Partiri Cloud MCP Server
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Partiri Cloud MCP Servershow my active deployments"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Partiri Cloud MCP Server
MCP server for the Partiri Cloud PaaS platform. Allows AI agents (Claude Code, VS Code, etc.) to manage workspaces, projects, services, deployments, and metrics through the Model Context Protocol.
Transports
The server supports two transport modes:
Transport | Use case | Set via |
stdio (default) | Local CLI / direct integration |
|
HTTP | Remote access with OAuth 2.1 |
|
Related MCP server: adila-mcp
Quick Start
npm install
npm run buildstdio (local)
PARTIRI_API_KEY=your-key npx tsx src/index.tsOr point your MCP client at the built binary:
{
"partiri": {
"type": "stdio",
"command": "node",
"args": ["dist/index.mjs"],
"env": { "PARTIRI_API_KEY": "your-key" }
}
}HTTP (remote)
MCP_TRANSPORT=http \
MCP_TOKEN_SECRET=$(openssl rand -hex 32) \
MCP_BASE_URL=https://your-domain.com \
PORT=3000 \
npx tsx src/index.tsThen configure your MCP client:
{
"partiri": {
"type": "http",
"url": "https://your-domain.com/mcp"
}
}No API key in the config — the OAuth 2.1 browser flow handles authentication.
Authentication
stdio
The API key is resolved in order:
PARTIRI_API_KEYenvironment variable~/.config/partiri/keyfile (written bypartiri auth)If the process is interactive (TTY attached and no CI environment detected),
browserLogin()opens a browser and waits for the user to authorizeOtherwise, throws a descriptive error with a link to docs
Headless / CI usage: set PARTIRI_API_KEY. In CI or non-TTY contexts step 3 is skipped and the server fails fast with a clear error rather than hanging on a browser prompt.
HTTP (OAuth 2.1)
The HTTP transport implements a full OAuth 2.1 authorization server. When a client like Claude Code connects, the flow is:
Client discovers endpoints via
/.well-known/oauth-protected-resource/mcpand/.well-known/oauth-authorization-serverClient dynamically registers via
POST /registerThe client opens
/authorize, which redirects the browser to the hosted Partiri sign-in page (PARTIRI_WEB_URL/cli-auth) with a shortstateand the server's publiccallbackURLAfter the user confirms, the sign-in page mints a Partiri API key and redirects it back to the server's
GET /callback, which validates the key against the Partiri APIThe server issues an encrypted authorization code (bound to the client's PKCE challenge and redirect URI) and redirects to the client, which exchanges it for access/refresh tokens
All subsequent MCP requests use
Authorization: Bearer <token>
Tokens are stateless — the API key is AES-256-GCM encrypted inside the token itself. No token database is needed.
Legacy x-api-key header authentication is also supported for backward compatibility with curl and non-OAuth clients.
Resource binding (RFC 8707)
Issued tokens are audience-bound to this server's canonical resource, MCP_BASE_URL + /mcp (e.g. https://mcp.partiri.cloud/mcp). A resource parameter naming any other server is rejected with invalid_target, and an access token whose audience names another server fails verification. Tokens issued before this claim existed remain valid until their natural expiry and are upgraded to audience-bound tokens on their next refresh.
The protected-resource metadata (RFC 9728) is served at both /.well-known/oauth-protected-resource/mcp and /.well-known/oauth-protected-resource, and every 401 carries a WWW-Authenticate header with a resource_metadata pointer so clients can discover the authorization server.
Environment Variables
Variable | Required | Default | Description |
| stdio only | — | API key for the Partiri REST API |
| No |
| Partiri API base URL (must be HTTPS) |
| No |
| Hosted Partiri web app URL (HTTP OAuth sign-in redirect) |
| No |
| API request timeout in seconds |
| No |
| Transport mode: |
| No |
| HTTP server port |
| HTTP prod | — | 32-byte hex key (64 chars) for token encryption. Auto-generated in dev with a warning. |
| HTTP prod |
| Public URL of the MCP server |
| No | — | Persistent dir for client registrations + token secret (survives restarts; single-replica) |
| No | — | Comma-separated OAuth redirect hosts allowed in addition to loopback |
| No | claude.ai, claude.com, chatgpt.com, chat.openai.com | Comma-separated browser Origins allowed on |
| HTTP prod |
| Trusted proxy IP(s)/CIDR(s) for client-IP rate limiting; set to your ingress so X-Forwarded-For can't be spoofed |
| No |
| Max concurrent MCP sessions |
| No |
| Max sessions per API key |
| No |
| Session inactivity timeout |
| No |
| When truthy, only read-only tools are registered |
| No | — | Comma-separated tool names to enable on top of the base set |
| No | — | Comma-separated tool names to remove (wins over allowlist) |
Available Tools
Tool | Description |
| List all workspaces the user has access to |
| Get the authenticated user's profile |
| List projects in a workspace |
| Create a new project |
| List available compute pods |
| List available deployment regions |
| List services in a project |
| Get service details |
| Create a new service |
| Update service configuration |
| Preflight-validate a service config; optionally probe repo/registry reachability |
| Trigger a new deployment |
| Pause a running service |
| Resume a paused service |
| List deployment jobs for a service |
| List persistent volumes in a project |
| Get details of a single volume |
| Get CPU usage metrics |
| Get memory usage metrics |
| Get network metrics |
| Get pod and volume pricing for a region |
| Get a workspace's billing balance |
| Advisory guidance for running the |
CLI-only operations
To keep long-lived credentials out of the model context and irreversible
operations off the MCP surface, the following are not individual MCP tools.
You run them yourself with the locally-installed partiri CLI, which
authenticates independently of the MCP session. The use_partiri_cli tool does
not execute anything — it returns guidance for the command to run in your
own shell:
Workspace secrets — create / list / delete repository and registry secrets
Service environment variables —
partiri service env; values hold secrets (DB URLs, API keys), so they are never read or written through the MCP —create_service/update_servicedon't acceptenvandget_serviceomits itVolume lifecycle — create / attach / detach / delete / retry
Service teardown —
partiri service kill
Discover exact subcommands and flags at runtime (partiri llm guide,
partiri llm capabilities -j, or partiri <area> --help) rather than assuming
syntax. For credential values, pass them on stdin (e.g. --key-stdin) so they
stay out of the argument list and this context.
Project Structure
src/
index.ts Entry point (transport selection)
auth.ts API key resolution (env / file / browser login)
auth-login.ts Browser-based login flow for interactive stdio sessions
client.ts PartiriApiClient (HTTP, retry on 429)
server.ts MCP server creation, tool filtering, and tool registration
errors.ts Error formatting helpers
net-guard.ts SSRF / OAuth-redirect host classification (private/loopback/metadata)
http.ts HTTP transport (Express, OAuth, sessions)
oauth/
provider.ts OAuthServerProvider — authorize, token exchange, verification
client-store.ts Dynamic client registration (in-memory and file-backed)
crypto.ts AES-256-GCM token encryption/decryption
tools/
index.ts Tool aggregator
workspaces.ts Workspace tools
user.ts User tools
projects.ts Project tools
resources.ts Pod, region, pricing, and balance tools
services.ts Service CRUD tools
validate.ts validate_service preflight tool (SSRF-guarded reachability probe)
deployments.ts Deploy, pause, unpause, and job-list tools
storage.ts Volume read tools (list_volumes, get_volume)
metrics.ts CPU, memory, network metrics tools
cli.ts use_partiri_cli advisory tool
resources/ Embedded MCP documentation resources
index.ts Resource registration
content/ Guides (getting started, services, deployments, …)Development
npm install
npm test # run tests (vitest)
npm run test:watch # watch mode
npm run dev # run with tsx (stdio)
npm run build # bundle to dist/Adding a New Tool
Add the API method to
src/client.tsAdd a tool definition and handler in the appropriate
src/tools/<domain>.tsThe tool is automatically registered via
tools/index.tsaggregation
Deployment
For production behind a reverse proxy (Cloudflare, nginx):
Set
MCP_TRANSPORT=httpGenerate a stable token secret:
openssl rand -hex 32Set
MCP_TOKEN_SECRETto the generated valueSet
MCP_BASE_URLto the public URL (e.g.https://mcp.partiri.cloud)Set
PARTIRI_API_URLif the API is not at the defaulthttps://api.partiri.cloudSet
MCP_TRUSTED_PROXIESto your ingress/proxy IP or CIDR (e.g.10.0.0.0/8)Deploy and expose port
3000(or setPORT)
Rate limiting keys on the client IP derived from X-Forwarded-For, which is only
trusted from the proxies named in MCP_TRUSTED_PROXIES (default: loopback only).
Set it to your real ingress range and ensure the proxy overwrites inbound
X-Forwarded-For — otherwise a client able to reach the server through a
trusted/loopback proxy could spoof its IP and bypass per-IP limits. The session
and client-registration stores are independently bounded (the API key is
validated before a session is created, and stores evict oldest-first), so
resource exhaustion and lockout are prevented even if IP limiting is
misconfigured.
Usage Examples
The following examples show realistic prompts an end user might give to an AI agent connected to this MCP server, and which tools each prompt exercises.
Inspect a service and check its resource usage
"Show me CPU and memory usage for my api service over the last hour."
Exercises: list_workspaces → list_projects → list_services → get_service → get_cpu_metrics, get_memory_metrics
Deploy a service and monitor progress
"Deploy the latest commit of the frontend service in my production project, then tell me when it succeeds."
Exercises: list_workspaces → list_projects → list_services → deploy_service → list_jobs
Create a new service from a Git repository
"List all services in my staging project and create a new Node.js web service from github.com/owner/repo on the main branch."
Exercises: list_workspaces → list_projects → list_services → list_pods → list_regions → create_service
Put a service in maintenance mode
"Enable maintenance mode on the checkout service while I push a hotfix."
Exercises: list_workspaces → list_projects → list_services → update_service
Support
For questions, bug reports, or integration help: support@partiri.cloud
Full documentation is available at https://partiri.cloud/documentation/mcp.
Privacy
This connector accesses workspace, project, service, deployment, log, and metrics data from your Partiri account on behalf of the authenticated user, and only that data. Secrets never reach the model context: environment variable values and secret references (env, fk_service_secret) are stripped from every tool response, and secret management is deliberately CLI-only. It does not maintain a token database — API keys are AES-256-GCM encrypted inside stateless OAuth tokens — and server-side session state is in-memory with a 30-minute inactivity TTL.
Privacy policy: https://partiri.cloud/privacy
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Partiri-Cloud/harbor-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server