SYNOLOGY/MCP.
Install
← Back to overview
◆ Operations

Deployment.

Run synology-office-mcp on Linux, on macOS, in Docker, or directly on the NAS via Container Manager. Three transports, two auth modes, one binary.

stdio + SSE + HTTP
Docker · systemd · launchd
TLS by default

Transports

The server speaks three transports. Pick by where the agent runs.

TransportUse whenBind
stdioAgent runs on the same machine as the server (Claude Desktop, Claude Code).N/A — pipes.
sseAgent runs on a different machine on the LAN.Loopback unless MCP_AUTH_TOKEN set.
httpAgent is a long-running service or webhook consumer.Loopback unless MCP_AUTH_TOKEN set.
NetworkSSE and HTTP refuse to bind anything other than 127.0.0.1 unless you set MCP_AUTH_TOKEN. This is intentional and not configurable. Set the token, or use stdio.

Docker

The published image is multi-arch (amd64, arm64). It runs as a non-root user (uid 1000) with a read-only filesystem and a tmpfs at /tmp.

# Pull and run
docker pull ghcr.io/vocweb/synology-office-mcp:0.4.5
 
docker run --rm -i \
  -e SYNOLOGY_HOST=https://nas.lan:5001 \
  -e SYNOLOGY_USERNAME=mcp-user \
  -e SYNOLOGY_PASSWORD=... \
  -e DRIVE_ROOT_PATH=/team \
  ghcr.io/vocweb/synology-office-mcp:0.4.5

Run via Synology Container Manager: pull the image, set environment in the GUI, attach the container to the bridge network only. No volume mounts required — the server holds no on-disk state.

systemd unit

For Linux hosts running the SSE transport long-lived:

# /etc/systemd/system/synology-office-mcp.service
[Unit]
Description=Synology Office MCP Server
After=network-online.target
 
[Service]
Type=simple
User=mcp
EnvironmentFile=/etc/synology-office-mcp/env
ExecStart=/usr/local/bin/synology-office-mcp --transport sse --port 7777
Restart=on-failure
RestartSec=5
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
 
[Install]
WantedBy=multi-user.target

Environment variables

VarRequiredDefaultNotes
SYNOLOGY_HOSTFull URL incl. scheme + port. https://nas.lan:5001
SYNOLOGY_USERNAMEDedicated DSM user with the minimal permissions you want.
SYNOLOGY_PASSWORDLoaded once at startup. Never written to logs.
DRIVE_ROOT_PATHPath-guard prefix. Set to the smallest tree that covers your use case.
MCP_TRANSPORTstdiostdio | sse | http.
MCP_PORT7777SSE/HTTP only.
MCP_AUTH_TOKENRequired to bind non-loopback. 32+ chars, generated by you.
MCP_TLS_INSECUREfalseSelf-signed bypass. Logged loudly at startup. Avoid.
MCP_RATE_LIMIT_RPS20Per-client request rate limit. 0 disables.
MCP_LOG_LEVELinfosilent | error | warn | info | debug.

Health checks

HTTP transport exposes /health (200 + JSON) and /ready (200 only after first successful Synology auth). Wire these into your orchestrator.

curl -s http://127.0.0.1:7777/health
→ { ok: true, version: "0.4.5", uptime_s: 412 }
 
curl -s http://127.0.0.1:7777/ready
→ { ready: true, synology: { version: "DSM 7.2.2-72806", drive: "3.5.2-26119" } }

Move your
NAS forward.

MIT licensed. Open source. Self-hosted from the first byte to the last.

Star on GitHubRead the docs