | us, eu, or au |
ITGLUE_BASE_URL | per region | Override the API base URL |
TRANSPORT | stdio | stdio or http |
PORT | 3000 | HTTP port |
MCP_TOKENS_VIEWER/EDITOR/ADMIN | — | label:token,label:token per role |
CLIENT_ITGLUE_KEYS | with-token | BYOK policy: disabled, with-token, open |
ITGLUE_WEBHOOK_SECRET | — | Webhook signature + /index/refresh secret |
VECTOR_INDEX_PATH | ./vector-index.json | Vector index file |
OPENAI_API_KEY | — | Enables vector search (OpenAI) |
AZURE_OPENAI_API_KEY / AZURE_OPENAI_ENDPOINT / AZURE_OPENAI_API_VERSION | — | Enables vector search (Azure OpenAI) |
EMBEDDING_MODEL | text-embedding-3-small | Embedding model / Azure deployment |
CLI flags --transport, --port, --region, --base-url override the environment. Run mcp-itglue --help for details.
npm install
npm run dev # stdio via tsx
npm run dev:http # http via tsx
npm test # vitest
npm run build # tsc → dist/
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
by mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.
by Microsoft · Content & Media
Convert files (PDF, Word, Excel, images, audio) to Markdown for LLM consumption
by mcp-marketplace · Developer Tools
Search and install MCP servers from inside your AI client.