# NetBird MCP

> NetBird MCP lets you control your Zero Trust mesh network directly through conversation. Use this MCP to manage accounts, create users, define access policies, and configure resources without logging into a dashboard. It gives your AI agent full control over identity and network infrastructure.

## Overview
- **Category:** cloud-infrastructure
- **Price:** Free
- **Tags:** zero-trust, vpn, network-management, access-control, mesh-network

## Description

You don't have to navigate multiple dashboards just to onboard one user or update a single policy. Connect your NetBird account through Vinkius to give your AI client direct administrative access to your entire private network. Your agent acts like an experienced net admin, handling complex workflows via natural language prompts.

Need to add a new subnet? You can ask for it and get the resource created instantly. Want to adjust who can talk to whom? Simply tell your agent which policies need updating. If you're managing user lifecycle—like creating service accounts or revoking access—it handles all the necessary steps, from generating invite links to changing passwords. This setup means that whether you’re working in an IDE, a terminal, or through any other AI client, you maintain full control over your network perimeter without leaving your workflow.

## Tools

### accept_user_invite
Allows an unauthenticated user to accept an invite link and set a password.

### approve_user
Approves the status of a pending user account.

### change_user_password
Resets or changes a user's password through an embedded identity provider.

### create_group
Creates a new logical group for organizing users and resources.

### create_msp_tenant
Sets up a brand new managed service provider (MSP) tenant account.

### create_nameserver
Creates a dedicated group for nameservers within the network structure.

### create_network_resource
Adds an actual resource, such as a host subnet or domain name, to a specific network.

### create_network_router
Deploys a new router device within the overall network topology.

### create_network
Establishes an entirely new, isolated virtual network environment.

### create_policy
Defines a granular rule set specifying what protocols and ports are allowed between sources and destinations.

### create_posture_check
Sets up a security check that verifies parameters like OS version or geographic location for connecting peers.

### create_route
Creates an outdated network route entry.

### create_setup_key
Generates a setup key, which can be used for one-time or reusable authentication access.

### create_temporary_access_peer
Creates temporary credentials allowing limited network access to a specific peer.

### create_user_invite
Generates a unique link that can be shared with a new user to join the system.

### create_user_token
Creates a new, secure personal access token for long-term use by an individual user.

### create_user
Registers either a service account or invites a standard human user into the system.

### delete_account
Removes an entire NetBird account and all associated resources permanently.

### delete_group
Deletes a defined logical group from the network structure.

### delete_nameserver
Removes an entire nameserver grouping from service.

### delete_network_resource
Deletes a specific host, subnet, or domain resource.

### delete_network_router
Removes a router device from the network topology.

### delete_network
Deletes an entire virtual network environment, removing all contained resources.

### delete_peer
Deletes a peer.

### delete_policy
Removes a specific access policy rule set.

### delete_posture_check
Takes down an existing security posture verification check.

### delete_route
Removes an outdated network route entry.

### delete_setup_key
Invalidates and removes a previously generated setup key.

### delete_user_invite
Removes an existing, unsent user invitation link.

### delete_user_token
Revokes and deletes a personal access token for a specific user.

### delete_user
Permanently removes a registered user from the network system.

### get_current_user
Retrieves detailed information about the account currently authenticated and using the service.

### get_dns_settings
Fetches global settings related to DNS management for the network.

### get_group
Retrieves detailed information about a specified group.

### get_nameserver
Fetches all details regarding a specific nameserver grouping.

### get_network_resource
Retrieves the current configuration and status of a specified network resource.

### get_network_router
Fetches detailed operational data for a specific router device.

### get_network
Retrieves the overall configuration and status of a designated network.

### get_peer
Fetches detailed information about an individual connected peer device or user.

### get_policy
Retrieves the full details of a specific access policy rule set.

### get_posture_check
Fetches the current rules and status of a security posture verification check.

### get_public_user_invite
Retrieves details about an invitation link that is publicly accessible without logging in.

### get_route
Retrieves outdated network route information.

### get_setup_key
Fetches the details of a specific setup key, confirming its status and use.

### get_user_token
Retrieves information about a specific user access token.

### invite_msp_tenant
Sends an invitation to an existing account, turning it into a managed service provider tenant.

### list_accessible_peers
Lists all the network peers that are reachable from the current peer's location.

### list_accounts
Retrieves a list of every NetBird account connected to the system.

### list_all_network_routers
Lists all routers deployed across every network in the environment.

### list_audit_events
Retrieves a chronological list of all system audit events, showing who did what and where.

### list_cities
Returns a list of city names associated with a given country code.

### list_countries
Provides all available ISO 3166-1 alpha-2 two-letter country codes.

### list_groups
Lists every defined logical group within the network structure.

### list_msp_tenants
Retrieves a list of all managed service provider tenants under the umbrella account.

### list_nameservers
Lists every dedicated nameserver group configured in the network.

### list_network_resources
Retrieves a list of all specific resources (subnets, domains) within a given network.

### list_network_routers
Lists every router device deployed in a specified network.

### list_network_traffic_events
Retrieves experimental data showing network traffic events for analysis.

### list_networks
Provides a list of every virtual network configured in the system.

### list_peers
Lists all registered and active peers connected to the mesh network.

### list_policies
Retrieves a list of every defined access policy rule set.

### list_posture_checks
Lists all currently active security posture checks on the network.

### list_proxy_events
Retrieves logs detailing access attempts through the reverse proxy layer.

### list_routes
Lists outdated network route entries.

### list_setup_keys
Shows a list of all setup keys currently active in the system.

### list_user_invites
Retrieves a queue of pending user invitation links awaiting action.

### list_user_tokens
Lists all personal access tokens associated with a specific user account.

### list_users
Retrieves the full list of every registered user in the system.

### regenerate_user_invite
Creates a fresh, new invite link for an existing user account.

### reject_user
Marks a pending user invitation as rejected without sending the notification.

### resend_user_invite
Resends an existing, previously generated user invitation link to the intended recipient.

### respond_msp_tenant_invite
Accepts or declines a formal Managed Service Provider (MSP) tenant invitation.

### unlink_msp_tenant
Separates an MSP tenant account from its current owner to assign it to someone else.

### update_account
Modifies global account settings, such as changing peer login expiration dates or network ranges.

### update_dns_settings
Adjusts the system's DNS parameters, for example, enabling or disabling management groups.

### update_group
Modifies a group by changing its name, adding peers, or assigning new resources to it.

### update_msp_tenant_subscription
Creates or updates the subscription details for an existing MSP tenant.

### update_msp_tenant
Changes the name of a tenant or modifies its associated access groups.

### update_nameserver
Updates the configuration details for an existing nameserver group.

### update_network_resource
Modifies a specific network resource, such as changing its IP range or domain name.

### update_network_router
Updates the operational status or configuration of an existing router device.

### update_network
Changes the descriptive name and details of a virtual network environment.

### update_peer
Modifies peer information, such as changing its SSH status or internal IP address.

### update_policy
Changes the rules governing an existing access policy rule set.

### update_posture_check
Modifies the criteria used in a security posture check, like requiring a specific OS version.

### update_route
Updates outdated network route information.

### update_setup_key
Modifies an existing setup key, allowing you to revoke it or change its associated groups.

### update_user
Updates a user's role, assigned resource groups, or block status without deleting the account.

### verify_msp_tenant_dns
Validates that the domain name DNS challenge for an MSP tenant is correctly configured.

## Prompt Examples

**Prompt:** 
```
List all users in my NetBird account.
```

**Response:** 
```
I've retrieved the user list. You have 3 active users: Admin (ID: user_1), Developer A (ID: user_2), and Service_Bot (ID: user_3). Would you like to manage any of them?
```

**Prompt:** 
```
Create a new user invite link.
```

**Response:** 
```
I've generated a new invite link (ID: invite_abc123). You can share this with the new user to join your network.
```

**Prompt:** 
```
Show me the details of the current authenticated user.
```

**Response:** 
```
The current user is 'Admin' with email 'admin@company.com'. Your role is 'Owner' and you have full access to the account settings.
```

## Capabilities

### Manage user identities and accounts
Using tools like list_users and create_user, your agent can track all users, invite new ones, or set up service accounts.

### Control network access policies
Your agent lets you define rules for traffic using tools like create_policy, ensuring only authorized services can communicate across the mesh network.

### Configure network resources
You can provision new infrastructure components by listing or creating networks, routers, and specific host subnets with tools like list_networks and create_network_resource.

### Handle user onboarding and offboarding
Manage the full life cycle using functions that generate user invite links (create_user_invite), approve pending accounts (approve_user), or delete users entirely (delete_user).

## Use Cases

### Offboarding a former employee
The Security Analyst needs to cut off all access for an ex-employee immediately. They prompt the agent: 'Disable user Bob and delete his credentials.' The agent executes delete_user, updates their profile using update_user (to ensure group removal), and finally deletes any associated tokens via delete_user_token.

### Adding a new service subnet
The DevOps Engineer needs to connect a newly provisioned server rack. They ask the agent to 'Add the 10.2.3.0/24 subnet and create a network resource.' The agent uses create_network_resource, then updates the relevant policy using update_policy so traffic is allowed.

### Handling pending user access requests
The IT Administrator receives an invite for a contractor. Instead of logging into the admin panel, they tell the agent to 'Approve the request from Jane Doe.' The agent runs approve_user and confirms the status change.

### Reviewing network connectivity issues
The Security Analyst suspects a rogue connection. They ask the agent to list all connected peers, running list_peers to identify the suspicious MAC address, then use get_peer to check its last reported IP and location.

## Benefits

- Stop logging into dashboards. Instead of navigating multiple UI sections to update a user's role or block status, you simply ask your agent to use the update_user tool and get it done instantly.
- Audit trail control: You no longer have to manually compile audit reports from different tabs. Simply ask your agent to list_audit_events and get a comprehensive log of every activity that happened.
- Efficient user onboarding: Instead of creating an account, then sending a link, you can use create_user_invite followed by resend_user_invite to manage the entire process without leaving your chat window.
- Network resilience: If a peer's IP changes or their SSH status needs updating, calling update_peer ensures that configuration is consistent across all records. It keeps your network running smoothly.
- Security hardening: You can enforce strict security protocols by using create_policy to define precise access rules between sources and destinations, going far beyond simple firewall rules.

## How It Works

The bottom line is that your AI client treats your network infrastructure like a backend API, letting you manage everything through conversation.

1. First, subscribe to this MCP and enter your NetBird API Token.
2. Second, send a natural language request to your AI client, specifying the action you need (e.g., 'List all users who haven't logged in').
3. Finally, your agent executes the necessary tool calls, retrieves the data, and presents it back to you for review or confirmation.

## Frequently Asked Questions

**How do I change a user’s role using NetBird MCP?**
You update the user's profile directly by calling update_user. This function allows you to manage their assigned roles, auto-groups, or block status without deleting their account.

**What if I need to create a whole new isolated network?**
You start by using the create_network tool. Once the container is established, you can then add resources and routers inside it using tools like create_network_resource or create_network_router.

**Can I see who has accessed my network recently? (list_audit_events)**
Yes. Use list_audit_events to retrieve a full, chronological list of every system activity that occurred across your NetBird account, showing the initiator and target.

**How do I revoke someone's access credentials?**
To completely remove credentials, you can use delete_user or delete_user_token. If you just need to stop them from logging in, update_user lets you change their block status.

**What is the difference between create_user and create_user_invite?**
create_user establishes an account (often for a service user), while create_user_invite generates a single, temporary link used to onboard a human user.