itglue-mcp
The itglue-mcp server provides Claude with comprehensive access to IT Glue's documentation and asset management platform, enabling read and write operations across organizations, devices, passwords, documents, and more.
Organizations: Search by name, type, status, or PSA ID; retrieve full details for a specific organization.
Configurations (Devices/Assets): Search by organization, name, type, status, serial number, RMM ID, or PSA ID; retrieve full details for a specific configuration.
Locations (Addresses/Sites): Search by organization, name, city, region, or country; retrieve, create, and update locations (partial updates supported), including full address and phone details.
Passwords: Search password entries (metadata only); retrieve actual password values for a specific entry by ID.
Documents: Search by organization, name, or folder; list document folders; get, create, archive, and unarchive documents; manage document sections (list, create, update, delete); publish documents to make section changes visible.
Flexible Assets: List available flexible asset types; search flexible assets by type, name, or organization.
Utility: Health check to verify connectivity to the IT Glue API.
IT Glue MCP Server
A Model Context Protocol (MCP) server that provides Claude with access to IT Glue documentation and asset management.
One-Click Deployment
Unlike the other Wyre MCP servers, this one talks to the IT Glue API directly and
hasno private @wyre-technology/* runtime dependency, so the one-click build
does not need a GitHub Packages token — the cloud builder's npm ci only pulls
public packages. (A read:packages token is only needed to install the published
@wyre-technology/itglue-mcp package itself; see Installation.)
The DigitalOcean target builds the full Docker image and runs the complete MCP
server over HTTP and is the recommended path; this repo does not ship a Workers
entrypoint (src/worker.ts), so prefer DigitalOcean or the prebuilt container
image (ghcr.io/wyre-technology/itglue-mcp).
Related MCP server: MCP Outline Server
Installation
This package is published to the GitHub Packages npm registry, which requires a token even for public packages. Authenticate npm once, then install:
# Authenticate npm to GitHub Packages (token needs the read:packages scope)
export NODE_AUTH_TOKEN=$(gh auth token) # or a PAT with read:packages
npm install @wyre-technology/itglue-mcpThe repo's .npmrc already points the @wyre-technology scope at GitHub Packages and
reads the token from NODE_AUTH_TOKEN, so no further config is needed. The same applies
to npx @wyre-technology/itglue-mcp.
Or use the Docker image:
docker pull ghcr.io/wyre-technology/itglue-mcp:latestConfiguration
The server accepts credentials via environment variables:
Variable | Description | Required |
| Your IT Glue API key (format: ITG.xxx) | Yes (env mode) |
| A user-session JWT used as an optional fallback for document-folder operations on tenants whose API key cannot access the Document Folders resource yet. See JWT fallback for document-folder operations. | No |
| API region: | No |
| Override the IT Glue API base URL (advanced) | No |
| Transport: | No |
| Port for HTTP transport (default: | No |
| Bind address for HTTP transport (default: | No |
|
| No |
Alternative: When AUTH_MODE=gateway, the MCP Gateway injects credentials per request via HTTP headers instead of environment variables. See Remote Deployment.
JWT fallback for document-folder operations
A JWT is optional — it is only needed if your tenant's API key can't access Document Folders yet. Every folder-related path tries your API key first:
search_documents— defaults to a folder-inclusive listing (filter[document_folder_id]=nullreturns all documents, foldered ones included; each result carries itsdocumentFolderId). If the tenant's API rejects that filter, the server retries the[ne]filter form and finally degrades to the legacy root-only listing, saying so in the result. No JWT is involved at any layer.list_document_folders— IT Glue's public (API-key) API now documents a Document Folders resource, which is rolling out across tenants through 2026. The server tries the API key first (on the organization-relationship path, then the top-level/document_folderspath) and only falls back to a JWT if the key is rejected.create_document— the name-based folder picker uses the same API-key-first enumeration, then a configured JWT; if neither can list folders, it prompts for a folder URL / sibling-document URL / numeric folder ID as the last resort.
If you do need the JWT fallback, provide it in whichever way matches your deployment:
Mode | How to supply the JWT |
Local / env ( | Set the |
Remote gateway ( | Send the |
Interactive clients (Claude Desktop/Code) | Leave it unset — the server prompts you to paste a JWT on first use and caches it for the session. |
Headless deployments (Docker, cloud): there is no one to answer the interactive prompt, so if your tenant's API key cannot enumerate folders you must set
ITGLUE_JWT(env mode) or sendX-ITGlue-JWT(gateway mode) for folder enumeration to work.
Retrieving a JWT from your browser:
Sign in to IT Glue in your browser.
Open DevTools → Network tab.
Click any request to
itg-api-*.itglue.com.Copy the value of the
Authorization: Bearer <token>request header — the<token>part is your JWT.
Expiry: IT Glue JWTs are short-lived (~2 hours). A JWT placed in
ITGLUE_JWTon a long-running container will go stale and the JWT fallback will start failing until it is refreshed. Interactive clients are simply re-prompted on expiry. API-key operations are unaffected.
Available Tools
Organizations
search_organizations - Search for organizations with optional filtering by name, type, status, or PSA ID
get_organization - Get a specific organization by ID
Configurations (Devices/Assets)
search_configurations - Search for configurations with filtering by organization, name, type, status, serial number, RMM ID, or PSA ID
get_configuration - Get a specific configuration by ID
Locations (Addresses/Sites)
search_locations - Search an organization's locations (built-in address/site records), filtering by organization, name, city, region, or country. Results include the address fields and phone number.
get_location - Get a specific location by ID, including its full address and phone number
create_location - Create a new location for an organization (requires
name, typicallycountry_id)update_location - Update an existing location; only the fields you supply are changed
Passwords
search_passwords - Search for password entries (metadata only, no actual passwords in results)
get_password - Get a specific password entry including the actual password value
Documents
search_documents - Search for documents with filtering by organization, name, or folder. Defaults to a folder-inclusive listing (each result carries its
documentFolderId), degrading gracefully to a root-only listing on tenants whose API rejects the folder filterlist_document_folders - List an organization's document folders (names and IDs). Works with an API key on tenants where IT Glue exposes the Document Folders resource; falls back to a JWT otherwise — see JWT fallback for document-folder operations
Flexible Assets
search_flexible_assets - Search for flexible assets (requires flexible_asset_type_id)
Utility
itglue_health_check - Verify connectivity to IT Glue API
Usage with Claude Code
Add to your .mcp.json:
{
"mcpServers": {
"itglue": {
"command": "npx",
"args": ["@wyre-technology/itglue-mcp"],
"env": {
"ITGLUE_API_KEY": "${ITGLUE_API_KEY}",
"ITGLUE_REGION": "us"
}
}
}
}Or with Docker (local stdio):
{
"mcpServers": {
"itglue": {
"command": "docker",
"args": [
"run", "--rm", "-i",
"-e", "MCP_TRANSPORT=stdio",
"-e", "ITGLUE_API_KEY",
"ghcr.io/wyre-technology/itglue-mcp:latest"
],
"env": {
"ITGLUE_API_KEY": "${ITGLUE_API_KEY}"
}
}
}
}Note: The Docker image defaults to HTTP transport. The
-e MCP_TRANSPORT=stdioabove is required to run it as a local stdio server for Claude Desktop/Code. For server deployments, see Remote Deployment below.
Remote Deployment (HTTP Streamable)
For server/cloud deployments, run the server with the HTTP Streamable transport. The Docker image already defaults to MCP_TRANSPORT=http on port 8080, exposing two endpoints:
POST /mcp— MCP Streamable HTTP endpoint (stateless: a fresh server is created per request)GET /health— unauthenticated health check
Env mode (single tenant)
Credentials come from environment variables. Use this when one API key serves the deployment:
docker run -d \
--name itglue-mcp \
-p 8080:8080 \
-e ITGLUE_API_KEY="ITG.xxxxxxxx" \
-e ITGLUE_REGION="us" \
--restart unless-stopped \
ghcr.io/wyre-technology/itglue-mcp:latest
# Verify
curl http://localhost:8080/health
# {"status":"ok","transport":"http","authMode":"env",...}Clients connect to http://<host>:8080/mcp using the MCP Streamable HTTP transport.
Gateway mode (multi-tenant / hosted)
When deployed behind an MCP Gateway (e.g. mcp.wyre.ai), set AUTH_MODE=gateway. Credentials are then injected per request via HTTP headers rather than environment variables:
docker run -d \
--name itglue-mcp \
-p 8080:8080 \
-e AUTH_MODE=gateway \
--restart unless-stopped \
ghcr.io/wyre-technology/itglue-mcp:latestThe gateway supplies credentials on each request via these headers:
Header | Description | Required |
| IT Glue API key | One of API-Key or JWT |
| JWT for elevated-scope operations | One of API-Key or JWT |
| API region: | No |
| Override the IT Glue API base URL | No |
Requests missing both X-ITGlue-API-Key and X-ITGlue-JWT receive a 401. The /health endpoint reports "authMode":"gateway" in this mode.
Running without Docker
The same transport works from an installed/built copy by setting MCP_TRANSPORT=http:
MCP_TRANSPORT=http MCP_HTTP_PORT=8080 ITGLUE_API_KEY="ITG.xxxxxxxx" \
npx @wyre-technology/itglue-mcpExample Queries
Once configured, you can ask Claude:
"Search for organizations containing 'Acme' in IT Glue"
"Get the configuration details for device ID 12345"
"Find all passwords for organization ID 100"
"Search for flexible assets of type 54321"
Security Notes
Password search results do not include actual password values for security
Use
get_passwordwith explicit ID to retrieve password valuesStore your API key securely using environment variables or a secrets manager
The API key should have appropriate read permissions in IT Glue
License
Apache-2.0
Contributing
See CONTRIBUTING.md for guidelines.
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/wyre-technology/itglue-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server