Zammad MCP Server — Security

API tokens, least-privilege MCP tool policies, and production security checklist for Zammad MCP.

Security

The MCP server acts as a privileged API client to your Zammad instance. Treat it like any automation integration: scope tokens, deny dangerous tools, and audit usage.

API tokens

  1. Create a dedicated Zammad user or service account for MCP (not a personal admin account).
  2. Issue a token under Profile → Token Access with the minimum role needed.
  3. Store tokens only in environment variables or secret managers — never in git.
  4. Rotate tokens on schedule or when team members leave.

Official reference: Zammad token access.

Tool policies

Deny destructive tools and restrict tool categories for agent configurations:

MCP_DENIED_TOOLS=delete_ticket,delete_user,delete_organization
MCP_ALLOWED_CATEGORIES=tickets,users,organizations,groups,system

For read-only exploration:

MCP_ALLOWED_CATEGORIES=system
# Plus read-only ticket tools via custom AccessPolicy on GitHub — see ARCHITECTURE.md

Agents can still create or update tickets if write tools are allowed — review prompts and workflows so humans approve customer-visible articles.
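As an added illustration (not the project's own code or its real AccessPolicy), the following Python evaluates the two variables above with deny-before-allow semantics and audits the delete_* and HTTPS checklist items; the tool catalogue, category names and fail-closed behaviour for unknown tools are assumptions.

```python
import os
from urllib.parse import urlparse

# Constructed tool catalogue for illustration only; these tool names and
# their categories are hypothetical and not taken from the project.
TOOL_CATALOG = {
    "get_ticket": "tickets",
    "create_ticket": "tickets",
    "delete_ticket": "tickets",
    "get_user": "users",
    "delete_user": "users",
    "delete_organization": "organizations",
    "delete_group": "groups",
    "get_system_info": "system",
}


def parse_list(value):
    """Split a comma-separated env value into a set, ignoring blanks."""
    return {item.strip() for item in value.split(",") if item.strip()}


def is_tool_allowed(tool, env, catalog=TOOL_CATALOG):
    """Deny list wins; otherwise the tool's category must be allow-listed.
    Unknown tools and an unset allow list are rejected (fail closed)."""
    denied = parse_list(env.get("MCP_DENIED_TOOLS", ""))
    allowed = parse_list(env.get("MCP_ALLOWED_CATEGORIES", ""))
    if tool in denied or tool not in catalog:
        return False
    return catalog[tool] in allowed


def audit_config(env, catalog=TOOL_CATALOG):
    """Return checklist findings: reachable delete_* tools, plaintext ZAMMAD_URL."""
    findings = []
    for tool in sorted(catalog):
        if tool.startswith("delete_") and is_tool_allowed(tool, env, catalog):
            findings.append(f"destructive tool reachable: {tool}")
    url = env.get("ZAMMAD_URL", "")
    if urlparse(url).scheme != "https":
        findings.append(f"ZAMMAD_URL is not HTTPS: {url or '<unset>'}")
    return findings


if __name__ == "__main__":
    # Audit the live environment of the process that would start the server.
    for finding in audit_config(dict(os.environ)):
        print(finding)
```

Note that the deny list from the page does not cover a hypothetical delete_group tool, which the audit surfaces because its category is allow-listed.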

Network and transport

  • stdio (Claude/Cursor): Process runs locally; token stays on the user machine — suitable for admin workstations.
  • SSE / HTTP: Bind to localhost or place behind TLS + auth; do not expose publicly without a gateway.

Data residency

  • Ticket content flows between your Zammad instance and your MCP client host (e.g. Claude Desktop).
  • No Open Ticket AI cloud is required for the MCP server itself.
  • Review your organization’s policy on sending ticket text to external LLM providers before enabling team-wide use.

Production checklist

  • Dedicated Zammad user with least-privilege role
  • MCP_DENIED_TOOLS includes all delete_* tools for agent configs
  • HTTPS for ZAMMAD_URL in production
  • Tokens stored in secrets manager, not repo
  • MCP config excluded from dotfiles backups shared publicly
  • Logging reviewed for accidental PII export
  • Incident plan: revoke token in Zammad if leaked

Reporting vulnerabilities

Report security issues through the GitHub repository’s security policy: Softoft-Orga/zammad-mcp-server.