MCP server for ioBroker
This adapter exposes ioBroker as an MCP (Model Context Protocol) server, so MCP-capable clients (e.g. Claude Desktop) can read and control your installation through a well-defined set of tools.
- MCP server over the Streamable HTTP transport (
/mcpendpoint) - Configurable HTTP/HTTPS web server
- Configurable port and bind address
- Optional authentication
- Optional SSL/TLS support
- Network diagnostics (ICMP ping / TCP probe) to troubleshoot adapter connections
- Adapter repository search to recommend installable adapters
The adapter can run in two ways:
-
Standalone (default) – it starts its own web server on the configured port. The MCP endpoint is
http(s)://<host>:<port>/mcp. -
Web extension – it runs inside an existing
webadapter instance and shares its web server (port, authentication, SSL). Select the target web instance in the admin configuration ("Extend WEB adapter"). The MCP endpoint is then served under the web adapter, e.g.http(s)://<host>:8082/mcp/.When a web instance is selected, the standalone server settings (port, bind address, authentication, SSL) are hidden because they are inherited from the chosen
webinstance.
The adapter can be configured through the ioBroker admin interface using JSONConfig:
- Extend WEB adapter: Select a
webinstance to run as its extension. Leave empty to run standalone. - Port: The port on which the web server will listen (default: 8093) – standalone only
- Bind Address: IP address to bind the server to (0.0.0.0 for all interfaces) – standalone only
- Enable Authentication: When enabled (standalone mode), every request to the
/mcpendpoint must present valid ioBroker credentials, otherwise it is rejected with401 Unauthorized. When disabled, the endpoint is reachable without credentials — only use that on a trusted network or behind a reverse proxy that provides its own authentication. As a web extension the hostwebinstance's authentication applies instead, so this switch has no effect there. - Default User: The ioBroker user whose permissions every MCP request runs with (default:
admin). All object/state reads and writes performed by the tools are executed in the name of this user, so the user's ACLs are enforced. A plain name likeoperatoris automatically expanded tosystem.user.operator. When running as a web extension and no user is set here, the hostwebinstance's default user is used.
Clients may authenticate in either of two ways:
-
HTTP Basic auth — send an
Authorization: Basic <base64(user:password)>header with every request (e.g.curl -u mcpserver:secret ...). Simplest for headless/script clients. -
Bearer access token — obtain a token once and send it as
Authorization: Bearer <access_token>:curl -X POST https://HOST:PORT/oauth/token \ -H 'Content-Type: application/x-www-form-urlencoded' \ -d 'grant_type=password&client_id=ioBroker&username=mcpserver&password=secret' # → { "access_token": "...", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "..." }
Note that authentication only gates access to the endpoint; the tools still run with the Default User's permissions regardless of which user authenticated. Give the Default User an ioBroker account with exactly the ACLs the MCP client should have.
- Allow setting states: Allow MCP clients to write state values (the
set_stateandset_statestools). Default: on. - Allow object/file changes: Allow MCP clients to create/modify/delete objects and files (the
set_object,delete_object,create_state,create_scene,write_file,delete_file,rename_fileandmkdirtools). Default: off. When off, these tools are not exposed at all.
- Enable HTTPS: Enable HTTPS/SSL for secure connections
- Public Certificate: Path to the public certificate file
- Private Key: Path to the private key file
- Chained Certificate: Path to the chained certificate file (optional)
The MCP server is served at POST/GET/DELETE /mcp using the Streamable HTTP transport with per-session
state (tracked via the Mcp-Session-Id header). Point your MCP client at:
- standalone:
http(s)://<host>:<port>/mcp - web extension:
http(s)://<host>:<webPort>/mcp/
| Tool | Description |
|---|---|
get_states |
Retrieve the current value of one or multiple states; IDs may contain wildcards (e.g. hue.0.*.brightness) |
get_object |
Read a single object by its ID |
search_objects |
Search objects/states by keyword (matched against ID and name); optional filters for object type, role, room and source adapter instance |
list_devices |
List detected devices grouped by room (uses the ioBroker type-detector to expose functional devices with named controls); optional language and room filter |
list_instances |
List adapter instances with their status |
list_adapters |
List installed adapters with metadata (version, title, description, keywords) |
search_adapter_repository |
Search the ioBroker adapter repository (all installable adapters, not just installed ones) by keyword; optional type category, onlyNotInstalled and language filters — use it to recommend which adapter to install for a device/service |
list_hosts |
List ioBroker hosts with their status |
list_rooms |
List rooms (enum.rooms.*) with localized names and member details; optional language and withIcons |
list_functions |
List functions (enum.functions.*) with localized names and member details; optional language and withIcons |
history_query |
Query historical values (requires a history adapter); aggregations: raw, min, max, avg, sum, count, minmax, percentile, quantile, integral |
read_file |
Read a file from an adapter file storage (optional base64) |
list_files |
List a directory in an adapter file storage |
file_exists |
Check whether a file exists in an adapter file storage |
get_logs |
Retrieve recent ioBroker log lines; optional filters by level (error/warn/info/debug), source adapter and start time (from_ts) |
write_log |
Write a message to the ioBroker log |
system_info |
Get system and js-controller information |
ping_host |
Diagnose connectivity to a network device: ICMP ping to host plus an optional TCP connect to port — useful to investigate adapter ETIMEDOUT/connection errors |
set_state |
Set the value of a state (value coerced to the state type) — requires Allow setting states |
set_states |
Set multiple states in one call (for scenes/group actions like "all lights off") — requires Allow setting states |
set_object |
Create/update an object (merges common/native) — requires Allow object/file changes |
delete_object |
Delete an object, optionally with all children — requires Allow object/file changes |
create_state |
Create a new state object with type/role/unit/min/max and optional initial value — requires Allow object/file changes |
create_scene |
Create or update a scene for the ioBroker scenes adapter (state/value pairs applied together) — requires Allow object/file changes |
write_file |
Write a file to an adapter file storage — requires Allow object/file changes |
delete_file |
Delete a file from an adapter file storage — requires Allow object/file changes |
rename_file |
Rename/move a file within the same adapter file storage — requires Allow object/file changes |
mkdir |
Create a directory in an adapter file storage — requires Allow object/file changes |
All object/state access runs with the permissions of the configured Default User. The write tools are only registered when their respective permission option is enabled.
States and objects are also exposed as MCP resources using the canonical ioBroker URI scheme, so clients
can read and subscribe to them. The server pushes changes over the Streamable HTTP SSE stream
(notifications/resources/updated).
- States:
iobstate://<id>(e.g.iobstate://javascript.0.temperature) –resources/readreturns{ id, val, ack, ts, lc, q }. - Objects:
iobobject://<id>(e.g.iobobject://system.adapter.admin.0) –resources/readreturns the object. - Logs:
ioblog://all(every source) orioblog://<source>(e.g.ioblog://admin.0) –resources/readreturns the recent log lines ({ source, logs: [{ ts, level, source, message }] }). Subscribing enables log forwarding for the adapter; each new matching line triggers anotifications/resources/updated. resources/subscribesubscribes to the underlying ioBroker state/object/log; on every change the client receives anotifications/resources/updatedfor that URI and re-reads it.resources/unsubscribestops it.
Subscriptions are tracked per session and ref-counted, so the adapter subscribes to a state/object only once regardless of how many clients/sessions watch it, and unsubscribes when the last one leaves.
(Files use iobfile://<adapter>/<path> in the same scheme; they are available via the read_file/write_file
tools rather than as subscribable resources.)
GET /- Basic server informationGET /status- Server status, uptime and active session countGET /api/info- Adapter information
- (@GermanBluefox) Better rooms and name resolution
- (@GermanBluefox) Fixed authentication: with "Enable Authentication" on, the standalone MCP endpoint now
requires valid ioBroker credentials (Bearer token or HTTP Basic auth) and rejects anonymous requests with
401 Unauthorized(#44)
- (@GermanBluefox) Initial development
MIT License
Copyright (c) 2026 ioBroker
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.