Customer Portal MCP Tools
Customer Portal MCP tools follow a portal activation and customer service workflow across customer accounts, portal users, roles and permissions, 2FA, service records, project status, orders and bookings, document versions, invoices and payments, service requests, FAQs, forms, notifications, data sync, consent records, access logs, and audit trails.
Read portal timezone, login policy, document versioning, notifications, payments, support SLA, and customer visibility defaults.
Read-only baseline before portal activation or customer-visible writes.
Do not expose API secrets, payment secrets, or internal tokens.
Read portal logo, colors, domain, welcome message, languages, and white-label settings.
Read-only; used before workspace activation or branding updates.
Return public branding only, not DNS secrets or verification tokens.
portal.customers.list
readList customers by status, company, owner, or portal activation state.
Read-only; used to avoid duplicate activation or wrong customer mapping.
Customer lists are tenant and role scoped to prevent cross-customer leakage.
Read customer profile, contacts, preferences, service summary, consent state, and portal status.
Read-only; required before portal activation, profile update, or invitation.
Mask PII by permission; do not expose sensitive contacts to unauthorized roles.
portal.portal_users.list
readList portal users, roles, activation state, 2FA state, and last login under a customer.
Read-only; used before invite, role change, or access reset.
Show only necessary login state; never return passwords or session tokens.
portal.access_roles.list
readRead portal roles, visible data scope, document permissions, payment permissions, and support request permissions.
portal.config.get, portal.portal_users.list
Read-only; used before access scope design or role changes.
Use least privilege; do not recommend admin role as default.
portal.auth_policy.get
readRead login, 2FA, password reset, invitation expiry, lockout, and session policies.
Read-only; used before invitation, reset, or security changes.
Do not return password hashes, reset tokens, or 2FA seeds.
portal.service_records.list
readList customer service records, after-sales projects, delivery states, owners, and visibility.
Read-only; used before preparing portal home and service summaries.
Internal notes and costs must not appear as customer-visible records.
portal.service_record.get
readRead one service record's timeline, status, files, comments, deliverables, and related payments.
portal.service_records.list
Read-only; used before publishing service progress or welcome summary.
Separate customer-visible comments from internal handling notes.
portal.project_status.list
readRead client-visible project stages, task summaries, milestones, blockers, and expected completion dates.
portal.service_records.list
Read-only; verify before publishing project status.
Do not expose internal tasks, costs, staff performance, or unconfirmed risks.
List customer orders, quotes, contracts, fulfillment states, delivery dates, and related files.
Read-only; used for order status and portal dashboard summaries.
Return only orders authorized for that customer, with no cross-company merge.
Read customer service, class, meeting, or after-sales bookings and reschedule state.
Read-only; used to show upcoming bookings or service times.
Do not expose other customers or staff private schedules.
portal.documents.list
readList customer-visible and pending files, contracts, quotes, invoice copies, designs, reports, and versions.
portal.customer.get, portal.access_roles.list
Read-only; required before document publish or revocation.
Hide internal files by default; version and visibility scope must be explicit.
portal.document_version.get
readRead one document version, source, expiry, download permissions, sign-off state, and customer-visible history.
Read-only; verify latest version before publish, revoke, or client sign-off.
Avoid publishing old or unapproved versions to customers.
List customer invoices, due dates, outstanding balance, payment link state, and visibility.
Read-only; used before creating payment links or showing billing in portal.
Do not show sensitive billing data to users without payment permission.
Read payment records, gateway state, receipts, refunds, failed payments, and finance notification state.
Read-only; used before payment follow-up, receipt download, or reconciliation.
Never return full card data, bank secrets, or gateway secrets.
List service requests by customer, status, type, priority, owner, or SLA.
Read-only; used before support dashboards, replies, or status updates.
Show only requests visible to the customer or authorized staff.
Read request details, conversation, internal notes, attachments, SLA, handling history, and customer-visible state.
Read-only; required before reply, status update, or follow-up creation.
Internal notes must not leak into customer-visible replies.
portal.faq_entries.list
readList FAQs, self-service support content, categories, languages, visible customer segments, and last update time.
Read-only; used before FAQ updates or support reply suggestions.
Avoid exposing internal SOPs or unreviewed answers to customers.
portal.form_templates.list
readRead customer interaction forms, questionnaires, drawing approvals, profile updates, and service application templates.
Read-only; used before form publishing or submission recording.
Form fields must identify PII and sensitive data handling.
portal.notifications.list
readRead portal notifications, channels, recipients, read state, failure state, and reminder rules.
Read-only; used before welcome, document, or payment notifications.
Respect consent, opt-out, frequency caps, and customer-visible scope.
portal.access_logs.list
readList login, invitation, password reset, document download, payment view, and role change logs.
Read-only; used for security audit, disputes, or permission investigations.
Access logs are for authorized admins only, not customer-public content.
portal.activation.preview
previewPreview customer portal activation including workspace, users, roles, documents, service records, and welcome message.
portal.customer.get, portal.portal_users.list, portal.documents.list, portal.service_records.list, portal.branding.get
Preview required; customer service lead approval required before activation and invite.
Do not include unapproved files, internal notes, or wrong customer data in activation draft.
portal.access_scope.preview
previewPreview what files, invoices, service records, requests, and payment actions become visible after role or scope changes.
portal.portal_users.list, portal.access_roles.list, portal.documents.list, portal.invoices.list
Any permission elevation or customer-visible scope change requires approval.
Use least privilege and identify newly visible data.
portal.document_publish.preview
previewPreview document publishing recipients, version, download permissions, expiry, notification content, and leakage risk.
portal.documents.list, portal.document_version.get, portal.access_scope.preview
Customer-visible documents require approval by an authorized person.
Block internal files, wrong-customer files, old versions, or unapproved versions from publishing.
portal.support_reply.preview
previewPreview service request reply, customer-visible content, attachments, FAQ citations, follow-ups, and SLA impact.
portal.request.get, portal.faq_entries.list, portal.documents.list
Customer-visible replies or attachments require support or owner confirmation.
Internal notes, other-customer data, or unverified promises must not appear in replies.
portal.payment_action.preview
previewPreview payment links, invoice visibility, receipts, payment reminders, gateway state, and finance notifications.
portal.invoices.list, portal.payments.list, portal.access_roles.list
Finance or authorized approval required before creating or resending payment links.
Prevent duplicate charges and avoid sending payment details to users without payment permission.
portal.notification.preview
previewPreview welcome, document, payment, support reply, or portal update notification content, recipients, and channels.
portal.notifications.list, portal.customer.get, portal.portal_users.list
Bulk, customized, or sensitive customer notifications require approval.
Respect consent, opt-out, frequency limits, and prevent wrong-customer recipients.
portal.profile_update.preview
previewPreview customer-updated contact, company, or preference fields that will sync to the central system.
portal.customer.get, portal.form_templates.list
Sensitive or company-profile changes require staff approval.
Keep old value, new value, source, and verification state.
portal.workspace.create
writeCreate customer portal workspace linked to branding, service records, documents, invoices, support entry, and default access.
portal.activation.preview
Must execute from an approved activation preview.
Requires idempotency; avoid duplicate workspace for the same customer.
Invite a customer user to activate portal access with secure invitation link, role, and welcome message.
portal.activation.preview, portal.notification.preview
Customer service lead must approve recipient and role before invitation.
Invitation link must expire and raw token must not be returned in response.
portal.user.role_update
writeUpdate portal user role, visibility scope, payment permission, document download permission, and support permissions.
portal.access_scope.preview
Permission elevation or new sensitive visibility requires approval.
Do not grant internal admin privileges to customer users.
Disable, reset, or reissue portal access including password reset, 2FA reset, and account unlock.
portal.portal_users.list, portal.auth_policy.get, portal.access_logs.list
Security-sensitive reset requires authorized staff or identity verification.
Never return password or 2FA seed; all resets are audited.
portal.branding.upsert
writeCreate or update portal logo, colors, login page, welcome copy, languages, and white-label settings.
Public branding changes require owner approval.
Validate image sources and domains; do not expose DNS or certificate secrets.
portal.customer_profile.update
writeUpdate approved customer contact, company profile, preferences, notification settings, or synced fields.
portal.profile_update.preview
Sensitive customer-submitted updates require staff approval.
Keep old and new values; avoid unverified data overwriting official records.
portal.document.publish
writePublish a document version to a customer portal with visible roles, expiry, download access, and notification.
portal.document_publish.preview
Must execute from an approved document preview.
Check customer, version, visibility scope, and idempotency.
portal.document.revoke
writeRevoke access to a file, version, or customer user and retain revoke reason.
portal.documents.list, portal.document_version.get, portal.access_logs.list
Revoking customer-visible files requires authorized confirmation.
Do not delete audit; revoke visibility or download permission only.
portal.invoice.payment_link.create
writeCreate or resend a portal payment link for an invoice and update notification and finance tracking state.
portal.payment_action.preview
Requires finance or authorized approval.
Prevent duplicate payment links, wrong-customer sends, and unauthorized recipients.
portal.request.create
writeCreate a support request, service case, form follow-up, or internal task for a customer.
portal.customer.get, portal.requests.list, portal.form_templates.list
Customer submissions can create automatically; staff-created cases must mark source.
Check duplicate requests, attachment safety, and customer identity.
portal.request.status_update
writeUpdate support request status, priority, owner, SLA, customer-visible state, or follow-up.
Closure, escalation, or SLA exceptions require owner confirmation.
Status changes need timestamp, actor, and reason.
portal.request.reply_add
writeAdd customer-visible replies, internal notes, attachments, FAQ citations, or next-step instructions.
portal.support_reply.preview
Customer-visible replies must be confirmed from preview.
Clearly mark internal/customer-visible; do not include other customers' data.
portal.faq_entry.upsert
writeCreate or update FAQ/self-service answers, categories, languages, visible segments, and publish state.
Public FAQ or policy answers require owner approval.
Do not publish unreviewed legal, payment, or service promise content.
portal.form_submission.record
writeRecord customer form, questionnaire, drawing approval, profile update, or service application submission.
portal.form_templates.list, portal.customer.get
Sensitive submissions or formal data changes require staff approval.
Validate fields, attachments, and identity; keep submission source.
portal.notification.send
writeSend portal welcome, document update, payment reminder, support reply, service progress, or security notifications.
portal.notification.preview
Bulk or sensitive notifications require approval; security notifications follow policy.
Respect consent, opt-out, frequency caps, and recipient permissions.
portal.consent.update
writeUpdate customer consent for portal terms, privacy, notifications, payments, or data sync.
portal.customer.get, portal.access_logs.list
Customer-submitted consent can be recorded; staff changes need authorization and reason.
Consent records need timestamp, source, version, and IP/device summary.
portal.analytics_snapshot.record
writeRecord self-service queries, file downloads, payment clicks, support requests, response time, and deflection performance.
portal.notifications.list, portal.requests.list, portal.access_logs.list, portal.payments.list
Writes aggregate analytics only and does not change customer service records.
Avoid writing personal data into analytics snapshots.
portal.action_request.status
statusCheck portal write request, approval, execution, failure, retry, and audit state.
Read-only status; tracks activation, invitations, documents, payments, replies, and notifications.
Status endpoint must not re-execute writes.