Nembl
Developer Guide
MCP Server

MCP Server

Nembl provides a Model Context Protocol (MCP) server that enables AI models and agents to interact with the platform programmatically. The MCP server exposes Nembl's functionality as tools that AI agents can discover and call, with full policy enforcement.

What Is MCP?

The Model Context Protocol is a standard for connecting AI models to external tools and data sources. Instead of building custom integrations for each AI model, MCP provides a universal interface that any MCP-compatible client can use.

Nembl's MCP server allows AI agents -- both Nembl's built-in agents and external AI tools -- to:

  • Query services, requests, and workflows
  • Submit and update requests
  • Manage inbox items
  • Execute workflow actions
  • Access company data within policy boundaries

Connecting to the MCP Server

Server URL

https://mcp.nembl.com/v1

Authentication

Authenticate using an API key passed in the MCP connection configuration:

{
  "server": "https://mcp.nembl.com/v1",
  "auth": {
    "type": "api_key",
    "key": "nmbl_live_abc123xyz"
  }
}

The API key determines which company the agent operates in and what permissions it has. Use scoped API keys to limit agent access to specific resources.

Claude Desktop Configuration

To connect Nembl's MCP server to Claude Desktop:

{
  "mcpServers": {
    "nembl": {
      "url": "https://mcp.nembl.com/v1",
      "headers": {
        "x-api-key": "nmbl_live_abc123xyz"
      }
    }
  }
}

Available Tools

The MCP server exposes the following tools that AI agents can discover and call:

Service & Request Tools

ToolDescription
list_servicesList available services and their offerings
get_serviceGet details of a specific service
create_requestSubmit a new request to a service offering
get_requestGet the status and details of a request
update_requestUpdate request fields, priority, or status
list_requestsList requests with filters (status, priority, assignee)
add_commentAdd a comment to a request

Inbox & Task Tools

ToolDescription
list_inbox_itemsList items in a team or user inbox
accept_requestAccept a request from the inbox
reject_requestReject a request with a reason
assign_taskAssign a task to a user or agent
complete_taskMark a task as complete
set_priorityChange the priority of an inbox item

Workflow Tools

ToolDescription
list_workflowsList workflows in the company
get_workflowGet workflow details and current phase
get_executionGet the status of a running workflow execution

Organization Tools

ToolDescription
list_teamsList teams and their members
list_usersList company members
get_userGet user details and current assignments

Search & Query Tools

ToolDescription
searchFull-text search across requests, services, and workflows
get_audit_logQuery audit log entries for a resource or user

Policy Enforcement

Every tool call is subject to the same policy engine that governs the web UI and API. The MCP server evaluates the API key's associated user or service account against the company's policies before executing any action.

How Policies Apply

  1. The AI agent calls a tool (e.g., accept_request).
  2. The MCP server identifies the user associated with the API key.
  3. The policy engine evaluates whether the user has permission to perform the action on the target resource.
  4. If allowed, the action executes. If denied, the tool returns an error.
{
  "error": "permission_denied",
  "message": "User does not have 'requests:update' permission on this resource.",
  "resource": "req_abc123"
}

Limiting Agent Access

To restrict what an AI agent can do via MCP:

  1. Create a dedicated service account for the agent.
  2. Create an API key scoped to that service account.
  3. Assign a custom role with only the permissions the agent needs.
  4. Optionally, add ABAC policies to restrict access to specific tagged resources.

For example, an agent that triages incoming IT requests might have:

  • requests:read and requests:update (to read and prioritize)
  • inbox:read and inbox:update (to manage inbox items)
  • No workflows:write or users:write permissions

Tool Call Examples

Listing Open Requests

{
  "tool": "list_requests",
  "arguments": {
    "status": "PENDING",
    "priority": "HIGH",
    "limit": 10
  }
}

Accepting a Request

{
  "tool": "accept_request",
  "arguments": {
    "requestId": "req_abc123",
    "comment": "Accepted based on priority and team capacity."
  }
}

Creating a Request

{
  "tool": "create_request",
  "arguments": {
    "serviceId": "svc_xyz789",
    "offeringId": "off_def456",
    "title": "Provision new development environment",
    "priority": "MEDIUM",
    "fields": {
      "developer": "Jane Smith",
      "projectName": "Project Alpha"
    }
  }
}

Best Practices

  • Use scoped API keys. Create dedicated keys for MCP connections with minimal permissions.
  • Monitor agent activity. Review the audit log for actions taken by MCP-connected agents.
  • Start with read-only access. Give new agents read permissions first, then add write permissions after validating their behavior.
  • Use ABAC for boundaries. Tag resources that agents should not touch and create Deny policies for those tags.
  • Test in development. Use test API keys (nmbl_test_ prefix) when developing and testing MCP integrations.
WebhooksIntegrations