olladns is API-first. Every setting that exists in the dashboard (and many that don't) is a REST endpoint or an MCP tool — version it, diff it, ship it from CI, or hand the keys to your AI agent.
Other DNS security products give you a click-heavy admin console and call the API an "advanced feature." We do the opposite: the console is intentionally read-only — every change goes through versionable, auditable, scriptable APIs. The result: zero drift between staging and prod, every change has an actor, and your AI editor can patch a policy at 2am without a human in the loop.
Every policy, every tenant, every device, every audit event. JSON in, JSON out, conventional verbs. Curl-able from the terminal, fetch-able from the browser, available in any language.
The same surface auto-generated as Model Context Protocol tools. Connect Claude, Cursor, or any MCP-compatible client to mcp.olladns.com and let an AI agent reconcile your policies, triage a phishing campaign, or onboard a new tenant.
Tokens carry granular scopes — policies:read, devices:write, audit:read. Mint a read-only key for your SIEM, a write-key for your IaC pipeline, a tool-specific key for each AI agent. Revoke independently.
Hosted at https://api.olladns.com/api/v1. JSON request bodies, JSON responses. Authentication via x-api-key: <token> header or Authorization: Bearer <jwt>. Every mutation writes an audit-log entry attributed to the actor.
# Mint a scoped key from the dashboard or via API curl -X POST https://api.olladns.com/api/v1/api-keys \ -H "x-api-key: $ADMIN_KEY" \ -H "content-type: application/json" \ -d '{"label":"ci-deploy","scopes":["policies:write"]}' # Block a domain curl -X PUT https://api.olladns.com/api/v1/policies/custom-rules \ -H "x-api-key: $CI_KEY" \ -H "content-type: application/json" \ -d '{"block":["evil.example.com"],"allow":[]}' # Register a device — get its DoH URL back curl -X POST https://api.olladns.com/api/v1/devices \ -H "x-api-key: $CI_KEY" \ -H "content-type: application/json" \ -d '{"slug":"bob-laptop","display_name":"Bob - Macbook Pro"}' # → {"id":7, ..., "doh_url":"https://dns.olladns.com/dns-query/<uuid>--bob-laptop"}
api.olladns.com/api/v1/openapi.json.
mcp.olladns.com exposes the entire API as Model Context Protocol tools.
Connect Claude, Cursor, Cline, Continue, Goose, or any MCP-compatible client and
your AI can configure tenants, write policies, triage detections, and reconcile
state — all gated by the same scoped tokens your humans use.
# ~/.claude/mcp.json { "mcpServers": { "olladns": { "url": "https://mcp.olladns.com", "headers": { "x-api-key": "qd_..." } } } } # Then in Claude: > List all DGA-flagged domains in the last 24h and > block any with a score above 0.85. # Claude calls top_dga, filters, then set_custom_rules. # Every action lands in /audit-logs with actor=api_key #N.
Connect your SOC AI agent to MCP. When a typosquat detection fires, the agent pulls the affected device, opens an incident, and asks the SOC analyst to confirm a block — all in-thread.
New tenant signs up? Your AI sales assistant provisions the tenant, mints a scoped key, subscribes default blocklists, and emails the customer their DoH URL — without a human touching the dashboard.
Keep your custom rules in git. CI calls PUT /policies/custom-rules on merge. Diff between environments. Roll back via revert.
Two authentication flows: human sessions (JWT, admin or viewer role) and machine identities (API keys with explicit scope arrays). No shared secrets, no shared blast radius.
Endpoints publish their required scopes via the x-required-scopes OpenAPI extension, so SDK generators and the MCP server pick them up automatically. Tokens carry a creation actor, an optional expiry, and a last_used_at for housekeeping.
Every audit event can fan out to your SIEM, your ChatOps, or your custom incident pipeline. Events are signed with HMAC-SHA256 over the body using a per-webhook secret; replay-safe with a timestamp header.
curl -X POST https://api.olladns.com/api/v1/webhooks \ -H "x-api-key: $K" \ -H "content-type: application/json" \ -d '{ "url":"https://soc.example.com/hooks/olladns", "events":["policy.*","threat.*","device.create"] }' # Event names use dotted-prefix wildcards. # "*" subscribes to every event.
# Headers on every POST: # X-Olladns-Signature: sha256=<hex> # X-Olladns-Timestamp: <unix-seconds> # X-Olladns-Event: policy.custom_rules.update import hmac, hashlib def verify(body, sig, secret): expected = hmac.new( secret.encode(), body, hashlib.sha256 ).hexdigest() return hmac.compare_digest( f"sha256={expected}", sig )
Full OpenAPI 3.1 spec including x-required-scopes and
x-mcp-tool extensions. Point openapi-generator
at it for typed clients in TypeScript, Go, Python, Rust, Swift, Kotlin —
or just curl it.