Backstage logo
via
HODORHODOR

Backstage × Hodor

Backstage MCP, through Hodor

Backstage doesn't have an official MCP server. Hodor exposes the Backstage API as Model Context Protocol tools — with identity, policy, audit, and a kill switch — so platform and SRE agents can query the service catalog, find owners, and run templates without overstepping.

Book a DemoGet Started

Backstage is the open-source developer portal originally built at Spotify, used to catalog services, scaffold projects, and centralize TechDocs.

The gap

Why Backstage doesn't have an MCP — yet

1

Backstage exposes a Catalog API, Scaffolder API, and TechDocs API — but no official Model Context Protocol server for agent consumption.

2

A service catalog with full Scaffolder access in the wrong hands can register fake entities, trigger software templates, or modify ownership records — none of which you can attribute later.

3

Platform teams need agents to read deeply but write narrowly. A raw bearer token doesn't give you that distinction.

How it works

Backstage as MCP, in three steps

  1. STEP 01

    Connect Backstage to Hodor

    Authenticate once with your Backstage account. Hodor stores the credential securely and never exposes it to agents.

  2. STEP 02

    Hodor exposes the API as MCP tools

    Every Backstage endpoint becomes a typed MCP tool. Scope per agent, set policy, and define rate limits at the gateway.

  3. STEP 03

    Agents call MCP through Hodor

    Any MCP-compatible agent — Claude, Cursor, Dust, n8n, custom — connects to Hodor. Every call is checked, logged, and attributed.

Tool catalog

What your agents can do

A subset of the Backstage tools Hodor exposes as MCP. Enable, disable, or constrain each one per agent identity.

backstage.mcp.hodor.ai
  • backstage_search_catalog
  • backstage_get_entity
  • backstage_list_entities
  • backstage_get_entity_relations
  • backstage_get_techdocs
  • backstage_search_techdocs
  • backstage_list_templates
  • backstage_run_template
  • backstage_register_location
  • backstage_list_owners

Built for production

Identity, policy, audit — by default

The same controls Hodor applies to every integration apply to Backstage: per-agent identity, scoped tools, real-time policy enforcement, full audit logs, and a global kill switch.

Agent identity

Every agent gets a unique, revocable identity. Every call is attributed.

Scoped policy

Fine-grained tool access, rate limits, and field-level restrictions enforced at the gateway.

Full audit trail

Every call logged with payload, identity, and policy outcome — SOC 2 / ISO 27001 ready.

Kill switch

Revoke any agent in one click. Hodor blocks all downstream calls instantly.

Common patterns

What teams build with Backstage + Hodor

Incident response copilot

During an incident, the on-call agent finds the owning team, surfaces TechDocs, and lists upstream dependencies — read-only, scoped to the catalog.

Engineer onboarding bot

New hires ask 'what owns the checkout flow?' and the agent answers from the Backstage catalog, with deep links to runbooks — zero write permission.

Catalog hygiene agent

Nightly job scans for entities missing owners or tags and opens issues — can read everything, but can only write to a specific repair label.

Self-service scaffolding

Developer agents kick off approved templates (new service, new lambda) via Scaffolder — restricted to a curated allowlist of templates per team.

FAQ

Backstage MCP, answered

Does Backstage have an official MCP server?

+

Not as of 2026. Backstage is an open-source platform with REST and GraphQL APIs, but no native Model Context Protocol server. Hodor exposes Backstage's Catalog, Scaffolder, and TechDocs APIs as MCP tools your agents can call safely.

Does it work with self-hosted Backstage?

+

Yes. Hodor connects to your Backstage instance over HTTPS using a service account — works for cloud, on-prem, or air-gapped deployments. The MCP gateway can run in your own VPC if needed.

Can I prevent agents from running arbitrary templates?

+

Yes. Hodor lets you allowlist Scaffolder templates per agent identity. An incident copilot can read the catalog but cannot trigger any template; a platform automation agent can run a specific scoped set.

How does this integrate with Backstage permissions?

+

Hodor layers on top of Backstage's permission framework — your existing RBAC still applies. Hodor adds per-agent identity, policy enforcement at the gateway, and a unified audit log across all MCP calls.

How do I get started?

+

Book a demo. We'll connect your Backstage instance, scope the catalog and template access per agent, and walk through audit and policy live.

Live with design partners

Ship your Backstage agents — safely.

Identity, policy, and audit for every Backstage call your agents make. Set up in under an hour with a Hodor engineer on the call.

Book a Demo
  • 20-minute demo
  • No credit card
  • SOC 2-ready logs