--- name: sentinel-iot description: Operate Kajeet Sentinel cellular IoT fleets via the Kajeet MCP server (https://mcp.kajeet.dev/mcp). Use whenever the user mentions Kajeet, Sentinel, smartSIM, or asks to list devices, check cellular data usage, suspend or activate a SIM, inspect content filtering, or pull failover/GPS state on a managed IoT fleet. --- # Sentinel IoT skill This skill teaches the agent how to operate **Kajeet Sentinel** — a cellular IoT fleet platform managing hundreds of thousands of SIMs across U.S. education, transit, public sector, healthcare, and enterprise deployments. All operations go through the **Kajeet IoT Connectivity MCP server**, which exposes Sentinel as a typed, self-describing tool catalog. ## 1. Wire up the MCP server (one-time) ### 1a. Get an API key Go to and create a key. A single key authenticates REST, CLI, and MCP traffic — there is no separate "MCP key". ### 1b. Add the server to your host's MCP config Pick **one** of the three auth patterns below. All three are accepted by the server; the first is recommended. **Option A — `Authorization: Bearer` header (recommended).** Most hosts that support remote MCP servers accept a `headers` block: ```json { "mcpServers": { "sentinel": { "url": "https://mcp.kajeet.dev/mcp", "transport": "streamable-http", "headers": { "Authorization": "Bearer YOUR_API_KEY" } } } } ``` If your host supports environment-variable expansion in the config (Claude Code does, via `${VAR}` syntax), keep the secret out of the file: ```json "headers": { "Authorization": "Bearer ${SENTINEL_API_KEY}" } ``` …and then `export SENTINEL_API_KEY="..."` in your shell. **Option B — `X-API-Key` header.** Same effect, different header name: ```json "headers": { "X-API-Key": "YOUR_API_KEY" } ``` **Option C — URL query parameter (fallback for hosts that can't send custom headers).** Some MCP clients only accept `{ url, transport }`: ```json { "mcpServers": { "sentinel": { "url": "https://mcp.kajeet.dev/mcp?apiKey=YOUR_API_KEY", "transport": "streamable-http" } } } ``` Keys passed in URLs may show up in server logs. Prefer the header forms in production. ### 1c. OAuth (optional) Hosts that support OAuth flows instead of static keys can discover the flow from the server's metadata at `https://mcp.kajeet.dev/.well-known/oauth-protected-resource`. After the server is connected, the live tool catalog is the source of truth — call `tools/list` once and trust what it returns. The summary below is a high-level map, not a contract. ## 2. Tool groups (high-level map) There are 11 top-level MCP tools, each taking an `action` parameter to dispatch to a specific operation. The action keys below are accurate as of writing; the **live `tools/list` response is authoritative** — when in doubt, trust it over this table. | Tool | Actions | Write? | |---|---|---| | `auth` | `whoami`, `session_status`, `list_accounts`, `switch_account`, `diagnose`, `connect_guide`, `list_api_keys`, `create_api_key`, `revoke_api_key`, `rate_limit_status` | mixed | | `sentinel_devices` | `list`, `details`, `lookup`, `totals`, `health`, `status_summary`, `groups` | read | | `sentinel_device_actions` | `suspend`, `unsuspend` | **write** | | `sentinel_usage` | `summary`, `details`, `hourly`, `daily`, `by_device`, `balance`, `invoices` | read | | `sentinel_web_activity` | `top_allowed`, `top_denied`, `filter_groups` | read | | `sentinel_gps` | `devices`, `history` | read | | `sentinel_activation` | `carriers`, `inventory`, `history`, `status`, `generate_test_imei`, `activate` | **write** | | `sentinel_admin` | `list_users`, `user_details`, `mediacenter_summary`, `mediacenter_devices` | read | | `sentinel_cradlepoint` | `usage`, `logs`, `signal` | read | | `smart_failover` | Per-device: `get_device`, `get_status`, `get_signal`, `get_usage`, `get_data_usage`, `get_uptime`, `get_transfer`, `get_kart_traffic`, `get_readiness`, `get_top_sites`, `get_alarms`. Events: `get_events`, `get_paired_events`, `get_active_events`, `get_device_events`, `get_all_alarms`. Fleet/account: `list_devices`, `get_stats`, `get_account_usage_summary`, `get_account_data_usage`, `get_account_lines`, `get_account_top_sites`. Commands: `reboot_device`, `factory_reset_device`, `update_firmware`. Read-only diagnostics: `check_firmware`, `ping_device`. | **write** | | `support` | `search_kb`, `get_kb`, `list_cases`, `get_case`, `create_case`, `list_incidents`, `get_incident` | mixed | ### Pillar disambiguation — pick the right tool Kajeet has several distinct product pillars. Mis-routing a query is the most common agent mistake. Use this table: | If the user is asking about… | Use | |---|---| | Cellular SIMs / fleet (SmartBus, IoT, BYOD) — list, status, usage, suspend, activate | `sentinel_devices`, `sentinel_usage`, `sentinel_device_actions`, `sentinel_activation` | | Kajeet Failover routers — online/offline, signal, RSRP, alarms, reboot | `smart_failover` | | Cradlepoint routers — usage/logs/signal | `sentinel_cradlepoint` | | Web filtering / blocked & allowed domains | `sentinel_web_activity` | | GPS / device location | `sentinel_gps` | | Sentinel admin users (logins for the Sentinel app) | `sentinel_admin` · `list_users` / `user_details` | | **Media Center — physical asset checkout** (laptops, iPads, hotspots checked in/out) | `sentinel_admin` · `mediacenter_*` | | Support cases, KB, incidents | `support` | | Identity, accounts, API keys | `auth` | **Critical:** Media Center is asset checkout tracking — it is **not** SmartBus, IoT, Failover, or any cellular-connectivity product. If the user asks about device health, signal, fleet status, or anything network-related, do **not** call `sentinel_admin.mediacenter_*` — use `sentinel_devices` or `smart_failover` instead. ## 3. Safety model A subset of write actions follows a strict **preview → confirm** pattern: - `sentinel_device_actions` — `suspend`, `unsuspend` - `sentinel_activation` — `activate` - `smart_failover` — reboot, factory_reset, firmware_update For these, the first call returns a structured **preview** of the proposed change without mutating anything. Surface the preview to the user, get explicit approval, then re-call with `confirm: "YES"` to execute. **Never** pass `confirm: "YES"` on the first turn. Other destructive operations (`auth.switch_account`, `auth.create_api_key`, `auth.revoke_api_key`, `support.create_case`, etc.) execute immediately when called — there is no preview step. Still get explicit user approval before invoking these, but expect the change to land on the first call. The live `tools/list` response reports per-tool danger flags (`destructive`, `readOnly`). Trust those over the summary above. ## 4. Common user queries → which tool | User intent | Call | |---|---| | "Who am I connected as?" | `auth` · `whoami` | | "Which accounts can I switch to?" | `auth` · `list_accounts` | | "Switch me to the Sales Demo account" | `auth` · `switch_account` | | "How many active devices in the fleet?" | `sentinel_devices` · `totals` | | "Show device 521-267-1508" | `sentinel_devices` · `lookup` | | "What's the rate plan on this device?" | `sentinel_devices` · `details` | | "How much data did the account use last week?" | `sentinel_usage` · `details` | | "Show daily usage for the last 30 days" | `sentinel_usage` · `daily` | | "Which devices used the most data this month?" | `sentinel_usage` · `by_device` | | "Top blocked sites this week" | `sentinel_web_activity` · `top_denied` | | "List filter groups for activation" | `sentinel_web_activity` · `filter_groups` | | "Show GPS devices for my account" | `sentinel_gps` · `devices` | | "Show location history for this IMEI in April" | `sentinel_gps` · `history` | | "Which carriers can I activate on?" | `sentinel_activation` · `carriers` | | "Generate a test IMEI" | `sentinel_activation` · `generate_test_imei` | | "Activate this SIM on T-Mobile" | `sentinel_activation` · `activate` (preview → confirm) | | "Suspend SIM 521-267-1508" | `sentinel_device_actions` · `suspend` (preview → confirm) | | "Show Cradlepoint signal quality for this MDN" | `sentinel_cradlepoint` · `signal` | | "Is this SmartFailover router online?" | `smart_failover` · `get_status` | | "Show signal strength for IMEI X over the last 12 hours" | `smart_failover` · `get_signal` | | "Reboot SmartFailover router X" | `smart_failover` · `reboot_device` (preview → confirm) | | "Search the KB for activation help" | `support` · `search_kb` | | "Open a support case for this outage" | `support` · `create_case` | ## 5. Identifier conventions - **MDN** — 10-digit phone number. Accept dashed (`521-267-1508`) or undashed (`5212671508`); the server normalizes either form. - **ICCID** — 19–22 digit SIM serial. - **IMEI** — 15-digit device serial. - **IP** — current device IP; lookup is best-effort and may be stale. - **corpId** — Kajeet account/organization ID (e.g. `NORTHSTAR-ISD`). Matches `^[A-Za-z0-9_-]{1,64}$`. Auto-detected from the API key when omitted; only set explicitly when the user is managing multiple accounts. Most device lookups accept any identifier via a single `identifier` parameter — the server infers the type. ## 6. Common errors - `invalid_api_key` — key missing, malformed, or revoked. Direct the user to . - `invalid_corpId` — corp ID does not match the allowed pattern. Usually auto-detected; only specify when switching accounts. - `invalid_mdn` — MDN is not 7–15 digits after stripping non-digits. Ask the user to double-check the number. - `confirm_required` — write action called without `confirm: "YES"`. Surface the preview to the user, get approval, then re-call with confirm. - `upstream_unreachable` — Sentinel proxy briefly unavailable. Retry once; if it persists, surface the failure to the user and stop. ## 7. When NOT to use this skill - General cellular or networking advice unrelated to a Kajeet fleet — answer from general knowledge. - Account creation, billing portal questions, or trial sign-up — direct the user to , , or . - The user is on a different IoT platform (Hologram, Twilio Super SIM, Soracom, etc.) — do not try to map their devices into Sentinel tools. - Bulk operations on more than ~50 devices in a single call — paginate, or recommend the CLI / REST API for batch work. ## 8. Resources - **API keys:** - **MCP hub** (config block, OAuth metadata, tool catalog): - **REST API explorer** (200+ endpoints): - **In-browser API tester:** - **CLI install + reference:** - **Free 60-day trial SIM:** - **Machine-readable platform reference:**