API-Central

175 tools. 77 can modify or destroy data without limits.

17 destructive tools with no built-in limits. Policy required.

Last updated:

77 can modify or destroy data
98 read-only
175 tools total

Community server · catalogue entry verified 30/06/2026

How to control API-Central ↓

What API-Central exposes to your agents

Read (98) Write / Execute (60) Destructive / Financial (17)
Critical Risk

The most dangerous API-Central tools

77 of API-Central's 175 tools can modify, destroy, or commit something on every call — and an agent calls them with no built-in limits.

How to control API-Central

PolicyLayer is an MCP gateway — it sits between your AI agents and API-Central, and nothing reaches the server without passing your rules. These are the rules we recommend:

Deny destructive operations
{
  "delete_aaa_profile": {
    "deny_if": [
      {
        "conditions": [],
        "on_deny": "Blocked by default. Requires approval."
      }
    ]
  }
}

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations
{
  "acknowledge_alert": {
    "limits": [
      {
        "counter": "acknowledge_alert_per_hour",
        "window": "hour",
        "max": 30,
        "scope": "grant"
      }
    ]
  }
}

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
{
  "aos_s_arp": {
    "limits": [
      {
        "counter": "aos_s_arp_per_minute",
        "window": "minute",
        "max": 60,
        "scope": "grant"
      }
    ]
  }
}

Controls API costs and prevents retry loops from exhausting upstream rate limits.

  1. Create a free account and register API-Central — nothing to install.
  2. Add these rules — paste them, or build them visually. Tune the limits to your setup.
  3. Point your MCP client (Claude, Cursor, anything) at your gateway URL.
ENFORCE POLICY ON API-CENTRAL →

Instant setup, no code required.

All 175 API-Central tools

WRITE 43 tools
Write acknowledge_alert Acknowledge, clear, or resolve an active alert. action: ACK/CLEAR/RESOLVE. Write add_devices_to_group Add devices to an existing device group by scope ID. Write add_mac_registration Register a MAC address for Central NAC. mac_address e.g. 'aa:bb:cc:dd:ee:ff'. Write add_mpsk_registration Create a Named MPSK registration. network = SSID; password_policy default "WORDS". Write add_visitor Create a Central NAC visitor account. name=login username; expire_at ISO 8601. Write assign_device_to_site Assign or move a device to a site. device_type hint: SWITCH/AP/GATEWAY. Write build_overlay_ssid build_overlay_ssid Write create_aaa_dot1xauth_profile Create a device-side 802.1X profile via POST /dot1xauth/{name}. Write create_aaa_macauth_profile Create a device-side MAC-auth (MAB) profile via POST /macauth/{name}. Write create_aaa_profile Create an AAA profile. fallback_role applies when auth server unreachable. Write create_allow_all_role Create a permit-all wireless role and scope-map it. Write create_auth_server create_auth_server Write create_authz_policy create_authz_policy Write create_config_assignment create_config_assignment Write create_device_group Create a device group, optionally pre-populated with device serial numbers. Write create_dot1x_auth_profile create_dot1x_auth_profile Write create_gw_cluster Create an empty gateway cluster profile shell (add members via gateway_join_cluster). Write create_gw_policy create_gw_policy Write create_mac_auth_profile create_mac_auth_profile Write create_port_profile Create or update a switch port profile and scope-map it. Write create_role create_role Write create_site Create a new site (mandatory geographic scope). Only name is required; name must be unique. Write create_static_tag Create a static classification tag (UUID auto-generated). Used in authz policies to assign roles. Write create_vlan Create an L2 VLAN and scope-map it (org-wide if scope_id omitted). Write create_vlan_interface Create an L3 SVI at device scope (global L2 VLAN shell is auto-confirmed). Write create_webhook create_webhook Write gateway_config_interface PATCH ethernet interface config on an Aruba gateway at device scope. Write gateway_config_static_route Create or replace a static route on an Aruba gateway at device scope. Write gateway_join_cluster Add/update gateway cluster membership (POST to create, PATCH if duplicate). Write glp_add_device Add a device to the GLP workspace (async task, polls until complete, ~5min max). Write glp_add_devices_bulk Bulk add devices to GLP. devices: dicts with 'serialNumber' and 'macAddress'. Write glp_assign_subscription Assign a GLP subscription (license) to a device. Write push_aruba_device_profiles Ensure the four standard Aruba LLDP device profiles exist at library level (idempotent). Write remove_devices_from_group Remove devices from their current device group. Write rotate_webhook_key Rotate the HMAC key for a webhook. Write set_hostname Set the hostname alias on a device. Write set_port_auth PATCH a sw-port-profile to bind mac-auth / dot1x / server-group / role. Write update_device_settings Update device metadata (name, location, notes, banner). device_scope_id required for switch-system path. Write update_mac_registration Update an existing MAC registration. mac_address required even for updates. Write update_port_config PATCH ethernet interface config on a CX switch at device scope. Write update_role PUT-update an existing wireless role in the Central Library. target: see create_role. Write update_ssid PATCH an existing SSID — only provided fields change. scope_id for LOCAL override. Write update_webhook PATCH an existing webhook — only provided fields are changed.
READ 98 tools
Read aos_s_arp Get the ARP table from an AOS-S switch (async, polls ~60s). Read aos_s_show Run 'show' commands on an AOS-S switch (all must start with 'show ', async polls ~60s). Read detect_client_flapping detect_client_flapping Read detect_ssh_brute_force detect_ssh_brute_force Read find_client Find a connected client by MAC address or IP address. Read find_device Find a single device by serial number. Returns the device record or None. Read find_mac_on_switch Find which port a MAC address is learned on for a CX switch. Read find_tool find_tool Read get_aaa_profile Get a single AAA profile by name. Read get_air_quality get_air_quality Read get_ap_neighbors Get neighboring APs visible to this AP with RSSI and channel. Read get_ap_ports List wired ports on an AP with link state, speed, VLAN, and duplex. Read get_ap_radios List radios on an AP with band, channel, power, utilization, and mode. Read get_audit_log Audit logs are not available on New Central instances. Read get_auth_profile Get a single Central NAC auth profile by UUID. Read get_auth_server Get a single RADIUS/auth server profile by name. Read get_authz_policy Get a single CNAC authz policy by ID. Read get_channel_utilization Get per-radio channel utilization and noise floor for an AP. Read get_client_details Fetch detailed info (usage, bandwidth, auth) for a single client by MAC address. Read get_client_roaming_history get_client_roaming_history Read get_client_signal_history get_client_signal_history Read get_cluster_members List members of a gateway cluster. Read get_cluster_tunnel_health Get tunnel health summary (up/down counts) for a gateway cluster. Read get_cluster_tunnels List tunnels for a gateway cluster. Read get_cx_arp_table Get the ARP table from a CX switch. Read get_cx_mac_table Get the MAC address table from a CX switch. Read get_device_health Fetch config-health or monitoring health state for a device. Read get_device_running_config Download the running configuration for a device. Read get_device_trends Time-series utilization trends for an AP or switch. Read get_events_count Count events for a device over the past N hours (default 24). Read get_firmware Fetch current firmware details (version, compliance status, upgrades available) for a device. Read get_firmware_compliance Read the current firmware compliance policy at a given scope. Read get_global_scope_id Return the org-wide global scope_id — use this for 'everywhere'/'all APs' config. Read get_glp_device Fetch a single device from GLP by serial number. Read get_glp_subscription Fetch a single GLP subscription by ID. Read get_lldp_neighbors Get LLDP neighbor table from a CX switch. Read get_passpoint_identity_profile Fetch a Passpoint identity / ANQP NAI realm profile by name. Read get_passpoint_profile Fetch a Passpoint / 802.11u provider profile by name. Read get_scope_maps Return scope-map entries, optionally filtered by resource name (bounded by default). Read get_site Find a site by name (case-insensitive). Returns None if not found. Read get_site_health_summary Return a single-view health summary for a site. Read get_ssid Fetch an existing SSID config by name. Returns None if not found. Read get_switch_details Fetch full monitoring details for a switch (status, uptime, CPU, memory, VLANs). Read get_switch_interface_counters Get Tx/Rx byte and packet counters for CX switch interfaces. Read get_switch_interface_poe Fetch PoE state and power draw for all ports on a switch. Read get_switch_interface_trends Throughput trends for switch interfaces over a time window. Read get_switch_port_errors Get error counters for CX switch ports. Read get_switch_spanning_tree get_switch_spanning_tree Read get_switch_stacking_info get_switch_stacking_info Read get_switch_vlans List VLANs active on a switch (status, membership). filter: OData e.g. "status in ('Up')". Read get_webhook Fetch details for a single webhook by ID. Read get_wireless_metrics Fetch AP wireless metrics: RF stats, client count, utilization, channel. Read get_wlan Fetch monitoring details for a single WLAN by name. Read list_aaa_profiles List AAA profiles (bounded by default). Read list_alerts List active alerts. severity: CRITICAL/MAJOR/MINOR. No server-side offset pagination — narrow filters to page. Read list_ap_wlans List WLANs currently active on a specific AP. Read list_audit_logs Audit logs are not available on New Central instances. Read list_auth_profiles List Central NAC authentication profiles (bounded by default). Read list_auth_servers List RADIUS/auth server profiles (bounded by default). Read list_authz_policies List CNAC authorization policies (bounded by default). Read list_clients list_clients Read list_config_assignments List config assignments (library profiles bound to scopes). Optional filters: scope / device-function / profil Read list_config_templates List configuration templates defined in Central. Read list_device_groups List all device groups (scopeId, scopeName, description). Read list_devices List devices, optionally filtered by device_type (SWITCH/AP) or site_id. Server-side paginated. Read list_events List events for a device over the past N hours (bounded by default). Auto-resolves device type + site. Read list_fingerprinting_profiles List device-fingerprinting wireless profiles (bounded by default). Read list_fingerprinting_switch_profiles List device-fingerprinting switch profiles (bounded by default). Read list_firmware_upgrades list_firmware_upgrades Read list_glp_audit_logs List GLP audit log entries (who did what and when). Read list_glp_devices List devices in the GLP workspace (warranty, subscription state, lifecycle). Read list_glp_subscriptions List subscriptions (license keys) in the GLP workspace (type, assigned device, expiry). Read list_glp_users List users with access to the GLP workspace. Read list_gw_clusters List gateway clusters for overlay/tunneled SSIDs (bounded by default). Read list_gw_policies List GW security policies (bounded by default). Read list_identity_stores List Central NAC identity stores (bounded by default). Read list_inventory List claimed/unprovisioned devices. status: "Yes"=provisioned, "No"=claimed-only. device_type e.g. ACCESS_POIN Read list_mac_registrations List Central NAC MAC address registrations (bounded by default). Read list_mpsk_registrations List Central NAC Named MPSK registrations (bounded by default). Read list_named_vlans List named VLANs configured at the group/scope level in Central. Read list_overlay_wlans List overlay (tunneled/GRE) WLAN profiles (bounded by default). Read list_passpoint_identity_profiles List Passpoint identity / ANQP NAI realm profiles (bounded by default). Read list_passpoint_profiles List Passpoint / 802.11u provider profiles (bounded by default). Read list_rogue_aps list_rogue_aps Read list_role_acls List role ACL policies (bounded by default). Read list_roles List wireless/gateway roles (bounded by default). Read list_scopes List scopes (org, sites, device groups) with scope_id and scope_name (bounded by default). Read list_sites Return sites with IDs, names, and location fields (paginated). Read list_ssid_clients List all clients currently connected to a specific SSID. Read list_ssids Return wlan-ssid objects from Aruba New Central (bounded by default). Read list_static_tags List user-created static classification tags (bounded). System tags (e.g. IoT) not returned. Read list_switch_ports List switch interfaces (link state, speed, duplex, VLAN). filter: OData e.g. "speed eq '1000'". Read list_visitors List Central NAC visitor accounts (bounded by default). Read list_webhooks List configured webhooks (bounded by default). Read list_wlans List all WLANs visible in New Central monitoring. Read locate_client Get the approximate physical location of a client. Read lookup_api lookup_api Read search_docs search_docs

Related servers

Other MCP servers with similar tools — same risk classification, starter policies for each.

Questions about API-Central

Can an AI agent delete data through the API-Central MCP server? +

Yes. The API-Central server exposes 17 destructive tools including delete_aaa_profile, delete_auth_profile, delete_auth_server. These permanently remove resources with no undo. PolicyLayer blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through API-Central? +

The API-Central server has 43 write tools including acknowledge_alert, add_devices_to_group, add_mac_registration. Set a rate limit in your policy -- for example, 10 calls per hour prevents an agent from making more than 10 modifications per hour. PolicyLayer enforces this at the gateway, before calls reach API-Central.

How many tools does the API-Central MCP server expose? +

175 tools across 4 categories: Destructive, Execute, Read, Write. 98 are read-only. 77 can modify, create, or delete data.

How do I enforce a policy on API-Central? +

Register the API-Central MCP server in PolicyLayer, apply the suggested rules above (adjust the limits to your use case), and point your AI client at the PolicyLayer proxy URL instead of the server directly. Your agents keep the same tools; PolicyLayer evaluates every call against policy before it executes. Nothing to install, live in minutes.

Enforce policy on every API-Central tool call.

Deterministic rules across all 175 API-Central tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

Instant setup, no code required.

175 API-Central tools catalogued and risk-classified — across an index of 43,000+ MCP servers.

// WHERE THIS COMES FROM

These policies come from API-Central's registry record.

The record behind this page: verified identity, auth posture, risk grade, every tool classified, recommended policy — re-checked continuously.

Teams ship this data inside their own products. See what a licence covers →

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.