A Model Context Protocol (MCP) server for seamless integration with Commvault environments. This server enables AI agents to securely access and manage job details, commcell metrics, client and storage information, user permissions, plan configurations, and backup schedules.
The Commvault MCP Server enables seamless integration with Commvault environments, offering the following:
| Category | Features |
|---|---|
| Job Management | • View job details and history • Control jobs (suspend, resume, resubmit, kill) • Monitor job status and performance |
| Commcell Management | • Retrieve SLA status and compliance • View security posture and scores • Access storage space utilization metrics • Get commcell details and entity counts |
| Client Management | • Access client groups and client information • Manage subclients and client properties • View client associations |
| Storage Management | • View storage policies and configurations • Access storage pool information • Monitor storage resources |
| User Management | • List users and user groups • Access security associations |
| Plan Management | • View plan configurations and details • Access plan components and settings |
| Schedule Management | • Access backup schedules • View schedule configurations • Monitor schedule performance |
| DocuSign Integration | • Setup Docusign Vault & Workflow • Backup envelopes to Commvault S3 vault • List & restore DocuSign envelope backups |
| Salesforce Integration | • Resolve Salesforce org ID to Commvault client • Browse backed-up Salesforce object records from latest snapshot • Filter records with optional WHERE-clause queries • Paginated access to large record sets |
Before running the Commvault MCP Server, ensure the following requirements are met:
- Python 3.11 or higher
uvpackage manager (used for dependency management and running the server)
The Commvault MCP Server supports two authentication methods:
Option 1: OAuth Authentication
Note: OAuth authentication is only supported for Commvault environments running SP42 CU 27 and above. OAuth must be properly configured in the CommServe before using this option.
When using OAuth authentication, you'll need:
- Discovery Endpoint URL: The OAuth discovery/metadata endpoint
- Client ID: Your OAuth application's client identifier
- Client Secret: Your OAuth application's client secret
- Required Scopes: Required OAuth scopes
- Base URL: Base URL of the MCP Server
Important: The redirect URI must be set to
OAUTH_BASE_URL/auth/callbackin your OAuth provider's app/client configuration.
Option 2: Traditional Token-Based Authentication
The following values will be collected during the setup process:
-
Commvault Access Credentials: You need a valid
access_tokenandrefresh_tokento authenticate with the Commvault API. Learn how to generate these tokens here: Creating an Access Token – Commvault Docs -
Secret Key: This secret must be included by the MCP Client in the
Authorizationheader of all tool requests. It acts as a security layer for tool access in remote server. You can set your own.
Important: When using traditional token-based authentication, the setup script requires a secure, OS-native keyring backend to store sensitive credentials securely. Only secure backends are allowed for security reasons.
Running multiple MCP servers on the same host? The OS keyring is per-user, so by default every install writes to the same keyring slots and the most recent
setup.pyrun overwrites the previous install's credentials. Set a uniqueMCP_INSTANCE_IDper install — see Running Multiple Instances on the Same Host under Additional Configuration.
| Platform | Supported Backends | Description |
|---|---|---|
| Windows | WinVaultKeyring, WinCredentialStore |
Uses Windows Credential Manager (Windows Vault) for secure storage |
| macOS | macOS Keyring |
Uses the native macOS Keychain for secure storage |
| Linux | SecretService (GNOME), KWallet (KDE) |
Uses Freedesktop Secret Service API (GNOME) or KWallet (KDE) for secure storage |
git clone https://github.com/Commvault/commvault-mcp-server.git
cd commvault-mcp-serverThe setup script will guide you through configuration options including:
- Metallic or on-premise deployment — for Metallic setups, the gateway URL is configured automatically
- Transport mode (stdio, streamable-http, or sse)
- Server connection details (for remote modes)
- Authentication method (traditional tokens or OAuth)
- OAuth configuration (if selected)
- Secure token storage
uv run setup.pyMetallic (Cloud) Setup
When prompted "Is this a Metallic setup?", select yes. The setup script will automatically configure:
- Gateway URL:
https://api.metallic.io
No additional configuration is needed for the server URL; all other setup steps (transport mode, authentication, etc.) proceed as normal.
uv run -m src.serverSecure Production Deployment
For production deployments, it is recommended to use a reverse proxy with TLS/HTTPS and security headers. The MCP server should bind to 127.0.0.1 (localhost only) to prevent direct public access.
- Configure MCP Server for localhost: Set
MCP_HOST=127.0.0.1in your.envfile - Install reverse proxy: Choose nginx or Caddy
- Configure TLS: Use Let's Encrypt for automatic certificate management
- Add security headers: Configure OWASP-recommended headers (HSTS, X-Frame-Options, CSP, etc.)
- Update client config: Use
https://your-domain.com/mcpinstead ofhttp://HOST:PORT/mcp
The Docker image runs the server in OAuth mode only.
Prerequisites: Docker installed, and a Commvault environment running SP42 CU 27 or above with OAuth configured.
Run the interactive setup script on your host machine. When prompted for the authentication method, select OAuth.
uv run setup.pyThis produces a .env file with all required variables, including the OAuth endpoints and credentials.
docker build -t commvault-mcp-server .Pass the generated .env file to the container at runtime:
docker run --rm -p 9090:9090 --env-file .env commvault-mcp-serverNote:
npxis required while using Token-Based Authentication. You can get it by installing Node.js which includesnpxby default.
While using OAuth
Refer to your AI client’s documentation for integration steps. For example, Claude requires specifying a server name and the MCP server URL in its connector configuration.
Remote MCP Server (Streamable HTTP / SSE)
{
"mcpServers": {
"Commvault": {
"command": "npx",
"args": ["mcp-remote", "HOST:PORT/mcp", "--header", "Authorization: <secret stored in server keyring>"]
}
}
}
Remote MCP Server (Client on Windows)
{
"mcpServers": {
"Commvault": {
"command": "cmd",
"args": ["/c", "npx", "mcp-remote", "HOST:PORT/mcp", "--header", "Authorization: <secret stored in server keyring>"]
}
}
}
Remote MCP Server (HTTP)
{
"mcpServers": {
"Commvault": {
"command": "npx",
"args": ["mcp-remote", "HOST:PORT/mcp", "--header", "Authorization: <secret stored in server keyring>", "--allow-http"]
}
}
}
Local MCP Server (STDIO) - Unix
{
"mcpServers": {
"Commvault": {
"command": "C:\\YOUR\\PATH\\TO\\commvault-mcp-server\\.venv\\bin\\python",
"args": [
"C:\\YOUR\\PATH\\TO\\commvault-mcp-server\\src\\server.py"
]
}
}
}
Local MCP Server (STDIO) - Windows
{
"mcpServers": {
"Commvault": {
"command": "C:\\YOUR\\PATH\\TO\\commvault-mcp-server\\.venv\\Scripts\\python.exe",
"args": [
"C:\\YOUR\\PATH\\TO\\commvault-mcp-server\\src\\server.py"
]
}
}
}
Note: These are optional configurations that extend the MCP server's capabilities.
Running Multiple Instances on the Same Host
The OS keyring used to store the server secret and Commvault API tokens is per-user. By default every install of the MCP server on a given host writes to the same keyring entries under the service name commvault-mcp-server. If you run two or more MCP server installs under the same OS user, each rerun of setup.py silently overwrites the other instances' credentials, which typically surfaces as a 401 Invalid token after a restart or reboot of the unaffected instance.
To run multiple MCP server instances on the same host under the same OS user, set a unique MCP_INSTANCE_ID per install. The setup script prompts for it at the start; you can also set it directly in each install's .env:
# Instance A's .env
MCP_INSTANCE_ID=prod
# Instance B's .env
MCP_INSTANCE_ID=drWith an instance ID set, the keyring service name becomes commvault-mcp-server:<MCP_INSTANCE_ID>, isolating each install's server_secret, server_secret_expiry, access_token, and refresh_token.
- Allowed characters: letters, digits,
.,-,_(max 32 chars). - Leaving
MCP_INSTANCE_IDunset (or setting it todefault) preserves the original behaviour and reuses the existingcommvault-mcp-serverkeyring entries, so existing single-instance installs do not need to do anything. - Each install should still live in its own directory with its own
.envso transport mode, port,CC_SERVER_URL, etc. don't collide. The instance ID only namespaces the keyring. - After changing
MCP_INSTANCE_IDfor an existing install, rerunuv run setup.pyso the secret and tokens are written under the new namespaced service name. - Alternative isolation strategies that also work: run each instance under a dedicated OS user, or in its own host/VM/container.
Trusted Proxy Configuration
When deployed behind a reverse proxy or load balancer, configure TRUSTED_PROXY_IPS environment variable with comma-separated proxy IP addresses to enable per-client rate limiting using the X-Forwarded-For header. For example:
export TRUSTED_PROXY_IPS="10.0.0.1,10.0.0.2,192.168.1.100"Salesforce Backup Integration
The Salesforce integration enables browsing of backed-up Salesforce records stored in Commvault. It provides two tools:
| Tool | Description |
|---|---|
get_salesforce_client |
Resolves a Salesforce Organisation ID (15- or 18-character) to the corresponding Commvault clientId |
get_salesforce_records |
Fetches backed-up records for a Salesforce object (e.g. Account, Contact, Opportunity) from the latest backup snapshot |
- Environment Variable: Set
ENABLE_SALESFORCE_TOOLS=truein your environment - Commvault Salesforce Backup: At least one Salesforce organisation must be configured and backed up in Commvault
To browse backed-up Account records for a Salesforce org:
Get all backed-up Account records for Salesforce org 00D2w000005mBCpEAM
The tool will automatically resolve the org ID to a Commvault client and return the latest backed-up records.
| Parameter | Required | Description |
|---|---|---|
salesforce_org_id |
Yes | Salesforce Organisation ID (15 or 18 characters) |
object_name |
Yes | Salesforce API object name (e.g. Account, Contact) |
limit |
No | Max records to return (default 50, max 1000) |
offset |
No | Pagination offset (default 0) |
free_query |
No | Optional WHERE-clause filter (e.g. "Name = 'Acme'") |
DocuSign Backup Integration
The DocuSign backup integration enables backup of completed DocuSign envelopes to a Commvault S3 vault. This integration provides comprehensive document management capabilities including backup, listing, and restore operations.
- Environment Variable: Set
ENABLE_DOCUSIGN_TOOLS=truein your environment - Commvault S3 Vault: Configure an S3 endpoint in Commvault
- Learn more: Getting Started with S3 Vault
- DocuSign API Access: Valid DocuSign integration credentials
Create the following files in the config/ directory:
Based on the template file config/docusign_config_template.json:
{
"docusign": {
"integrationKey": "YOUR_INTEGRATION_KEY_HERE",
"userId": "YOUR_USER_ID_HERE",
"authServer": "account-d.docusign.com",
"scopes": "signature impersonation",
"basePath": "https://demo.docusign.net/restapi"
},
"fromDate": "2024-07-01T00:00:00Z"
}Place your DocuSign private key file in the config/ directory as docusign_key.pem.
We do not recommend using LiteLLM as an MCP client. LiteLLM's per-turn session lifecycle triggers cosmetic ClosedResourceError tracebacks in the server terminal due to a race condition in the upstream mcp Python SDK — these are harmless but noisy.
- We're continuing to add more functionality to this MCP server. If you'd like to leave feedback, file a bug or provide a feature request, please open an issue on this repository.
- Pull requests are welcome! For major changes, please open an issue first to discuss what you would like to change.
This project is licensed under the Apache License. See the LICENSE file for details.