Control NexoralDNS from any AI agent on your local network — Claude Code, Codex, Copilot, Antigravity, and more — through the same login and permissions as the dashboard.
The MCP tool server (`tools/`) is a fifth, independent NexoralDNS process that speaks the Model Context Protocol (MCP) — the open standard that lets an LLM call external tools. It is a thin protocol translator: every tool call becomes a real HTTP request against the same authenticated REST API the dashboard uses, so no new authorization model exists anywhere. Whatever role and permissions your dashboard account has are exactly what your AI agent can do — nothing more.
⛔
LAN-only, like everything else in NexoralDNS
The MCP server binds across your local network (0.0.0.0:4774), not the public internet. It has no TLS and no per-request API-key auth beyond a Host-header allowlist — never port-forward it, tunnel it, or expose it outside your LAN. Every configuration below points an AI agent at a local or LAN address only.
Setup
Already running — no setup needed
The MCP tool server ships as part of the standard Docker install, alongside the DNS engine, dashboard, and DHCP server — the install script already starts it for you as a 5th managed process (ecosystem.config.js / PM2). There's nothing to install or run separately.
Endpointhttp://<your-machine-IP>:4774/mcp
Health checkcurl http://localhost:4773/api/health (the REST API it talks to)
💡
Only for contributors running from source
If you're developing against a non-Docker checkout: cd tools && npm install && npm run build && npm start (server/ must also be running — tools/ is only a client of its REST API, it has no database connection of its own).
Auth
Logging in
Connecting to the MCP server does not authenticate you — that only happens when the login tool is explicitly called with a dashboard username and password, exactly like the dashboard's own login form. Every other tool checks for an active session first and refuses with "Not logged in — call the login tool first" until you do.
▸Tokens are cached in the tools/ process's memory, keyed to that one MCP connection — closing the session (or restarting tools/) means logging in again next time.
▸server/ allows exactly one active session per user account — logging in again with the same username invalidates whatever session (dashboard or another MCP client) was previously active for that account.
▸Raw tokens are never exposed to the model — tool results only ever contain a success message or the REST response body.
⚠️
One session per account
If you are also logged into the dashboard as the same user, logging in via an MCP tool will silently sign that dashboard session out, and vice versa. Use a dedicated account for AI-agent access if you want both running at once.
Reliability
Health-gated, always
Every tool call checks GET /api/health first (cached ~3s to stay cheap). If MongoDB, Redis, RabbitMQ, or the API itself is down, you get a clear "server is not healthy" error instead of a confusing connection failure. check_server_health and get_server_info work without logging in at all, so they double as a first diagnostic step.
Meta3get_server_info & check_server_health (no login) — get_service_info (login required)
Integrations
Connecting AI agents
Every client below uses http://localhost:4774/mcp — that only works if the agent runs on the same machine as tools/. Verified against each tool's current docs.
ℹ️
Connecting from a different device? Find your server's own LAN IP first
There is no fixed IP — every install is on a different network. On the machine running tools/, run hostname -I (or ip -4 addr show) and use whatever address it prints instead of localhost. No extra setup needed: the Host-header allowlist already auto-discovers every LAN IP assigned to that machine at startup, so replacing localhost with it just works.
run on the OTHER device, from step 1 above
claude mcp add --transport http nexoraldns http://<your-server-LAN-IP>:4774/mcp
⛔
Change the default password — highly recommended
Every "say this" prompt below uses admin / admin, the seed default for a fresh install. Leaving it unchanged means anyone who can reach 4774 or 4773 on your LAN can log in with a widely-known password. Change it immediately — right from your agent, after logging in:
say this, right after logging in
Use the change_password tool: current password admin, new password <your new password>
Then swap your new username and password into every "say this" prompt below.
Claude Code
bash
$ claude mcp add --transport http nexoraldns http://localhost:4774/mcp
Verify with claude mcp get nexoraldns — should show Status: ✔ Connected. Then open Claude Code and type:
say this in Claude Code
Login to the nexoraldns MCP server with username admin and password admin
Login to the nexoraldns MCP server with username admin and password admin
OpenCode
⚠️
Likely won't connect yet
OpenCode's "remote" MCP type currently implements the older SSE transport, not the Streamable HTTP transport tools/ uses — there's an open OpenCode feature request for Streamable HTTP support. This config is what OpenCode documents today; test before relying on it.
Login to the nexoraldns MCP server with username admin and password admin
Any other MCP client
If it supports the Streamable HTTP transport (the current MCP spec standard), the same URL works the same way — including the login flow, since that's implemented once in tools/'s own tool logic, not per-client.