Authentication

Configure authentication for the F5XC API MCP Server.

Operating Modes

The server operates in two modes based on authentication status:

Documentation Mode (Default)

No credentials required. The server provides:

  • API documentation and schema information
  • Parameter descriptions and validation
  • CURL command examples
  • Dependency and prerequisite guidance

This mode is ideal for exploring the API and understanding available operations.

Execution Mode

Requires valid credentials. Adds:

  • Direct API execution against your tenant
  • Resource creation, reading, updating, deletion
  • Real-time status queries
  • Configuration deployment

Authentication Methods

API Token

The simplest authentication method. Get a token from the F5XC Console.

Getting an API Token

  1. Log into F5 Distributed Cloud Console
  2. Navigate to Administration > Personal Management > Credentials
  3. Click Add Credentials
  4. Select API Token
  5. Set expiration and copy the token

Configuration

Set environment variables:

export F5XC_API_URL="https://your-tenant.console.ves.volterra.io"
export F5XC_API_TOKEN="your-api-token-here"

Or in MCP configuration:

{
  "mcpServers": {
    "f5xc-api": {
      "command": "npx",
      "args": ["@robinmordasiewicz/f5xc-api-mcp"],
      "env": {
        "F5XC_API_URL": "https://your-tenant.console.ves.volterra.io",
        "F5XC_API_TOKEN": "your-api-token-here"
      }
    }
  }
}

Or via claude mcp add:

claude mcp add --transport stdio f5xc-api \
  --env F5XC_API_URL=https://your-tenant.console.ves.volterra.io \
  --env F5XC_API_TOKEN=your-api-token-here \
  -- npx @robinmordasiewicz/f5xc-api-mcp

P12 Certificate (mTLS)

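Certificate-based authentication over mutual TLS (mTLS). More secure than an API token: the client proves possession of a private key during the TLS handshake instead of sending a bearer secret with each request.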

Getting a P12 Certificate

  1. Log into F5 Distributed Cloud Console
  2. Navigate to Administration > Personal Management > Credentials
  3. Click Add Credentials
  4. Select API Certificate
  5. Download the .p12 file and note the password

Configuration

export F5XC_API_URL="https://your-tenant.console.ves.volterra.io"
export F5XC_P12_BUNDLE="/path/to/certificate.p12"
export F5XC_P12_PASSWORD="your-certificate-password"

Or in MCP configuration:

{
  "mcpServers": {
    "f5xc-api": {
      "command": "npx",
      "args": ["@robinmordasiewicz/f5xc-api-mcp"],
      "env": {
        "F5XC_API_URL": "https://your-tenant.console.ves.volterra.io",
        "F5XC_P12_BUNDLE": "/absolute/path/to/certificate.p12",
        "F5XC_P12_PASSWORD": "your-certificate-password"
      }
    }
  }
}

Or via claude mcp add:

claude mcp add --transport stdio f5xc-api \
  --env F5XC_API_URL=https://your-tenant.console.ves.volterra.io \
  --env F5XC_P12_BUNDLE=/absolute/path/to/certificate.p12 \
  --env F5XC_P12_PASSWORD=your-certificate-password \
  -- npx @robinmordasiewicz/f5xc-api-mcp

Use Absolute Paths

The P12 file path must be absolute, not relative.

URL Normalization

The server automatically normalizes various URL formats:

You Enter                                 Normalized To
https://tenant.volterra.us                https://tenant.console.ves.volterra.io/api
https://tenant.volterra.us/               https://tenant.console.ves.volterra.io/api
https://tenant.volterra.us/api            https://tenant.console.ves.volterra.io/api
https://tenant.console.ves.volterra.io    https://tenant.console.ves.volterra.io/api
https://tenant.staging.volterra.us        https://tenant.staging.console.ves.volterra.io/api

You can use any of these formats - the server handles the conversion.
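The mapping in the table above, written as an added example (not the server's own code) that parses the URL before rewriting it, so the pattern is matched against the host a request would actually reach. Rejecting non-HTTPS schemes, embedded userinfo, non-default ports, and unlisted hosts or paths is an assumption of this sketch; the page does not say how the server treats such input.

```javascript
// Added example: allow-list normalizer reproducing the table above.
// HOST_RE and normalizeF5xcUrl are hypothetical names, not part of the package.
const HOST_RE =
  /^([a-z0-9-]+)(\.staging)?\.(?:volterra\.us|console\.ves\.volterra\.io)$/;

function normalizeF5xcUrl(input) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch {
    throw new Error("not a valid URL");
  }
  // Assumption: credentials should only ever travel over HTTPS.
  if (url.protocol !== "https:") throw new Error("https is required");
  // "https://tenant.volterra.us@other.host/" parses with other.host as the
  // real host, so userinfo is refused outright.
  if (url.username || url.password) throw new Error("userinfo is not allowed");
  if (url.port) throw new Error("unexpected port");

  // url.hostname is lower-cased and excludes userinfo and port.
  const m = HOST_RE.exec(url.hostname);
  if (!m) throw new Error(`unrecognised F5XC host: ${url.hostname}`);

  // The table lists only "", "/" and "/api" as accepted paths.
  const path = url.pathname.replace(/\/+$/, "");
  if (path !== "" && path !== "/api") {
    throw new Error(`unexpected path: ${url.pathname}`);
  }

  const [, tenant, staging = ""] = m;
  return `https://${tenant}${staging}.console.ves.volterra.io/api`;
}
```

Substring checks such as "contains volterra.us" would accept a look-alike host; anchoring the pattern to the parsed hostname avoids that.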

Profile-Based Configuration

For managing multiple F5XC tenant credentials, use profiles stored in ~/.config/f5xc/profiles/.

Using the Configure Auth Tool

The easiest way to configure authentication is through Claude. Ask Claude to configure authentication:

"Configure F5XC authentication with my tenant"

Claude will use the f5xc-api-configure-auth tool to:

  1. Check current authentication status
  2. Prompt you for tenant URL and API token
  3. Save credentials to a profile
  4. Set the profile as active

MCP Tool Actions

Action          Description
status          Check current authentication state
configure       Save credentials to a new or existing profile
list-profiles   List all available profiles
set-active      Switch to a different profile

Example - Configure Credentials:

Ask Claude:

"Use the configure-auth tool with action='configure', tenantUrl='https://tenant.console.ves.volterra.io', apiToken='your-token', profileName='production'"

Example - Switch Profiles:

"Use configure-auth to switch to the 'staging' profile"

Profile Storage

Profiles are stored in ~/.config/f5xc/profiles/ (XDG Base Directory compliant):

~/.config/f5xc/
├── active_profile          # Name of the active profile
└── profiles/
    ├── default.json        # Default profile
    ├── production.json     # Production tenant
    └── staging.json        # Staging tenant

Credential Priority

The server loads credentials in this order:

  1. Environment variables (highest priority) - Always override profiles
  2. Active profile - From ~/.config/f5xc/
  3. No credentials - Documentation mode (lowest priority)

See Security Best Practices for credential storage and management guidance.
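Because environment variables always override profiles, a token left exported in the shell keeps being used after you switch profiles. The following added example (not part of the server) lints an environment against the priority order above and the checks listed under Troubleshooting; the function name, finding strings and return shape are assumptions of this sketch, as is treating F5XC_PROFILE as a profile selection.

```javascript
// Added example: preflight lint for the F5XC_* variables described on this page.
// preflight() and its finding strings are hypothetical, not the server's API.
function preflight(env, hasActiveProfile = false) {
  const findings = [];
  const url = env.F5XC_API_URL;
  const token = env.F5XC_API_TOKEN;
  const p12 = env.F5XC_P12_BUNDLE;
  const p12Password = env.F5XC_P12_PASSWORD;
  const envCreds = Boolean(token || p12);

  if (token !== undefined && token !== token.trim()) {
    findings.push("F5XC_API_TOKEN has leading or trailing whitespace");
  }
  // POSIX absolute path or Windows drive path; relative paths are flagged.
  if (p12 !== undefined && !/^(\/|[A-Za-z]:[\\/])/.test(p12)) {
    findings.push("F5XC_P12_BUNDLE must be an absolute path");
  }
  if (p12 && !p12Password) {
    findings.push("F5XC_P12_BUNDLE is set without F5XC_P12_PASSWORD");
  }
  if (token && p12) {
    findings.push("both token and P12 are set; precedence is not documented");
  }
  if (envCreds && !url) {
    findings.push("credentials are set without F5XC_API_URL");
  }
  if (url) {
    try {
      if (new URL(url).protocol !== "https:") {
        findings.push("F5XC_API_URL is not https");
      }
    } catch {
      findings.push("F5XC_API_URL is not a valid URL");
    }
  }

  // Priority from the page: environment variables, active profile, none.
  const profileSelected = hasActiveProfile || Boolean(env.F5XC_PROFILE);
  const source = envCreds ? "environment" : profileSelected ? "profile" : "none";
  if (source === "environment" && profileSelected) {
    findings.push("environment credentials override the selected profile");
  }
  return { source, findings };
}
```

Call it as `preflight(process.env, true)` when an active profile exists; a `source` of "none" corresponds to documentation mode.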

Environment Variables Reference

Variable            Required     Description
F5XC_API_URL        For auth     Tenant URL (auto-normalized)
F5XC_API_TOKEN      Token auth   API token from XC Console
F5XC_P12_BUNDLE     Cert auth    Absolute path to P12 certificate bundle
F5XC_P12_PASSWORD   Cert auth    Password for P12 certificate
F5XC_PROFILE        No           Profile name from ~/.config/f5xc/profiles/
LOG_LEVEL           No           Logging level (debug, info, warn, error)

Security Best Practices

Never Commit Credentials

Add to .gitignore:

.env
*.p12
*.pem

Use Environment Files

Create .env (not committed):

F5XC_API_URL=https://your-tenant.console.ves.volterra.io
F5XC_API_TOKEN=your-token

Reference in configuration:

{
  "mcpServers": {
    "f5xc-api": {
      "command": "npx",
      "args": ["@robinmordasiewicz/f5xc-api-mcp"],
      "envFile": "${workspaceFolder}/.env"
    }
  }
}

Rotate Credentials Regularly

  • API tokens: Rotate every 90 days
  • Certificates: Use short-lived certificates when possible

Least Privilege

Create service accounts with minimal required permissions for automation.

Verifying Authentication

Check authentication status:

"Get the F5XC API server info"

Response shows:

{
  "mode": "execution",
  "authenticated": true,
  "authMethod": "token",
  "tenantUrl": "https://your-tenant.console.ves.volterra.io/api"
}

Or for unauthenticated:

{
  "mode": "documentation",
  "authenticated": false,
  "authMethod": "none"
}

Troubleshooting

"Invalid API Token"

  1. Check token hasn't expired
  2. Verify token was copied completely (no truncation)
  3. Ensure no extra whitespace

"Certificate Error"

  1. Verify P12 file path is absolute
  2. Check password is correct
  3. Ensure certificate hasn't expired

"Connection Refused"

  1. Check URL format
  2. Verify network connectivity to F5XC
  3. Check firewall rules

"Unauthorized"

  1. Verify credentials have required permissions
  2. Check namespace access rights
  3. Ensure tenant URL matches credential's tenant

Next Steps