P4A Documentation
MCP Server

What the client can do

The read, documentation, and write tools the P4A MCP server exposes, and how token scopes gate them.

What the client can do

The tools the server exposes mirror what you can do in the portal, scoped to your account and gated by your token's scopes. Read tools require api:read; write tools require api:write. Documentation search needs only a valid token. See Connecting a client for how to mint a token with the right scopes.

Read tools (api:read)

ToolWhat it does
search_policiesSearch the policy catalog. Pass source: "mulesoft" to search MuleSoft's out-of-the-box Omni Gateway policies instead of the community catalog; with that source, direction: "inbound" / "outbound" filters by enforcement leg.
get_policyFetch one community policy by id.
get_install_commandGet the manual install/deploy commands for a policy.
get_mulesoft_policyFetch one MuleSoft out-of-the-box policy by slug, including its full documentation.
list_deploymentsList your deployments, newest first.
get_deploymentGet one deployment plus its latest build progress.
get_deployment_logsGet a deployment's build-log lines — the same output you see live in My Deployments — to diagnose a failed or in-flight deploy.
list_my_connectionsList your Anypoint connections (no secrets returned).
list_my_submissionsList your policy submissions, optionally filtered by status.
list_my_workspacesList your workspace memberships and your role in each.
get_connectionGet one Anypoint connection by id (no secrets returned).
list_connection_business_groupsList the Anypoint business groups a connection can reach — the deploy targets for deploy_policy.
get_workspaceGet one workspace, your role, and its members.
list_ideasList Policy Ideas, optionally filtered by query or category.
get_ideaFetch one Policy Idea by id, including its reviewer feedback_history (each round the idea was sent back or rejected, newest-first) when you can see it.
get_policy_commentsList the discussion comments on a policy (flat, oldest-first; replies carry a parent id).

Documentation tools

ToolWhat it does
search_docsFull-text search across this documentation site.
get_docFetch one documentation page by slug.

Write tools (api:write)

ToolWhat it does
submit_policySubmit a policy for review from a public GitHub repository. Optionally declare an approved Policy Idea it delivers.
submit_ideaSubmit a Policy Idea for review.
vote_ideaToggle your vote on a Policy Idea.
post_policy_commentPost a comment, or a single-level reply, on a policy's discussion.
deploy_policyDeploy a policy to your Anypoint business groups. Asks you to confirm before enqueuing. Returns a deployment id per target so you can track progress with get_deployment.
delete_deploymentPermanently delete one of your failed deployments. Asks you to confirm first; only failed deployments can be deleted.
delete_failed_deploymentsPermanently delete all your failed deployments, optionally just for one policy. Asks you to confirm first.
rename_connectionRename an Anypoint connection.
delete_connectionDelete an Anypoint connection. Asks you to confirm before deleting.
create_workspaceCreate a shared workspace (you become its owner).
rename_workspaceRename a shared workspace you own.
add_workspace_memberAdd or re-enable a member of a workspace you administer.
update_workspace_memberChange a member's role, or re-enable a disabled member.
remove_workspace_memberRemove a member from a workspace. Asks you to confirm before removing.

The destructive and outward-facing tools — deploy_policy, delete_connection, remove_workspace_member, delete_deployment, delete_failed_deployments — ask you to confirm before acting. If your client supports interactive confirmation (MCP elicitation), it will pop up a prompt and the action runs only if you accept. Clients that don't support it fall back to running the action under your write access — so only grant api:write to clients you trust.

Some clients (Claude Code among them) advertise interactive confirmation but can't actually show you the prompt, so the call would just stall. For those, pass confirm: true in the tool arguments to authorize the action explicitly — the client confirms with you in its own UI first, then re-runs the tool with that flag. Your api:write access plus the audit log remain the security boundary either way.

If a deploy_policy call times out, the deployment may still have been queued. Check list_deployments (or get_deployment with the id from the response) before trying again — don't blindly re-deploy. If you do re-run the same deploy within 5 minutes, it's recognized as a retry and returns the original deployment instead of starting a duplicate. When a deploy ends in failed, fetch get_deployment_logs for the same id to read the build output and see what went wrong.

References

On this page