# Traefik Hub MCP

> Traefik Hub MCP Server manages API gateways, proxy topologies, and Kubernetes integrations. It lets your agent discover active APIs, monitor latency metrics, map running agents, and revoke suspicious access tokens without manual cluster edits. If you run complex microservices on K8s and need centralized visibility into traffic flow or user access, this is what you use.

## Overview
- **Category:** ship-it
- **Price:** Free
- **Tags:** api-management, kubernetes, ingress-proxy, traffic-monitoring, gateway, observability

## Description

When you run complex microservices on **Kubernetes**, you don't wanna be manually editing YAML files or praying your deployment doesn't break. Your AI client uses this MCP Server to govern traffic, monitor performance, and enforce security boundaries across all your services. This server lets your agent manage API gateways and proxy topologies without ever touching the cluster configuration directly.

To map out what you have running, start with a complete inventory. You can pull a directory listing of every internal or external **HTTP API** that's routed through the Gateway using `traefik_list_apis`. This gives you the full scope of endpoints available. If you need to see how your services are organized logically, run `traefik_list_workspaces`; this enumerates all active logical scopes, including namespaces or entire **API Portals** within your Hub.

Finding out what's actually running is crucial. To locate every deployed Traefik Ingress pod currently mapped onto the hub, you call `traefik_list_active_agents`. This shows which services are actively serving traffic. When it comes to performance checks, your agent collects structured telemetry data using `traefik_get_api_metrics`. This metric gathering gives you detailed API latencies and accurate error counts for every endpoint. You can also check the operational health of the ingress hubs by running liveness probes across the cluster with `traefik_get_agent_health`, telling you immediately if all your worker nodes are up.

For identity management, you need to know who's accessing what. Running `traefik_list_subscriptions` maps out every external identity that’s currently trying to reach resources over the proxy portals. If an application needs network traversal access, you grant it by approving its specific logic binding token using `traefik_approve_subscription`. Conversely, if you detect a problem or suspect unauthorized activity, you can instantly ban and tear down an existing consumer token with `traefik_revoke_subscription`.

This combination of tools lets your agent treat the entire gateway infrastructure like a simple command line. You don't write complex routing rules; you just ask your client to list APIs, check metrics, or revoke tokens. It handles all that complexity behind the scenes for you.

## Tools

### traefik_approve_subscription
Grants network traversal to an external application by approving its specific logic binding token.

### traefik_get_agent_health
Checks the operational status of ingress hubs by running liveness probes across the cluster.

### traefik_get_api_metrics
Returns structured telemetry data, including error counts and specific API latencies.

### traefik_list_active_agents
Finds all deployed Traefik Ingress pods that are currently mapped onto the hub.

### traefik_list_apis
Pulls a directory listing of every published internal and external HTTP API routing through the Gateway.

### traefik_list_subscriptions
Maps out all external identities that are currently attempting to access resources over proxy portals.

### traefik_list_workspaces
Lists and organizes active logical scopes, such as namespaces or API Portals within the Hub.

### traefik_revoke_subscription
Instantly bans and tears down an existing external application consumer token.

## Prompt Examples

**Prompt:** 
```
Scan explicitly active logic bounds listing all deployed Kubernetes Traefik Agents across our namespace hubs completely.
```

**Response:** 
```
Processing trace limits targeting agents natively (`list_active_agents`). Hub mapped boundaries extracting safely explicitly online cluster instances running optimally effectively isolating 3 pods successfully.
```

**Prompt:** 
```
Deny active third party application logic limits explicitly mapping the execution onto subscription ID 'uuid-abc-123' natively.
```

**Response:** 
```
Triggering restriction execution limits targeting identity explicitly naturally via `revoke_subscription`. Traefik Gateway SaaS successfully completely suspended logical mapping isolating external connections efficiently natively.
```

**Prompt:** 
```
Dump explicit gateway latencies bounding logic usage limits across the deployed API instance mapping.
```

**Response:** 
```
Routing exact native query limitations securely onto `get_api_metrics`. Execution trace exposed logical distribution bounds verifying active successful requests gracefully isolating error clusters naturally.
```

## Capabilities

### List all available APIs
The agent pulls a directory of every internal and external HTTP API routed through the Gateway.

### Check for deployed agents' health
It runs liveness probes to test if all ingress hubs are operational across your cluster.

### Gather performance metrics
The agent collects aggregated error traces and detailed API latency data points.

### Find active services
It locates all running Traefik Ingress deployment pods mapped dynamically onto the hub.

### Map current scopes
The agent enumerates all logical namespaces and API Portals defined within your workspace boundaries.

### View external identities
It lists every tracked external identity attempting to access resources via the proxy portals.

## Use Cases

### Investigating an API slowdown
A user notices the `/v2/data` endpoint is slow. They ask their agent to run `traefik_get_api_metrics`. The agent runs the query, pulling back latency data and error traces that point directly to a specific upstream service struggling under load. Problem solved in minutes.

### Decommissioning an external client
A partner application is shut down. Instead of logging into the cluster and manually deleting resources, the user tells their agent to run `traefik_revoke_subscription` against that partner's token ID. The access is instantly severed, preventing any further unauthorized calls.

### Onboarding a new microservice
A dev team finishes a new service and needs it exposed. They ask the agent to run `traefik_list_apis` first to see existing endpoints, then use `traefik_list_workspaces` to ensure they deploy into the correct logical scope before making the API public.

### Security audit of active agents
The security team needs a full report on what's currently running. They run `traefik_list_active_agents` and then cross-reference that list with `traefik_get_agent_health` to get both the count and the operational status of every ingress pod.

## Benefits

- Audit performance with `traefik_get_api_metrics`. Instead of checking dashboards manually, your agent collects error traces and detailed latencies in one call. You see exactly where traffic bottlenecks are forming.
- Control access instantly using `traefik_revoke_subscription`. If an external app gets compromised or retired, you don't need to SSH into a node; the token is banned immediately via the tool.
- Gain full visibility with `traefik_list_apis`. You can dump every published API endpoint in one query. This saves hours of manual discovery when onboarding new services.
- Monitor infrastructure health using `traefik_get_agent_health` and `traefik_list_active_agents`. It provides a pass/fail status on your ingress hubs, letting you know if something broke before production users do.
- Manage scope with `traefik_list_workspaces`. You can map out all logical boundaries (namespaces) in the system. This helps prevent accidental cross-pollination of traffic between services.
- Streamline security review by using `traefik_list_subscriptions` to see who's trying to get in. It lists every external identity attempting access, making compliance checks a simple query.

## How It Works

The bottom line is: it lets your AI client manage complex API routing and security using natural language commands instead of platform CLI tools.

1. First, your agent acquires your platform tokens directly from the Hub configuration. You pass this credential into the prompt.
2. Next, the agent orchestrates Kubernetes ingress interactions by hitting the SaaS endpoints to evaluate logic bounds downstream and execute commands.
3. Finally, you get real-time telemetry audits back—latencies, portal health matrices, and cost estimates—without having to write a single `kubectl` command.

## Frequently Asked Questions

**How do I find out which APIs are active using traefik_list_apis?**
Run `traefik_list_apis`. This command dumps the central directory of all published internal and external HTTP API routes across the gateway. It's your definitive source of truth for what endpoints exist.

**What should I use if an external app starts acting weird? Should I use traefik_revoke_subscription?**
Yes, `traefik_revoke_subscription` is the direct fix. It instantly bans and tears down a specific API consumer token. This stops any unauthorized or compromised access immediately.

**Is `traefik_get_api_metrics` better than checking Prometheus?**
It's faster, especially for ad-hoc checks. While Prometheus gives you all the data, `traefik_get_api_metrics` aggregates error traces and latencies into a structured report directly through your agent conversation.

**How do I check if my agents are running correctly? Do I use traefik_list_active_agents or traefik_get_agent_health?**
Use both. `traefik_list_active_agents` shows you *which* pods are mapped. Then, run `traefik_get_agent_health` to verify the operational status and check for liveness probe failures on those listed agents.

**How do I see all the different logical scopes or API portals using traefik_list_workspaces?**
It enumerates all active logic scopes, helping you organize and manage which API Portals are governed inside your overall setup. This gives a clear view of how namespaces are structured within Traefik Hub.

**If I need an audit of external users connecting to the APIs, what does traefik_list_subscriptions show me?**
It maps every tracked external identity attempting logic access over your proxy portals. You get details on who is trying to connect and which credentials are accessing the gateway.

**If a new third-party app needs temporary access, how do I use traefik_approve_subscription?**
Running this command manually grants the necessary ingress traversal tokens to an application. You use it when you need to explicitly bridge an external service downstream after manual verification.

**How do I verify that all my Kubernetes agents are properly mapped using traefik_list_active_agents?**
This command maps and lists every Traefik Ingress deployment pod currently running on the hub. It confirms exactly which clusters are connected to the gateway for routing purposes.

**Can I explicitly track proxy traffic analytics natively using the Traefik MCP integration?**
Yes! Utilize `get_api_metrics` providing target APIs resolving strict analytic latency loops isolated.

**How do I explicitly approve or ban active third-party token portals natively?**
Target UUID logic limits explicitly inside `approve_subscription` or natively utilizing `revoke_subscription` avoiding manual CRD bounding errors natively secure.

**What orchestrates the physical Kubernetes deployments bounds mapped transparently?**
Yes, native traces executing explicitly under `get_agent_health` resolve infrastructure matrix states naturally avoiding SaaS panics inherently completely mapped.