Connect an AI tool to Impreza Host
Talk to your infrastructure in plain language: "what do I have running?", "deploy this project to my Impreza server and give me the URL". Impreza speaks MCP (Model Context Protocol β the "USB standard" AI tools use to gain new abilities), so the AI can act for you without leaving the chat. There are two ways to connect β start with the easy one.
The idea in one sentence #
Impreza exposes your whole account through MCP β the deploy platform (servers, app catalog, custom apps, domains, Tor, git-push auto-deploy) plus domains & DNS, VPS lifecycle (power, backups, reinstall) and crypto balance top-ups. Connect once and your AI gains Impreza tools it can call on its own, mid-conversation. How you connect depends on whether you just want to look (any AI client, zero setup) or also act (a coding agent with the full toolset).
Two ways to connect #
| A Β· Remote connector + OAuth | B Β· Local impreza-mcp | |
|---|---|---|
| Best for | Any AI client with remote connectors (Claude, incl. the web app). Zero install. | Coding agents (Claude Code, Cursor, Codex CLI, Continue, Zed). Shipping local code. |
| Setup | Paste a URL, click Authorize. No install. | One npx command + an API key. |
| Credentials | None to copy β OAuth, signed in your clientarea. | X-API-Key + secret (or pair with a code). |
| Tools | Full toolset, gated by the scopes you grant (read / deploy / manage). | Full toolset β plus uploading a local project folder. |
| Runs where | Our server (mcp.imprezahost.com). | Your machine (next to the AI tool). |
A Β· Remote connector + one-click OAuth easiest #
If your AI client supports remote MCP connectors (Claude does), this is the fastest path: no install, no API key, no IP whitelist. You paste one URL, the AI sends you to your Impreza clientarea to sign in and approve, and you're connected. Authorization happens entirely inside your own account β the AI never sees a password or a secret.
Connect in 4 steps
- In your AI client, open the connector settings. In Claude: Settings β Connectors β Add custom connector. (Other MCP-capable clients have an equivalent "add remote MCP server" option.)
- Give it a name (e.g.
Impreza) and paste the server URL:https://mcp.imprezahost.com/mcp - Click Connect. The client registers itself automatically and opens an Impreza page β sign in to your clientarea if you aren't already.
- You land on a consent screen showing the app name and what it's allowed to do. Click Authorize. Done β the AI now has the Impreza tools.
What you can ask
Anything the scopes you granted allow β the same toolset as the local server. For example:
- "List my Impreza servers and what's deployed." read
- "Deploy this GitHub repo to my VPS at app.example.com with a .onion mirror." deploy
- "Tail the logs for app X and restart it." deploy
- "Uninstall the old staging app." manage
read (see), deploy (create & operate),
manage (destructive, opt-in). A call beyond your grant comes back with a clear
"scope does not permit" message; re-authorize to widen or narrow it. The one thing only the local
path does: upload a project folder straight from your machine β the hosted connector builds from a
git URL or a public image instead.
Manage & disconnect
Every app you authorize shows up in clientarea β Impreza API β Connected Apps, with its scope and last-used time. Click Disconnect to revoke its token instantly (the AI client loses access on its next call). You can also remove the connector from the AI client's own settings.
impreza-mcp path (Method B) with a key β it never
needs a browser.
B Β· Local impreza-mcp β the full deploy toolset #
For coding agents β Claude Code, Cursor, Codex CLI, Continue, Zed β install the
impreza-mcp server next to the tool. It runs on your machine (not the
VPS) and gives the AI all 31 tools, including deploy. This is the AI-native path for
shipping code.
impreza-mcp runs on your
machine (next to Claude Code), not on the VPS. It is only the bridge
between the AI and our API. The thing that actually runs your apps is the agent
inside the VPS, covered in Tutorial 2.
The 3 prerequisites (read this first)
Most beginner problems come from skipping one of these three. The AI will complain with
"no servers on your account" or 403 IP_NOT_WHITELISTED, and it is always
one of them:
| # | Prerequisite | How to know you have it |
|---|---|---|
| 1 | A server (VPS / dedicated, Impreza or BYO) | Shows under My Apps |
| 2 | The agent running on it | status: online in My Apps |
| 3 | An API key (IP whitelist optional β see below) | Created under Impreza API |
1 β A server
Three ways to get one:
- Buy a VPS from Impreza β provisions in ~3 minutes (Proxmox). At checkout you pick what comes installed (see the box below).
- Buy a dedicated from Impreza β bare metal, manual provisioning (24β48h). Our team installs the agent for you.
- Bring your own (BYO) β any Debian / Ubuntu / RHEL / Alpine works. You just install the agent (next step).
- Impreza Agent β just the agent.
- Agent + MCP for AI tools β the agent plus a post-purchase email with the MCP quickstart. Best pick for the AI flow in this tutorial.
- A catalog app (WordPress, n8n, Vaultwardenβ¦) β the agent plus that app.
- No app β bare server, no agent (install later).
- A control panel β exclusive mode, no agent and no Docker catalog. Not for the AI flow; see Tutorial 2.
2 β The agent running on the server
If you bought from Impreza and chose "Impreza Agent" / "Agent + MCP" / a catalog app, the agent is already installed β skip to the API key. Otherwise:
- Sign in to portal.imprezahost.com β My Apps.
- Click + Add another server (or the Custom App tile, shown when you have a server but no online agent). The panel mints a 10-minute bootstrap token and prints a one-liner:
curl -fsSL https://raw.githubusercontent.com/imprezahost/agent-public/main/install.sh \ | IMPREZA_BOOTSTRAP=<token-from-panel> sh - Run it on the VPS as
root. Either SSH in yourself and paste it, or grant the AI SSH access and let it run the one-liner for you. - Within ~10 seconds the agent appears in My Apps as
status: online. Done.
BOOTSTRAP_EXPIRED β just click + Add another server again for a fresh one.
3 β API key (IP whitelist is now optional)
This is the credential the local MCP uses (different from the agent's own credential, issued automatically at bootstrap).
- Portal β Impreza API.
- Give it a label (
laptop,claude,ciβ¦), pick an IP mode (next paragraph), and click Generate New Key. - Copy the secret immediately. It is shown once; if you close the modal you cannot retrieve it (delete + recreate). The
imp_β¦prefix stays visible. (Or skip the copy entirely β pair with a code.)
Choose how the key's second factor (IP) works β per key:
| IP mode | What it does | Use when |
|---|---|---|
| Whitelist default | You add the allowed IP(s); calls from anywhere else get 403 IP_NOT_WHITELISTED. The original behaviour. | Static IP, maximum control. |
| Trust on first use | The first successful call pins that IP automatically; later calls must match. No manual whitelist step. | You don't know the IP up front but it's stable (laptop, one server). |
| Key only | Skips the IP factor entirely β the key + secret alone authenticate. (Availability is set by the operator.) | The caller's IP changes (CI, dynamic egress) and the secret is kept safe. |
403 is opt-out now. Pick Trust on first use or
Key only and there is no whitelist step at all. Staying on Whitelist? Open the
IP Whitelist tab and add the public IP of the machine running the AI tool
(find it with curl https://api.ipify.org) β or just click Add my current
IP. You can change a key's mode any time, and reset a trust-on-first-use binding to
re-pin from a new location.
Install the local MCP (one command)
npx -y impreza-mcp setup --tool claude-code
# also supported: cursor | codex-cli | continue | zed
The wizard writes the MCP config for that tool, prints the exact config file path, and tells you to restart the tool.
Manual config (same shape for Claude Code, Cursor, Codex CLI)
{
"mcpServers": {
"impreza": {
"command": "npx",
"args": ["-y", "impreza-mcp"],
"env": {
"IMPREZA_API_KEY": "imp_...",
"IMPREZA_API_SECRET": "..."
}
}
}
}
Fill IMPREZA_API_KEY / IMPREZA_API_SECRET with the key/secret from the
step above and restart the AI tool. The only machine prerequisite is Node.js (it
ships with npx).
Pair with a code (no secret to copy)
Don't want to copy-paste a secret into a config file? Pair the tool instead:
- Clientarea β Impreza API β Connect an AI assistant. Pick what the assistant may do (read / deploy / manage) and generate a one-time pairing code (valid 10 minutes).
- On the machine running the tool:
npx -y impreza-mcp login --code <code-from-clientarea> - The CLI exchanges the code for a key and stores it in
~/.impreza/credentials.json(permissions0600). The secret is never printed. The MCP server reads it automatically β no env vars to set.
The 31 tools the AI gains #
You never have to memorize these β just talk in plain language and the AI picks the right one. The remote connector exposes the same set; each call is gated by the scope you granted β β’ needs only read, unmarked needs deploy, and β needs manage (destructive or financial β opt-in on the consent screen):
| Tool | Does |
|---|---|
| Apps & deployments | |
impreza_list_servers β’ | List the account's VPSes + agents |
impreza_list_apps β’ | Browse the catalog |
impreza_list_deployments β’ | What is currently running |
impreza_deploy_custom | Deploy code from cwd (image / dockerfile / manifest) |
impreza_deploy_catalog_app | Install a catalog app |
impreza_uninstall_deployment β | Tear down a deployment |
impreza_restart_deployment | Restart a deployment's containers |
impreza_redeploy_deployment | Rebuild a custom deployment in place (domain + URL preserved) |
impreza_get_logs | Tail the last N lines of container logs |
impreza_change_domain | Re-route a running deployment to a new hostname |
impreza_add_onion | Provision a Tor .onion mirror for a deployment |
impreza_git_webhook_status β’ | Inspect the auto-deploy connection of a git-backed deployment |
impreza_git_webhook_connect | Install a GitHub push webhook (every commit re-deploys) |
impreza_git_webhook_disconnect | Disable auto-deploy (optionally delete the hook on GitHub) |
| Account & balance | |
impreza_account_info β’ | Profile, account status, currency + current balance |
impreza_list_services β’ | List billable services (VPS / hosting / domains) + their IDs |
impreza_topup β | Create a balance top-up invoice in BTC / XMR / USDT / TRX |
impreza_topup_status β’ | Poll a top-up invoice until it's paid |
| Domains & DNS | |
impreza_domain_check β’ | Check availability + price for one or more domains |
impreza_domain_details β’ | Status, expiry, nameservers, registrar-lock state |
impreza_list_dns β’ | List a domain's DNS records |
impreza_add_dns_record | Add an A / AAAA / CNAME / MX / TXT / β¦ record |
impreza_update_dns_record | Change an existing DNS record |
impreza_delete_dns_record | Remove a DNS record |
impreza_set_nameservers | Replace a domain's authoritative nameservers |
| VPS lifecycle (Proxmox) | |
impreza_vps_status β’ | Power state + live CPU / memory / disk / uptime |
impreza_vps_list_backups β’ | List available backups |
impreza_vps_list_templates β’ | List OS templates (to pick one for reinstall) |
impreza_vps_power | Start / shutdown / reboot / stop |
impreza_vps_create_backup | Trigger an on-demand backup |
impreza_vps_reinstall β | Wipe + reinstall from an OS template (erases all data) |
Using it in practice #
Some prompts that work well (the AI understands plain English):
- Ship the current project: "Deploy this project to my Impreza server and give me the URL." β
impreza_list_serversto find theagent_id, thenimpreza_deploy_custom. - Install a catalog app: "Install Vaultwarden on my VPS at vault.example.com with a .onion mirror." β
impreza_deploy_catalog_appwithonion: true. - Investigate: "Is app X down? Show me the last logs and restart it if needed." β
impreza_list_deploymentsβimpreza_get_logsβimpreza_restart_deployment. - Turn on auto-deploy: "Connect git auto-deploy so every push to main ships a new version." β
impreza_git_webhook_connect. - Point a domain: "Add an A record for app.example.com pointing at my VPS's IP." β
impreza_list_dnsto see what's there βimpreza_add_dns_record. - Manage a VPS: "Is my VPS up? Take a backup, then reboot it." β
impreza_vps_statusβimpreza_vps_create_backupβimpreza_vps_power. - Top up in crypto: "Add $50 to my balance in Monero." β
impreza_topupreturns a payment link;impreza_topup_statusconfirms once paid.
agt_β¦, dpl_β¦) by hand. Ask
"list my servers" / "list my deployments" and the AI discovers the IDs before acting.
Troubleshooting #
| Symptom | Cause | Fix |
|---|---|---|
Connector says "automatic client registration isn't supported" | Old cached connector entry | Remove the connector and re-add https://mcp.imprezahost.com/mcp β registration is automatic now |
| OAuth screen says the app is unverified | Expected β third-party AI clients self-register | Check the app name + redirect look right, then Authorize. Revoke later under Connected Apps |
403 IP_NOT_WHITELISTED (local MCP) | Key is in Whitelist mode and the IP isn't listed | Add it under Impreza API β IP Whitelist (or click Add my current IP), or switch the key to Trust on first use / Key only |
"no servers on your account" | You have a VPS but no agent installed | Do prerequisite 2 (My Apps β + Add another server) |
BOOTSTRAP_EXPIRED | The 10-min token expired | Generate another via + Add another server |
AI does not see the impreza_* tools | MCP did not load | Check the config JSON + env vars, then restart the tool |
401 / Unauthorized | Wrong key/secret, or a revoked OAuth token | The secret shows once β delete the key and generate a new one; for OAuth, re-authorize the connector |
400 "already in use" (domain) | *.imprezaapps.com name is taken (shared namespace) | Pick another name or leave it empty to auto-allocate |
Under the hood #
- Remote connector (OAuth 2.1): the AI client talks to
https://mcp.imprezahost.com/mcpand authorizes via standard OAuth β you consent in your clientarea, the client gets a scoped, revocable access token (no password or API secret ever leaves Impreza). Tokens are short-lived and refreshed automatically; revoke instantly under Connected Apps. - Customer β API (local MCP): headers
X-API-Key: imp_β¦+X-API-Secret: β¦. The second factor (IP) is per-key: whitelist (default), trust-on-first-use, or key-only. The MCP reads the key fromIMPREZA_API_KEY/IMPREZA_API_SECRETor from~/.impreza/credentials.json(after pairing). - Agent β API: headers
X-Agent-Id: agt_β¦+X-Agent-Secret: β¦, issued at bootstrap and stored in/etc/impreza-agent/credentials.toml. You never touch this. - Domains: empty
domainauto-allocates<app>-<6hex>.imprezaapps.com. Own domain? Point its A record at the agent IP before calling so Let's Encrypt can issue. - Other paths (no AI): the
imprezaCLI (Tutorial 4) and the REST API (Tutorial 3).
