What the client can do
The read, documentation, and write tools the P4A MCP server exposes, and how token scopes gate them.
What the client can do
The tools the server exposes mirror what you can do in the portal, scoped to your account and gated by your token's scopes. Read tools require api:read; write tools require api:write. Documentation search needs only a valid token. See Connecting a client for how to mint a token with the right scopes.
Read tools (api:read)
| Tool | What it does |
|---|---|
search_policies | Search the policy catalog. Pass source: "mulesoft" to search MuleSoft's out-of-the-box Omni Gateway policies instead of the community catalog; with that source, direction: "inbound" / "outbound" filters by enforcement leg. |
get_policy | Fetch one community policy by id. |
get_install_command | Get the manual install/deploy commands for a policy. |
get_mulesoft_policy | Fetch one MuleSoft out-of-the-box policy by slug, including its full documentation. |
list_deployments | List your deployments, newest first. |
get_deployment | Get one deployment plus its latest build progress. |
get_deployment_logs | Get a deployment's build-log lines — the same output you see live in My Deployments — to diagnose a failed or in-flight deploy. |
list_my_connections | List your Anypoint connections (no secrets returned). |
list_my_submissions | List your policy submissions, optionally filtered by status. |
list_my_workspaces | List your workspace memberships and your role in each. |
get_connection | Get one Anypoint connection by id (no secrets returned). |
list_connection_business_groups | List the Anypoint business groups a connection can reach — the deploy targets for deploy_policy. |
get_workspace | Get one workspace, your role, and its members. |
list_ideas | List Policy Ideas, optionally filtered by query or category. |
get_idea | Fetch one Policy Idea by id, including its reviewer feedback_history (each round the idea was sent back or rejected, newest-first) when you can see it. |
get_policy_comments | List the discussion comments on a policy (flat, oldest-first; replies carry a parent id). |
Documentation tools
| Tool | What it does |
|---|---|
search_docs | Full-text search across this documentation site. |
get_doc | Fetch one documentation page by slug. |
Write tools (api:write)
| Tool | What it does |
|---|---|
submit_policy | Submit a policy for review from a public GitHub repository. Optionally declare an approved Policy Idea it delivers. |
submit_idea | Submit a Policy Idea for review. |
vote_idea | Toggle your vote on a Policy Idea. |
post_policy_comment | Post a comment, or a single-level reply, on a policy's discussion. |
deploy_policy | Deploy a policy to your Anypoint business groups. Asks you to confirm before enqueuing. Returns a deployment id per target so you can track progress with get_deployment. |
delete_deployment | Permanently delete one of your failed deployments. Asks you to confirm first; only failed deployments can be deleted. |
delete_failed_deployments | Permanently delete all your failed deployments, optionally just for one policy. Asks you to confirm first. |
rename_connection | Rename an Anypoint connection. |
delete_connection | Delete an Anypoint connection. Asks you to confirm before deleting. |
create_workspace | Create a shared workspace (you become its owner). |
rename_workspace | Rename a shared workspace you own. |
add_workspace_member | Add or re-enable a member of a workspace you administer. |
update_workspace_member | Change a member's role, or re-enable a disabled member. |
remove_workspace_member | Remove a member from a workspace. Asks you to confirm before removing. |
The destructive and outward-facing tools — deploy_policy, delete_connection, remove_workspace_member, delete_deployment, delete_failed_deployments — ask you to confirm before acting. If your client supports interactive confirmation (MCP elicitation), it will pop up a prompt and the action runs only if you accept. Clients that don't support it fall back to running the action under your write access — so only grant api:write to clients you trust.
Some clients (Claude Code among them) advertise interactive confirmation but can't actually show you the prompt, so the call would just stall. For those, pass confirm: true in the tool arguments to authorize the action explicitly — the client confirms with you in its own UI first, then re-runs the tool with that flag. Your api:write access plus the audit log remain the security boundary either way.
If a deploy_policy call times out, the deployment may still have been queued. Check list_deployments (or get_deployment with the id from the response) before trying again — don't blindly re-deploy. If you do re-run the same deploy within 5 minutes, it's recognized as a retry and returns the original deployment instead of starting a duplicate. When a deploy ends in failed, fetch get_deployment_logs for the same id to read the build output and see what went wrong.
References
- Overview — the endpoint and transport.
- Connecting a client — mint a token and configure your client.
- REST API reference — the underlying endpoints these tools call, callable directly with a token.
- Personal access tokens
- Getting started