Zammad MCP Server — Configuration
Environment variables, authentication, and access control for the Zammad MCP Server.
Configuration
The server is configured through environment variables (.env file or MCP client env block).
Required
| Variable | Description |
|---|---|
ZAMMAD_URL | Base URL of your Zammad instance, e.g. https://helpdesk.example.com |
ZAMMAD_HTTP_TOKEN | Personal access token from Zammad Profile → Token Access — see the Quick Start token walkthrough |
Authentication alternatives
| Variable | When to use |
|---|---|
ZAMMAD_HTTP_TOKEN | Default — recommended for MCP and automation |
| OAuth2 client settings | As documented in the GitHub DEPLOYMENT guide |
| Basic auth | Legacy environments only — prefer tokens |
Refer to Zammad API authentication for authoritative token behavior.
Access control
The MCP server enforces permissions before executing tools.
Permission levels
| Level | Behavior |
|---|---|
DENIED | Tool not exposed to the client |
READ_ONLY | View data only |
WRITE | Create and update |
ADMIN | Includes delete operations |
Environment variables
# Allow all tool categories (default)
MCP_ALLOWED_CATEGORIES=all
# Restrict to specific categories
MCP_ALLOWED_CATEGORIES=tickets,groups,system
# Deny dangerous tools (recommended for agents)
MCP_DENIED_TOOLS=delete_ticket,delete_user,delete_organization
# Optional: limit to Zammad groups the token can see
MCP_ALLOWED_GROUPS=Support,SalesInspect effective policy
Ask your MCP client to call get_allowed_tools — it returns the tools available under the current policy.
Programmatic policies
For embedded or multi-tenant setups, see AccessController and AccessPolicy in the
GitHub architecture doc.
Caching
Static Zammad metadata (states, priorities, groups) is cached to reduce API load. Cache behavior is automatic; no configuration required for typical deployments.
Logging
Structured logging via structlog is enabled by default. Set log level through standard environment
conventions in your process manager or container orchestrator.