Spacelift MCP server
Spacelift's official hosted MCP server exposes the entire Spacelift GraphQL API so agents can discover, query, and manage IaC stacks.
The Spacelift MCP server is Spacelift's official integration that puts your infrastructure-as-code management platform behind a small, powerful set of tools. Rather than hard-coding one tool per Spacelift feature, it exposes the entire Spacelift GraphQL API through a discover-then-act pattern: the agent first browses the schema to learn which queries and mutations exist and how their types are shaped, then runs the exact read or write it needs. That means the full breadth of Spacelift, stacks, runs, policies, contexts, spaces, modules, and more, is reachable without you teaching the agent each endpoint.
The canonical deployment is a hosted, remote MCP server at the /mcp path of your account, https://<account-name>.app.spacelift.io/mcp. Authentication is browser-based OAuth by default (recommended for interactive use) or a bearer token exported with spacectl for headless environments; either way the assistant is scoped by your Spacelift session permissions, RBAC, and login policies, so it can only do what you can. Beyond discover, query, and mutate, it includes a provider tool to inspect Terraform and OpenTofu provider schemas read-only, and an intent tool to create, update, delete, refresh, and import Intent-controlled cloud resources. Because mutate can change real infrastructure state, scope your account permissions deliberately.
Quick install
Copy-paste configs are provided for all 8 supported clients. Pick your client below.
Available tools
| Tool | Description |
|---|---|
| discover | Browses the Spacelift GraphQL API schema: lists available queries and mutations and inspects types and their fields. |
| query | Executes read-only GraphQL queries against Spacelift with the specified return fields. |
| mutate | Executes GraphQL mutations to modify Spacelift resources. |
| provider | Inspects Terraform and OpenTofu provider schemas and resources (read-only). |
| intent | Manages Intent-controlled cloud resources with create, update, delete, refresh, and import operations. |
Required configuration
- SPACELIFT_API_TOKENOptional
Bearer token exported with `spacectl profile export-token`, used for headless or remote authentication. Not needed for browser-based OAuth.
What you can do with it
Audit and inspect infrastructure state
Let the agent discover the schema, then run query to read stacks, runs, and policies across spaces, summarizing the current state of your IaC without you writing any GraphQL.
Drive changes through one API
Have the agent use mutate to trigger runs or update stack configuration and the intent tool to provision and reconcile cloud resources, all scoped by your Spacelift RBAC and login policies.
FAQ
- Is it free?
- The MCP server is provided as part of Spacelift; usage is governed by your Spacelift plan. No separate package is required for the hosted endpoint, and spacectl is open source.
- Does it support remote/OAuth?
- Yes. The canonical deployment is a hosted remote MCP server at https://<account-name>.app.spacelift.io/mcp. It uses browser-based OAuth by default, or a bearer token exported via spacectl for headless use.
- Can it change my infrastructure?
- Yes. The mutate and intent tools can modify Spacelift resources and provision cloud resources. The assistant is scoped by your session permissions, RBAC, and login policies, so grant least privilege.