Every tool Primitive MCP exposes, split by required scope.
Most tools on Primitive MCP fall under one of two scopes. Clients request the scope set they need at connect time, and the user sees the scope list on the OAuth consent screen.
mcp:read — read-only inspection. Safe to grant broadly for general-purpose agents. Org admins should note that billing and invoice tools live under mcp:read and return sensitive data — see the Billing section before granting mcp:read to cloud-hosted or web-browsing agents.mcp:write — state-changing actions. Confirm before granting; require human approval for each call.A small set of utility tools (health, whoami) are unscoped — they don't require either mcp:read or mcp:write. They're listed first below.
System tools any authenticated caller can invoke. Useful for connectivity and identity checks; they don't read or change application data.
| Tool | What it does |
|---|---|
health | Returns server status. Useful as a connectivity check. |
whoami | Returns the authenticated user (id, username, email) derived from the bearer token. |
mcp:readRead-only tools. None of these change state on Primitive.
| Tool | What it does |
|---|---|
get_organization | Fetch a single organization by slug or id. |
list_organizations | List organizations the authenticated user can see. |
get_team | Fetch a single team. |
list_teams | List teams within an organization. |
get_member | Fetch a single membership record. |
list_members | List members of an organization. |
get_invitation | Fetch a single pending invitation. |
list_invitations | List pending invitations for an organization. |
| Tool | What it does |
|---|---|
get_project | Fetch a single project. |
list_projects | List projects across the user's organizations. |
get_job | Fetch a single job. |
list_jobs | List jobs within a project. |
get_job_settings | Fetch the run configuration for a job. |
list_job_settings | List job settings records. |
get_job_run | Fetch a single job run. |
list_job_runs | List job runs for a job. |
get_job_run_logs | Fetch the tail of a job run's log output. |
| Tool | What it does |
|---|---|
get_hardware | Fetch a registered hardware host. |
list_hardware | List hardware visible to the caller. |
get_hardware_type | Fetch a hardware type definition. |
list_hardware_types | List hardware types. |
get_capability | Fetch a single capability definition. |
list_capabilities | List capabilities. |
get_operating_system | Fetch an operating system definition. |
list_operating_systems | List operating systems. |
get_reservation | Fetch a single hardware reservation. |
list_reservations | List hardware reservations in an organization (defaults to default org). |
| Tool | What it does |
|---|---|
get_file | Fetch a single file's metadata. |
list_files | List files within scope. |
Billing tools return financial data — invoice PDFs, payment-method metadata, tax IDs, billing addresses — and are only accessible to users with billing permissions in Primitive (typically org admins). Treat them with the same caution as mcp:write in agentic workflows, especially with cloud-hosted agents or anything that processes untrusted content. Billing data may also be regulated personal data in some jurisdictions (e.g., a sole trader's tax ID is personal data under GDPR).
| Tool | What it does |
|---|---|
get_active_plan | Fetch the active subscription plan for the organization. |
get_billing_info | Fetch billing address / contact info, including tax ID and invoice email. |
get_invoice | Fetch a single invoice. Returns a short-lived PDF download URL — treat it as a bearer credential. |
list_invoices | List invoices for the organization. |
get_subscription | Fetch the current Stripe subscription. |
list_payment_methods | List saved payment methods (card brand, last 4 digits, expiry). |
mcp:writeThese tools change real state. Recommend human-in-the-loop approval before each call.
| Tool | What it does |
|---|---|
update_organization | Update an organization's settings. |
delete_organization | Delete an organization. |
update_team | Update a team's settings. |
delete_team | Delete a team. |
remove_member | Remove a user from an organization. |
set_member_role | Change a member's role. |
create_invitation | Invite a new member by email. |
revoke_invitation | Cancel a pending invitation. |
| Tool | What it does |
|---|---|
update_project | Update a project's settings. |
delete_project | Delete a project. |
update_job | Update a job definition. |
delete_job | Delete a job. |
update_job_settings | Update the run configuration for a job. |
cancel_job_run | Cancel an in-flight job run. |
| Tool | What it does |
|---|---|
delete_hardware | Unregister a hardware host. |
rename_hardware | Change a host's display name. |
set_hardware_capabilities | Replace the capability set on a host. |
set_hardware_default_jobs | Replace the default-jobs list for a host. |
update_hardware_type | Update a hardware type definition. |
delete_hardware_type | Delete a hardware type. |
update_capability | Update a capability definition. |
delete_capability | Delete a capability. |
update_operating_system | Update an operating system definition. |
delete_operating_system | Delete an operating system. |
create_reservation | Reserve a hardware host. |
release_reservation | Release a held reservation. |
| Tool | What it does |
|---|---|
update_file | Update file metadata. |
delete_file | Delete a file. |
The toolset evolves. To see exactly what your client can call right now, connect and ask the agent to list its tools — or run whoami to confirm the connection is live.