Skip to main content

Ubiquiti UniFi MCP Server — monitoring, security, and full Integration-API resource management (networks/VLANs, WiFi, firewall, ACL, DNS, vouchers)

Project description

ubiquiti-unifi-blade-mcp

An MCP server that gives AI agents structured access to Ubiquiti UniFi network controllers. Built for the Model Context Protocol with security visibility and token efficiency as first-class design goals.

Why this exists

UniFi controllers expose a rich but undocumented REST API behind cookie-based auth with CSRF tokens and optional 2FA. The aiounifi library (MIT, powers the Home Assistant integration) handles the protocol complexity — UniFi OS vs classic controller detection, TOTP 2FA, websocket events. This MCP wraps it with the guardrails that automated agents need:

  • Security-first tool set — 18 tools focused on what network security agents actually need: device health, client visibility, firewall state, traffic rules, DPI restrictions, port forwards. Not 161 tools for every possible configuration change.
  • Token-efficient output — compact pipe-delimited format. A 30-device network in ~50 tokens per device. Client listings with signal strength, experience score, and blocked status at a glance.
  • Write-gated mutations — client blocking, WLAN toggling, device restart, and traffic route changes require explicit opt-in via UNIFI_WRITE_ENABLED=true. Destructive operations (block, restart) additionally require per-call confirm=true.
  • Multi-controller — manage home and office networks from a single MCP instance. Each controller authenticates independently with separate sessions.

How this differs from other UniFi MCPs

ubiquiti-unifi-blade-mcp sirkirby/unifi-mcp enuno/unifi-mcp-server
Focus Monitoring + security + Integration-API resource mgmt (28 tools) Full management (161 tools) Full management (74 tools)
Design for LLM agents (token-efficient) Claude Code (lazy loading) General MCP clients
Multi-controller Native (env var config) Single controller Multi-mode (local/cloud)
Write safety Dual-gated (env + confirm) Preview-then-confirm Permission model
2FA support TOTP via aiounifi TOTP support API key option
Output Pipe-delimited, compact Full JSON Full JSON
Marketplace Sidereal certified Claude Code plugin Standalone

Use this blade-MCP for agent-driven monitoring and security. Use sirkirby/unifi-mcp (available as a community listing in the Sidereal marketplace) when you need full network configuration management.

Quick start

# Install
uv pip install -e .

# Configure (monitoring tools — username/password)
export UNIFI_HOST="192.168.1.1"
export UNIFI_USERNAME="admin"
export UNIFI_PASSWORD="your-password"
export UNIFI_VERIFY_SSL="false"  # Common for self-signed certs

# Configure (network/VLAN tools — Integration API key)
# Generate in UniFi Network → Settings → Control Plane → Integrations
export UNIFI_API_KEY="your-x-api-key"

# Run
ubiquiti-unifi-blade-mcp

Authentication: two modes

Mode Env Drives Endpoint Support status
API key UNIFI_API_KEY (X-API-KEY) Networks/VLANs + all unifi_resource_* tools (WiFi, firewall, ACL, DNS, vouchers, …) Official Integration API (/proxy/network/integration/v1) — stateless Official & supported by Ubiquiti
Session UNIFI_USERNAME + UNIFI_PASSWORD (+ optional UNIFI_TOTP_SECRET) Monitoring/security read tools (devices, clients, firewall view, WLANs, DPI, traffic, port forwards) Legacy private controller API via aiounifi (cookie/CSRF) ⚠️ Unofficial / unsupported

Either or both may be set. The Integration-API tools require the API key (the only path that supports writes); the monitoring read tools require username/password.

⚠️ The session-mode (monitoring) tools use an UNOFFICIAL API

The aiounifi-backed monitoring tools talk to UniFi's private, undocumented controller API (/api/s/{site}/...). Ubiquiti does not support, document, or guarantee this surface — it can change or break without notice across firmware updates (UniFi Network majors have repeatedly altered it). It works today via the community aiounifi library (which also powers Home Assistant), but treat these tools as best-effort.

The official, supported path is the Integration API (X-API-KEY). Everything reachable through unifi_networks / unifi_network / the unifi_resource_* tools rides that surface. Prefer API-key mode wherever a capability exists on both. As Ubiquiti expands the Integration API, the unofficial session tools should be migrated onto it and eventually retired.

Generating an API key

The API key is generated on the UniFi console UI (not via this MCP). Ubiquiti relabels the Settings tree fairly often, so the exact wording drifts between releases.

As of UniFi Network 10.4 (June 2026):

  1. Open the UniFi Network application (the local console UI at https://<controller-ip>, or via unifi.ui.com → your console).
  2. Settings (gear icon) → Control PlaneIntegrations. (On some 10.x builds this appears as Settings → SystemIntegrations, or Admins & UsersAPI Keys — if "Control Plane" isn't present, look for "Integrations" or "API" anywhere under Settings → System.)
  3. Click Create API Key, give it a name (e.g. blade-mcp), and copy the key immediately — it is shown only once.
  4. The key is account- and site-scoped; store it in your secrets manager and set it as UNIFI_API_KEY.

Verify scope before relying on writes: the key inherits your admin role. A read-only/viewer admin yields a key that will 403 on create/update/delete. Use a Full-Management / Super Admin account if you need VLAN/firewall writes.

If the menu doesn't match: open the console's built-in API reference (linked from the Integrations page) — it always reflects your installed version, and is the authoritative source when this doc has aged. Requires UniFi Network 9.0+ (full network/VLAN/firewall CRUD confirmed on 10.x).

28 tools, 7 categories

Info & Sites (2 tools)

Tool Purpose Token cost
unifi_info Health check — controller version, hostname, device/client counts, write gate ~60
unifi_sites List sites on the controller ~20/site

Networks & VLANs (2 read tools — require UNIFI_API_KEY)

Tool Purpose Token cost
unifi_networks List networks/VLANs — name, VLAN id, enabled, purpose, subnet ~25/network
unifi_network Full detail — VLAN id, subnet, gateway, purpose ~60

Devices (2 tools) — ⚠️ unofficial API

Tool Purpose Token cost
unifi_devices List APs, switches, gateways — model, state, clients, uptime, firmware ~50/device
unifi_device Full detail — port table with PoE, firmware, upgrade status ~150

Clients (2 tools) — ⚠️ unofficial API

Tool Purpose Token cost
unifi_clients Connected clients — name, IP, SSID, signal, experience, blocked ~40/client
unifi_client Full detail — TX/RX, vendor (OUI), AP association ~120

Firewall & Security (5 tools) — ⚠️ unofficial API (read-only)

These read views ride the unofficial private API (see the auth warning above). For managed firewall, use the official unifi_resource_* tools with firewall_policies / firewall_zones / acl_rules.

Tool Purpose Token cost
unifi_firewall Firewall policies — name, action, enabled/disabled ~30/policy
unifi_traffic_routes Traffic routes — description, enabled/disabled, target ~25/route
unifi_traffic_rules Traffic rules — description, action, enabled/disabled ~25/rule
unifi_port_forwards Port forwards — name, protocol, external → internal ~30/fwd
unifi_dpi DPI restriction groups and apps ~20/item

Write Operations (10 tools, gated)

The first six ride the unofficial private API (⚠️); the three *_network tools use the official Integration API (✅).

Tool Gate API Purpose
unifi_block_client write + confirm ⚠️ unofficial Block a client from the network
unifi_unblock_client write ⚠️ unofficial Unblock a previously blocked client
unifi_reconnect_client write ⚠️ unofficial Force a wireless client to reconnect
unifi_toggle_wlan write ⚠️ unofficial Enable or disable an SSID
unifi_toggle_traffic_route write ⚠️ unofficial Enable or disable a traffic route
unifi_restart_device write + confirm ⚠️ unofficial Restart an AP, switch, or gateway
unifi_create_network write + confirm + API key ✅ official Create a network/VLAN
unifi_update_network write + confirm + API key ✅ official Update a network/VLAN (supplied fields)
unifi_delete_network write + confirm + API key ✅ official Delete a network/VLAN

Integration-API resources (5 generic tools — require UNIFI_API_KEY)

Beyond the dedicated network tools, a generic CRUD surface covers the rest of the official UniFi Integration API resources. Writes take a raw JSON body per the on-console schema; reads/lists work for all.

Tool Gate Purpose
unifi_resource_list API key List items of any resource below
unifi_resource_get API key Full detail for one item
unifi_resource_create write + confirm + API key Create an item (raw body)
unifi_resource_update write + confirm + API key Update (PUT) an item (raw body)
unifi_resource_delete write + confirm + API key Delete an item

resource values → Integration-API path:

Resource Path (/proxy/network/integration/v1/sites/{id}/…) Writable
networks networks
wifi wifi/broadcasts
firewall_policies firewall/policies
firewall_zones firewall/zones
acl_rules acl-rules
dns_policies dns/policies
traffic_matching_lists traffic-matching-lists
vouchers hotspot/vouchers
wan_interfaces wans read-only
radius_profiles radius/profiles read-only
vpn_servers vpn/servers read-only
vpn_tunnels vpn/site-to-site-tunnels read-only
device_tags device-tags read-only

Paths verified against the Art-of-WiFi v10 client + UniFi developer docs (Network 10.1.84 baseline). Port forwards, traffic routes/rules, and QoS are not in the official Integration API — those stay on the legacy read tools (unifi_port_forwards, unifi_traffic_routes, unifi_traffic_rules). Confirm exact write payloads against Settings → Control Plane → Integrations on your console.

Output format

Office AP | uap | model=U6-Pro | ip=192.168.1.10 | connected | clients=12 | up=10d0h | mac=aa:bb:cc:dd:ee:01
Core Switch | usw | model=USW-Pro-48-PoE | ip=192.168.1.2 | connected | up=30d0h | UPGRADE_AVAILABLE | mac=aa:bb:cc:dd:ee:02
Gateway | ugw | model=UDM-Pro | ip=192.168.1.1 | connected | up=60d0h | mac=aa:bb:cc:dd:ee:03
MacBook Pro | ip=192.168.1.100 | ssid=HomeNet | rssi=-55 | exp=98% | up=12h0m | mac=11:22:33:44:55:01
NAS | ip=192.168.1.50 | wired | exp=100% | up=30d0h | mac=11:22:33:44:55:02
Unknown Device | ip=192.168.1.200 | ssid=IoT-Net | rssi=-72 | exp=65% | BLOCKED | mac=11:22:33:44:55:03

Multi-controller support

export UNIFI_CONTROLLERS="home,office"
export UNIFI_HOME_HOST="192.168.1.1"
export UNIFI_HOME_USERNAME="admin"
export UNIFI_HOME_PASSWORD="home-password"
export UNIFI_OFFICE_HOST="10.0.0.1"
export UNIFI_OFFICE_USERNAME="admin"
export UNIFI_OFFICE_PASSWORD="office-password"

Pass controller="office" to any tool. Omit for the first configured controller.

Security model

Layer Mechanism
Write gate UNIFI_WRITE_ENABLED=true required for any mutation
Destructive confirm unifi_block_client, unifi_restart_device, and all unifi_*_network write tools require confirm=true
Credential scrubbing Passwords, cookies, CSRF tokens, X-API-KEY, session IDs stripped from errors
Controller API key UNIFI_API_KEY (X-API-KEY) — scoped Integration API key for network/VLAN tools
HTTP transport auth UNIFI_MCP_API_TOKEN bearer token; HTTP transport refuses to start without it (loopback-only, stdio is the default)
Session isolation Each controller authenticates independently
SSL configurable UNIFI_VERIFY_SSL=true for environments with proper certs
2FA support TOTP via UNIFI_TOTP_SECRET (base32 encoded)

Sidereal integration

{
  "mcpServers": {
    "unifi": {
      "type": "stdio",
      "command": "uv",
      "args": ["--directory", "~/src/ubiquiti-unifi-blade-mcp", "run", "ubiquiti-unifi-blade-mcp"],
      "env": {
        "UNIFI_HOST": "192.168.1.1",
        "UNIFI_USERNAME": "admin",
        "UNIFI_PASSWORD": "...",
        "UNIFI_VERIFY_SSL": "false",
        "UNIFI_WRITE_ENABLED": "false"
      }
    }
  }
}

Webhook trigger patterns

  • Device state changesunifi_devices returns state (connected/disconnected/upgrading), enabling alerts on AP/switch failures
  • New/unknown clientsunifi_clients with blocked status for intrusion detection workflows
  • Firmware availabilityunifi_devices flags UPGRADE_AVAILABLE for maintenance scheduling
  • Firewall auditunifi_firewall + unifi_port_forwards for periodic security posture checks

Development

make install-dev    # Install with dev + test dependencies
make test           # Unit tests (mocked, no controller needed)
make check          # Lint + format + type-check
make run            # Start MCP server (stdio)

Architecture

src/ubiquiti_unifi_blade_mcp/
├── server.py       — FastMCP server, 28 @mcp.tool decorators
├── client.py       — UniFiClient: aiounifi session auth + Integration API (X-API-KEY) generic resource layer, multi-controller, credential scrubbing
├── formatters.py   — Token-efficient output (pipe-delimited, null omission, human units)
├── models.py       — Controller config, auth modes, write gate, network payload builder
└── auth.py         — Bearer token middleware for HTTP transport

Built with FastMCP 2.0 and aiounifi.

Acknowledgements

  • Kane610/aiounifi — the async UniFi library that powers this and the Home Assistant integration
  • sirkirby/unifi-mcp — comprehensive UniFi MCP for full network management (available as community listing)

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ubiquiti_unifi_blade_mcp-0.4.0.tar.gz (136.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ubiquiti_unifi_blade_mcp-0.4.0-py3-none-any.whl (27.8 kB view details)

Uploaded Python 3

File details

Details for the file ubiquiti_unifi_blade_mcp-0.4.0.tar.gz.

File metadata

  • Download URL: ubiquiti_unifi_blade_mcp-0.4.0.tar.gz
  • Upload date:
  • Size: 136.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ubiquiti_unifi_blade_mcp-0.4.0.tar.gz
Algorithm Hash digest
SHA256 119790ce09fa937da2991cfe53470db29a65fe88e71314eb4784965323650fc4
MD5 d59a069fc97246c0b59bc3a98f67b499
BLAKE2b-256 3cb269cf8a1efc90ffec9e741d9aedfabc8e2adc4c012782786ecb161b7aef98

See more details on using hashes here.

Provenance

The following attestation bundles were made for ubiquiti_unifi_blade_mcp-0.4.0.tar.gz:

Publisher: publish.yml on Groupthink-dev/ubiquiti-unifi-blade-mcp

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ubiquiti_unifi_blade_mcp-0.4.0-py3-none-any.whl.

File metadata

File hashes

Hashes for ubiquiti_unifi_blade_mcp-0.4.0-py3-none-any.whl
Algorithm Hash digest
SHA256 7874b8a9d775be04fe670461bf42c95d57fb1174349364c960ebe10bbd18bc4f
MD5 579ac6947ee790b5cf03220d4031c0e8
BLAKE2b-256 b7e712ae3f6236629efc56bb9d295c340de78e4ceca3c4b0d3b976ae4633147b

See more details on using hashes here.

Provenance

The following attestation bundles were made for ubiquiti_unifi_blade_mcp-0.4.0-py3-none-any.whl:

Publisher: publish.yml on Groupthink-dev/ubiquiti-unifi-blade-mcp

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page