An MCP server for
the physical layer of the internet.
DNS, domains, certificates, monitors, incidents — every Relays primitive, exposed to Claude Code, Cursor, Windsurf, Zed, and any agent runtime that speaks Model Context Protocol.
Claude investigates.
Relays has the answers.
Install the MCP once. From then on, every chat, every agent, every pair session has DNS, certs, and monitoring as first-class capabilities.
Seventy-four tools.
Real ones.
Not “return this mock JSON”. Real-world operations with real side effects, rate limits, idempotency, and audit trails.
DNS
25 toolsEvery zone on your account
Create a zone, get NS delegations
All records for a zone, filterable
Create one or many, DNSSEC-signed
Atomic update with optimistic locking
Idempotent, soft-delete, restorable
Atomic multi-op with transactional rollback
BIND, JSON, Terraform, Pulumi
Paste a zone file, any format
Global propagation across 8 resolvers
Recursive trace from root
Live answers vs zone file
Chain-of-trust validation
Query volume, top names, answer mix
KSK/ZSK, DS records, NSEC3 params
Sign a zone, publish DS
Unsigned, with parent DS cleanup
Every RRSET for a domain
Depth + include chain + void
Selector discovery + key length
Policy parse + alignment
Which CAs can issue
Parent-child NS match
Receiver infrastructure
Registrar + expiry + lock
Domains
10 toolsCheck availability + price across 1,147 TLDs
Buy a domain · requires capability token
All domains on your account
Full domain details
Manual renewal · spend cap enforced
Transfer in with auth code
LLM-assisted name brainstorm
Generate an auth code
Toggle WHOIS privacy
Transfer lock / server lock
Certificates
8 toolsAll issued certificates
Full cert details + chain
ACME order, DNS-01 challenge
Bring-your-own-cert
Force renew before expiry
Revoke, reason, CRL update
Add/remove Subject Alt Names
Trust chain dry-run
Monitoring
8 toolsAll monitors
HTTP/TCP/DNS/ICMP/SSL/keyword/heartbeat
Pause without losing history
Latest N checks · p50/p95/p99
Time-range series
One-shot check from selected regions
Traceroute on failure
Synthetic browser check
Incidents
7 toolsOpen and historical
Manual incident declare
Acknowledge, start clock
Timeline note, status change
Close + cause-code
Manual escalation
Draft a template
Status pages
5 toolsAll status pages
New page with components
Post an incident update
Add a subscriber
Change component status
Give the keys.
Keep the spend.
Every MCP connection is issued a capability token with a scope, spend cap, rate limit, and expiry. Agents can only do what you explicitly allowed, within the budget you set.
- • Fine-grained scopes (dns:read · dns:write · domain:buy)
- • Spend caps per capability (daily / monthly / total)
- • Approval policies: auto / email / slack / webhook
- • Audit log with content-addressed receipts
- • Token rotation + just-in-time revocation
{
"id": "cap_9fe2",
"issued_to": "ONE (did:oas:one:agent:mira)",
"scopes": [
"dns:read",
"dns:write",
"domain:search",
"domain:buy"
],
"constraints": {
"spend_cap_monthly": { "USD": 500.00 },
"domain_tld_allowlist": ["com", "io", "ai", "run"],
"zones_allowlist": ["acme-ai.run", "*.relays.internal"],
"rate_limit": "60rpm",
"approval": {
"domain:buy": "auto_if_under $100, else slack #ops"
}
},
"expires_at": "2026-05-11T00:00:00Z",
"audit_webhook": "https://hooks.example.com/ops"
}Every call.
Hash-chained.
The audit log is a Merkle-chained append-only sequence. Export to SIEM. Prove to auditors. Replay an incident.
| T | Actor | Tool | Argument | Result | Hash |
|---|---|---|---|---|---|
| 14:02:11 | ONE | dns_list_records | acme-ai.run | ✓ 200 | …1620 |
| 14:02:14 | ONE | dns_create_record | A api → 142.93.18.201 | ✓ 200 | …8457 |
| 14:02:14 | ONE | dns_create_record | CNAME www → @ | ✓ 200 | …8315 |
| 14:02:15 | ONE | cert_issue | *.acme-ai.run | ✓ 200 | …6828 |
| 14:02:22 | cheetah | dns_update_record | TTL 1h → 5m | ✓ 200 | …0396 |
| 14:02:48 | ONE | domain_register | driftsense.io $49.00 | ✓ 200 | …6965 |
| 14:03:02 | mira | monitor_create | https://api.acme-ai.run | ✓ 200 | …3061 |
| 14:03:10 | ONE | domain_register | super-pricey.ai $899 | ✗ 402 spend-cap | …7189 |
Rotate keys
every morning.
Capability tokens are disposable. Relays can rotate them daily, on a schedule, or after every session. Old tokens are revoked atomically — your agents automatically pick up fresh ones through MCP resource updates.
Install the MCP.
Forget it exists.
Drop one line in your Claude Code config. Your agents start making real DNS changes in the next turn.
{
"mcpServers": {
"relays": {
"command": "npx",
"args": ["-y", "@relays/mcp"],
"env": {
"RELAYS_API_KEY": "rk_live_…",
"RELAYS_CAPABILITY": "cap_9fe2"
}
}
}
}