Datadog MCP Server

Instructions

{
  "data": [
    "unknown_type"
  ],
  "included": [
    "unknown_type"
  ],
  "meta": "unknown_type"
}

{
  "errors": [
    "Bad Request"
  ]
}

{
  "errors": [
    "Bad Request"
  ]
}

{
  "errors": [
    "Bad Request"
  ]
}

{
  "errors": [
    "Bad Request"
  ]
}

{
  "errors": [
    "Bad Request"
  ]
}

Implementation Reference

• datadog_mcp/server.py:75-146 (registration)

  Registers the ListIncidentIntegrations tool by including the /api/v2/incidents.* pattern in the safe read-only endpoints whitelist. This enables FastMCP to generate and expose the tool based on the Datadog OpenAPI spec's operationId 'listIncidentIntegrations' for GET /api/v2/incidents/{incident_id}/integrations.

  def _get_route_filters(self) -> list[RouteMap]:
      """Get route filtering rules for safe observability-focused tools.
  
      Security Model:
      1. DENY ALL destructive operations (POST, PUT, PATCH, DELETE)
      2. ALLOW ONLY specific read-only GET endpoints
      3. DEFAULT DENY everything else
  
      This whitelist approach ensures only safe, read-only operations
      are exposed through the MCP interface.
      """
      # Define safe read-only endpoints for observability workflows
      safe_endpoints = [
          # Metrics and time-series data
          r"^/api/v2/metrics.*",  # Query metrics data
          r"^/api/v2/query/.*",  # Time-series queries
          # Dashboards and visualizations
          r"^/api/v2/dashboards.*",  # Dashboard configurations
          r"^/api/v2/notebooks.*",  # Notebook data
          # Monitoring and alerts
          r"^/api/v2/monitors.*",  # Monitor configurations
          r"^/api/v2/downtime.*",  # Scheduled downtimes
          r"^/api/v2/synthetics.*",  # Synthetic tests
          # Logs and events
          r"^/api/v2/logs/events/search$",  # Search logs
          r"^/api/v2/logs/events$",  # List log events
          r"^/api/v2/logs/config.*",  # Log pipeline configs
          # APM and traces
          r"^/api/v2/apm/.*",  # APM data
          r"^/api/v2/traces/.*",  # Trace data
          r"^/api/v2/spans/.*",  # Span data
          # Infrastructure
          r"^/api/v2/hosts.*",  # Host information
          r"^/api/v2/tags.*",  # Tag management (read)
          r"^/api/v2/usage.*",  # Usage statistics
          # Service management
          r"^/api/v2/services.*",  # Service catalog
          r"^/api/v2/slos.*",  # Service level objectives
          r"^/api/v2/incidents.*",  # Incident management
          # Security and compliance
          r"^/api/v2/security_monitoring.*",  # Security signals
          r"^/api/v2/cloud_workload_security.*",  # CWS data
          # Teams and organization (read-only)
          r"^/api/v2/users.*",  # User information
          r"^/api/v2/roles.*",  # Role information
          r"^/api/v2/teams.*",  # Team structure
          # API metadata
          r"^/api/v2/api_keys$",  # List API keys (no create/delete)
          r"^/api/v2/application_keys$",  # List app keys (no create/delete)
      ]
  
      filters = [
          # SECURITY: Block ALL destructive operations first
          RouteMap(
              methods=["POST", "PUT", "PATCH", "DELETE"], mcp_type=MCPType.EXCLUDE
          ),
      ]
  
      # Add whitelisted read-only endpoints
      filters.extend(
          RouteMap(
              pattern=pattern,
              methods=["GET"],
              mcp_type=MCPType.TOOL,
          )
          for pattern in safe_endpoints
      )
  
      # SECURITY: Default deny everything else
      filters.append(RouteMap(pattern=r".*", mcp_type=MCPType.EXCLUDE))
  
      return filters