Clockify MCP Server

clockify-mcp

A Model Context Protocol server for the Clockify time-tracking API.

Give your AI assistant access to your Clockify data — query workspaces, projects, and time entries, generate reports, log hours, and manage clients, invoices, and more — all through natural language.

112 tools across 18 domains. Read-only by default, with optional write operations behind explicit opt-in.

What can it do?

48 read-only tools are available today (Phase 0–8b — 18 domains). 64 write tools (create/update/delete across clients, projects, tasks, tags, time entries, holidays, expenses, and expense categories, plus time-off policy/request management, approval submit/resubmit/update, custom-field create/update/delete and project assignment, scheduling assignment management, invoice and payment management, shared-report management, and webhook create/update/delete/token) register when you set CLOCKIFY_ACCESS_MODE=full (or the back-compat CLOCKIFY_ENABLE_WRITES=true). A middle time-tracking mode exposes only the time-entry writes for logging hours — see Access modes.

† Time off, Holidays, Expenses, Approvals, Custom fields, Scheduling, Invoices, and Webhooks are paid Clockify features — these tools error (HTTP 402/403/404) on plans without them. ‡ generate_attendance_report and generate_expense_report (and export_report for those two types) need the workspace's attendance/Expenses add-ons; the time-based reports (detailed/summary/weekly) and shared reports work on the free plan.

Write tools (opt-in — set CLOCKIFY_ENABLE_WRITES=true):

† Time off, Holidays, Expenses, Approvals, Custom fields, Scheduling, Invoices, and Webhooks are paid Clockify features — these tools error (HTTP 402/403/404) on plans without them.

create_expense and update_expense accept an optional local receipt file, uploaded via multipart.

Quick start

1. Install

pip install clockify-mcp

Or run without installing (requires uv):

uvx clockify-mcp

2. Connect to Claude Desktop

Add this to your claude_desktop_config.json:

{
  "mcpServers": {
    "clockify": {
      "command": "uvx",
      "args": ["clockify-mcp"],
      "env": {
        "CLOCKIFY_API_KEY": "your-api-key"
      }
    }
  }
}

Restart Claude Desktop. Ask: "What workspaces do I have in Clockify?"

{
  "mcpServers": {
    "clockify": {
      "command": "clockify-mcp",
      "env": {
        "CLOCKIFY_API_KEY": "your-api-key"
      }
    }
  }
}

By default the server is read-only. Opt into writes with CLOCKIFY_ACCESS_MODE:

{
  "mcpServers": {
    "clockify": {
      "command": "uvx",
      "args": ["clockify-mcp"],
      "env": {
        "CLOCKIFY_API_KEY": "your-api-key",
        "CLOCKIFY_ACCESS_MODE": "full"
      }
    }
  }
}

Compatibility: the legacy CLOCKIFY_ENABLE_WRITES=true still works and maps to full. If both are set, CLOCKIFY_ACCESS_MODE wins. In time-tracking mode, duplicate/bulk always act on the authenticated user; for update/delete by id the assistant is told to confirm before touching an entry that may belong to someone else.

Warning: write mode lets the connected agent create, modify, and delete real data through your Clockify credential. delete_* tools and withdraw_time_off_request are irreversible.

3. Get your API key

Log into Clockify → Profile Settings → API → copy your API key.

Configuration

Configuration resolves in this order (highest priority first):

1. Environment variables (always win)
2. TOML config at ~/.config/clockify-mcp/config.toml

Access modes: read exposes only read tools. time-tracking adds the time-entry write tools (create/update/delete/duplicate/bulk) for logging hours and nothing else — duplicate/bulk always act on the authenticated user, and for update/delete by id the assistant is told to confirm before touching an entry that may belong to someone else. full exposes all write tools. This gates which MCP tools the server registers; it is not a replacement for the API key's own permissions.

See config.toml.example for a copy-paste template.

# ~/.config/clockify-mcp/config.toml
api_key = "your-clockify-api-key"
# region = "global"
# default_workspace_id = ""
# access_mode = "read"   # read | time-tracking | full

Tip: create the config directory first: mkdir -p ~/.config/clockify-mcp

Running the server

clockify-mcp                       # STDIO transport (default)
clockify-mcp --transport sse       # SSE/HTTP transport

Security note: STDIO (the default) keeps everything local. The sse and streamable-http transports have no built-in authentication — only use them bound to loopback or behind an authenticated reverse proxy.

Notes

• Workspace scope: Almost every Clockify operation is scoped to a workspace (/workspaces/{workspaceId}/...). Tools accept an optional workspace_id; when omitted they fall back to CLOCKIFY_DEFAULT_WORKSPACE_ID. If neither is set, the tool asks you to resolve one first via list_workspaces.
• Pagination: list tools take optional page/page_size and return one page. The high-volume lists (list_time_entries, list_projects, list_clients, list_tasks, list_tags, list_users) also accept fetch_all=true to follow pagination and return every page concatenated (may make several API calls).
• Errors: failures carry a category — PLAN_REQUIRED, ACCESS_DENIED, or AUTH — so the assistant knows whether to ask you to upgrade the plan, enable a module, or fix the key. See Paid features.

Paid features & enabling them in Clockify

Many domains are gated by two independent things — both must be true for the tools to work:

1. The workspace plan must include the feature. Otherwise the API returns 402 (or a "subscription" message) and the server raises ClockifyAPIError with category PLAN_REQUIRED.

2. The module must be enabled in the workspace. Even on the right plan, an admin must turn these on in Clockify → Workspace Settings: Time off, Expenses, Approval, Invoicing, Scheduling. Until enabled, the API returns 403 "Access Denied" and the server raises ClockifyAPIError with category ACCESS_DENIED. (Custom fields, webhooks, and reports need no separate toggle.)

When an operation fails, the error category says what to do:

• PLAN_REQUIRED — upgrade the workspace plan (Standard/Pro).
• ACCESS_DENIED — enable the feature in Workspace Settings, or check the API key user's role/permission.
• AUTH — the API key is missing, invalid, or revoked.

Observability (optional)

The server can emit OpenTelemetry traces, metrics, and logs — completely opt-in and vendor-neutral. Export to any OTLP-compatible backend (Dynatrace, Grafana, Datadog, Jaeger, etc.). When disabled, opentelemetry is never imported.

pip install "clockify-mcp[telemetry]"

export CLOCKIFY_TELEMETRY=1

OTLP endpoint and headers are configured via standard OpenTelemetry env vars (not in the TOML file). CLOCKIFY_TELEMETRY_DETAIL controls how much argument/payload data is attached (metadata default → ids → full); the API key is always redacted.

export OTEL_EXPORTER_OTLP_ENDPOINT="https://<your-env>.live.dynatrace.com/api/v2/otlp"
export OTEL_EXPORTER_OTLP_HEADERS="Authorization=Api-Token <YOUR_DT_TOKEN>"
export OTEL_EXPORTER_OTLP_METRICS_TEMPORALITY_PREFERENCE=delta
export OTEL_SERVICE_NAME=clockify-mcp

Token scopes needed: openTelemetryTrace.ingest, metrics.ingest, logs.ingest. Dynatrace's OTLP metrics ingest requires delta temporality — without that env var, metric export fails with 400 Bad Request.

export OTEL_EXPORTER_OTLP_ENDPOINT="http://localhost:4318"
export OTEL_SERVICE_NAME=clockify-mcp

Signals emitted:

• Traces — a span per MCP tool call (execute_tool <name>) and per Clockify API request
• Metrics — mcp.tool.duration, mcp.tool.errors, and Clockify client request durations
• Logs — tool errors and unexpected API response shapes, correlated to traces (OTLP only, never stdout)

Development

git clone https://github.com/tracegazer/clockify-mcp
cd clockify-mcp
uv sync --extra dev

CLOCKIFY_API_KEY=dummy uv run clockify-mcp --help
uv run pytest -q
uv run ruff check src/ tests/

License

MIT