
OVH Cloud

OVH Public Cloud, VPS, and dedicated servers all merge into the unified instance list with a provider: ovh tag. The redesigned create wizard is region-first with API-backed pricing, and the Manager screen surfaces a state-aware lifecycle toolbar that routes to the correct OVH API based on the row type.

Setup

1. Get OVH API credentials

OVH supports two auth flows. The TUI's setup wizard walks through both:

  • 3-key flow (recommended for personal use) — application key + application secret + consumer key. Consumer key is bound to a fixed list of allowed paths.
  • OAuth2 (for service accounts) — client ID + client secret, with broader access patterns.
bash
# Guided setup — walks you through token creation
$ servonaut --setup-ovh
# Or open Settings → OVH Setup from inside the TUI

2. Config block

~/.servonaut/config.json
{
  "ovh": {
    "enabled": true,
    "auth_method": "3-key",
    "endpoint": "ovh-eu",
    "default_project_id": "$OVH_PROJECT_ID",
    "default_region": "GRA11"
  }
}

endpoint selects the OVH API region — ovh-eu, ovh-us, or ovh-ca. The wizard sets it automatically based on your account.

TUI integration

OVH Manager screen

The sidebar's OVH → ⚙ Manage entry opens a per-provider table with a state-aware lifecycle toolbar:

  • Create opens the redesigned region-first create wizard.
  • Start / Stop / Reboot — buttons enable based on the selected row's state and route to the correct API (Public Cloud / VPS / dedicated).
  • Delete — typed-name confirmation; permanent.

Region-first create wizard

The create wizard reorders the picker logic compared to the old flow:

  1. Pick a region first. Datacentre name displays next to the region code.
  2. Flavor and image pickers refilter to only what's actually deployable in that region — no more "this looks fine, why does the create call fail?" dead-ends.
  3. Live pricing per flavor is fetched from the OVH catalog API and shown inline.
  4. SSH key picker reads from the project-level SSH key registry (see below).

Regions and flavors with no deployable offers are hidden entirely, so you can't pick a dead combination. A worker race that previously caused intermittent "no offers" responses has been fixed; the wizard auto-cursors through the list and surfaces a clear hint if you have no SSH keys registered yet.

Project-level SSH keys

OVH → 🔑 SSH Keys manages keys at the Public Cloud project level — the registry the create wizard injects from. This is distinct from the older /me/sshKey endpoint, which manages account-wide keys for OVH dedicated; we deliberately use project-level keys because that's where Public Cloud actually reads from on instance creation.

Other OVH screens

  • DNS Zones — list and edit records (A, AAAA, CNAME, MX, TXT, SRV, …).
  • IP Management — account-wide IP inventory with routing info, failover-IP swap, firewall rules per IP.
  • Block Storage — list, attach, and detach Public Cloud volumes.
  • Snapshots — VPS and Public Cloud snapshots in one view.
  • Billing & Invoices — current period summary and recent invoices, downloadable as PDF.

MCP tools (13)

Thirteen account-scoped MCP tools, gated by the ovh_mcp_operations entitlement (free=0, Solo=50, Teams=400/seat). Mutating tools require mcp.guard_level = dangerous and confirmation. Per-team approval policy can require human approval for any subset of these on Teams plans.

Lifecycle (5)

Tool                | Guard     | Description
ovh_create_instance | dangerous | Create a Public Cloud instance. Confirmation required.
ovh_delete_instance | dangerous | Permanently delete an instance. Confirmation required.
ovh_start_instance  | dangerous | Start a stopped instance (Cloud / VPS / dedicated routed automatically).
ovh_stop_instance   | dangerous | Stop an instance.
ovh_reboot_instance | dangerous | Reboot an instance.

Read-only inspection (8)

Tool               | Description
ovh_monitoring     | CPU / RAM / network metrics for an instance.
ovh_list_ips       | Account-wide IP inventory with routing info.
ovh_firewall_rules | Firewall rules for a given IP.
ovh_ssh_keys       | Project-level SSH keys registered with OVH.
ovh_snapshots      | Snapshot list for a VPS or Public Cloud instance.
ovh_dns_records    | DNS records for a zone (optional record-type filter).
ovh_billing        | Current billing summary.
ovh_invoices       | Recent invoices.

All read tools are in the readonly guard tier and run as soon as the OVH service is wired up.

Security notes

  • OVH credentials are stored in ~/.servonaut/config.json, encrypted at rest if you opt in to a passphrase.
  • OVH credentials are stripped from any config-sync upload to servonaut.dev — they never leave this machine, even when cloud config sync is enabled.
  • The 3-key consumer key is scoped to a fixed list of API paths. The wizard requests the minimum scope; you can review and revoke at any time in the OVH API console.

Troubleshooting

"403 Forbidden" on instance ops

Your consumer key probably doesn't include the path you're hitting. The 3-key flow scopes the consumer key to a fixed allowlist of API paths. Re-run servonaut --setup-ovh to mint a new consumer key with broader scope, or switch to OAuth2 for service accounts that need fully open access.
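An added example (not Servonaut's code) for the consumer-key scoping described in the Security notes and the 403 explanation above: it checks a call against a list of access rules and reports whether the method or the path is what the key lacks, and flags mutating rules broad enough to deserve review. The rule list is constructed, not the one the wizard requests, and treating `*` as matching any characters including `/` is an assumption.

```python
import re

# Constructed sample rules in the {method, path} shape used when an OVH
# consumer key is requested. NOT the rule list Servonaut's wizard asks for.
SAMPLE_RULES = [
    {"method": "GET", "path": "/cloud/project/*"},
    {"method": "POST", "path": "/cloud/project/*/instance/*"},
    {"method": "GET", "path": "/vps/*"},
    {"method": "GET", "path": "/me/bill*"},
]


def _pattern(rule_path):
    # Assumption: "*" matches any run of characters, "/" included.
    parts = (re.escape(p) for p in rule_path.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")


def is_allowed(rules, method, path):
    """True if some rule covers this exact method and path."""
    method = method.upper()
    return any(
        r["method"].upper() == method and _pattern(r["path"]).match(path)
        for r in rules
    )


def explain_403(rules, method, path):
    """Say why a call would be refused: wrong method, or path not listed."""
    if is_allowed(rules, method, path):
        return "allowed"
    other = sorted({r["method"].upper() for r in rules
                    if _pattern(r["path"]).match(path)})
    if other:
        return f"path covered only for {', '.join(other)}; {method.upper()} missing"
    return "no rule covers this path"


def overly_broad(rules):
    """Mutating rules on '/*' or a whole API root such as '/vps/*'."""
    return [r for r in rules
            if r["method"].upper() != "GET"
            and re.fullmatch(r"/\*|/[^/*]+/\*", r["path"])]


if __name__ == "__main__":
    for m, p in [("POST", "/cloud/project/abc123/instance/i-1/reboot"),
                 ("POST", "/cloud/project/abc123/instance"),
                 ("DELETE", "/dedicated/server/ns1")]:
        print(m, p, "->", explain_403(SAMPLE_RULES, m, p))
```

With these sample rules a reboot is permitted while instance creation is refused, because the POST rule only covers paths below `/instance/`.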

Empty flavor / image picker after selecting a region

The OVH catalog is returning no deployable offers for that region right now. Pick another region — the picker will refresh — or check the OVH status page for the region you wanted.

Region code vs datacentre name

GRA11 = Gravelines (France), SBG5 = Strasbourg (France), BHS5 = Beauharnois (Canada), WAW1 = Warsaw, DE1 = Frankfurt, etc. The TUI shows both code and name in the picker.
