Commvault
Interact with Commvault software to access job details, security posture, and SLA status of the commcell.
Commvault MCP Server
A Model Context Protocol (MCP) server for seamless integration with Commvault environments. This server enables AI agents to securely access and manage job details, commcell metrics, client and storage information, user permissions, plan configurations, and backup schedules.
Features
The Commvault MCP Server enables seamless integration with Commvault environments, offering the following:
| Category | Features |
|---|---|
| Job Management | • View job details and history • Control jobs (suspend, resume, resubmit, kill) • Monitor job status and performance |
| Commcell Management | • Retrieve SLA status and compliance • View security posture and scores • Access storage space utilization metrics • Get commcell details and entity counts |
| Client Management | • Access client groups and client information • Manage subclients and client properties • View client associations |
| Storage Management | • View storage policies and configurations • Access storage pool information • Monitor storage resources |
| User Management | • List users and user groups • Access security associations |
| Plan Management | • View plan configurations and details • Access plan components and settings |
| Schedule Management | • Access backup schedules • View schedule configurations • Monitor schedule performance |
| DocuSign Integration | • Setup Docusign Vault & Workflow • Backup envelopes to Commvault S3 vault • List & restore DocuSign envelope backups |
| Salesforce Integration | • Resolve Salesforce org ID to Commvault client • Browse backed-up Salesforce object records from latest snapshot • Filter records with optional WHERE-clause queries • Paginated access to large record sets |
Prerequisites
Before running the Commvault MCP Server, ensure the following requirements are met:
1. Python Environment
- Python 3.11 or higher
uvpackage manager (used for dependency management and running the server)
2. Authentication & Security Configuration
The Commvault MCP Server supports two authentication methods:
Option 1: OAuth Authentication
Note: OAuth authentication is only supported for Commvault environments running SP42 CU 27 and above. OAuth must be properly configured in the CommServe before using this option.
When using OAuth authentication, you'll need:
- Discovery Endpoint URL: The OAuth discovery/metadata endpoint
- Client ID: Your OAuth application's client identifier
- Client Secret: Your OAuth application's client secret
- Required Scopes: Required OAuth scopes
- Base URL: Base URL of the MCP Server
Important: The redirect URI must be set to
OAUTH_BASE_URL/auth/callbackin your OAuth provider's app/client configuration.
Option 2: Traditional Token-Based Authentication
The following values will be collected during the setup process:
-
Commvault Access Credentials: You need a valid
access_tokenandrefresh_tokento authenticate with the Commvault API. Learn how to generate these tokens here: Creating an Access Token – Commvault Docs -
Secret Key: This secret must be included by the MCP Client in the
Authorizationheader of all tool requests. It acts as a security layer for tool access in remote server. You can set your own.
Important: When using traditional token-based authentication, the setup script requires a secure, OS-native keyring backend to store sensitive credentials securely. Only secure backends are allowed for security reasons.
Supported Secure Backends by Platform
| Platform | Supported Backends | Description |
|---|---|---|
| Windows | WinVaultKeyring, WinCredentialStore | Uses Windows Credential Manager (Windows Vault) for secure storage |
| macOS | macOS Keyring | Uses the native macOS Keychain for secure storage |
| Linux | SecretService (GNOME), KWallet (KDE) | Uses Freedesktop Secret Service API (GNOME) or KWallet (KDE) for secure storage |
Setup
1. Clone the repository
git clone https://github.com/Commvault/commvault-mcp-server.git
cd commvault-mcp-server
2. Run the Setup Script
The setup script will guide you through configuration options including:
- Metallic or on-premise deployment — for Metallic setups, the gateway URL is configured automatically
- Transport mode (stdio, streamable-http, or sse)
- Server connection details (for remote modes)
- Authentication method (traditional tokens or OAuth)
- OAuth configuration (if selected)
- Secure token storage
uv run setup.py
Metallic (Cloud) Setup
When prompted "Is this a Metallic setup?", select yes. The setup script will automatically configure:
- Gateway URL:
https://api.metallic.io
No additional configuration is needed for the server URL; all other setup steps (transport mode, authentication, etc.) proceed as normal.
3. Start the MCP Server
uv run -m src.server
Secure Production Deployment
For production deployments, it is recommended to use a reverse proxy with TLS/HTTPS and security headers. The MCP server should bind to 127.0.0.1 (localhost only) to prevent direct public access.
Quick Setup
- Configure MCP Server for localhost: Set
MCP_HOST=127.0.0.1in your.envfile - Install reverse proxy: Choose nginx or Caddy
- Configure TLS: Use Let's Encrypt for automatic certificate management
- Add security headers: Configure OWASP-recommended headers (HSTS, X-Frame-Options, CSP, etc.)
- Update client config: Use
https://your-domain.com/mcpinstead ofhttp://HOST:PORT/mcp
Running with Docker
The Docker image runs the server in OAuth mode only.
Prerequisites: Docker installed, and a Commvault environment running SP42 CU 27 or above with OAuth configured.
1. Generate a .env file
Run the interactive setup script on your host machine. When prompted for the authentication method, select OAuth.
uv run setup.py
This produces a .env file with all required variables, including the OAuth endpoints and credentials.
2. Build the image
docker build -t commvault-mcp-server .
3. Run the container
Pass the generated .env file to the container at runtime:
docker run --rm -p 9090:9090 --env-file .env commvault-mcp-server
Configuring Clients
Note:
npxis required while using Token-Based Authentication. You can get it by installing Node.js which includesnpxby default.
While using OAuth
Refer to your AI client’s documentation for integration steps. For example, Claude requires specifying a server name and the MCP server URL in its connector configuration.
Remote MCP Server (Streamable HTTP / SSE)
{
"mcpServers": {
"Commvault": {
"command": "npx",
"args": ["mcp-remote", "HOST:PORT/mcp", "--header", "Authorization: <secret stored in server keyring>"]
}
}
}
Remote MCP Server (Client on Windows)
{
"mcpServers": {
"Commvault": {
"command": "cmd",
"args": ["/c", "npx", "mcp-remote", "HOST:PORT/mcp", "--header", "Authorization: <secret stored in server keyring>"]
}
}
}
Remote MCP Server (HTTP)
{
"mcpServers": {
"Commvault": {
"command": "npx",
"args": ["mcp-remote", "HOST:PORT/mcp", "--header", "Authorization: <secret stored in server keyring>", "--allow-http"]
}
}
}
Local MCP Server (STDIO) - Unix
{
"mcpServers": {
"Commvault": {
"command": "C:\\YOUR\\PATH\\TO\\commvault-mcp-server\\.venv\\bin\\python",
"args": [
"C:\\YOUR\\PATH\\TO\\commvault-mcp-server\\src\\server.py"
]
}
}
}
Local MCP Server (STDIO) - Windows
{
"mcpServers": {
"Commvault": {
"command": "C:\\YOUR\\PATH\\TO\\commvault-mcp-server\\.venv\\Scripts\\python.exe",
"args": [
"C:\\YOUR\\PATH\\TO\\commvault-mcp-server\\src\\server.py"
]
}
}
}
Additional Configuration
Note: These are optional configurations that extend the MCP server's capabilities.
Trusted Proxy Configuration
When deployed behind a reverse proxy or load balancer, configure TRUSTED_PROXY_IPS environment variable with comma-separated proxy IP addresses to enable per-client rate limiting using the X-Forwarded-For header. For example:
export TRUSTED_PROXY_IPS="10.0.0.1,10.0.0.2,192.168.1.100"
Salesforce Backup Integration
The Salesforce integration enables browsing of backed-up Salesforce records stored in Commvault. It provides two tools:
| Tool | Description |
|---|---|
get_salesforce_client | Resolves a Salesforce Organisation ID (15- or 18-character) to the corresponding Commvault clientId |
get_salesforce_records | Fetches backed-up records for a Salesforce object (e.g. Account, Contact, Opportunity) from the latest backup snapshot |
Prerequisites
- Environment Variable: Set
ENABLE_SALESFORCE_TOOLS=truein your environment - Commvault Salesforce Backup: At least one Salesforce organisation must be configured and backed up in Commvault
Usage Example
To browse backed-up Account records for a Salesforce org:
Get all backed-up Account records for Salesforce org 00D2w000005mBCpEAM
The tool will automatically resolve the org ID to a Commvault client and return the latest backed-up records.
Parameters for get_salesforce_records
| Parameter | Required | Description |
|---|---|---|
salesforce_org_id | Yes | Salesforce Organisation ID (15 or 18 characters) |
object_name | Yes | Salesforce API object name (e.g. Account, Contact) |
limit | No | Max records to return (default 50, max 1000) |
offset | No | Pagination offset (default 0) |
free_query | No | Optional WHERE-clause filter (e.g. "Name = 'Acme'") |
DocuSign Backup Integration
The DocuSign backup integration enables backup of completed DocuSign envelopes to a Commvault S3 vault. This integration provides comprehensive document management capabilities including backup, listing, and restore operations.
Prerequisites
- Environment Variable: Set
ENABLE_DOCUSIGN_TOOLS=truein your environment - Commvault S3 Vault: Configure an S3 endpoint in Commvault
- Learn more: Getting Started with S3 Vault
- DocuSign API Access: Valid DocuSign integration credentials
Configuration Files
Create the following files in the config/ directory:
1. DocuSign Configuration (docusign_config.json)
Based on the template file config/docusign_config_template.json:
{
"docusign": {
"integrationKey": "YOUR_INTEGRATION_KEY_HERE",
"userId": "YOUR_USER_ID_HERE",
"authServer": "account-d.docusign.com",
"scopes": "signature impersonation",
"basePath": "https://demo.docusign.net/restapi"
},
"fromDate": "2024-07-01T00:00:00Z"
}
2. DocuSign Private Key (docusign_key.pem)
Place your DocuSign private key file in the config/ directory as docusign_key.pem.
Note on LiteLLM
We do not recommend using LiteLLM as an MCP client. LiteLLM's per-turn session lifecycle triggers cosmetic ClosedResourceError tracebacks in the server terminal due to a race condition in the upstream mcp Python SDK — these are harmless but noisy.
Contributing
- We're continuing to add more functionality to this MCP server. If you'd like to leave feedback, file a bug or provide a feature request, please open an issue on this repository.
- Pull requests are welcome! For major changes, please open an issue first to discuss what you would like to change.
License
This project is licensed under the Apache License. See the LICENSE file for details.
Related Servers
local-pinboard-mcp
A local-only, secure MCP server to connect your AI assistant to your Pinboard bookmarks
Name.com
Manage domains using the Name.com API.
Vast Storage MCP Server
An MCP (Model Context Protocol) server that enables LLMs to interact with VAST Data storage APIs. This server exposes VAST Data management endpoints as tools for comprehensive storage infrastructure management and automation.
Yandex Cloud
An unofficial server for interacting with the Yandex Cloud API.
Zuora Product Catalog
An MCP server for accessing a Zuora product catalog, deployable on Cloudflare Workers.
MCP Gemini CLI
An MCP server for Google's Gemini CLI, allowing AI assistants to leverage Gemini's capabilities.
deepidv MCP
MCP server for AI-native Identity Verification & Anti-Fraud
Kubernetes MCP
A read-only MCP server for retrieving information and diagnosing issues in Kubernetes clusters.
Metrx MCP Server
Track AI agent costs, detect waste, optimize models, and prove ROI. 23 MCP tools for LLM cost tracking, provider arbitrage, budget enforcement, and revenue attribution.
Shopify MCP Server
Interact with Shopify store data using the GraphQL API.