Skip to main content
Glama
macharpe

Cisco Meraki MCP Server

by macharpe

๐ŸŒ Cisco Meraki MCP Server

TypeScript Cloudflare Workers Model Context Protocol Cisco Meraki License: GPL v3 Security

Deploy to Cloudflare Workers

A production-ready, enterprise-grade Model Context Protocol (MCP) server that provides AI assistants with comprehensive access to Cisco Meraki network management capabilities. Built on Cloudflare Workers with Durable Objects, OAuth 2.1 authentication with PKCE, intelligent KV caching, and full RFC-compliant OAuth discovery support.

Inspiration: This implementation was inspired by Censini/mcp-server-meraki and mkutka/meraki-magic-mcp - credits to both original works for API method ideas and implementation approaches.

๐Ÿ“‘ Table of Contents


Related MCP server: Meraki MCP Server

๐Ÿ“‹ Prerequisites

Before deploying the server, ensure you have:

  1. ๐ŸŒ Cloudflare Account: Free account at cloudflare.com with a domain configured

  2. ๐Ÿ”‘ Cisco Meraki Account: With API access enabled

  3. ๐ŸŽซ Meraki API Key: Generated from your Meraki Dashboard

    • Navigate to Organization > Settings > Dashboard API access

    • Enable API access and generate a new API key

  4. ๐Ÿ’ป Node.js: Version 18 or higher

  5. ๐Ÿ“ฆ Git: For cloning the repository

  6. ๐Ÿ” Cloudflare Access for SaaS: Configured identity provider (Okta, Google Workspace, Azure AD, etc.)


โœจ Features

๐Ÿ› ๏ธ Available Tools

The server provides 27 comprehensive Meraki management tools organized across multiple categories:

๐Ÿข Organization & Network Management (6 tools)

  • get_organizations, get_organization, get_networks, get_network, get_network_traffic, get_network_events

๐Ÿ“ฑ Device Management (5 tools)

  • get_devices, get_device, get_device_statuses, get_clients, get_management_interface

๐Ÿ”— Switch Management (4 tools)

  • get_switch_ports, get_switch_port_statuses, get_switch_routing_interfaces, get_switch_static_routes

๐Ÿ“ก Wireless Management (8 tools)

  • get_wireless_radio_settings, get_wireless_status, get_wireless_latency_stats, get_wireless_rf_profiles

  • get_wireless_channel_utilization, get_wireless_signal_quality, get_wireless_connection_stats, get_wireless_client_connectivity_events

๐Ÿ›ก๏ธ Appliance Management (4 tools)

  • get_appliance_vpn_site_to_site, get_appliance_content_filtering, get_appliance_security_events, get_appliance_traffic_shaping


๐Ÿ—๏ธ Architecture

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”      โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”      โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚   MCP Client     โ”‚      โ”‚  Cloudflare Worker  โ”‚      โ”‚   Meraki API     โ”‚
โ”‚  (AI Playground) โ”‚โ—„โ”€โ”€โ”€โ”€โ–บโ”‚  Durable Object MCP โ”‚โ—„โ”€โ”€โ”€โ”€โ–บโ”‚   Dashboard      โ”‚
โ”‚  (Claude)        โ”‚      โ”‚  + OAuth Handler    โ”‚      โ”‚                  โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜      โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜      โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
         โ”‚                          โ”‚
         โ”‚                          โ”‚
         โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
               Cloudflare Access
           (OAuth 2.1 + Enterprise SSO)

Architecture Highlights:

  • Durable Objects: Stateful MCP agent with SQLite storage for session management

  • Multi-Layer Caching: KV caching for organizations, networks, clients, and JWKS keys

  • Global Edge: Deployed across 300+ Cloudflare data centers for low latency

  • Zero Trust: Every request authenticated and verified via Cloudflare Access JWT tokens


๐Ÿ” Authentication

The server implements OAuth 2.1 with PKCE integrated with Cloudflare Access for SaaS for enterprise-grade authentication and authorization. All MCP endpoints (/mcp and /sse) are protected and require valid Cloudflare Access JWT tokens.

๐Ÿ“‹ Detailed Documentation: See docs/oauth-authentication-flow.md for the complete authentication architecture with detailed sequence diagrams.

๐ŸŽฏ Authentication Flow Overview

sequenceDiagram
    participant User as User
    participant Client as MCP Client<br/>(AI Playground)
    participant Worker as Meraki MCP<br/>Worker
    participant Access as Cloudflare<br/>Access
    participant SSO as Enterprise<br/>SSO (Okta)

    Note over User,SSO: ๐Ÿ“ฑ User Connects to MCP Server

    Client->>Worker: 1. Connect to /mcp
    Worker-->>Client: 2. 401 Unauthorized<br/>(Need authentication)

    Note over User,SSO: ๐Ÿ” OAuth Flow Begins

    Client->>Worker: 3. Start OAuth flow
    Worker-->>User: 4. Show approval dialog

    User->>Worker: 5. Click "Approve"
    Worker->>Access: 6. Redirect to Access login

    Note over User,SSO: ๐Ÿ‘ค Enterprise SSO Authentication

    Access->>SSO: 7. SAML/OIDC login
    User->>SSO: 8. Enter credentials
    SSO-->>Access: 9. User authenticated

    Note over User,SSO: ๐ŸŽซ Token Exchange

    Access-->>Worker: 10. Return auth code
    Worker->>Access: 11. Exchange code for JWT
    Access-->>Worker: 12. Cloudflare Access JWT
    Worker-->>Client: 13. Return access token

    Note over User,SSO: โœ… Authenticated Access

    Client->>Worker: 14. MCP requests with Bearer token
    Worker->>Worker: 15. Verify JWT signature
    Worker-->>Client: 16. Return Meraki data

    Note over User,SSO: Subsequent requests use cached token

Key Takeaways:

  • ๐Ÿ” Users authenticate once via their enterprise SSO (Okta, Google, Azure AD, etc.)

  • ๐ŸŽซ Cloudflare Access issues a JWT token valid for 1 hour

  • โœ… All subsequent MCP requests include the Bearer token

  • โšก Token verification is cached for performance (~5ms vs ~100ms)

๐Ÿ” OAuth Infrastructure

The server provides RFC-compliant OAuth 2.1 endpoints:

Endpoint

Purpose

Specification

/.well-known/oauth-authorization-server

OAuth metadata discovery

RFC 8414

/.well-known/oauth-protected-resource

Resource server metadata

RFC 8707

/.well-known/jwks.json

JSON Web Key Set for token verification

RFC 7517

/register

Dynamic client registration

RFC 7591

/authorize

Authorization endpoint (with PKCE)

RFC 7636

/callback

OAuth callback handler

OAuth 2.1

/token

Token exchange endpoint

OAuth 2.1

/mcp

Protected MCP JSON-RPC endpoint

MCP Spec

/sse

Protected Server-Sent Events transport

MCP Spec


โšก Performance & Caching

The server implements intelligent multi-layer KV caching to optimize performance and reduce API calls to Meraki Dashboard:

๐Ÿ—„๏ธ Cache Strategy

Data Type

Cache TTL

Rationale

Organization Lists

30 minutes

Organizations rarely change

Network Lists

15 minutes

Moderate update frequency

Client Lists

5 minutes

Clients connect/disconnect frequently

JWKS Keys

1 hour

JWT verification keys are stable


๐ŸŒ Environment Variables

The server uses the following environment variables:

Required Secrets

Set these using npx wrangler secret put <SECRET_NAME>:

Secret

Description

How to Get

MERAKI_API_KEY

Cisco Meraki Dashboard API key

Generate from Meraki Dashboard โ†’ Organization > Settings > API

ACCESS_CLIENT_ID

Cloudflare Access client ID

From Access for SaaS application configuration

ACCESS_CLIENT_SECRET

Cloudflare Access client secret

From Access for SaaS application configuration

ACCESS_TOKEN_URL

Cloudflare Access token endpoint

From Access for SaaS application configuration

ACCESS_AUTHORIZATION_URL

Cloudflare Access authorization endpoint

From Access for SaaS application configuration

ACCESS_JWKS_URL

Cloudflare Access JWKS endpoint

From Access for SaaS application configuration

COOKIE_ENCRYPTION_KEY

32-byte hex key for cookie encryption

Generate with: openssl rand -hex 32


๐Ÿ“ Project Structure

meraki-mcp-cloudflare/
โ”œโ”€โ”€ src/
โ”‚   โ”œโ”€โ”€ index.ts                   # Main Durable Object MCP Agent
โ”‚   โ”œโ”€โ”€ access-handler.ts          # OAuth 2.1 authentication handler
โ”‚   โ”œโ”€โ”€ oauth-helpers.ts           # OAuth utility functions
โ”‚   โ”œโ”€โ”€ workers-oauth-utils.ts     # Workers OAuth utilities
โ”‚   โ”œโ”€โ”€ middleware/
โ”‚   โ”‚   โ””โ”€โ”€ auth.ts                # Authentication middleware
โ”‚   โ”œโ”€โ”€ services/
โ”‚   โ”‚   โ”œโ”€โ”€ merakiapi.ts           # Meraki API service layer with caching
โ”‚   โ”‚   โ””โ”€โ”€ cache.ts               # KV caching service
โ”‚   โ”œโ”€โ”€ types/
โ”‚   โ”‚   โ”œโ”€โ”€ env.ts                 # Environment variable type definitions
โ”‚   โ”‚   โ””โ”€โ”€ meraki.ts              # Meraki API type definitions
โ”‚   โ””โ”€โ”€ tests/
โ”‚       โ”œโ”€โ”€ index.test.ts          # MCP agent tests
โ”‚       โ””โ”€โ”€ auth.test.ts           # Authentication tests
โ”œโ”€โ”€ docs/
โ”‚   โ”œโ”€โ”€ oauth-authentication-flow.md   # Complete OAuth flow documentation
โ”‚   โ””โ”€โ”€ authentication-flow.md         # Legacy authentication docs
โ”œโ”€โ”€ scripts/
โ”‚   โ””โ”€โ”€ pre-deploy.sh              # Pre-deployment validation script
โ”œโ”€โ”€ wrangler.jsonc                 # Cloudflare Workers configuration
โ”œโ”€โ”€ package.json                   # Dependencies and npm scripts
โ”œโ”€โ”€ tsconfig.json                  # TypeScript configuration
โ”œโ”€โ”€ biome.json                     # Biome linter configuration
โ”œโ”€โ”€ .claude/                       # Claude Code project instructions
โ”‚   โ””โ”€โ”€ CLAUDE.md
โ””โ”€โ”€ README.md                      # This file

๐Ÿš€ Installation & Deployment

1. Clone the Repository

git clone https://github.com/macharpe/meraki-mcp-cloudflare.git
cd meraki-mcp-cloudflare

2. Install Dependencies

npm install

3. Create a SaaS App

Follow the Cloudflare Access for SaaS MCP Server guide to create your Access for SaaS application.

Important: Make note of these values - you'll need them later:

  • โœ… Client ID

  • โœ… Client Secret

  • โœ… Token Endpoint

  • โœ… Authorization Endpoint

  • โœ… Key Endpoint (JWKS URL)

Access Control: When creating the SaaS App, configure an Access policy to control who can authenticate and access your MCP server. This policy determines which users (based on email, group membership, identity provider, etc.) are authorized to connect. Only users who match your policy will be able to authenticate via enterprise SSO and use the MCP server.

4. Create KV Namespaces

Create two KV namespaces for OAuth session storage and API response caching:

# Create OAuth session storage namespace
npx wrangler kv:namespace create "OAUTH_KV"
# Output: id = "abc123..." - SAVE THIS

# Create cache storage namespace
npx wrangler kv:namespace create "CACHE_KV"
# Output: id = "def456..." - SAVE THIS

5. Configure Custom Domain

Update wrangler.jsonc with your domain and KV namespace IDs:

{
  "name": "meraki-mcp-cloudflare",
  "main": "src/index.ts",
  "compatibility_date": "2025-03-07",

  // KV namespaces - UPDATE THESE WITH YOUR IDS FROM STEP 4
  "kv_namespaces": [
    {
      "binding": "OAUTH_KV",
      "id": "YOUR_OAUTH_KV_ID_HERE"  // From step 4
    },
    {
      "binding": "CACHE_KV",
      "id": "YOUR_CACHE_KV_ID_HERE"  // From step 4
    }
  ],

  // Custom domain routing - UPDATE WITH YOUR DOMAIN
  "routes": [
    {
      "pattern": "meraki-mcp.yourdomain.com",  // Change to your domain
      "custom_domain": true
    }
  ],

  // Security: Disable public endpoints
  "workers_dev": false,
  "preview_urls": false
}

Note: The KV namespace IDs shown above are placeholders. Replace them with the actual IDs from step 4.

6. Set Required Secrets

First, generate a cookie encryption key:

openssl rand -hex 32

Copy the output - you'll need it in the next step.

Reference: See Cloudflare's Configure a cookie encryption key documentation for more details.

Configure all required secrets using Wrangler:

# Meraki API authentication
npx wrangler secret put MERAKI_API_KEY
# Enter your Meraki API key when prompted

# Cloudflare Access for SaaS credentials (from step 3)
npx wrangler secret put ACCESS_CLIENT_ID
npx wrangler secret put ACCESS_CLIENT_SECRET
npx wrangler secret put ACCESS_TOKEN_URL
npx wrangler secret put ACCESS_AUTHORIZATION_URL
npx wrangler secret put ACCESS_JWKS_URL

# Cookie encryption key (paste the output from openssl command above)
npx wrangler secret put COOKIE_ENCRYPTION_KEY

7. Configure Local Development (Optional)

For local testing with wrangler dev, create a .dev.vars file:

echo "MERAKI_API_KEY=your_meraki_api_key_here" > .dev.vars

Note: The .dev.vars file is git-ignored for security. This is useful for local development but not required for production deployment.

8. Deploy to Cloudflare Workers

Authenticate with Cloudflare (first time only):

npx wrangler login

Deploy the server:

npx wrangler deploy

Your server will be available at: https://meraki-mcp.yourdomain.com


โš™๏ธ Claude Configuration

๐Ÿ“Š Client Compatibility Summary

The following table summarizes OAuth-protected MCP server compatibility based on testing with this server:

Client

Status

OAuth Flow

MCP Handshake

Tools Available

Notes

Workers AI Playground

โœ… Works

โœ“ Complete

โœ“ Complete

โœ“ All 27 tools

Built by Cloudflare for OAuth MCP

Claude Code (CLI)

โœ… Works

โœ“ Complete

โœ“ Complete

โœ“ All 27 tools

Recommended - Tested and verified working

Claude.ai (Web)

โš ๏ธ Partial

โœ“ Complete

โœ— Incomplete

โœ— No tools

OAuth succeeds, handshake stalls after initialize

Claude Desktop

โŒ Fails

โœ— Callback error

โœ— N/A

โœ— N/A

mcp-remote can't resolve callback URI

โœ… Claude Code (CLI)

Claude Code has full OAuth support for remote MCP servers and works reliably.

Add via CLI:

claude mcp add --transport http --scope user meraki-mcp https://meraki-mcp.yourdomain.com/mcp

Or manually add to ~/.claude.json:

{
  "mcpServers": {
    "meraki-mcp": {
      "url": "https://meraki-mcp.yourdomain.com/mcp",
      "transport": "http"
    }
  }
}

When you start a new Claude Code session, it will automatically initiate the OAuth flow via your browser.

๐Ÿ’ป Claude Desktop

โš ๏ธ Compatibility Issue: Based on testing, Claude Desktop has compatibility issues with OAuth-protected remote MCP servers. The mcp-remote package encounters callback URI resolution errors.

Error: Cannot find localhost callback URI from existing client information

Workaround: Use Workers AI Playground or Claude Code CLI instead.

  1. Locate your Claude Desktop config file:

    • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json

    • Windows: %APPDATA%\Claude\claude_desktop_config.json

    • Linux: ~/.config/Claude/claude_desktop_config.json

  2. Add the Meraki MCP server configuration:

{
  "mcpServers": {
    "meraki-mcp": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote@latest",
        "https://meraki-mcp.yourdomain.com/mcp"
      ]
    }
  }
}
  1. Restart Claude Desktop completely (quit and relaunch)

๐ŸŒ Claude.ai (Website)

โš ๏ธ Compatibility Issue: Based on testing, Claude.ai's web interface has compatibility issues with OAuth-protected MCP servers. OAuth authentication completes successfully, but the MCP handshake stalls after the initialize call - it never progresses to tools/list, resulting in no tools being available.

Observed Behavior:

  • โœ“ OAuth discovery works

  • โœ“ User authentication succeeds

  • โœ“ JWT token obtained

  • โœ“ initialize request completes

  • โœ— Connection reinitializes repeatedly instead of calling tools/list

Workaround: Use Workers AI Playground or Claude Code CLI, which have full OAuth MCP support.

  1. Navigate to claude.ai

  2. Click on your profile โ†’ Settings

  3. Go to Integrations โ†’ Model Context Protocol

  4. Click Add Server

  5. Enter:

    • Name: Meraki MCP Server

    • URL: https://meraki-mcp.yourdomain.com

  6. Click Connect

  7. Authenticate via your enterprise SSO when prompted

๐Ÿ”ง Claude Code (CLI)

Add to your MCP settings configuration:

{
  "mcpServers": {
    "meraki-mcp": {
      "url": "https://meraki-mcp.yourdomain.com",
      "oauth": {
        "discoveryUrl": "https://meraki-mcp.yourdomain.com/.well-known/oauth-authorization-server"
      }
    }
  }
}

๐Ÿ’ก Usage Examples

Once connected to Claude, you can use natural language to interact with your Meraki infrastructure:

๐Ÿข Organization Management

"Show me all my Meraki organizations"
"Get details for organization 123456"

๐ŸŒ Network Operations

"List all networks in my main organization"
"Get network traffic statistics for the office network"

๐Ÿ“ฑ Device Management

"Show me all devices in the SF office network"
"Get wireless status for access point Q2XX-YYYY-ZZZZ"

๐Ÿ” Client Information

"List all connected clients on the guest network"
"Show me connectivity events for MAC address XX:XX:XX:XX:XX:XX"

๐Ÿ”— Switch Configuration

"Get switch port statuses for device ABC-123-DEF"
"Show routing interfaces on the core switch"

๐Ÿงช Testing & API Endpoints

๐Ÿฅ Health Check

Test basic connectivity:

curl https://meraki-mcp.yourdomain.com/health

Expected Response:

{
  "status": "OK",
  "service": "Cisco Meraki MCP Server",
  "timestamp": "2025-01-23T10:30:00.000Z",
  "oauthEnabled": true,
  "version": "1.0.0",
  "endpoints": [...]
}

๐Ÿ” OAuth Discovery

Test OAuth metadata discovery:

curl https://meraki-mcp.yourdomain.com/.well-known/oauth-authorization-server

๐Ÿ› ๏ธ Development Commands

Local Development:

npm run dev          # Start development server
npm run build        # Compile TypeScript
npm run lint         # Run code linting
npm run lint:fix     # Auto-fix linting issues
npm run typecheck    # Type checking only
npm run pre-deploy   # Complete pre-deployment checks

Deployment:

npm run deploy       # Deploy to Cloudflare Workers
npm run types        # Generate Cloudflare types

Monitoring:

npx wrangler tail --format pretty  # Real-time logs

๐Ÿ”ง Troubleshooting

Common Issues:

  1. OAuth Authentication Failures

    • Verify Cloudflare Access configuration matches secrets

    • Check redirect URI matches exactly (no trailing slash)

    • Ensure domain is properly configured in Cloudflare

  2. KV Namespace Errors

    • Verify KV namespace IDs in wrangler.jsonc match those from kv:namespace create

    • Check KV namespaces exist in Cloudflare dashboard

  3. Meraki API Errors

    • Verify API key is valid and not expired

    • Check API key has proper organization access

    • Ensure rate limits aren't exceeded (5 req/sec)

  4. CORS Issues

    • Server includes proper CORS headers automatically

    • Check browser console for specific CORS errors

    • Verify mcp-protocol-version header is allowed

Debug Mode:

Enable detailed logging:

npx wrangler tail --format pretty | grep '\[AUTH\]'  # Authentication logs
npx wrangler tail --format pretty | grep '\[CACHE\]' # Cache performance

๐Ÿค Contributing

Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.


๐Ÿ“„ License

This project is licensed under the GPL-3.0 License - see the LICENSE file for details.


๐Ÿ™ Acknowledgments

  • Cloudflare Workers: For providing an excellent serverless platform

  • Model Context Protocol: For creating the MCP specification

  • Cisco Meraki: For their comprehensive API

  • Censini/mcp-server-meraki: Original inspiration for this implementation

  • mkutka/meraki-magic-mcp: Additional inspiration for API methods and implementation approaches


Built with โค๏ธ using Cloudflare Workers and the Model Context Protocol

A
license - permissive license
-
quality - not tested
C
maintenance

Maintenance

โ€“Maintainers
โ€“Response time
2dRelease cycle
12Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/macharpe/meraki-mcp-cloudflare'

If you have feedback or need assistance with the MCP directory API, please join our Discord server