@veeemlab/itglue-mcp
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@@veeemlab/itglue-mcpsearch organizations with name Contoso"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
@veeemlab/itglue-mcp
A Model Context Protocol (MCP) server for IT Glue with full read + write support. Talks JSON:API to api.itglue.com / api.eu.itglue.com / api.au.itglue.com and exposes 56 tools to any MCP-compatible client (Claude Desktop, Claude Code, MCPHub, etc.). Built-in rate limiting and retry-with-backoff keep you safely under IT Glue's 3000 req / 5min ceiling. Destructive operations require explicit confirm tokens; password reveal requires a separate acknowledgement; the HTTP transport requires a bearer token and binds to loopback by default.
Quick start
Add it to any MCP client's config (example for MCPHub's mcp_settings.json):
{
"itglue": {
"command": "npx",
"args": ["-y", "@veeemlab/itglue-mcp"],
"env": {
"ITGLUE_API_KEY": "${ITGLUE_API_KEY}",
"ITGLUE_REGION": "${ITGLUE_REGION}"
}
}
}npx resolves the latest published version from npm and caches it; subsequent runs are instant.
Alternative: run from GitHub HEAD
If you want the bleeding-edge main branch without waiting for an npm release:
"args": ["-y", "github:veeemlab/itglue-mcp"]Related MCP server: hudu-mcp
Environment
Variable | Required | Default | Notes |
| yes | – | Sent as the |
| no |
| One of |
| no |
| Set to |
| no | stdio | Set to |
| when | – | Bearer token required on |
| no |
| Only used when |
| no |
| Only used when |
Tools
All tools share the itglue_ prefix. Read-only tools accept pageSize / pageNumber for page[size] / page[number], plus typed filters that map to filter[...].
Organizations — search_organizations, get_organization
Configurations — search_configurations, get_configuration, create_configuration, update_configuration, delete_configuration, list_configuration_types, list_configuration_statuses
Passwords — search_passwords, get_password, create_password, update_password, delete_password, list_password_categories (pass showPassword: true to reveal plaintext)
Documents — search_documents, get_document, create_document, list_document_sections, create_document_section, update_document_section, delete_document_section, publish_document
Flexible Assets — list_flexible_asset_types, list_flexible_asset_fields, search_flexible_assets, get_flexible_asset, create_flexible_asset, update_flexible_asset, delete_flexible_asset
Flexible assets use a dynamic
traitsobject — always calllist_flexible_asset_fieldsfor the target type first to learn the valid keys.
Contacts — search_contacts, get_contact, create_contact, update_contact, delete_contact
Locations — list_locations, get_location, create_location, update_location, delete_location
Users — list_users, get_user
Groups — list_groups, get_group
Attachments — list_attachments, delete_attachment
Related Items — list_related_items, create_related_item, delete_related_item
Bulk — bulk_update, bulk_delete (one tool per operation across resource types)
Deduplication — find_org_match, find_contact_match, find_config_match, scan_duplicates
Health — itglue_health_check
Token-saving formatOptions
Every read tool accepts an optional formatOptions argument: format: "compact" keeps id + a small set of identifying attributes, fields: [...] whitelists specific attribute keys, omitEmpty: true drops null and empty values. Combine to reduce response tokens by up to 80%.
How it works
JSON:API request/response envelopes (
type+id+attributes) with kebab-case attribute keysGET/POST/PATCH/DELETEmap cleanly to IT Glue's CRUD verbsErrors from the API are parsed and surfaced as
isError: truetool responses with the originalerrors[]payloadTransport defaults to
StdioServerTransport; opt intoStreamableHTTPServerTransportwithITGLUE_TRANSPORT=http
Rate limiting & retry
Every outbound request goes through a serialized queue with a configurable minimum interval (100 ms by default → ~10 req/s, comfortably under IT Glue's 3000 / 5 min limit). 429 responses are retried up to 3 times with exponential backoff (1 s, 2 s, 4 s) and honor the Retry-After header. 408 and 5xx responses are retried only for GET and DELETE — POST and PATCH surface the error to the caller, since retrying them risks duplicate side effects.
LRU response cache
GET responses are kept in an in-memory LRU cache with per-resource TTLs (1 hour for reference data, 5 minutes for organizations/locations, 1 minute for configurations/contacts/documents/flexible-assets, never for passwords). Successful write operations invalidate every cache entry for the touched resource.
Security
This server can read, modify, and delete IT Glue records — including passwords. Guards built in:
ITGLUE_READ_ONLY=truedisables registration of all 25 mutating tools;listToolsnever advertises them. The intended posture for handing an LLM an inspection-only view.Confirm tokens are required on every destructive tool. Each tool refuses to run unless the caller passes a verbatim
confirmvalue matching the operation:DELETE_CONFIGURATION,DELETE_CONTACT,DELETE_DOCUMENT_SECTION,DELETE_FLEXIBLE_ASSET,DELETE_LOCATION,DELETE_ATTACHMENT,DELETE_RELATED_ITEM,DELETE_PASSWORD,PUBLISH_DOCUMENT,BULK_UPDATE,BULK_DELETE.showPassword=trueonget_password/search_passwordsis conditionally gated: passing it withoutconfirm: "SHOW_PASSWORD"is refused. The plaintext path stays available but cannot be hit by accident.Error response redaction: API error bodies pass through a redactor that masks values whose key matches
/password|secret|token|api_key|otp|private_key/i. IT Glue sometimes echoes back submitted fields on validation failure — the redactor catches that before the LLM sees them.HTTP transport: requires
ITGLUE_HTTP_TOKEN(≥ 16 chars) and binds to127.0.0.1by default./mcprequests must carryAuthorization: Bearer <token>; token comparison usestimingSafeEqual./healthis unauthenticated for liveness probes.
Passwords are never cached regardless of TTL settings.
Why dist/ is committed
npx -y github:veeemlab/itglue-mcp runs the package straight from GitHub without a build step. So the compiled output under dist/ is intentionally tracked in git. A prepare script (tsc) regenerates it as a fallback if the package is ever installed from source.
Local development
npm install
npm run build # or npm run dev for watch mode
ITGLUE_API_KEY=... ITGLUE_REGION=eu node dist/index.jsProject layout:
src/
index.ts # stdio entry (+ optional HTTP with bearer auth)
server.ts # MCP server wiring + read-only filter
client.ts # IT Glue HTTP client (throttle, retry, cache)
cache.ts # LRU cache + per-resource TTL table
format.ts # formatOptions transform
redact.ts # secret-key redaction for error responses
searchFallback.ts # diacritic / first-word variants for filter[name]
similarity.ts # Jaro-Winkler + normalize for dedup tools
tools/
organizations.ts
configurations.ts
passwords.ts
documents.ts
flexibleAssets.ts
contacts.ts
locations.ts
users.ts
groups.ts
attachments.ts
relatedItems.ts
bulk.ts
deduplication.ts
health.ts
shared.ts # tool helpers (schemas, errors, pagination, confirm)
index.ts # tool registryLicense
MIT — see LICENSE.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/veeemlab/itglue-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server