MCP Server

Connect Claude, Cursor, and any other MCP-capable agent to your HostStack team. 60 tools cover projects, services, deploys, environments, databases (incl. read-only SQL + HA cluster ops), volumes, domains and authoritative DNS records, env vars, cron, notification channels, alert events, runtime and build logs, and the team activity audit.

Two ways to run it

Hosted — point your client at https://hoststack.dev/api/mcp with a Bearer API key. Nothing to install.

Local stdio — npx -y @hoststack.dev/mcp runs the same server on your machine and talks JSON-RPC over stdin/stdout. Identical tool surface; no telemetry sent back.

Get an API key

Open /dashboard/settings/api-keys and create a key with full_access permission. The key is bound to a single team, so agents never need to pass teamId — every tool call operates on that team automatically.

Wire it into your client

Claude Desktop

Edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

json

{
  "mcpServers": {
    "hoststack": {
      "command": "npx",
      "args": ["-y", "@hoststack.dev/mcp"],
      "env": {
        "HOSTSTACK_API_KEY": "hs_live_..."
      }
    }
  }
}

Cursor

Edit ~/.cursor/mcp.json or use Settings → MCP:

json

{
  "hoststack": {
    "command": "npx",
    "args": ["-y", "@hoststack.dev/mcp"],
    "env": {
      "HOSTSTACK_API_KEY": "hs_live_..."
    }
  }
}

Claude Code

claude mcp add hoststack --env HOSTSTACK_API_KEY=hs_live_... -- npx -y @hoststack.dev/mcp

Hosted (any client)

POST https://hoststack.dev/api/mcp
Authorization: Bearer hs_live_...
Content-Type: application/json

The endpoint speaks the streamable-HTTP MCP transport. Stateless — every request is independent; no session bookkeeping.

Generate config snippets

The CLI knows the shape each client expects, so you don't have to memorise it:

npx @hoststack.dev/mcp --print-config claude-desktop
npx @hoststack.dev/mcp --print-config cursor
npx @hoststack.dev/mcp --print-config claude-code

If HOSTSTACK_API_KEY is set in your shell, it gets baked into the snippet; otherwise you'll see a placeholder.

Tool inventory

projects

read: list_projects, get_project

write: create_project, update_project

services

read: list_services, get_service, get_service_metrics, get_service_metrics_history, get_service_logs, get_service_logs_bulk

write: create_service, create_dev_environment, update_service, update_service_config, suspend_service, resume_service

deploys

read: list_deploys, get_deploy, get_deploy_logs, diagnose_deploy

write: trigger_deploy, cancel_deploy

environments

read: list_environments

write: create_environment, delete_environment, promote_deploy

databases

read: list_databases, get_database, get_database_cluster, query_database

write: update_database, upgrade_database_to_ha (dashboard for create/delete/credentials)

volumes

read: list_volumes

write: create_volume, update_volume, delete_volume

domains

read: list_domains

write: add_domain, verify_domain, remove_domain

dns

read: list_dns_zones, list_dns_records, get_dns_record

write: create_dns_record, update_dns_record, delete_dns_record

env-vars

read: list_env_vars (secret values masked)

write: set_env_var, delete_env_var, bulk_set_env_vars

cron

read: list_cron_executions, get_cron_execution

write: —

notifications

read: list_notification_channels

write: create_notification_channel, update_notification_channel, delete_notification_channel, test_notification_channel

alerts

read: list_alerts

write: —

activity-log

read: list_activity_log

write: —

meta

read: get_me

write: —

Design notes

Key-based env-var ops. set_env_var and delete_env_var take a key, not an ID — the MCP looks up the existing var by key first, then patches or deletes.
Secret values stay masked. list_env_vars returns •••••• for any row stored as a secret. Masking happens on the API server, so secrets never reach the agent.
Logs are snapshots. get_service_logs and get_deploy_logs return a tail (default 200 lines, max 1000); re-call to get newer entries. For live tails, use the dashboard's logs page.
No destructive cascade tools. delete_project and delete_service are dashboard-only — too risky for an agent to call. (Creating is fine: create_service and create_dev_environment are both available.)

Telemetry

When you use the hosted transport, we record one row per tool call: tool name, duration, ok/error, and a non-reversible hash of the input args — never the args themselves. Used for the analytics page and on-call alerts on tool error spikes. Retained 30 days, then deleted by a daily cron.

The local stdio install records nothing on our side. Set HOSTSTACK_MCP_TRACE=1 to emit NDJSON traces to your own stderr for local debugging.

Environment variables

HOSTSTACK_API_KEY — required. hs_live_… for prod, hs_test_… for the test team.

HOSTSTACK_BASE_URL — optional override. Default https://hoststack.dev.

HOSTSTACK_MCP_TRACE — set to 1 for NDJSON per-tool-call traces on stderr (local only, never sent to HostStack).

Next: SDK Reference · CLI Reference