A community Model Context Protocol (MCP) server for Cisco Secure Access.
It exposes the Secure Access REST API to MCP-compatible AI clients (Cursor, Claude Desktop, VS Code GitHub Copilot, etc.) as a curated catalog of tools grouped by Cisco's own resource categories: Admin, Deployments, Investigate, Policies, and Reports.
Status: v1 in development. See install.md for the build journal and per-phase progress.
This repo is structured to be hosted as a Cisco DevNet community MCP server, following
the CiscoDevNet/devnet-template layout. The standard template files (AGENTS.md,
CODE_OF_CONDUCT.md, CONTRIBUTING.md, LICENSE, README.md, SECURITY.md) are present and
conform to that template.
In addition, install.md is a working journal that captures every step
taken to build the server, troubleshooting notes, and any tools we add as enhancements.
It is intentionally kept in-tree so future contributors can see the reasoning trail.
```bash
# 1. Clone and install (using uv)
git clone https://github.com/sdntechforum/Secure_Access.git
cd Secure_Access
uv sync
# 2. Provide your Cisco Secure Access API credentials via environment variables
# (Admin > API Keys in the Secure Access dashboard)
export SECURE_ACCESS_API_KEY=...
export SECURE_ACCESS_API_SECRET=...
# 3. Run the server (stdio transport, default)
uv run cisco-secure-access-mcp
```
For client configuration (Cursor / Claude Desktop / VS Code), Docker usage, the full
list of tools, and the list of supported environment variables, see AGENTS.md.
- OAuth 2.0 Client Credentials Flow against POST https://api.sse.cisco.com/auth/v2/token.
- Bearer token cached in memory and refreshed shortly before its 1-hour expiry.
- Credentials read from environment variables only — never from CLI flags or committed files.
- Multi-org / MSSP supported via SECURE_ACCESS_ORG_ID (sent as X-Umbrella-OrgId).
- A separate, optional Key Admin credential pair gates the small set of tools that manage other API keys.
See Cisco Secure Access — API Authentication for how to mint API keys.
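The token handling listed above, sketched as an added example; it is not the code in this repo's auth.py. The names `token_request`, `TokenCache` and `REFRESH_MARGIN`, the 60-second margin, the use of HTTP Basic client authentication, and the injected `fetch` callable that stands in for the HTTP POST are all assumptions made for illustration.

```python
import base64
import time

TOKEN_URL = "https://api.sse.cisco.com/auth/v2/token"  # endpoint named in the README
REFRESH_MARGIN = 60  # seconds; assumed value for "shortly before" expiry


def token_request(env):
    """Build (url, headers, form) for the token call from environment variables only."""
    key, secret = env.get("SECURE_ACCESS_API_KEY"), env.get("SECURE_ACCESS_API_SECRET")
    if not key or not secret:
        raise RuntimeError("SECURE_ACCESS_API_KEY and SECURE_ACCESS_API_SECRET must be set")
    # Assumption: the client authenticates with HTTP Basic (RFC 6749, section 2.3.1).
    basic = base64.b64encode(f"{key}:{secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}"}
    if env.get("SECURE_ACCESS_ORG_ID"):  # multi-org / MSSP selection
        headers["X-Umbrella-OrgId"] = env["SECURE_ACCESS_ORG_ID"]
    return TOKEN_URL, headers, {"grant_type": "client_credentials"}


class TokenCache:
    """In-memory bearer token, refreshed REFRESH_MARGIN seconds before it expires."""

    def __init__(self, fetch, clock=time.monotonic):
        self._fetch = fetch  # callable returning {"access_token": ..., "expires_in": ...}
        self._clock = clock  # injectable so offline tests can control time
        self._token = None
        self._refresh_at = 0.0

    def get(self):
        if self._token is None or self._clock() >= self._refresh_at:
            body = self._fetch()
            self._token = body["access_token"]
            self._refresh_at = self._clock() + max(body["expires_in"] - REFRESH_MARGIN, 0)
        return self._token

    def __repr__(self):  # keep the token out of logs and tracebacks
        return f"<TokenCache cached={self._token is not None}>"


if __name__ == "__main__":
    # Constructed sample: a fake fetcher and a hand-driven clock, no network access.
    now, calls = [0], []
    def fake_fetch():
        calls.append(1)
        return {"access_token": f"tok-{len(calls)}", "expires_in": 3600}
    cache = TokenCache(fake_fetch, clock=lambda: now[0])
    for t in (0, 3539, 3540):
        now[0] = t
        print(t, cache.get())
```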
```
.
├── AGENTS.md                 # Install + tool catalog + env vars (read this first if you're an AI agent)
├── CODE_OF_CONDUCT.md        # Cisco DevNet template (unchanged)
├── CONTRIBUTING.md           # Cisco DevNet template (project name filled in)
├── LICENSE                   # Apache-2.0 (Cisco DevNet template)
├── README.md                 # this file
├── SECURITY.md               # Cisco DevNet template (project name filled in)
├── install.md                # Build journal — phases, troubleshooting, enhancements
├── pyproject.toml            # Package metadata + entry point
├── Dockerfile                # Optional secondary distribution
├── .env.example              # Documented env vars; NEVER real secrets
├── src/cisco_secure_access_mcp/
│   ├── server.py             # FastMCP entrypoint (stdio default)
│   ├── auth.py               # OAuth2 client-credentials + token cache
│   ├── client.py             # httpx-based REST client (TLS-only, retry-aware)
│   ├── config.py             # Env-var loading + validation
│   ├── errors.py             # SDK / HTTP errors → MCP errors
│   ├── logging.py            # Structured JSON logs with secret redaction
│   ├── registry.py           # Discovers and registers tools from each category
│   └── tools/
│       ├── admin/            # admin_* — Admin Resources
│       ├── deployments/      # deploy_* — Deployments Resources
│       ├── investigate/      # investigate_* — Investigate Resources (v1.1)
│       ├── policies/         # policy_* — Policies Resources
│       └── reports/          # report_* — Reports Resources (v1.1)
└── tests/
    ├── unit/                 # Offline; mock HTTP and clock
    └── integration/          # Opt-in; requires real DevNet sandbox credentials
```
This repo follows the security rules in .cursor (parameterization, no hardcoded
credentials, structured logging with redaction, TLS 1.2+ enforcement, distroless-style
container hardening, etc.). To report a vulnerability, see SECURITY.md.
Apache License 2.0 — see LICENSE.