UniFi MCP

Leverage agents and agentic AI workflows to manage your UniFi deployment.

Servers

Cloud Relay

The relay bridges your local MCP servers to a Cloudflare Worker, letting cloud agents access your UniFi tools without exposing local ports. Supports multi-location with annotation-based fan-out for read-only tools. Deploy the worker with npm install -g unifi-mcp-worker && unifi-mcp-worker install, then see the relay README for connecting your local servers.

REST + GraphQL API (non-MCP)

unifi-api-server is a standalone HTTP service exposing the same UniFi capabilities as the MCP servers, but as a REST + GraphQL API for desktop apps, dashboards, and any consumer that doesn't speak MCP. It runs independently of the MCP servers — both share the unifi-core manager packages, neither depends on the other being running. See [apps/api/README.md](apps/api/README.md) for quick-start and deployment patterns.

What is this?

UniFi MCP is a collection of Model Context Protocol servers that let AI assistants and automation tools interact with Ubiquiti UniFi controllers. Each server targets a specific UniFi application (Network, Protect, Access) and exposes its functionality as MCP tools — queryable, composable, and safe by default.

MCP Discovery

UniFi MCP keeps the standard MCP path primary: capable clients discover currently registered tools with tools/list and invoke them with tools/call. The default lazy mode keeps initial context small by exposing UniFi meta-tools first, while eager mode registers all selected domain tools directly for clients that prefer a full standard tool list.

The *_tool_index, *_execute, *_batch, and *_load_tools surfaces are UniFi compatibility extensions for large catalogs, lazy loading, and relay workflows. See MCP Discovery and UniFi Meta-Tools for mode-by-mode behavior.

Quick Start

Claude Code (recommended)

Install via the plugin marketplace — includes the MCP server, an agent skill, and guided setup:

/plugin marketplace add sirkirby/unifi-mcp
/plugin install unifi-network@unifi-plugins
/unifi-network:unifi-network-setup

Repeat for Protect or Access if needed:

/plugin install unifi-protect@unifi-plugins
/plugin install unifi-access@unifi-plugins

Each plugin's setup command walks you through connecting to your controller and configuring permissions.

Codex

Register the UniFi MCP marketplace, then install the plugins from Codex's /plugins UI:

codex plugin marketplace add sirkirby/unifi-mcp

Launch codex, run /plugins, open the UniFi MCP marketplace, and install unifi-network, unifi-protect, or unifi-access. After installing, ask Codex to run the plugin's setup skill, for example:

Use the unifi-network-setup skill to configure this for Codex.

The setup skill registers the MCP server with codex mcp add, stores the selected environment values in Codex's MCP configuration, and keeps the same preview-before-confirm safety model as Claude Code.

UniFi account requirements

The MCP servers authenticate to the local UniFi controller APIs with a local admin/service account. Do not use a Ubiquiti SSO cloud account for MCP setup. For Network MCP today, accounts that require SSO MFA or local 2FA are not supported through configuration; use a dedicated local admin account without MFA for the service account, scoped to the permissions you are comfortable giving the MCP server.

OpenClaw

OpenClaw can install the same UniFi plugin bundles from the marketplace and map their skills plus MCP server definitions into embedded Pi sessions:

openclaw plugins install unifi-network --marketplace https://github.com/sirkirby/unifi-mcp
openclaw gateway restart

Then run the matching setup skill from OpenClaw (unifi-network-setup, unifi-protect-setup, or unifi-access-setup), or configure the server directly:

openclaw mcp set unifi-network '{
  "command": "uvx",
  "args": ["--python-preference", "system", "unifi-network-mcp@latest"],
  "env": {
    "UNIFI_NETWORK_HOST": "192.168.1.1",
    "UNIFI_NETWORK_USERNAME": "admin",
    "UNIFI_NETWORK_PASSWORD": "your-password"
  }
}'

Repeat with unifi-protect or unifi-access as needed. Restart the OpenClaw Gateway after changing MCP server configuration.

Other MCP clients

Run the servers directly:

uvx unifi-network-mcp@latest
uvx unifi-protect-mcp@latest
uvx unifi-access-mcp@latest

For Claude Desktop, add to your claude_desktop_config.json:

{
  "mcpServers": {
    "unifi-network": {
      "command": "uvx",
      "args": ["unifi-network-mcp@latest"],
      "env": {
        // Server-specific vars take priority; UNIFI_* is the fallback
        "UNIFI_NETWORK_HOST": "192.168.1.1",
        "UNIFI_NETWORK_USERNAME": "admin",
        "UNIFI_NETWORK_PASSWORD": "your-password"
      }
    },
    "unifi-protect": {
      "command": "uvx",
      "args": ["unifi-protect-mcp@latest"],
      "env": {
        "UNIFI_PROTECT_HOST": "192.168.1.1",
        "UNIFI_PROTECT_USERNAME": "admin",
        "UNIFI_PROTECT_PASSWORD": "your-password"
      }
    },
    "unifi-access": {
      "command": "uvx",
      "args": ["unifi-access-mcp@latest"],
      "env": {
        "UNIFI_ACCESS_HOST": "192.168.1.1",
        "UNIFI_ACCESS_USERNAME": "admin",
        "UNIFI_ACCESS_PASSWORD": "your-password"
      }
    }
  }
}

Tip: If all servers connect to the same controller, you can use the shared UNIFI_HOST / UNIFI_USERNAME / UNIFI_PASSWORD variables instead of repeating them per server.

Usage Examples

Once connected, just ask your AI agent in natural language:

Network

"Show me all clients on the Guest VLAN with their signal strength and data usage"

"Create a firewall rule that blocks IoT devices from reaching the internet between midnight and 6 AM"

"Audit my firewall policies — are there any redundant or conflicting rules?"

"Show me the top traffic flows from the last hour and group them by destination"

Protect

"List all cameras that detected motion in the last hour"

"Show me smart detection events from the front door camera today — people and vehicles only"

"Find driveway detections for white vans this week"

Access

"Who badged into the office today? Show me a timeline of all door access events"

"Create a visitor pass for John Smith with access to the main entrance tomorrow 9-5"

Cross-Product (requires relay for full experience)

"Show me everything that happened at the front entrance in the last hour" — correlates Network clients, Protect camera events, and Access badge scans in a single timeline

"A switch went offline at 2 AM — was there physical activity nearby?"

All mutations use a preview-then-confirm flow — you see exactly what will change before anything is applied.

Configuration

Set these environment variables (or use a .env file):

Multi-controller setups

Each server supports its own prefixed environment variables that take priority over the shared UNIFI_* variables. This lets you point the Network and Protect servers at different controllers (or different credentials) while keeping a single .env file:

Single controller? Just set the shared UNIFI_* variables -- all servers will use them. Server-specific variables are only needed when the servers talk to different controllers or use different credentials.

For the full configuration reference including permissions, transports, and advanced options, see the Network server docs, Protect server docs, or Access server docs.

Secret redaction

Tool and API responses redact known controller secret fields by default — Wi-Fi passphrases, VPN private/preshared keys, API tokens, SNMP community strings, and Access credential token/PIN values come back as ***REDACTED***. This keeps secrets out of agent context and logs.

When you genuinely need a raw value for local administration, pass include_sensitive=true to the MCP tool (or to the REST action endpoint). To keep an existing secret during an update, simply omit the field — do not pass the ***REDACTED*** marker back; doing so is rejected so the placeholder can never be written as a real secret. See [PRIVACY.md](PRIVACY.md) for the full list of redacted fields.

Agent Skills

Each plugin ships with agent skills that go beyond raw tool access — they teach agents how to perform common tasks effectively:

Skills include reference documentation (device states, alarm types, firewall schemas, event catalogs) and Python scripts for deterministic operations (auditing, config export/diff, template application).

Architecture

This is a monorepo with shared packages:

apps/
  network/          # UniFi Network MCP server (stable, 177 tools)
  protect/          # UniFi Protect MCP server (beta, 58 tools)
  access/           # UniFi Access MCP server (beta, 34 tools)
  worker/           # Cloudflare Worker gateway + npm CLI
packages/
  unifi-core/       # Shared UniFi connectivity (auth, detection, retry)
  unifi-mcp-shared/ # Shared MCP patterns (permissions, tools, diagnostics, config)
  unifi-mcp-relay/  # Cloud relay sidecar (bridges local servers to Cloudflare Worker)
plugins/
  unifi-network/    # Claude Code/Codex/OpenClaw plugin: MCP server + agent skills + setup
  unifi-protect/    # Claude Code/Codex/OpenClaw plugin: MCP server + agent skills + setup
  unifi-access/     # Claude Code/Codex/OpenClaw plugin: MCP server + setup
skills/
  _shared/          # Shared utilities for skill scripts (MCP client, config)
docs/               # Ecosystem-level documentation

Each Python server in apps/ is an independent package that depends on the shared packages. apps/worker/ is intentionally separate: it is a self-contained TypeScript/Node app for the Cloudflare Worker gateway and npm CLI. Keeping it in this repo lets relay protocol changes and worker contract tests move together.

See docs/ARCHITECTURE.md for details.

Development

make sync   # Install Python workspace + worker npm dependencies
make check  # Format check + lint + generated drift checks + tests + worker typecheck
make build  # Build deployable artifacts, including worker typecheck

Contributing

See CONTRIBUTING.md for the development workflow, including how to work with the monorepo, run tests, and submit PRs.

Support the Project

UniFi MCP is maintained as an independent open-source project. Sponsorship helps cover the ongoing AI costs behind building, testing, and maintaining the project, plus live controller compatibility testing, release maintenance, documentation, and issue triage across the Network, Protect, Access, API, relay, and plugin packages.

• Sponsor on GitHub
• See what sponsorship funds

License

MIT