Datadog MCP Server

Instructions

Implementation Reference

• datadog_mcp/server.py:175-178 (registration)

  Registers the MCP tools from the filtered Datadog OpenAPI specification. The ListServiceDefinitions tool is generated from the 'listServiceDefinitions' operationId in the Datadog API spec for GET /api/v2/services/definitions, which is whitelisted by the route filters.
  openapi_spec=openapi_spec, client=auth_client, route_maps=route_maps, )
• datadog_mcp/server.py:75-146 (helper)

  Defines security filters that whitelist the /api/v2/services.* endpoint (including /api/v2/services/definitions for ListServiceDefinitions) as read-only GET MCP tools, while excluding destructive methods and other unsafe endpoints.
  def _get_route_filters(self) -> list[RouteMap]: """Get route filtering rules for safe observability-focused tools. Security Model: 1. DENY ALL destructive operations (POST, PUT, PATCH, DELETE) 2. ALLOW ONLY specific read-only GET endpoints 3. DEFAULT DENY everything else This whitelist approach ensures only safe, read-only operations are exposed through the MCP interface. """ # Define safe read-only endpoints for observability workflows safe_endpoints = [ # Metrics and time-series data r"^/api/v2/metrics.*", # Query metrics data r"^/api/v2/query/.*", # Time-series queries # Dashboards and visualizations r"^/api/v2/dashboards.*", # Dashboard configurations r"^/api/v2/notebooks.*", # Notebook data # Monitoring and alerts r"^/api/v2/monitors.*", # Monitor configurations r"^/api/v2/downtime.*", # Scheduled downtimes r"^/api/v2/synthetics.*", # Synthetic tests # Logs and events r"^/api/v2/logs/events/search$", # Search logs r"^/api/v2/logs/events$", # List log events r"^/api/v2/logs/config.*", # Log pipeline configs # APM and traces r"^/api/v2/apm/.*", # APM data r"^/api/v2/traces/.*", # Trace data r"^/api/v2/spans/.*", # Span data # Infrastructure r"^/api/v2/hosts.*", # Host information r"^/api/v2/tags.*", # Tag management (read) r"^/api/v2/usage.*", # Usage statistics # Service management r"^/api/v2/services.*", # Service catalog r"^/api/v2/slos.*", # Service level objectives r"^/api/v2/incidents.*", # Incident management # Security and compliance r"^/api/v2/security_monitoring.*", # Security signals r"^/api/v2/cloud_workload_security.*", # CWS data # Teams and organization (read-only) r"^/api/v2/users.*", # User information r"^/api/v2/roles.*", # Role information r"^/api/v2/teams.*", # Team structure # API metadata r"^/api/v2/api_keys$", # List API keys (no create/delete) r"^/api/v2/application_keys$", # List app keys (no create/delete) ] filters = [ # SECURITY: Block ALL destructive operations first RouteMap( methods=["POST", "PUT", "PATCH", "DELETE"], mcp_type=MCPType.EXCLUDE ), ] # Add whitelisted read-only endpoints filters.extend( RouteMap( pattern=pattern, methods=["GET"], mcp_type=MCPType.TOOL, ) for pattern in safe_endpoints ) # SECURITY: Default deny everything else filters.append(RouteMap(pattern=r".*", mcp_type=MCPType.EXCLUDE)) return filters