Integrates with Cloudflare Access for OAuth 2.1 identity verification and a Cloudflare Tunnel for remote access to the MCP server without exposing it directly; the server in turn talks to the UniFi management interface with an API key.
1. Click on "Install Server".
2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
3. In the chat, type `@` followed by the MCP server name and your instructions, e.g., "@UniFi MCP Server List all connected devices and check the overall network health".
4. That's it! The server will respond to your query, and you can continue using it as needed.
# UniFi MCP Server

A Model Context Protocol server for managing UniFi networks through Claude Desktop or other MCP clients.

## Features

- 18 MCP Tools - Comprehensive network management capabilities
- OAuth 2.1 + PKCE - Secure authentication with Cloudflare Access
- API Key Authentication - Uses the official UniFi API with the `X-API-KEY` header
- MCP 2025-11-25 Compliant - Full specification compliance
- Remote Ready - Designed for access via Cloudflare Tunnel
## Quick Start

### 1. Generate UniFi API Key

In your UniFi Controller/UDM:

1. Go to Settings → Control Plane → Integrations
2. Click Generate API Key
3. Copy the key

### 2. Configure Environment

Edit `.env`:

### 3. Start with Docker

### 4. Configure Cloudflare

1. Create a Cloudflare Tunnel pointing to your server
2. Create an Access for SaaS application in Zero Trust:
   - Protocol: OIDC
   - Redirect URL: `https://your-domain.com/callback`
3. Connect with Claude Desktop using your tunnel URL
## Available Tools

### Client Management

| Tool | Description |
|---|---|
| | List all connected devices |
| | Get details for a specific client by MAC |
| | Search by name, IP, or MAC |
| | Block a device from the network |
| | Unblock a device |
| | Force a client to reconnect |
| | List blocked devices |

### Device Management

| Tool | Description |
|---|---|
| | List all UniFi devices (APs, switches, gateways) |
| | List access points with status |
| | Restart an AP or switch |

### Network Configuration

| Tool | Description |
|---|---|
| | List VLANs and subnets |
| | List wireless SSIDs |
| | List port forwarding rules |

### Monitoring

| Tool | Description |
|---|---|
| | Network health statistics |
| | Recent network events |
| | Active and recent alarms |
## Architecture

### Authentication Flow

This server implements OAuth 2.1 with Cloudflare Access as the identity provider:

1. The MCP client discovers the OAuth endpoints via `/.well-known/oauth-authorization-server`
2. The client starts the authorization code flow at `/authorize`, sending a PKCE code challenge
3. The user authenticates via Cloudflare Access (supports Entra ID, Google, etc.)
4. Upon approval, the client exchanges the authorization code (plus its PKCE code verifier) for tokens at `/token`
5. The client calls `/mcp` with the access token in the `Authorization: Bearer` header
### OAuth Endpoints

| Endpoint | Description |
|---|---|
| `/.well-known/oauth-authorization-server` | Authorization server metadata |
| | Protected resource metadata (RFC 9728) |
| `/authorize` | Authorization endpoint (auto-registers clients) |
| `/token` | Token endpoint |
| `/register` | Dynamic client registration |
| `/callback` | Cloudflare OAuth callback |
## Configuration

| Variable | Required | Description |
|---|---|---|
| | No | Server port (default: 3000) |
| | Yes | Public URL for OAuth redirects |
| | Yes | Cloudflare Access team name |
| | Yes | From Access for SaaS app |
| | Yes | From Access for SaaS app |
| | Yes | UniFi controller IP |
| | No | Controller port (default: 443) |
| | Yes | API key from UniFi |
| | No | Site name (default: "default") |
## Security

- OAuth 2.1 + PKCE - Secure token exchange
- Cloudflare Tunnel - No direct IP exposure; the origin accepts connections only from the tunnel
- Cloudflare Access - Identity verification at the edge
- API Key Auth - No controller passwords stored; the key carries the permissions of the admin account that generated it, so keep `.env` out of version control and rotate the key if it leaks

### Recommended WAF Rules

Consider blocking non-essential paths:

- Allow: `/.well-known/*`, `/register`, `/authorize`, `/callback`, `/token`, `/mcp`
- Block or protect: `/`, `/health`
## Tech Stack

- Node.js 22 with ES Modules
- Express.js
- Docker with Alpine Linux
## Development

## License

MIT