Scalr MCP Server

Overview

Managing infrastructure through an API is powerful, but it requires knowing the right endpoints, structuring the right payloads, and writing the right scripts. For most requests, that means significant time spent before a single resource is touched.

The Scalr MCP Server removes that friction by connecting your AI assistant directly to the Scalr API. Instead of compiling API calls manually, you describe what you need in plain language, and the MCP server handles the translation. Requests that would have taken hours or days of scripting now take minutes.


Choose Your Setup

MethodBest forRequirements
Remote MCP (OAuth)Everyone: Easiest setup, no Docker, no token managementAccount admin must enable the integration
Local stdio (Docker)Personal use on your own machine; works in air-gapped or offline environmentsDocker installed locally, personal API token
Local HTTP (Docker)Team or org-wide deployment where multiple users share one serverDocker, a server or VM to host it, a reverse proxy for TLS in production

Jump to your role:

For Developers

Connect your AI assistant (Claude, Cursor, VS Code) to Scalr and interact with your infrastructure in plain language. You can explore workspaces, investigate failing runs, query variables, review IAM policies, and more.

What MCP can and can't do: Most tools are read-only. Write operations are currently limited to creating workspaces and variables. Triggering runs, approving applies, and modifying existing resources are not yet supported via MCP.

Quickstart: Remote MCP (Recommended)

The fastest way to connect: no Docker, no token management. Your AI client authenticates using your own Scalr identity, so MCP inherits your existing permissions. It cannot access anything you cannot.

Prerequisite: Your account administrator must enable the integration first. If you get a connection error, ask them to go to Account Settings → Integrations → AI Assistant and toggle on Enable Scalr MCP.

Point your MCP client at https://your-account.scalr.io/mcp (replace your-account with your Scalr account name). When you connect for the first time, your client opens a browser window and redirects you to Scalr to approve access. After you approve, the connection is maintained automatically.

Claude

In Claude, go to Settings → Connectors and click Add custom connector. Enter https://your-account.scalr.io/mcp and click Connect. Complete the Scalr login and consent flow in the browser.

If you are using Claude Code, run in your terminal:

claude mcp add --transport http scalr https://your-account.scalr.io/mcp

Then start a Claude session and run:

/mcp

Select:
scalr → Authenticate

Cursor

In Cursor, go to Settings → Tools & MCP, click New MCP Server, and add the following to ~/.cursor/mcp.json:

{
  "mcpServers": {
    "scalr-remote": {
      "url": "https://your-account.scalr.io/mcp",
      "headers": {
        "Content-Type": "application/json"
      }
    }
  }
}

Save the file, go back to settings, and click Connect. You will be redirected to Scalr to authenticate.

Alternative: Local stdio (Docker)

Use this if the Remote MCP is not enabled in your account, or if you need to work in an air-gapped environment.

Prerequisites: Docker installed and running on your machine, and a Scalr API token (Personal Access Token or Service Account Token). Learn how to generate a token here.

  1. Open Claude Settings
    2. Navigate to Developer
    3. Click Add MCP Server
    4. Add the following to the config file.

    {
      "mcpServers": {
        "scalr": {
          "command": "docker",
          "args": [
            "run",
            "--rm",
            "-i",
            "--pull=always",
            "--env",
            "SCALR_API_TOKEN=your_api_token_here",
            "--env",
            "SCALR_API_URL=https://your-account.scalr.io",
            "scalr/mcp-server:latest"
          ]
        }
      }
    }

    Replace your_api_token_here with your Scalr API token and your-account.scalr.io with your instance URL. Ensure Docker is running, then close and reopen Claude Desktop.

Example Prompts for Developers

Start with a simple question like "List all of my Scalr environments" to confirm the connection, then try these:

Investigating a failed run (the AI chains these tools automatically)

  • "Show me the most recent failed run in the production environment and explain what went wrong."
  • "Get the plan log for run run-abc123 and summarize the proposed changes."
  • "Find all runs that failed in the last 24 hours and group them by workspace."

Exploring your infrastructure

  • "Show me all workspaces in the production environment."
  • "Which workspaces have detected drift in the staging environment?"
  • "What versions of Terraform are running across my infrastructure?"
  • "Show me all variables set at the environment scope in production."

Creating resources

  • "Create a workspace named 'new-app-staging' in the dev environment."
  • "Add a Terraform variable named 'instance_type' with value 't3.medium' to workspace ws-abc123."

For Platform Administrators

Platform admins control whether MCP is available to their organization, how it is deployed, and what security boundaries are in place.

Enable the Remote MCP for Your Organization

The Remote MCP is the recommended option for teams. Each user authenticates with their own Scalr identity, so the AI assistant inherits that user's existing permissions, and it cannot access anything the user cannot. No shared credentials are required, and access is revoked automatically when a user's Scalr account is removed.

Required permission: integrations:manage at account scope.

To enable:

  1. Go to Account Settings → Integrations → AI Assistant
  2. Toggle on Enable Scalr MCP

Once enabled, users can connect their AI clients directly to https://your-account.scalr.io/mcp using OAuth — no Docker or token distribution required on your end.

To disable the integration account-wide or revoke an individual user's access, remove their Scalr account access. The OAuth session will no longer be valid.

Deploy an HTTP Server for Your Team

Use this option when users need to connect AI agents that cannot use OAuth (e.g., Amazon Q, GitHub Copilot, headless CI agents), or when you want to manage the connection centrally.

Single-user vs. multi-user token strategy

ScenarioRecommended approach
One developer, personal machineSet SCALR_API_TOKEN globally, a simpler setup
Multiple users sharing one serverDo not set a global token. Require each user to provide their own Authorization: Bearer <token> header. This ensures each session is scoped to the user's own permissions.
Automated/CI workloadsUse a Service Account token with the minimum required permissions

Starting the server

docker run -d \
  --pull always \
  --name scalr-mcp-server \
  -p 8000:8000 \
  -e SCALR_API_URL=https://your-account.scalr.io \
  -e MCP_TRANSPORT=http \
  -e MCP_HTTP_HOST=0.0.0.0 \
  -e MCP_LOG_FILE=/var/log/mcp/server.log \
  -v ~/mcp-logs:/var/log/mcp \
  scalr/mcp-server:latest

Omit -e SCALR_API_TOKEN=... for multi-user deployments. Users will provide their own tokens via the Authorization: Bearer header in their client configuration.

Hardening for production

SettingDefaultRecommendation
MCP_CORS_ORIGINS* (all origins)Set to your client domain(s), e.g. https://cursor.your-company.com
MCP_HTTP_ALLOWED_HOSTSlocalhost,127.0.0.1,::1Set to your actual hostname — must change for any external access
TLSNot includedDeploy behind nginx or Caddy to terminate HTTPS
Image version:latestPin to a specific version (e.g. scalr/mcp-server:0.0.10) for stability

Configuring user clients for the HTTP server

Share this snippet with your team. They replace <your token> with their own Scalr API token.

Cursor (~/.cursor/mcp.json):

{
  "mcpServers": {
    "scalr": {
      "url": "https://mcp.your-company.com/mcp",
      "headers": {
        "Authorization": "Bearer <your token>",
        "Content-Type": "application/json"
      }
    }
  }
}

Example Prompts for Platform Administrators

Access and security audits

  • "Review token usage in my account. Show tokens that don't have owners, have never been rotated, and don't have a description. Separate it into three outputs."
  • "Pull all users in my Scalr account that have an admin access policy."
  • "How many tokens have not been rotated in the last 30 days?"
  • "List all service accounts without an owner."
  • "Suggest ways to tighten my Scalr account security."
  • "List all users who are allowed to bypass SSO."

Usage and billing

  • "Extract all billing usage for this month with breakdowns by workspace and environment."
  • "Which Terraform provider versions are in use across the account?"
  • "Show me module usage by namespace."
  • "What versions of Terraform are running across my infrastructure?"

Drift and compliance

  • "Which workspaces in the production environment have detected drift?"
  • "What policy checks have failed recently?"
  • "Show me pull request policy check results for the last week."

Available MCP Tools

All endpoints marked with x-mcp-tool: true in the Scalr Public OpenAPI Specification are available as MCP tools.

Write operations are limited. Creating workspaces and variables are the only write operations currently supported. Triggering runs, approving applies, and modifying existing resources are not yet available.

CategoryFunctionDescription
Environmentslist_environmentsList all environments
get_environmentGet details of a specific environment
Workspaceslist_workspacesList all workspaces (with filtering and pagination)
get_workspaceGet details of a specific workspace
create_workspaceCreate a new workspace
Runslist_runsList Terraform/OpenTofu runs
get_runGet details of a specific run
get_plan_logGet the plan console output for a run
get_apply_logGet the apply console output for a run
Policy Groupslist_policy_groupsList policy groups
get_policy_groupGet details of a specific policy group
list_pull_request_policy_check_resultsList policy check results for pull requests
Moduleslist_modulesList Terraform modules in the registry
get_moduleGet details of a specific module
VCS Providerslist_vcs_providersList VCS (Version Control System) providers
get_vcs_providerGet details of a specific VCS provider
Variableslist_variablesList variables
get_variableGet detailed info about a specific variable
create_variableCreate a variable in Scalr
Drift Reportslist_drifted_workspaces_for_environmentList workspaces with detected drift in an environment
Token Usagelist_access_token_usageView access token usage statistics
Module Usagelist_module_usage_namespacesList unique module namespaces
list_terraform_module_sourcesList unique Terraform module sources
list_terraform_module_usagesList module usage across workspaces
list_terraform_module_usageGet detailed usage for a specific module
list_terraform_module_versions_usageList module versions in use
Provider Usagelist_terraform_provider_sourcesList unique Terraform provider sources
list_terraform_provider_usagesList provider usage across workspaces
list_terraform_provider_usageGet detailed usage for a specific provider
list_terraform_provider_versions_usageList provider versions in use
Resource Usagelist_terraform_resource_providersList unique resource provider types
list_terraform_resource_usagesList Terraform resource usage
list_terraform_resource_instances_usageList resource instances with details
Version Usagelist_terraform_versions_usage_versionsList Terraform/OpenTofu versions in use
Billing Reportslist_billing_usageReturns information from the billing report
IAMget_access_policyGet details of a specific IAM access policy
get_accountGet information about the current Scalr account
get_permissionGet details of a specific IAM permission
get_roleGet details of a specific IAM role and its permissions
get_service_accountGet details of a specific service account
get_teamGet details of a specific team
get_userGet details of a specific user
get_workload_identity_providerGet details of a specific workload identity provider
list_access_policiesList all IAM access policies
list_permissionsList all available IAM permissions
list_rolesList all IAM roles
list_security_rulesList account-level security rules and settings
list_service_accountsList all service accounts
list_sso_bypass_usersList users allowed to bypass SSO
list_teamsList all teams
list_usersList all users
list_workload_identity_providersList all configured workload identity providers

Troubleshooting

Remote MCP: connection fails immediately

  • Confirm your account administrator has enabled the integration under Account Settings → Integrations → AI Assistant.
  • Verify the URL includes your account name: https://your-account.scalr.io/mcp — not https://scalr.io/mcp.

Claude Desktop doesn't show Scalr tools

  • Check your JSON config syntax (use a JSON validator).
  • Completely quit and reopen Claude Desktop.
  • Confirm Docker is running: docker ps.
  • Check logs:
    • macOS: ~/Library/Logs/Claude/mcp-server-scalr.log
    • Windows: %APPDATA%\Claude\Logs\mcp-server-scalr.log
    • Linux: ~/.config/Claude/logs/mcp-server-scalr.log

Authentication errors

Test your token directly:

curl -H "Authorization: Bearer YOUR_TOKEN" \
     https://your-account.scalr.io/api/iacp/v3/account

Docker pull errors

docker pull scalr/mcp-server:latest
docker images | grep scalr/mcp-server

HTTP server: 401 Unauthorized

  • Add Authorization: Bearer <token> to your client's request headers.
  • Confirm SCALR_API_TOKEN is set if you are relying on the global fallback.

HTTP server: connection refused

  • Set MCP_HTTP_HOST=0.0.0.0 — the default 127.0.0.1 only accepts local connections.
  • Test with: curl http://localhost:8000/health.

HTTP server: CORS errors

  • Add your client's origin to MCP_CORS_ORIGINS, e.g. -e MCP_CORS_ORIGINS='https://your-app.com'.

Support & Resources

Demo