Overview/Home
v7.17.58
Integrations

MCP Server

LAN only

Control NexoralDNS from any AI agent on your local network — Claude Code, Codex, Copilot, Antigravity, and more — through the same login and permissions as the dashboard.

The MCP tool server (`tools/`) is a fifth, independent NexoralDNS process that speaks the Model Context Protocol (MCP) — the open standard that lets an LLM call external tools. It is a thin protocol translator: every tool call becomes a real HTTP request against the same authenticated REST API the dashboard uses, so no new authorization model exists anywhere. Whatever role and permissions your dashboard account has are exactly what your AI agent can do — nothing more.

LAN-only, like everything else in NexoralDNS
The MCP server binds across your local network (0.0.0.0:4774), not the public internet. It has no TLS and no per-request API-key auth beyond a Host-header allowlist — never port-forward it, tunnel it, or expose it outside your LAN. Every configuration below points an AI agent at a local or LAN address only.
Setup

Already running — no setup needed

The MCP tool server ships as part of the standard Docker install, alongside the DNS engine, dashboard, and DHCP server — the install script already starts it for you as a 5th managed process (ecosystem.config.js / PM2). There's nothing to install or run separately.

Endpointhttp://<your-machine-IP>:4774/mcp
Health checkcurl http://localhost:4773/api/health (the REST API it talks to)
💡
Only for contributors running from source
If you're developing against a non-Docker checkout: cd tools && npm install && npm run build && npm start (server/ must also be running — tools/ is only a client of its REST API, it has no database connection of its own).
Auth

Logging in

Connecting to the MCP server does not authenticate you — that only happens when the login tool is explicitly called with a dashboard username and password, exactly like the dashboard's own login form. Every other tool checks for an active session first and refuses with "Not logged in — call the login tool first" until you do.

Tokens are cached in the tools/ process's memory, keyed to that one MCP connection — closing the session (or restarting tools/) means logging in again next time.
server/ allows exactly one active session per user account — logging in again with the same username invalidates whatever session (dashboard or another MCP client) was previously active for that account.
Raw tokens are never exposed to the model — tool results only ever contain a success message or the REST response body.
⚠️
One session per account
If you are also logged into the dashboard as the same user, logging in via an MCP tool will silently sign that dashboard session out, and vice versa. Use a dedicated account for AI-agent access if you want both running at once.
Reliability

Health-gated, always

Every tool call checks GET /api/health first (cached ~3s to stay cheap). If MongoDB, Redis, RabbitMQ, or the API itself is down, you get a clear "server is not healthy" error instead of a confusing connection failure. check_server_health and get_server_info work without logging in at all, so they double as a first diagnostic step.

Reference

56 tools across 8 groups

GroupToolsCovers
Auth4login, logout, change_password, verify_session
Domains & DNS7Domain and DNS record (A/CNAME/AAAA) CRUD
Users & Roles12User accounts, roles, and the permission catalog
Access Control17Blocking policies, domain groups, IP groups — the largest group
DHCP2List / refresh connected LAN IP addresses
Settings6DNS service toggle, default TTL, cache management
Analytics & Logs5Dashboard stats, query logs, async log export
Meta3get_server_info & check_server_health (no login) — get_service_info (login required)
Integrations

Connecting AI agents

Every client below uses http://localhost:4774/mcp — that only works if the agent runs on the same machine as tools/. Verified against each tool's current docs.

ℹ️
Connecting from a different device? Find your server's own LAN IP first
There is no fixed IP — every install is on a different network. On the machine running tools/, run hostname -I (or ip -4 addr show) and use whatever address it prints instead of localhost. No extra setup needed: the Host-header allowlist already auto-discovers every LAN IP assigned to that machine at startup, so replacing localhost with it just works.
run on the OTHER device, from step 1 above
claude mcp add --transport http nexoraldns http://<your-server-LAN-IP>:4774/mcp
Change the default password — highly recommended
Every "say this" prompt below uses admin / admin, the seed default for a fresh install. Leaving it unchanged means anyone who can reach 4774 or 4773 on your LAN can log in with a widely-known password. Change it immediately — right from your agent, after logging in:
say this, right after logging in
Use the change_password tool: current password admin, new password <your new password>

Then swap your new username and password into every "say this" prompt below.

Claude Code

bash
$ claude mcp add --transport http nexoraldns http://localhost:4774/mcp

Verify with claude mcp get nexoraldns — should show Status: ✔ Connected. Then open Claude Code and type:

say this in Claude Code
Login to the nexoraldns MCP server with username admin and password admin

Codex CLI

bash
$ codex mcp add nexoraldns --url http://localhost:4774/mcp

Real CLI add command, config stored in ~/.codex/config.toml. Then open Codex and type:

say this in Codex
Login to the nexoraldns MCP server with username admin and password admin

GitHub Copilot CLI

No documented single-line flag command — use one of these two instead.

inside a copilot session
/mcp add

Fill the form: Name = nexoraldns, Type = HTTP, URL = http://localhost:4774/mcp. Or edit the config file directly:

~/.copilot/mcp-config.json
{
  "mcpServers": {
    "nexoraldns": {
      "type": "http",
      "url": "http://localhost:4774/mcp"
    }
  }
}

Then open Copilot CLI and type:

say this in Copilot CLI
Login to the nexoraldns MCP server with username admin and password admin

Antigravity (IDE)

Settings → Customizations tab → "Open MCP Config". Note the key is serverUrl, not url — different from every other client here.

mcp_config.json
{
  "mcpServers": {
    "nexoraldns": {
      "serverUrl": "http://localhost:4774/mcp"
    }
  }
}

Save, hit refresh in the Installed MCP Servers panel, then open a chat and type:

say this in Antigravity
Login to the nexoraldns MCP server with username admin and password admin

Antigravity CLI

Same serverUrl format, shared or CLI-specific config file (no add command):

Unified (IDE + CLI)~/.gemini/config/mcp_config.json
CLI-specific~/.gemini/antigravity-cli/mcp_config.json
Project-scoped.agents/mcp_config.json

Confirm with /mcp inside a session, then type:

say this in Antigravity CLI
Login to the nexoraldns MCP server with username admin and password admin

OpenCode

⚠️
Likely won't connect yet
OpenCode's "remote" MCP type currently implements the older SSE transport, not the Streamable HTTP transport tools/ uses — there's an open OpenCode feature request for Streamable HTTP support. This config is what OpenCode documents today; test before relying on it.
opencode.json
{
  "mcp": {
    "nexoraldns": {
      "type": "remote",
      "url": "http://localhost:4774/mcp"
    }
  }
}

If it connects, the same prompt logs you in:

say this in OpenCode
Login to the nexoraldns MCP server with username admin and password admin

Any other MCP client

If it supports the Streamable HTTP transport (the current MCP spec standard), the same URL works the same way — including the login flow, since that's implemented once in tools/'s own tool logic, not per-client.

See also