DevOps Agent
Docs
Everything you need to connect your cloud infrastructure, automate deployments, and manage incidents โ all through a natural language chat interface.
Getting Started
You can be up and running in under five minutes. Here's the full flow from registration to your first cloud command.
list my EC2 instances in us-east-1. The agent will call the appropriate tool and return results in plain English.Chat Interface
The chat interface is the primary way to interact with DevOps Agent. You talk to the AI in plain English and it figures out which tools to call, in what order, and how to present the results.
Example commands
List all running EC2 instances in us-east-1
Stop instance i-0abc123def456789
Create a t3.micro instance named web-server-01
# Cost & optimization
What are my top 5 most expensive AWS services this month?
Show me idle EC2 instances I can terminate
# Kubernetes
Show pods in the production namespace
Scale the api-deployment to 4 replicas
Get logs for pod api-server-xyz
# Incident response
Run the high-cpu-usage playbook on app-server-02
Show me all firing alerts in the last 2 hours
Confirmation for risky operations
Before executing any destructive action (deleting resources, terminating instances, modifying IAM policies), the agent will pause and ask you to confirm. This cannot be disabled โ it is a core safety feature.
Model selector
Use the model toggle in the chat toolbar to switch between AI providers:
| Model | Provider | Best for |
|---|---|---|
| Kimi K2.5 | Moonshot AI | Fast responses, free/starter tiers |
| Claude Sonnet | Anthropic | Complex multi-step reasoning (Professional) |
| Claude Opus | Anthropic | Deepest analysis, largest context (Business) |
Credits
Each message deducts one credit. Your remaining credits are shown in the chat header. Free-tier users receive 20 credits per month. Paid plans include a monthly credit allocation โ see the Billing section for details.
Dashboard
The Dashboard gives you a live overview of your cloud infrastructure without having to ask the agent. It auto-syncs every time you visit.
| Widget | What it shows |
|---|---|
| Resource Summary | Total EC2, RDS, S3, Lambda, and Kubernetes resources across all connected providers |
| Cost Trends | Monthly spend chart + month-over-month change |
| Cost Forecast | Projected spend for the current month based on usage so far |
| Recommendations | Cost savings and rightsizing suggestions from your last sync |
| Resource Groups | Breakdown by service (EC2, RDS, etc.) with expandable utilization detail |
Learning Mode
Enable Learning Mode in Settings โ Preferences to have the agent explain every action it takes as it takes it. Ideal if you're new to a cloud provider or want to build knowledge while getting work done.
Experience levels
| Level | What changes |
|---|---|
| Beginner | Full concept explanations, analogies, step-by-step reasoning, links to AWS/GCP/Azure docs |
| Intermediate | Concise explanations, highlights tradeoffs and gotchas, skips basics |
| Advanced | Minimal commentary, focuses on results and edge cases only |
Your proficiency per topic is tracked automatically. Check Settings โ Learning โ Proficiency Radar to see where you're strongest and where there are gaps.
Sandbox Mode
Sandbox Mode lets you experiment with any command without touching real cloud resources. All tool calls return simulated but realistic responses โ perfect for demos, onboarding, or testing destructive workflows safely.
Sandbox Mode simulates realistic failure scenarios too โ disk full, pod crash loops, service downtime โ so you can practice incident response without manufacturing real outages.
Amazon Web Services
DevOps Agent supports 155 AWS tools covering EC2, VPC, IAM, RDS, Lambda, ECS, EKS, S3, DynamoDB, CloudFormation, Route53, SNS/SQS, CloudWatch, ElastiCache, and more.
Connecting AWS โ Access Key mode
Best for individuals and small teams. Navigate to Settings โ Cloud Credentials โ AWS:
ReadOnlyAccess policy to start, or a custom policy scoped to the services you want the agent to manage.Connecting AWS โ IAM Role mode (enterprise)
Best for enterprise setups and cross-account access. Instead of long-lived access keys, the agent assumes an IAM Role using STS. Under Settings โ AWS โ switch to Role ARN mode and provide:
| Field | Example |
|---|---|
| Role ARN | arn:aws:iam::123456789012:role/DevOpsAgentRole |
| External ID | Optional โ use for cross-account trust policies |
| Region | us-east-1 |
Microsoft Azure
DevOps Agent supports 36 Azure tools covering Virtual Machines, Storage, SQL, NSGs, Container Instances, Disks, VNets, and Public IPs.
Connecting Azure
Navigate to Settings โ Cloud Credentials โ Azure and provide:
| Field | Where to find it |
|---|---|
| Subscription ID | Azure Portal โ Subscriptions |
| Tenant ID | Azure Active Directory โ Properties โ Tenant ID |
| Client ID | App registrations โ your app โ Application (client) ID |
| Client Secret | App registrations โ your app โ Certificates & secrets โ New client secret |
| Default Location | e.g. eastus |
Google Cloud Platform
DevOps Agent supports 40 GCP tools covering Compute Engine, Cloud Storage, Cloud SQL, GKE, Cloud Run, Pub/Sub, Secret Manager, BigQuery, Cloud Functions, and Cloud Logs.
Connecting GCP
roles/compute.viewer, roles/storage.admin)..json file will download.Kubernetes
DevOps Agent supports 28 Kubernetes tools covering pods, deployments, services, namespaces, ConfigMaps, secrets, ingress, nodes, and jobs.
Connecting a cluster
DevOps Agent uses your local kubeconfig file. Ensure the machine running the agent has a valid kubeconfig at ~/.kube/config (or the path set in KUBECONFIG) with credentials for the cluster you want to manage.
To use a specific context, include the context name in your message:
Supported operations
| Resource | Operations |
|---|---|
| Pods | List, describe, logs, delete, exec |
| Deployments | List, describe, create, update image, scale, delete |
| Services | List, create, delete |
| Namespaces | List, get, create, delete |
| Nodes | List, cordon, uncordon |
| ConfigMaps / Secrets | Create, delete |
| Ingress / Jobs | Create, delete |
CI/CD โ Jenkins & GitHub Actions
DevOps Agent supports 21 CI/CD tools โ 11 for Jenkins and 10 for GitHub Actions โ covering pipelines, builds, jobs, and workflow runs.
Jenkins (11 tools)
Set your Jenkins URL and credentials in Settings โ CI/CD before using Jenkins tools. The agent uses the Jenkins REST API with Basic auth.
| Tool | Description |
|---|---|
list_jenkins_jobs | List all jobs on the Jenkins server |
get_jenkins_job_status | Get the current status of a job |
get_jenkins_build_logs | Retrieve console output for a specific build |
trigger_jenkins_build | Trigger a job build (optionally with parameters) |
stop_jenkins_build | Abort a running build |
list_jenkins_pipelines | List all pipeline jobs |
get_jenkins_pipeline_status | Get pipeline run status |
create_jenkins_pipeline | Create a new pipeline job from a Jenkinsfile |
delete_jenkins_job | Delete a job (high-risk, requires confirmation) |
get_jenkins_queue | View the build queue |
get_jenkins_server_info | Retrieve server version and health info |
GitHub Actions (10 tools)
Set your GitHub token (GITHUB_TOKEN) in Settings. The token needs actions:read and actions:write scopes.
| Tool | Description |
|---|---|
list_github_workflows | List all workflows in a repository |
get_github_workflow_runs | Get recent runs for a workflow |
trigger_github_workflow | Trigger a workflow dispatch event |
cancel_github_workflow_run | Cancel a running workflow |
get_github_workflow_run_logs | Download logs from a workflow run |
list_github_actions_secrets | List Actions secrets for a repo |
create_github_actions_secret | Create or update an Actions secret |
delete_github_actions_secret | Delete an Actions secret |
get_github_repo_info | Get repository metadata and stats |
list_github_branches | List branches in a repository |
Example prompts
Docker
DevOps Agent supports 22 Docker tools covering container lifecycle, image management, volumes, networks, and Docker Compose.
Requirements
Docker must be installed and running on the machine where the agent runs. The agent communicates with the Docker daemon via the Docker SDK for Python (docker package).
Supported operations
| Category | Operations |
|---|---|
| Containers | List, inspect, start, stop, restart, remove, exec, logs, stats |
| Images | List, pull, build, remove, tag, push |
| Volumes | List, create, remove |
| Networks | List, create, remove |
| Compose | Up, down, ps (via shell) |
Example prompts
Terraform
DevOps Agent supports 16 Terraform tools for managing infrastructure-as-code: workspaces, state, plans, and module operations.
How it works
Terraform tools operate on a working_dir โ the directory containing your .tf files. Terraform must be installed on the machine where the agent runs.
Supported operations
| Category | Operations |
|---|---|
| Core | Init, validate, plan, apply, destroy |
| State | List, show, move, remove resources |
| Workspaces | List, create, select, delete |
| Output & Providers | Show outputs, list providers, format |
terraform_apply and terraform_destroy are classified as high-risk operations. The agent will ask for confirmation and show the plan output before proceeding.
Example prompts
SonarQube
DevOps Agent supports 12 SonarQube tools for code quality analysis, quality gate checks, and issue management.
Configuration
Set SONAR_TOKEN and SONAR_BASE_URL (e.g., https://sonarqube.yourcompany.com) in your environment. The token needs at minimum Browse permission on projects you want to inspect.
Supported operations
| Category | Operations |
|---|---|
| Projects | List projects, get project quality gate status and metrics |
| Issues | List issues by severity, type, or component; mark as resolved |
| Quality Gates | List quality gates, get conditions |
| Metrics | Coverage, duplication, technical debt, code smells, bugs, vulnerabilities |
Example prompts
Nexus Repository
DevOps Agent supports 12 Nexus Repository Manager tools for artifact management, repository administration, and component search.
Configuration
Set NEXUS_BASE_URL, NEXUS_USERNAME, and NEXUS_PASSWORD in your environment. The agent uses the Nexus REST API v1 with Basic authentication.
Supported operations
| Category | Operations |
|---|---|
| Repositories | List, get details, create hosted/proxy, delete |
| Components | Search, list, get, delete artifacts |
| Assets | List assets in a repository |
| System | Health check, node info, tasks list |
Example prompts
Ansible
DevOps Agent supports 13 Ansible tools for playbook execution, inventory management, and role discovery.
Requirements
Ansible must be installed on the machine where the agent runs. Playbook tools operate on a working_dir containing your playbooks and inventory.
Supported operations
| Category | Operations |
|---|---|
| Playbooks | Run playbook, run with tags, run with extra vars, dry-run (check mode) |
| Inventory | List hosts, list groups, ping all hosts |
| Roles & Galaxy | List installed roles, install from Galaxy |
| Ad-hoc | Run ad-hoc module commands against host patterns |
Example prompts
Alerting โ PagerDuty & OpsGenie
DevOps Agent supports 16 alerting tools โ 8 for PagerDuty and 8 for OpsGenie โ for incident management, on-call schedules, and alert routing.
PagerDuty (8 tools)
Set PAGERDUTY_API_KEY in your environment. Requires a REST API key from PagerDuty's API Access section.
| Category | Operations |
|---|---|
| Incidents | List, get details, create, acknowledge, resolve |
| On-call | Get current on-call users for a schedule |
| Services | List PagerDuty services |
| Escalation | List escalation policies |
OpsGenie (8 tools)
Set OPSGENIE_API_KEY in your environment.
| Category | Operations |
|---|---|
| Alerts | List, get details, create, acknowledge, close |
| On-call | Get current on-call users |
| Teams & Schedules | List teams, list schedules |
Example prompts
Tools Overview
The agent has access to 727 tools across 17 categories. You never call tools directly โ the agent selects and chains the right ones based on your request.
| Provider / Category | Tools | Services covered |
|---|---|---|
| AWS | 334 | EC2, VPC, IAM, RDS, Lambda, ECS, EKS, S3, DynamoDB, CloudFormation, Route53, SNS/SQS, CloudWatch, ElastiCache, EFS, EventBridge, Kinesis, NAT, ALB, ECR, Secrets Manager |
| Azure | 38 | VMs, Storage, SQL, NSGs, Container Instances, Disks, VNets, Public IPs |
| GCP | 42 | Compute, GCS, Cloud SQL, GKE, Cloud Run, Pub/Sub, Secret Manager, BigQuery, Firewall, Cloud Functions, Logs |
| Kubernetes | 76 | Pods, Deployments, Services, Namespaces, ConfigMaps, Secrets, Ingress, Nodes, Jobs |
| CI/CD | 35 | Jenkins (jobs, builds, pipelines, queue), GitHub Actions (workflows, runs, secrets) |
| Docker | 22 | Containers (lifecycle, exec, logs), Images, Volumes, Networks, Compose |
| Terraform | 25 | Init, plan, apply, destroy, state management, workspaces, outputs |
| SonarQube | 12 | Projects, issues, quality gates, coverage & technical debt metrics |
| Nexus | 12 | Repositories, components, assets, system health |
| Ansible | 13 | Playbooks, inventory, ad-hoc commands, roles, Galaxy |
| Monitoring | 12 | Prometheus, CloudWatch metrics, threshold alerts |
| Alerting | 16 | PagerDuty (incidents, on-call, services), OpsGenie (alerts, teams, schedules) |
| Pentest | 12 | Port scanning, SSL checks, HTTP security headers, DNS enumeration |
| Git | 6 | Status, log, diff, branches, commits, stash |
Safety levels
Every tool is classified into one of three risk levels:
| Level | Examples | Behaviour |
|---|---|---|
| Low | List, describe, get, read operations | Executes immediately |
| Medium | Update, restart, scale, IAM changes | Agent asks for confirmation |
| High | Delete, terminate, drop, purge operations | Requires explicit yes/no confirmation. Escalates to Critical if targeting production. |
Monitoring & Alerts
The Monitoring tab lets you create threshold-based alerts on any metric exposed by your cloud provider or Prometheus.
Creating a monitor
85 for 85% CPU). The threshold must be a number โ text values are rejected.Incident Response
The Incidents tab provides automated runbook execution. When an alert fires, you can trigger a playbook that diagnoses and remediates the issue automatically.
Built-in playbooks
| Playbook | What it does |
|---|---|
| high-cpu-usage | Identifies the top CPU-consuming processes, optionally restarts the service or scales the deployment |
| memory-pressure | Checks for memory leaks, triggers a restart or node cordon if critical |
| disk-space-low | Lists large files and stale logs, creates a cleanup plan |
| pod-crashloop | Fetches pod logs, identifies the crash reason, applies a fix or rolls back |
| service-down | Runs connectivity checks, restarts the service, escalates if unresolved |
| security-alert | Blocks the offending IP via security group rule, notifies the team |
REST API
The DevOps Agent REST API lets you integrate cloud automation directly into your own tools, scripts, and CI/CD pipelines. All endpoints require an API key โ generate one from Settings โ Developer โ API Keys.
Authentication
Pass your API key in the Authorization header on every request:
Authorization: Bearer YOUR_API_KEY
Alternatively, use the api_key query parameter for clients that cannot set headers:
GET /api-gateway/v1/resources?api_key=YOUR_API_KEY
Base URL
https://devopsagent.io/api-gateway/v1
Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /resources | List all synced infrastructure resources |
| GET | /resources/:id | Get a specific resource by ID |
| GET | /analytics/costs | Cost analytics for the current billing period |
| GET | /incidents | List all incidents |
| POST | /incidents | Create a new incident manually |
| GET | /health | Health check โ no auth required, for load balancers |
Rate limiting
Requests are rate-limited per API key. The current limit and remaining quota are returned on every response:
| Header | Meaning |
|---|---|
X-RateLimit-Limit | Maximum requests allowed per hour |
X-RateLimit-Remaining | Requests remaining in the current window |
X-RateLimit-Reset | Unix timestamp when the window resets |
When the limit is exceeded the API returns 429 Too Many Requests.
Example โ list resources
curl https://devopsagent.io/api-gateway/v1/resources \ -H "Authorization: Bearer YOUR_API_KEY"
{
"resources": [
{ "id": 1, "name": "prod-web-01", "type": "ec2", "status": "running", "region": "us-east-1" },
{ "id": 2, "name": "prod-db", "type": "rds", "status": "available", "region": "us-east-1" }
]
}
MCP Server
DevOps Agent exposes all cloud tools as an MCP (Model Context Protocol) server registered on the official MCP Registry. Connect any MCP-compatible AI client โ Claude Desktop, Claude.ai, or custom agents โ and manage your infrastructure without leaving your AI assistant.
Registry
The server is published on the official MCP Registry and npm:
| Registry | Identifier |
|---|---|
| MCP Registry | io.github.shittuay/devops-agent |
| npm | @devopsagent/mcp-server |
Connect via Claude.ai (Connectors)
Go to Claude.ai โ Settings โ Connectors โ Add custom connector and fill in:
| Field | Value |
|---|---|
| Name | DevOps Agent |
| Remote MCP server URL | https://devopsagent.io/mcp |
| OAuth Client ID | claude-connector |
| OAuth Client Secret | devopsagent-mcp-secret-2026 |
Click Add. Claude will open a DevOps Agent login page โ sign in with your DevOps Agent credentials to authorize the connection. All your tools will be available in Claude immediately after.
Connect via Claude Desktop
Generate an API key at /api-gateway/keys, then edit your claude_desktop_config.json (macOS: ~/Library/Application Support/Claude/, Windows: %APPDATA%\Claude\):
{
"mcpServers": {
"devops-agent": {
"url": "https://devopsagent.io/mcp/sse",
"headers": {
"Authorization": "Bearer YOUR_API_KEY"
}
}
}
}
Restart Claude Desktop โ all DevOps Agent tools appear in the tool list automatically.
Endpoints
| Method | Path | Description |
|---|---|---|
| POST | /mcp | Streamable HTTP transport (MCP 2025-03-26). Used by Claude.ai connectors. Returns JSON-RPC responses inline. |
| GET | /mcp/sse | HTTP+SSE transport. Used by Claude Desktop. Server sends an endpoint event with your session's message URL. |
| POST | /mcp/messages?sessionId=โฆ | JSON-RPC message endpoint for SSE sessions. Responses are pushed back via the SSE stream. |
| GET | /mcp/health | Public health check. Returns tool count and protocol version. No auth required. |
Authentication
Two authentication methods are supported:
| Method | How | Used by |
|---|---|---|
| OAuth 2.0 | Authorization Code flow with PKCE. Client ID + Secret in connector settings. | Claude.ai connectors |
| API Key | Authorization: Bearer YOUR_API_KEY header, or ?api_key= query param. | Claude Desktop, custom clients |
Generate API keys at /api-gateway/keys.
OAuth 2.0 Endpoints
| Path | Description |
|---|---|
/.well-known/oauth-protected-resource | Resource metadata (RFC 9728) โ advertises the authorization server URL. |
/.well-known/oauth-authorization-server | Authorization server metadata (RFC 8414) โ lists all OAuth endpoints. |
/mcp/oauth/authorize | Authorization endpoint โ shows login page, issues auth code on success. |
/mcp/oauth/token | Token endpoint โ exchanges auth code for access token. Supports client_secret_post and client_secret_basic. |
Supported JSON-RPC methods
| Method | Description |
|---|---|
initialize | Handshake โ returns server name, version, and capabilities |
tools/list | Returns all tools with names, descriptions, and input schemas |
tools/call | Execute a tool by name with the provided arguments |
ping | Keepalive โ server returns an empty result |
Example โ streamable HTTP (Claude.ai)
POST https://devopsagent.io/mcp
Authorization: Bearer YOUR_ACCESS_TOKEN
Content-Type: application/json
{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "list_ec2_instances",
"arguments": { "region": "us-east-1" }
}
}
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"content": [{ "type": "text", "text": "{ \"success\": true, \"instances\": [...] }" }],
"isError": false
}
}
Protocol
Implements MCP protocol version 2025-03-26. SSE sessions expire after 10 minutes of inactivity with keepalive comments every 15 seconds. OAuth access tokens are valid for 30 days.
Billing & Plans
DevOps Agent is billed per subscription tier. Each tier includes a monthly credit allocation that refreshes on your billing date.
| Plan | Price | Credits/mo | AI Model |
|---|---|---|---|
| Free | $0 | 20 | Kimi K2.5 |
| Starter | $29/mo | 1,000 | Kimi K2.5 |
| Professional | $99/mo | 5,000 | Claude Sonnet |
| Business | $299/mo | 10,000 | Claude Opus |
Credit packs
Need more credits without upgrading your plan? Purchase one-time credit packs from the Billing page:
| Pack | Price (USD) | Price (NGN) |
|---|---|---|
| 100 credits | $10 | โฆ5,000 |
| 250 credits | $20 | โฆ9,000 |
| 500 credits | $35 | โฆ15,000 |
| 1,000 credits | $60 | โฆ25,000 |
Payments are processed securely via Stripe. Both USD and NGN currencies are supported โ the currency is auto-detected from your location and can be manually toggled on the billing page.
Security & 2FA
Two-factor authentication
Enable 2FA in Settings โ Security โ Two-Factor Authentication. DevOps Agent supports both:
| Method | How to set up |
|---|---|
| Authenticator App (TOTP) | Scan the QR code with Google Authenticator, Authy, or 1Password. Save your backup codes in a safe place. |
| Email OTP | A one-time code is sent to your registered email address on each login. |
Lost access to your authenticator?
If you can no longer access your authenticator app (deleted the app, got a new phone, etc.), you can reset 2FA from the login screen:
Credential encryption
All cloud credentials (AWS keys, Azure client secrets, GCP service account JSON) are encrypted at rest using AES-128 (Fernet) before being stored in the database. Credentials are decrypted only at request time, in memory, and never logged.
Guardrails
Every message passes through a three-layer guardrail stack before any credits are charged:
Teams
The Teams tab is available on Starter plans and above. It lets an admin invite colleagues to the same workspace so they share access to cloud integrations and conversations.
Roles
| Role | Can do |
|---|---|
| Admin | Invite/remove members, change roles, manage cloud credentials, full agent access |
| Approver | Review and approve high-risk operations flagged by the safety system |
| User | Full agent access, cannot manage team or credentials |
| Viewer | Read-only access to conversations and dashboard |
Settings
| Setting | Where | What it does |
|---|---|---|
| Cloud Credentials | Settings โ Cloud | Add or update AWS, Azure, GCP credentials. Each provider has a Test Connection button. |
| Learning Mode | Settings โ Preferences | Agent explains every action inline. Tracks proficiency per topic. |
| Sandbox Mode | Settings โ Preferences | All tool calls return simulated results. No real cloud calls made. |
| Experience Level | Settings โ Preferences | Beginner / Intermediate / Advanced โ controls explanation depth in Learning Mode. |
| Model Override | Chat toolbar | Force Kimi or Claude regardless of your subscription tier default. |
| Two-Factor Auth | Settings โ Security | Enable TOTP or email OTP for login. |
| Password | Settings โ Security | Change your login password. |
| Notifications | Settings โ Notifications | Configure email alerts for monitoring rules and billing events. |
FAQ
Can the agent accidentally delete my cloud resources?
All delete and terminate operations require an explicit confirmation from you before executing. The agent will describe exactly what will be deleted and wait for your yes/no. You can always type "no" or "cancel" to abort.
Where are my cloud credentials stored?
Credentials are stored encrypted in our database using AES-128 encryption. They are decrypted in memory only when a tool call needs them, and are never written to logs or included in AI model context.
What happens when I run out of credits?
On the Free plan, you'll see an upgrade prompt when credits reach zero โ no charge is made automatically. On paid plans, your subscription auto-renews monthly. You can also purchase credit packs any time from the Billing page.
Does the agent have access to my data inside cloud resources (e.g. database contents, S3 file contents)?
No. The agent can list, describe, start, stop, and manage the lifecycle of cloud resources โ but it does not read the contents of databases, S3 objects, or secrets stored in Secrets Manager unless you explicitly paste content into the chat.
What regions are supported for AWS?
All AWS regions. The default region is set when you configure your credentials. You can override the region per-message by including it in your prompt, e.g. list EC2 instances in eu-west-1.
How do I cancel my subscription?
Go to Billing โ Manage Subscription โ Cancel plan. Your subscription stays active until the end of the current billing period, then downgrades to the Free plan. No refunds are issued for unused credits in the current period.
Is there an API I can call programmatically?
Not yet. API access for programmatic integration is on the roadmap. Watch the GitHub repo for updates.