{"id":"basher83-zammad-mcp","name":"Zammad-MCP","homepage":null,"repo_url":"https://github.com/basher83/Zammad-MCP","category":"communication","subcategories":[],"tags":["mcp","zammad","helpdesk","ticket-management","attachments","ai-integration"],"what_it_does":"Zammad-MCP is an MCP (Model Context Protocol) server that exposes Zammad helpdesk capabilities to AI assistants via tools for managing tickets, users, organizations, groups/system lists, and attachments (including listing, downloading as base64, and deleting attachments). It supports both stdio and an HTTP transport mode for remote MCP deployments.","use_cases":["AI-assisted ticket triage, search, and summarization","Drafting and updating ticket responses and metadata","User and organization lookup in Zammad","Managing ticket tags and adding articles/notes","Retrieving and handling ticket attachments during support workflows"],"not_for":["Direct public exposure of the MCP endpoint without authentication and TLS","Use cases requiring fine-grained, per-tool/operation authorization beyond what Zammad tokens provide","Real-time operations that require guaranteed low-latency and strict SLA guarantees (not documented)"],"best_when":"You need an agent-accessible helpdesk integration for Zammad and can run the MCP server with appropriate Zammad API tokens, using stdio for local/desktop use or HTTP behind a properly secured reverse proxy.","avoid_when":"Avoid exposing the HTTP transport broadly or without TLS/auth; avoid username/password auth if an API token is available; avoid sending large unpaginated requests that could stress rate limits.","alternatives":["Build a custom MCP server (or agent tool layer) directly on top of the Zammad REST API","Use an unofficial Zammad API client library in an agent framework without MCP","Use Zammad native integrations/webhooks combined with an agent (where applicable)"],"af_score":66.0,"security_score":65.1,"reliability_score":32.5,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T15:31:43.402765+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":"http://localhost:8000/mcp/ (HTTP transport; url configurable by MCP_HOST/MCP_PORT)","has_sdk":false,"sdk_languages":[],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["ZAMMAD_HTTP_TOKEN (API token)","ZAMMAD_OAUTH2_TOKEN (OAuth2 token)","ZAMMAD_USERNAME / ZAMMAD_PASSWORD (username/password)"],"oauth":true,"scopes":false,"notes":"Authentication is delegated to Zammad using a configured token or credentials. README advises API tokens over passwords; it also notes tokens must have permissions for operations. The MCP layer itself does not appear to provide additional fine-grained scopes beyond what the Zammad token allows."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"Open-source project; no service pricing described. Costs are those of running the MCP server and consuming your Zammad instance/API usage."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":66.0,"security_score":65.1,"reliability_score":32.5,"mcp_server_quality":78.0,"documentation_accuracy":74.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":78.0,"rate_limit_clarity":60.0,"tls_enforcement":60.0,"auth_strength":80.0,"scope_granularity":35.0,"dependency_hygiene":70.0,"secret_handling":78.0,"security_notes":"README and manifest indicate multiple security measures: input validation/sanitization, SSRF protection via URL validation, XSS prevention, preference for API tokens over passwords, dependency scanning and CI security testing (Bandit/Safety/pip-audit). For HTTP transport, README warns to bind to 0.0.0.0 only behind a reverse proxy with TLS and to implement authentication at the proxy/application layer; this suggests TLS/auth are not inherently enforced by the MCP server itself.","uptime_documented":0.0,"version_stability":55.0,"breaking_changes_history":35.0,"error_recovery":40.0,"idempotency_support":"false","idempotency_notes":"No explicit idempotency guarantees documented for create/update operations.","pagination_style":"supports pagination for some read operations (e.g., get_ticket/articles) and references pagination for stats; no uniform pagination contract documented across all tools","retry_guidance_documented":false,"known_agent_gotchas":["HTTP transport requires MCP_TRANSPORT=http and correct MCP_HOST/MCP_PORT; endpoint is at /mcp/","Docker stdio mode requires the -i flag so the server can receive stdin","Large searches/downloads may hit Zammad rate limits; README recommends reducing frequency and paginating"]}}