Hetzner Cloud MCP Server — Cloud API + SSH management (60 tools)
Manages Hetzner Cloud infrastructure including servers, power operations, metrics, snapshots, backups, firewalls, DNS zones and records, rescue mode, and server rebuilds via the Hetzner Cloud API, plus comprehensive SSH-based server management for services, logs, and system monitoring.
Provides SSH-based MySQL database management capabilities including listing databases, monitoring process lists, and executing read-only SQL queries on managed servers.
Provides SSH-based Nginx web server management including configuration syntax testing, reloading, listing enabled sites, viewing site configurations, and accessing error and access logs.
Hetzner Cloud MCP Server
The only Hetzner MCP with SSH server management. API + SSH in one tool.
Manage your Hetzner Cloud infrastructure from Claude.ai, Claude Desktop, VS Code, Cursor, or any MCP-compatible client. Two management layers give you complete control:
Layer 1 — Hetzner Cloud API: Server power, metrics, snapshots, backups, firewalls, DNS zones and records, rescue mode, server rebuild and rescale. Works even when the server OS is unresponsive.
Layer 2 — SSH: Services, logs, Nginx, MySQL, supervisor, cron, UFW, disk/memory/CPU monitoring. Real sysadmin tools, not just API wrappers.
60 tools. Dynamic multi-server configuration. Self-hosted and open source.
Why This MCP?
Every existing Hetzner MCP only wraps the Cloud API. This one adds a full SSH management layer — the tools you actually need when managing production servers. Two layers, 60 tools, self-hosted.
Feature | Included |
Cloud API (server power, metrics, snapshots, backups, firewalls, rescue, rebuild) | Yes |
SSH Management (services, logs, Nginx, MySQL, system health) | Yes |
DNS Management (zones, records, CRUD) | Yes |
Multi-Server (1 to N servers from a single instance) | Yes |
Destructive Guards (confirm required for dangerous ops) | Yes |
Transport | SSE + Streamable HTTP |
Language | PHP 8.1+ |
Quick Start
Prerequisites
PHP 8.1+ with
curlextensionComposer
A Hetzner Cloud API token (Console > Security > API Tokens)
An SSH key for server access (Layer 2 tools)
1. Clone and install
git clone https://github.com/wbf-solutions/hetzner-cloud-mcp.git
cd hetzner-cloud-mcp
composer install2. Configure
cp .env.example .envEdit .env with your details:
HETZNER_API_TOKEN=your-cloud-api-token
SERVERS=web
SERVER_WEB_ID=12345678
SERVER_WEB_IP=1.2.3.4
SERVER_WEB_SSH_USER=root
SSH_KEY_PATH=/root/.ssh/id_ed25519
MCP_API_KEY=your-random-key # generate with: openssl rand -hex 323. Set up the SSH key
ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
ssh-copy-id -i /root/.ssh/id_ed25519.pub root@1.2.3.44. Configure Nginx
server {
listen 443 ssl;
server_name mcp.yourdomain.com;
ssl_certificate /etc/letsencrypt/live/mcp.yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mcp.yourdomain.com/privkey.pem;
root /var/www/hetzner-cloud-mcp;
index api.php;
location / {
try_files $uri /api.php?$query_string;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_buffering off;
fastcgi_read_timeout 600;
}
}5. Connect to Claude.ai
Settings > Connectors > Add custom connector:
Name: Hetzner Cloud MCP
URL:
https://mcp.yourdomain.com/api.php
If you set MCP_API_KEY, pass it via the URL: ?mcp=sse&key=YOUR_MCP_API_KEY
or configure the API key in the connector's Advanced Settings as a Bearer token.
Available Tools (60)
Layer 1 — Hetzner Cloud API (25 tools)
Tool | Description | Destructive |
| Server details: status, IP, type, datacenter | |
| CPU, disk, or network metrics | |
| Power on | |
| Hard power off | Confirm |
| Graceful ACPI shutdown | |
| Soft reboot | |
| Hard reset | Confirm |
| Reset root password | Confirm |
| Enable rescue mode | |
| Disable rescue mode | |
| Rebuild from image (wipes data) | Confirm |
| Rescale server plan | Confirm |
| Create snapshot | |
| List snapshots | |
| Delete snapshot | Confirm |
| Enable backups (+20% cost) | |
| Disable backups | Confirm |
| List firewalls | |
| Get firewall rules | |
| Replace all firewall rules | Confirm |
| Apply firewall to server | |
| Remove firewall from server | |
| List all servers | |
| List SSH keys | |
| Check async action status |
DNS (8 tools, requires HETZNER_DNS_TOKEN)
Tool | Description | Destructive |
| List DNS zones | |
| Get zone details | |
| Create DNS zone | |
| Delete DNS zone | Confirm |
| List records in zone | |
| Add DNS record | |
| Update DNS record | |
| Delete DNS record | Confirm |
Layer 2 — SSH (27 tools)
Tool | Description |
| Check systemd service status |
| Start a service |
| Stop a service |
| Restart a service |
| List running services |
| Disk space ( |
| RAM usage ( |
| CPU load + top processes |
| Top processes by mem/CPU |
| Server uptime |
| Test Nginx config syntax |
| Reload Nginx (tests first) |
| List enabled sites |
| View site Nginx config |
| Tail Nginx error log |
| Tail Nginx access log |
| Tail system log |
| View systemd journal |
| View supervisor logs |
| List MySQL databases |
| Show MySQL processes |
| Read-only SQL query |
| List crontab entries |
| Supervisor program statuses |
| Restart supervisor program |
| Check UFW firewall |
| Run command (dangerous cmds blocked) |
Authentication
Choose the mode that fits your deployment:
Mode | Config | Best for |
No auth |
| Behind VPN/firewall, local dev |
API key |
| Self-hosted, single user/team |
API key + OAuth | Set | Multi-user, Connectors Directory |
API Key (recommended for self-hosting)
Generate a key and set it in .env:
openssl rand -hex 32Clients pass the key as ?key=XXX or Authorization: Bearer XXX.
OAuth 2.1 (optional)
For advanced deployments or Anthropic Connectors Directory submission, you can add OAuth 2.1 token introspection alongside the static API key. This requires an external OAuth authorization server with an introspection endpoint (RFC 7662). See .env.example for the OAUTH_* variables.
Security
Authentication: API key via query param or
Authorization: Bearerheader. Optional OAuth 2.1 introspection. Timing-safe validation.Destructive guards: All dangerous operations require
confirm=true.Tool annotations: All tools include
readOnlyHintanddestructiveHintper MCP spec.SSH safety: 29 blocked command patterns (rm -rf, dd, mkfs, curl|sh, passwd, fdisk, etc.).
Read-only SQL: Only SELECT, SHOW, DESCRIBE, EXPLAIN allowed.
Rate limiting: Per-IP with atomic
flock().
Configuration
Define any number of servers in .env:
SERVERS=web,staging
SERVER_WEB_ID=12345678
SERVER_WEB_IP=1.2.3.4
SERVER_WEB_SSH_USER=root
SERVER_WEB_ALIASES=production,prod
SERVER_STAGING_ID=87654321
SERVER_STAGING_IP=5.6.7.8
DEFAULT_SERVER=webSSH and DNS are optional — tools are auto-disabled when not configured.
See .env.example for the full reference.
Client Configuration
Client | Connection |
Claude.ai | Settings > Connectors > Add custom connector with SSE URL |
Claude Desktop | Add to |
Claude Code |
|
VS Code / Cursor | VS Code extension — coming soon |
Deployment
Works with VitoDeploy or manual Nginx + PHP-FPM setup. Requires fastcgi_buffering off for SSE streaming. See the full deployment guide in the Quick Start section.
Contributing
See CONTRIBUTING.md. Security vulnerabilities: labs@wbf.solutions.
Links
Landing page: hetzner-cloud-mcp.wbf.tools
Built by: WBF Solutions
Contact: labs@wbf.solutions
License
MIT — WBF Solutions | labs@wbf.solutions
This server cannot be installed
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/wbf-solutions/hetzner-cloud-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server