Back to Academy

Developer Guide

Set up the Omnitrex CLI, configure MCP servers for Claude Code, and access the platform API. Everything a developer needs to work with Omnitrex programmatically.

6 min read·Omnitrex Team

API Keys

All programmatic access to Omnitrex uses API keys.

  1. Log in to the dashboard at https://app.omnitrex.eu
  2. Navigate to Settings > API Keys
  3. Click Create API Key and copy the key immediately (it's shown only once)
API keys are passed as Authorization: Bearer headers. Scopes control what the key can do:
  • nodes:read / nodes:write — Read and modify nodes
  • links:read / links:write — Read and modify cross-domain links
  • status:write — Push status updates and change node statuses
  • audit:read — Read audit logs
  • users:read — Read user data

Omnitrex CLI

The CLI lets you push compliance updates like you push code — directly from your terminal.

Installation

npm install -g @omnitrex/cli

Authentication

# Interactive (prompts for API key)
omnitrex auth login

Direct

omnitrex auth login --key YOUR_API_KEY

Local development (uses http://localhost:3001)

omnitrex auth login --local

Verify your connection:

omnitrex auth status

Project Setup

Link a project directory to a GRC node:

cd your-project
omnitrex init          # Interactive node selection
omnitrex link NODE_ID  # Or link directly by ID

This creates .omnitrexrc.json in your project root.

Push Status Updates

The core workflow — record compliance changes without leaving your terminal:

omnitrex push "Deployed v2.1.0 with encryption at rest"
omnitrex push "Completed quarterly access review"
omnitrex push "Fixed CVE-2026-1234 in dependency X"

Node Management

omnitrex nodes list                    # List all nodes
omnitrex nodes list --domain RISK      # Filter by domain
omnitrex nodes list --status LIVE      # Filter by status
omnitrex nodes get NODE_ID             # Get node details
omnitrex nodes create                  # Interactive node creation
omnitrex nodes archive NODE_ID         # Soft-delete

Search and Export

omnitrex search "payment processing"   # Full-text search
omnitrex export nodes --format csv     # Export to CSV
omnitrex export nodes -o nodes.json    # Export to JSON file

Git Integration

Automatically sync commit messages to your linked GRC node:

omnitrex git-hook install              # Install post-commit hook
omnitrex sync                          # Sync last 10 commits
omnitrex sync --since "1 week ago"     # Sync recent commits

CI/CD Integration

Generate pipeline configs for 10+ platforms:

omnitrex github-action     # GitHub Actions
omnitrex gitlab-ci         # GitLab CI
omnitrex azure-pipeline    # Azure DevOps
omnitrex jenkinsfile       # Jenkins

Notification Channels

Route compliance events to your existing tools:

omnitrex notify slack WEBHOOK_URL
omnitrex notify teams WEBHOOK_URL
omnitrex notify discord WEBHOOK_URL
omnitrex notify test                   # Test all channels

MCP Servers

Omnitrex provides three Model Context Protocol servers that give AI assistants like Claude direct access to your GRC data, email, and files.

Server 1: mcp-omnitrex (61 tools)

Direct read/write access to the Omnitrex platform — query nodes, manage links, generate reports, and run gap analysis.

Setup:

cd mcp-omnitrex
npm install && npm run build

Environment variables:

VariableRequiredDescription
OMNITREX_API_URLYesPlatform API URL (e.g., https://api.omnitrex.eu)
OMNITREX_API_KEYYesAPI key from Settings > API Keys
Add to Claude Code: 
claude mcp add omnitrex \
  -e OMNITREX_API_URL=https://api.omnitrex.eu \
  -e OMNITREX_API_KEY=YOUR_KEY \
  -- node dist/index.js

Verify: Ask Claude "Who am I on Omnitrex?"

Server 2: mcp-ms365-mail (18 tools)

Manage Outlook email and calendar with draft-before-send safety.

Azure AD setup (one-time, ~5 minutes):

  1. Go to entra.microsoft.com > App registrations > New registration
  2. Name: MCP Outlook, Account types: Multitenant + personal
  3. Add delegated permissions: User.Read, Mail.ReadWrite, Mail.Send
  4. Enable Allow public client flows under Authentication > Advanced settings
Environment variables:
VariableRequiredDescription
MS365_CLIENT_IDYesAzure app Application (client) ID
MS365_TENANT_IDYesAzure app Directory (tenant) ID
MS365_INTERNAL_DOMAINSNoComma-separated internal domains
Add to Claude Code: 
claude mcp add mcp-ms365-mail \
  -e MS365_CLIENT_ID=YOUR_CLIENT_ID \
  -e MS365_TENANT_ID=YOUR_TENANT_ID \
  -- node dist/index.js

First use: Claude will show a device code URL. Open it in a browser, paste the code, sign in, and accept permissions. Tokens are cached automatically.

Server 3: mcp-ms365-files (13 tools)

Manage OneDrive files and SharePoint document libraries.

Azure AD setup: Same process as mcp-ms365-mail, but create a separate Azure app with these delegated permissions: User.Read, Files.ReadWrite, Sites.ReadWrite.All.

Important: Do not reuse the mail app — each server needs its own token cache and scopes.

Environment variables:

VariableRequiredDescription
MS365_CLIENT_IDYesAzure app Application (client) ID
MS365_TENANT_IDYesAzure app Directory (tenant) ID
Add to Claude Code: 
claude mcp add mcp-ms365-files \
  -e MS365_CLIENT_ID=YOUR_CLIENT_ID \
  -e MS365_TENANT_ID=YOUR_TENANT_ID \
  -- node dist/index.js

Combined Claude Desktop Config

{
  "mcpServers": {
    "omnitrex": {
      "command": "node",
      "args": ["path/to/mcp-omnitrex/dist/index.js"],
      "env": {
        "OMNITREX_API_URL": "https://api.omnitrex.eu",
        "OMNITREX_API_KEY": "omni_YOUR_KEY"
      }
    },
    "mcp-ms365-mail": {
      "command": "node",
      "args": ["path/to/mcp-ms365-mail/dist/index.js"],
      "env": {
        "MS365_CLIENT_ID": "your-mail-client-id",
        "MS365_TENANT_ID": "your-tenant-id"
      }
    },
    "mcp-ms365-files": {
      "command": "node",
      "args": ["path/to/mcp-ms365-files/dist/index.js"],
      "env": {
        "MS365_CLIENT_ID": "your-files-client-id",
        "MS365_TENANT_ID": "your-tenant-id"
      }
    }
  }
}

Safety Features

All three MCP servers include:

  • Audit logging — Every write operation logged to monthly-rotated JSONL files
  • No permanent deletes — Only archive/soft-delete operations available
  • Rate limiting — mcp-omnitrex enforces 10 writes per minute
  • Draft-before-send — mcp-ms365-mail requires explicit confirmation to send email

REST API

The backend exposes a full REST API at {BACKEND_URL}/api. Key endpoints:

GET    /api/auth/me              # Current user
GET    /api/nodes                # List nodes (with domain, status, layer filters)
POST   /api/nodes                # Create node
GET    /api/nodes/:id            # Get node details
PUT    /api/nodes/:id            # Update node
DELETE /api/nodes/:id            # Archive node
POST   /api/nodes/:id/status-updates  # Push status update
GET    /api/links                # List links
POST   /api/links                # Create link
GET    /api/audit/:nodeId        # Audit log
GET    /api/users                # List users
GET    /api/health               # Health check

All endpoints require an Authorization: Bearer header.

Next Steps