Maximo Enterprise MCP

A production-focused integration that brings IBM Maximo Asset Management into AI workflows through the Model Context Protocol.

Built by Maxis Technology as part of Alchemize — a state-of-the-art enterprise data management platform capable of doing in hours what others do in days. Want to know more? Head over to alchemize.io.

This project now exposes:

• A stable MCP server for Claude Desktop, Cursor, and other MCP clients.
• A hosted HTTP/SSE mode for remote MCP access.
• A FastAPI tool layer for OpenAI, Gemini, Grok, and custom orchestrators.

See CHANGELOG.md for the per-version release history (64 net-new tools across waves 1–9).

The current stable surface is 95 public tools across 21 categories. Every tool ships with a strict Pydantic input model (extra="forbid").

When a customer's Maximo doesn't have a particular vertical's data populated (no oil-and-gas turnarounds, no transportation fleet, no Spatial coordinates, etc.), every tool returns data_unavailable=True with a user-friendly note explaining what's missing and what an admin can do. Never a cryptic 400/404.

Maximo version compatibility

The integration suite (64 net-new tools across 8 wave smoke tests) is verified end-to-end against Maximo 7.6.x with the mxapi integration extensions (the API patch pack — mxapi* object structures published).

Maximo build	Status	Notes
Maximo 7.6.x with mxapi extensions	✅ Verified live (8/8 wave smokes pass in ~3.5 minutes)	The configuration we test against
Maximo 7.6.x without mxapi extensions	✅ Should work	Multi-candidate mx* → mxapi* falls back to mx* paths cleanly
MAS 8.x (Manage on RHOCP)	⚠️ Should work, not tested	Both mx* and mxapi* published; auth flow may need MCP_AUTH_MODE=jwt for MAS SSO
MAS 9.x (Manage on RHOCP)	⚠️ Should work, not tested	mxapi* is primary; same auth caveat

The codebase is defensively designed for cross-version use:

• Multi-candidate OS endpoints (tools/*.py constants like JP_OS_CANDIDATES, LABOR_OS_CANDIDATES) iterate mx* first then mxapi* and fall through 404s
• Single-condition WHERE + Python post-filter (defensive against the most restrictive build encountered — see compound_where_drops_connection)
• +field / -field orderBy direction prefix (strict OSLC v2 spec — works on every build)
• Graceful data_unavailable=True flag with admin-action note when an OSLC object structure isn't published on the customer's deployment

Category	Tools	What it gives you
Assets	9	Lifecycle, history, downtime / MTTR / MTBF, search, criticality matrix, warranty buckets, failure-class hierarchy, meter readings
Work orders	8	List / get / KPIs, task breakdown, planned-vs-actual variance, cost breakdown, schedule calendar, "my assigned WOs"
Job plans	3	Catalog list, full plan with embedded tasks/labor/materials/tools, cost estimate from job plan
Service requests	2	List + get — front-door intake before WOs
Inventory	8	Stock check, low-stock list, reorder recs, item master, storeroom catalog, total valuation, critical-spares risk
Purchasing	6	POs (list + get), purchase requisitions, vendors (list + performance), spend analysis by vendor / status / worktype
Labor	5	List labor / crews / crafts, utilization, available-technician finder (least-busy first)
Locations	3	List + get + hierarchy tree
Reporting	6	Maintenance KPI dashboard, failure Pareto, bad-actor assets, Excel + PDF export, Carbon HTML table
AI intelligence	4	NL-to-OSLC, anomaly detection (>2σ), root-cause suggestion, asset health score
AI moat (Wave 8)	6	WO summary, auto-classify failure, chat with asset, PM optimization, predict failure window, runbook generation — every tool LLM-enhanced with statistical/rule-based fallback
Spatial / GIS (Wave 9)	2	Find assets near a lat/lon, optimised technician routing — graceful "Spatial not installed" fallback when coordinates aren't populated
Compliance & EHS	6	Calibrations / inspections / permits / certifications-expiring / incidents / compliance dashboard
Pharma	3	Calibration audit trail (FDA), cleanroom assets, GxP risk score
Oil & Gas	3	Turnaround status, pressure-vessel inspections, lifting register
Manufacturing	3	OEE (Availability), production-line status, changeover (SMED) WOs
Utilities	3	Outage impact analysis, grid-zone assets, SAIDI/SAIFI proxies
Healthcare	3	Medical-device PM due, device lifecycle (NEW/STABLE/AGING/EOL), JC Environment of Care
Transportation	3	Fleet readiness %, mileage-based PM due, fuel consumption trend with spike detection
Schema / Admin	8	Object-structure discovery, schema details, OSLC query validation, code generation, users, audit log, event subscriptions
Core	1	health_check — connectivity probe + tool count

Every read tool returns a structured envelope (success / data / metadata). Tools that need data their Maximo build doesn't expose surface a data_unavailable: true flag with an admin-action note rather than failing silently. Write tools ship # DISABLED by default.

Quick-start prompts

Once connected to Claude Desktop / Cursor / Code, try:

Use maximo mcp. Asset 1001 isn't behaving — pull its details, recent work-order
history, and meter readings for the last 90 days.

Use maximo mcp. Run the compliance dashboard for site BEDFORD, then list the top
5 bad-actor assets and any calibrations overdue right now.

Use maximo mcp. I'm new to BEDFORD as planner — show me what job plans we have,
estimate cost for one, and find me an available welder.

Use maximo mcp. QBR slides due Friday. Export work orders to Excel + asset
report to PDF, plus the maintenance KPI dashboard for the cover slide.

Use maximo mcp. Quarterly EHS review — run compliance dashboard, list calibrations
due in 90 days, and certifications expiring in 60.

Use maximo mcp. Pump 1001 has been intermittent. Predict its next failure window,
recommend whether we should tune its PM frequency, and generate a runbook for the
last "grinding noise" complaint based on what we did before.

Use maximo mcp. Summarize WO 6540 for tomorrow's shift handover, then auto-classify
the failure code from this complaint: "intermittent grinding noise during operation".

Use maximo mcp. Chat with asset 1001: when did it last fail, what was the root cause,
and how often does it break?

Responsible Use

This server speaks to a live IBM Maximo instance and exposes its data — and,
when explicitly enabled, its mutating operations — to a language model. Before
deploying:

• Run hosted HTTP/SSE behind an authenticated gateway. Per-request identity
  comes from MCP_AUTH_MODE=jwt (OIDC) or static + gateway-injected
  X-MCP-* headers. Never expose the FastAPI tool API to untrusted callers
  without an identity solution in front.
• TLS at the edge (or in-process via MCP_SSL_*) is mandatory for any
  non-stdio deployment. The app does not terminate TLS itself.
• Keep all write tools # DISABLED in server.py until you have
  reviewed the RBAC policy and audit posture for your environment.
• Stamp MAXIMO_ENV=dev|staging|prod per deployment so audit records and
  /healthz make it obvious which Maximo a container is talking to.
• Read SECURITY.md and
  PRODUCT_GAPS_BEFORE_DEPLOY.md before
  pushing to a public registry; the latter documents the exact controls
  required for https://github.com/mcp-style listings.

Architecture

Local MCP clients        -> stdio MCP server -> Maximo OSLC
Remote MCP clients       -> HTTP gateway -> hosted MCP SSE -> Maximo OSLC
OpenAI / Gemini / Grok   -> FastAPI tool API -> shared executor -> Maximo OSLC

Installation

Local MCP for Claude Desktop / Claude Code / Cursor

You have two ways to install: uvx (recommended — no manual install) or pip install.

Option A — uvx (recommended)

Install uv once, then point your MCP client at uvx maximo-enterprise-mcp. uvx downloads, caches, and runs the package on demand.

Option B — pip install

pip install maximo-enterprise-mcp

Then in the configs below, replace:

"command": "uvx",
"args": ["maximo-enterprise-mcp"]

with:

"command": "maximo-enterprise-mcp",
"args": []

Claude Desktop

Edit %APPDATA%\Claude\claude_desktop_config.json (Windows) or ~/Library/Application Support/Claude/claude_desktop_config.json (macOS):

{
  "mcpServers": {
    "maximo": {
      "command": "uvx",
      "args": ["maximo-enterprise-mcp"],
      "env": {
        "MAXIMO_URL": "https://your-maximo-host.com/maximo/oslc",
        "MAXIMO_HOST": "https://your-maximo-host.com",
        "AUTH_MODE": "basic",
        "MAXIMO_USERNAME": "your-username",
        "MAXIMO_PASSWORD": "your-password",
        "CURRENT_USER_ROLE": "readonly"
      }
    }
  }
}

Restart Claude Desktop. The hammer icon appears once tools load.

Claude Code

Add to project-level .mcp.json or global ~/.claude.json:

{
  "mcpServers": {
    "maximo": {
      "command": "uvx",
      "args": ["maximo-enterprise-mcp"],
      "env": {
        "MAXIMO_URL": "https://your-maximo-host.com/maximo/oslc",
        "MAXIMO_HOST": "https://your-maximo-host.com",
        "AUTH_MODE": "basic",
        "MAXIMO_USERNAME": "your-username",
        "MAXIMO_PASSWORD": "your-password",
        "CURRENT_USER_ROLE": "readonly"
      }
    }
  }
}

Run /mcp in Claude Code to verify the connection.

Cursor

Add to ~/.cursor/mcp.json (global) or .cursor/mcp.json (per project):

{
  "mcpServers": {
    "maximo": {
      "command": "uvx",
      "args": ["maximo-enterprise-mcp"],
      "env": {
        "MAXIMO_URL": "https://your-maximo-host.com/maximo/oslc",
        "MAXIMO_HOST": "https://your-maximo-host.com",
        "AUTH_MODE": "basic",
        "MAXIMO_USERNAME": "your-username",
        "MAXIMO_PASSWORD": "your-password",
        "CURRENT_USER_ROLE": "readonly"
      }
    }
  }
}

In Cursor: Settings → MCP → Refresh to load.

Hosted MCP over HTTP/SSE

Hosted mode is intended for trusted network or gateway-protected deployments. It now fails closed unless MCP_ACCESS_TOKEN is set.

python server.py --http --host 0.0.0.0 --port 8080

Remote MCP clients should connect to:

• MCP SSE endpoint: http://host:8080/sse
• Health endpoint: http://host:8080/healthz

Example remote MCP config:

{
  "mcpServers": {
    "maximo": {
      "type": "sse",
      "url": "http://localhost:8080/sse",
      "headers": {
        "Authorization": "Bearer <your MCP_ACCESS_TOKEN>"
      }
    }
  }
}

FastAPI Tool API

Hosted HTTP mode also exposes a tool API for non-MCP platforms:

• GET /healthz
• GET /v1/tools
• POST /v1/tools/{tool_name}
• GET /v1/providers/openai-tools
• GET /v1/providers/gemini-tools
• GET /v1/providers/grok-tools

Example invocation:

curl -X POST http://localhost:8080/v1/tools/list_assets \
  -H "Authorization: Bearer $MCP_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"site_id\":\"BEDFORD\",\"page_size\":10}"

AI Platform Usage

OpenAI

Use GET /v1/providers/openai-tools to retrieve OpenAI-compatible tool definitions, then execute the selected tool via POST /v1/tools/{tool_name}.

Gemini

Use GET /v1/providers/gemini-tools to retrieve Gemini function declarations from the same shared tool registry.

Grok

Use GET /v1/providers/grok-tools. The payload is OpenAI-compatible so the same orchestration pattern works.

Optional Dependencies

Core installation uses requirements.txt.

Optional extras are defined in pyproject.toml:

• pip install ".[ai]" for OpenAI, ChromaDB, and sentence-transformers.
• pip install ".[exports]" for Excel and PDF export dependencies.
• pip install ".[dev]" for local test and lint tooling.

Environment Variables

See .env.example for the complete set. The most important variables are:

Variable	Required	Description
MAXIMO_URL	Yes	Full Maximo OSLC base URL
MAXIMO_HOST	Yes	Maximo host root URL
AUTH_MODE	Yes	basic, apikey, or oauth
MAXIMO_USERNAME / MAXIMO_PASSWORD	Basic auth	Maximo credentials
MCP_ACCESS_TOKEN	Hosted HTTP	Required bearer token for hosted MCP/API mode
CURRENT_USER_ROLE	Local only	Session role for local or trusted deployments
REDIS_URL	No	Redis cache connection string
VPN_SAFE_MODE	No	Enables safer default payload sizes
DEFAULT_PAGE_SIZE	No	Default page size when safe mode is enabled

Docker

Build

docker build -t maximo-enterprise-mcp .

Run

docker run -d ^
  -p 8080:8080 ^
  -e TRANSPORT_MODE=http ^
  -e MCP_ACCESS_TOKEN=change-me ^
  -e MAXIMO_URL=https://your-maximo-host.example.com/maximo/oslc ^
  -e MAXIMO_HOST=https://your-maximo-host.example.com ^
  -e AUTH_MODE=basic ^
  -e MAXIMO_USERNAME=your-maximo-username ^
  -e MAXIMO_PASSWORD=your-maximo-password ^
  maximo-enterprise-mcp

Use docker-compose.yml if you want Redis included.

Deployment Guidance

The server does NOT terminate TLS itself. Every non-stdio deployment
MUST terminate TLS either at the edge or in-process via
MCP_SSL_CERTFILE / MCP_SSL_KEYFILE. See SECURITY.md.

AWS

• Recommended first target: ECS Fargate or App Runner.
• Store secrets in AWS Secrets Manager.
• Required: put ALB or API Gateway in front for TLS and access control.
• Keep Maximo connectivity private when possible.

Azure

• Recommended first target: Azure Container Apps or App Service.
• Store secrets in Key Vault.
• Required: put Application Gateway or Front Door in front for TLS and access control.

Environment Separation

Run one container image, three deployments, three secret stores. Stamp
MAXIMO_ENV=dev|staging|prod per deployment — the value lands in every
audit record and on /healthz, so an operator can confirm at a glance
which Maximo a given container is pointed at.

Recommended pattern:

Deployment	MAXIMO_ENV	Maximo target	Token scope
dev	dev	dev Maximo	dev MCP_ACCESS_TOKEN / OIDC tenant
staging	staging	staging Maximo	staging token / OIDC tenant
prod	prod	prod Maximo	prod token / OIDC tenant

Never reuse a token across environments — a leaked dev token must not
unlock prod, and a misrouted dev container must not write to prod data.

Public Internet

Exposing the raw hosted MCP to the public internet requires ALL of the
following — no exceptions:

• bearer or OIDC inbound authentication (MCP_AUTH_MODE)
• TLS at the edge or in-process (the app serves plaintext by default)
• explicit CORS allowlist (MCP_ALLOWED_ORIGINS) — do NOT use *
• rate limiting (RATE_LIMIT_PER_MINUTE) and a separate edge limiter
• audit logging with durable forwarding
• private Maximo connectivity or strict network controls

Development

Run unit tests

pytest -m "not integration"

Run integration tests

Integration tests hit a real Maximo instance configured in .env. Two suites:

• tests/integration_test_tools.py — tool-by-tool smoke against a single live Maximo
• tests/integration/test_smoke_wave[1-4].py — per-wave smoke runs that gate every public tool added in waves 1–4/6

# Run every integration test (skipped automatically if MAXIMO_URL is unset)
pytest tests/integration -m integration -v

# Run a single wave's smoke
pytest tests/integration/test_smoke_wave2.py -m integration -v

# Or run a wave standalone for ad-hoc debugging
python tests/integration/test_smoke_wave2.py

List registered MCP tools

python server.py --test

Security Notes

• Do not commit real .env, .mcp.json, or .cursor/mcp.json values.
• Use example configs from the *.example files and keep secrets in local-only files or a secret manager.
• Hosted mode requires MCP_ACCESS_TOKEN.
• The env-based role model is suitable for local or trusted deployments, not multi-tenant public hosting.

---

IBM and Maximo are trademarks of International Business Machines Corp., used here for descriptive purposes only. This project is not affiliated with IBM.