# Hetzner Cloud MCP Server — 123 tools via DADL

The Hetzner Cloud DADL turns Hetzner Cloud's API into an MCP server that Claude, GPT or any MCP-compatible agent can consume directly. One YAML file declares all 123 tools — server, load, floating, primary, volume, firewall, and more — and ToolMesh serves them at runtime. No Python boilerplate, no per-endpoint code, no separate MCP server process.

Below: the endpoint coverage matrix, a two-block ToolMesh setup, the full tool reference grouped by Hetzner Cloud feature area, required credential scopes.

**Source:** [Hetzner Cloud API](https://docs.hetzner.cloud)

**Updated:** 2026-04-01

**Tags:** cloud, devops, security, crud, metrics, file-management, auth:bearer

## Which Hetzner Cloud endpoints are covered?

**61%** (122 of ~200 endpoints).

**Focus:** servers, server actions, server metrics, volumes, networks, firewalls, load balancers, load balancer metrics, floating IPs, primary IPs, images, SSH keys, placement groups, certificates, datacenters, locations, server types, ISOs, pricing

**Missing:** storage boxes (separate API at api.hetzner.com), DNS zones/rrsets (separate API), S3 credential management

*Last reviewed: 2026-04-01*

## How do you configure the Hetzner Cloud DADL?

1. Log in to Hetzner Cloud Console at https://console.hetzner.cloud
2. Select or create a project
3. Navigate to Security -> API Tokens
4. Click 'Generate API Token'
5. Enter a description and select Read or Read & Write permissions
6. Copy the token immediately -- it is shown only once

**Environment variable:** `CREDENTIAL_HETZNER_CLOUD_TOKEN`

[Authentication docs](https://docs.hetzner.com/cloud/api/getting-started/generating-api-token/)

*API tokens are scoped to a single project. To manage multiple projects, create one token per project. Tokens have either Read or Read & Write permission -- there are no per-resource scopes.*

## How do you install the Hetzner Cloud MCP server with ToolMesh?

Add to your `backends.yaml`:

```yaml
- name: hetzner-cloud
  transport: rest
  dadl: /app/dadl/hetzner-cloud.dadl

```

Set the credential:

```
CREDENTIAL_HETZNER_CLOUD_TOKEN=your-token-here
```

## What 123 tools does the Hetzner Cloud DADL expose?

- **GET** `list_servers` — List all servers. Supports label_selector, name, sort, and status filtering.
- **GET** `get_server` — Get details of a specific server
- **POST** `create_server` — Create a new server. Returns server object and root_password (if no SSH keys). Action is async -- poll the returned action.
- **PUT** `update_server` — Update a server's name or labels
- **DELETE** `delete_server` — Delete a server immediately. All data on the server is lost. Irreversible.
- **POST** `power_on_server` — Power on a server
- **POST** `power_off_server` — Hard power off a server (like pulling the power cord). Use shutdown for graceful stop.
- **POST** `reboot_server` — Soft reboot a server (sends ACPI signal)
- **POST** `reset_server` — Hard reset a server (like pressing the reset button). Use reboot for graceful restart.
- **POST** `shutdown_server` — Gracefully shut down a server (sends ACPI shutdown signal)
- **POST** `enable_rescue_server` — Enable rescue mode. Returns root_password for the rescue system. Reboot to enter rescue.
- **POST** `disable_rescue_server` — Disable rescue mode
- **POST** `rebuild_server` — Rebuild a server from an image. All data is destroyed. Irreversible.
- **POST** `change_server_type` — Change server type (resize). Server must be off. Disk can only be upgraded, not downgraded.
- **POST** `create_image_from_server` — Create a snapshot image from a server
- **POST** `attach_iso_to_server` — Attach an ISO to a server
- **POST** `detach_iso_from_server` — Detach any ISO from a server
- **POST** `change_server_protection` — Change delete and rebuild protection for a server
- **POST** `change_server_dns_ptr` — Change reverse DNS entry for a server IP
- **POST** `attach_server_to_network` — Attach a server to a network
- **POST** `detach_server_from_network` — Detach a server from a network
- **POST** `enable_server_backup` — Enable automatic backups for a server
- **POST** `disable_server_backup` — Disable automatic backups for a server. Existing backups are kept until their expiry.
- **POST** `add_server_to_placement_group` — Add a server to a placement group. Server must be stopped.
- **POST** `remove_server_from_placement_group` — Remove a server from its placement group
- **GET** `list_server_actions` — List all actions for a server
- **GET** `get_server_action` — Get details of a specific server action
- **GET** `get_server_metrics` — Get metrics (time series) for a server. Returns Prometheus-style data points for the requested metric types within the given time range.
- **GET** `get_load_balancer_metrics` — Get metrics for a load balancer. Returns time series for open connections, connections/s, requests/s, and bandwidth.
- **GET** `list_volumes` — List all volumes
- **GET** `get_volume` — Get details of a specific volume
- **POST** `create_volume` — Create a new volume. Set server to auto-attach, or leave unattached.
- **PUT** `update_volume` — Update a volume's name or labels
- **DELETE** `delete_volume` — Delete a volume. Must be detached first.
- **POST** `attach_volume` — Attach a volume to a server
- **POST** `detach_volume` — Detach a volume from a server
- **POST** `resize_volume` — Resize a volume. Can only increase size, not decrease.
- **POST** `change_volume_protection` — Change delete protection for a volume
- **GET** `list_networks` — List all networks
- **GET** `get_network` — Get details of a specific network
- **POST** `create_network` — Create a new network with an RFC 1918 IP range
- **PUT** `update_network` — Update a network's name or labels
- **DELETE** `delete_network` — Delete a network. All subnets and routes are removed.
- **POST** `add_subnet_to_network` — Add a subnet to a network
- **POST** `delete_subnet_from_network` — Delete a subnet from a network
- **POST** `add_route_to_network` — Add a route to a network
- **POST** `delete_route_from_network` — Delete a route from a network
- **POST** `change_network_protection` — Change delete protection for a network
- **GET** `list_firewalls` — List all firewalls
- **GET** `get_firewall` — Get details of a specific firewall including its rules
- **POST** `create_firewall` — Create a new firewall with optional initial rules and resource assignments
- **PUT** `update_firewall` — Update a firewall's name or labels
- **DELETE** `delete_firewall` — Delete a firewall. Must be unapplied from all resources first.
- **POST** `set_firewall_rules` — Overwrite all rules of a firewall. This replaces all existing rules.
- **POST** `apply_firewall_to_resources` — Apply a firewall to servers or label selectors
- **POST** `remove_firewall_from_resources` — Remove a firewall from servers or label selectors
- **GET** `list_load_balancers` — List all load balancers
- **GET** `get_load_balancer` — Get details of a specific load balancer
- **POST** `create_load_balancer` — Create a new load balancer
- **PUT** `update_load_balancer` — Update a load balancer's name or labels
- **DELETE** `delete_load_balancer` — Delete a load balancer
- **POST** `add_load_balancer_service` — Add a service (listener) to a load balancer
- **POST** `update_load_balancer_service` — Update a service on a load balancer
- **POST** `delete_load_balancer_service` — Delete a service from a load balancer
- **POST** `add_load_balancer_target` — Add a target to a load balancer
- **POST** `remove_load_balancer_target` — Remove a target from a load balancer
- **POST** `change_load_balancer_type` — Change the type of a load balancer
- **POST** `change_load_balancer_protection` — Change delete protection for a load balancer
- **POST** `attach_load_balancer_to_network` — Attach a load balancer to a network
- **POST** `detach_load_balancer_from_network` — Detach a load balancer from a network
- **POST** `change_load_balancer_algorithm` — Change the balancing algorithm
- **POST** `change_load_balancer_dns_ptr` — Change reverse DNS entry for a load balancer IP
- **GET** `list_floating_ips` — List all floating IPs
- **GET** `get_floating_ip` — Get details of a specific floating IP
- **POST** `create_floating_ip` — Create a new floating IP
- **PUT** `update_floating_ip` — Update a floating IP's name, description, or labels
- **DELETE** `delete_floating_ip` — Delete a floating IP. Must be unassigned first.
- **POST** `assign_floating_ip` — Assign a floating IP to a server
- **POST** `unassign_floating_ip` — Unassign a floating IP from a server
- **POST** `change_floating_ip_protection` — Change delete protection for a floating IP
- **POST** `change_floating_ip_dns_ptr` — Change reverse DNS entry for a floating IP
- **GET** `list_primary_ips` — List all primary IPs
- **GET** `get_primary_ip` — Get details of a specific primary IP
- **POST** `create_primary_ip` — Create a new primary IP
- **PUT** `update_primary_ip` — Update a primary IP's name, labels, or auto_delete setting
- **DELETE** `delete_primary_ip` — Delete a primary IP. Must be unassigned first.
- **POST** `assign_primary_ip` — Assign a primary IP to a server
- **POST** `unassign_primary_ip` — Unassign a primary IP from a server
- **POST** `change_primary_ip_protection` — Change delete protection for a primary IP
- **POST** `change_primary_ip_dns_ptr` — Change reverse DNS entry for a primary IP
- **GET** `list_images` — List all images (system, snapshot, backup, app)
- **GET** `get_image` — Get details of a specific image
- **PUT** `update_image` — Update an image's description, type, or labels. Only for snapshot/backup images.
- **DELETE** `delete_image` — Delete an image. Only snapshot and backup images can be deleted.
- **POST** `change_image_protection` — Change delete protection for an image
- **GET** `list_ssh_keys` — List all SSH keys
- **GET** `get_ssh_key` — Get details of a specific SSH key
- **POST** `create_ssh_key` — Create (upload) a new SSH key
- **PUT** `update_ssh_key` — Update an SSH key's name or labels
- **DELETE** `delete_ssh_key` — Delete an SSH key
- **GET** `list_certificates` — List all certificates
- **GET** `get_certificate` — Get details of a specific certificate
- **POST** `create_certificate` — Create a certificate (upload or request managed via Let's Encrypt)
- **PUT** `update_certificate` — Update a certificate's name or labels
- **DELETE** `delete_certificate` — Delete a certificate
- **GET** `list_placement_groups` — List all placement groups
- **GET** `get_placement_group` — Get details of a specific placement group
- **POST** `create_placement_group` — Create a new placement group
- **PUT** `update_placement_group` — Update a placement group's name or labels
- **DELETE** `delete_placement_group` — Delete a placement group. Must have no servers assigned.
- **GET** `list_actions` — List all actions across all resources
- **GET** `get_action` — Get details of a specific action
- **GET** `list_server_types` — List all available server types with specs and pricing
- **GET** `get_server_type` — Get details of a specific server type
- **GET** `list_locations` — List all available locations
- **GET** `get_location` — Get details of a specific location
- **GET** `list_datacenters` — List all available datacenters
- **GET** `get_datacenter` — Get details of a specific datacenter
- **GET** `list_isos` — List all available ISO images
- **GET** `get_iso` — Get details of a specific ISO image
- **GET** `list_load_balancer_types` — List all available load balancer types
- **GET** `get_load_balancer_type` — Get details of a specific load balancer type
- **GET** `get_pricing` — Get all pricing information for server types, images, volumes, floating IPs, load balancers, and traffic

## Which DADLs are related to Hetzner Cloud?

- [NetBox](https://www.dadl.ai/d/netbox/) — NetBox DCIM/IPAM API -- full v4 coverage: sites, racks, devices, modules, interfaces, cables, power, IPAM (prefixes, IPs, VLANs, VRFs, route-targets, VLAN translation), virtualization, circuits (including virtual circuits), tenants, contacts, VPN (IKE/IPSec/L2VPN), wireless, extras (webhooks, event-rules, scripts, config-templates, bookmarks, notifications), users/permissions/tokens, and core data sources & jobs
- [Tailscale](https://www.dadl.ai/d/tailscale/) — Tailscale API -- devices, users, auth keys, DNS, ACL/policy, webhooks, contacts, posture integrations, log streaming, and tailnet settings
- [Xen Orchestra](https://www.dadl.ai/d/xen-orchestra/) — Xen Orchestra REST API (XO 6.4+, current through 6.5) -- complete coverage: VMs (incl. PATCH update + snapshot revert), VM controllers, hosts, pools, storage (SR/VDI/VBD), networks (VIF/PIF/PBD), VM/VDI snapshots, VM templates, hardware (PCI/PGPU/SM), tasks, backups (jobs/logs/repositories/restore), schedules, messages, alarms, events (SSE), RBAC v2 (users/groups/acl-roles/acl-privileges), proxies, servers, dashboards, auth tokens, SDN traffic rules, health check
- [Cloudflare](https://www.dadl.ai/d/cloudflare/) — Cloudflare API -- DNS, Pages, Workers, KV, R2, D1, Zones, SSL/TLS, Cache, Load Balancers, Firewall/WAF, Page Rules, Access (Zero Trust), and account management
- [DeepL](https://www.dadl.ai/d/deepl/) — DeepL REST API — text translation (with style profiles, translation memory, glossaries and improved tag handling), document translation, multilingual glossary management, style rules CRUD, text improvement (Write), language metadata and usage tracking. Mixes /v2 and /v3 endpoints.

- [Mempool](https://www.dadl.ai/d/mempool/) — mempool.space — Bitcoin block explorer, mempool visualizer, fee estimator, Lightning Network explorer, and transaction accelerator

---

**Canonical URL:** https://www.dadl.ai/d/hetzner-cloud/
**Raw DADL:** https://github.com/DunkelCloud/dadl-registry/blob/main/hetzner-cloud.dadl