CiscoDevNet

cisco-secure-access-mcp

Cisco Secure Access MCP Server

cisco-secure-access-mcp

A community Model Context Protocol (MCP) server for Cisco Secure Access.

It exposes the Secure Access REST API to MCP-compatible AI clients (Cursor, Claude Desktop, VS Code GitHub Copilot, etc.) as a curated catalog of tools grouped by Cisco's own resource categories: Admin, Deployments, Investigate, Policies, and Reports.

Status: v1 in development. See install.md for the build journal and per-phase progress.

Why a community DevNet server

This repo is structured to be hosted as a Cisco DevNet community MCP server, following the CiscoDevNet/devnet-template layout. The standard template files (AGENTS.md, CODE_OF_CONDUCT.md, CONTRIBUTING.md, LICENSE, README.md, SECURITY.md) are present and conform to that template.

In addition, install.md is a working journal that captures every step taken to build the server, troubleshooting notes, and any tools we add as enhancements. It is intentionally kept in-tree so future contributors can see the reasoning trail.

Quick start

# 1. Clone and install (using uv)
git clone https://github.com/sdntechforum/Secure_Access.git
cd Secure_Access
uv sync

# 2. Provide your Cisco Secure Access API credentials via environment variables
#    (Admin > API Keys in the Secure Access dashboard)
export SECURE_ACCESS_API_KEY=...
export SECURE_ACCESS_API_SECRET=...

# 3. Run the server (stdio transport, default)
uv run cisco-secure-access-mcp

For client configuration (Cursor / Claude Desktop / VS Code), Docker usage, the full list of tools, and the list of supported environment variables, see AGENTS.md.

Authentication at a glance

  • OAuth 2.0 Client Credentials Flow against POST https://api.sse.cisco.com/auth/v2/token.
  • Bearer token cached in memory and refreshed shortly before its 1-hour expiry.
  • Credentials read from environment variables only — never from CLI flags or committed files.
  • Multi-org / MSSP supported via SECURE_ACCESS_ORG_ID (sent as X-Umbrella-OrgId).
  • A separate, optional Key Admin credential pair gates the small set of tools that manage other API keys.

See Cisco Secure Access — API Authentication for how to mint API keys.
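The token handling summarized above, as an added sketch that is not this repo's auth.py: the names build_token_request, fetch_token, TokenCache and REFRESH_SKEW are hypothetical, and it assumes the key and secret travel as HTTP Basic credentials and that X-Umbrella-OrgId is attached to the token request. The fetch function and clock are injectable so the refresh logic can be exercised offline.

```python
import base64
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.sse.cisco.com/auth/v2/token"  # endpoint named on this page
REFRESH_SKEW = 60  # assumed margin (seconds) for "shortly before expiry"


def build_token_request(env):
    """Build the client-credentials POST from environment variables only."""
    key, secret = env.get("SECURE_ACCESS_API_KEY"), env.get("SECURE_ACCESS_API_SECRET")
    if not key or not secret:
        raise RuntimeError("SECURE_ACCESS_API_KEY / SECURE_ACCESS_API_SECRET not set")
    basic = base64.b64encode(f"{key}:{secret}".encode()).decode()  # assumed: HTTP Basic
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    if env.get("SECURE_ACCESS_ORG_ID"):  # multi-org / MSSP child org
        headers["X-Umbrella-OrgId"] = env["SECURE_ACCESS_ORG_ID"]
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")


def fetch_token(env=os.environ):
    """Real network call; returns the decoded JSON token response."""
    with urllib.request.urlopen(build_token_request(env), timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """In-memory bearer token, refreshed REFRESH_SKEW seconds before expiry."""

    def __init__(self, fetch=fetch_token, clock=time.monotonic):
        self._fetch, self._clock = fetch, clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at - REFRESH_SKEW:
            reply = self._fetch()
            self._token = reply["access_token"]
            self._expires_at = self._clock() + int(reply.get("expires_in", 3600))
        return self._token

    def __repr__(self):  # keep the token out of logs and tracebacks
        return f"<TokenCache cached={self._token is not None}>"
```

The token lives only in process memory, so a restarted server re-authenticates from the environment instead of reading a token from disk.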

Repo layout

.
├── AGENTS.md              # Install + tool catalog + env vars (read this first if you're an AI agent)
├── CODE_OF_CONDUCT.md     # Cisco DevNet template (unchanged)
├── CONTRIBUTING.md        # Cisco DevNet template (project name filled in)
├── LICENSE                # Apache-2.0 (Cisco DevNet template)
├── README.md              # this file
├── SECURITY.md            # Cisco DevNet template (project name filled in)
├── install.md             # Build journal — phases, troubleshooting, enhancements
├── pyproject.toml         # Package metadata + entry point
├── Dockerfile             # Optional secondary distribution
├── .env.example           # Documented env vars; NEVER real secrets
├── src/cisco_secure_access_mcp/
│   ├── server.py          # FastMCP entrypoint (stdio default)
│   ├── auth.py            # OAuth2 client-credentials + token cache
│   ├── client.py          # httpx-based REST client (TLS-only, retry-aware)
│   ├── config.py          # Env-var loading + validation
│   ├── errors.py          # SDK / HTTP errors → MCP errors
│   ├── logging.py         # Structured JSON logs with secret redaction
│   ├── registry.py        # Discovers and registers tools from each category
│   └── tools/
│       ├── admin/         # admin_*  — Admin Resources
│       ├── deployments/   # deploy_* — Deployments Resources
│       ├── investigate/   # investigate_* — Investigate Resources (v1.1)
│       ├── policies/      # policy_*  — Policies Resources
│       └── reports/       # report_*  — Reports Resources (v1.1)
└── tests/
    ├── unit/              # Offline; mock HTTP and clock
    └── integration/       # Opt-in; requires real DevNet sandbox credentials

Security

This repo follows the security rules in .cursor (parameterization, no hardcoded credentials, structured logging with redaction, TLS 1.2+ enforcement, distroless-style container hardening, etc.). To report a vulnerability, see SECURITY.md.

License

Apache License 2.0 — see LICENSE.
