MCP server

The Model Context Protocol (MCP) server exposes your management API as callable tools, so an MCP client (an agent, an IDE, a chat app) can manage apps, read usage, rotate keys, manage policies and provider keys, and configure auth, data logging, and integrations on your behalf. It wraps the same operations as the REST management API, with the same scope checks.

Endpoint & transport

Authentication

Every message authenticates with a management token sent in the X-Management-Token header, not the Authorization header. Mint a token (and pick its scopes) under Dashboard → Settings → API tokens. The token's scopes are re-checked on every tool call, so a tool can never act beyond what the token was granted.

Tools

The server exposes every management operation as a tool (23 in total). The authoritative, always-current catalog is whatever tools/list returns (see below); the table mirrors it.

ToolRequired scopeWhat it does
list_appsapps:readList every app in the account, newest first.
create_appapps:writeCreate an app; returns it including its public app key.
get_appapps:readRead a single app in the account by id.
update_appapps:writeUpdate an app's name, status (active|disabled), and/or platforms.
delete_appapps:deleteSoft-delete an app; its usage and audit history are preserved.
get_app_usageusage:readAggregated usage for one app, optionally since an ISO-8601 time.
get_usage_timeseriesusage:readAccount-level day-bucketed usage series (requests, cost, tokens) over 7d / 30d / 90d.
rotate_keykeys:rotateRotate an app's public app key (recorded for audit).
list_key_rotationskeys:rotateRead an app's public-key rotation audit log, most recent first.
read_policypolicies:readRead one or all model policies for an app.
update_policypolicies:writeCreate or update a model policy (upsert by category, provider, model, endpoint).
delete_policypolicies:writeDelete a single model policy from an app by policy id.
list_provider_keysprovider_keys:readList account-level BYOK provider keys (secrets are never returned, only masked placeholders).
set_provider_keyprovider_keys:writeCreate or update a BYOK provider key; the secret is encrypted at rest and never returned.
delete_provider_keyprovider_keys:writeDisable (soft-delete) an account-level provider key by id.
get_auth_configapps:readRead an app's end-user auth configuration.
update_auth_configapps:writeSet an app's end-user auth provider and settings, including Firebase App Check.
get_data_loggingapps:readRead an app's data-logging mode and retention window.
update_data_loggingapps:writeSet an app's data-logging mode and retention (1 to 90 days).
update_revenuecat_configapps:writeCreate or update an app's RevenueCat configuration (the API key is write-only).
trigger_revenuecat_refreshapps:writeRefresh one app user's entitlement category from RevenueCat.
update_posthog_configapps:writeCreate or update an app's PostHog configuration (the API key is write-only).
list_notificationsnotifications:readList the account's notifications, most recent first.

Connect a client

Point any MCP client that supports Streamable HTTP with custom headers at the endpoint, setting X-Management-Token. To test the transport directly with JSON-RPC:

# Initialize a session
curl https://YOUR_DASHBOARD_ORIGIN/api/mcp \
  -H "X-Management-Token: <MANAGEMENT_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize",
       "params":{"protocolVersion":"2025-06-18","capabilities":{},
                 "clientInfo":{"name":"curl","version":"1.0"}}}'

# Discover tools
curl https://YOUR_DASHBOARD_ORIGIN/api/mcp \
  -H "X-Management-Token: <MANAGEMENT_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list"}'

# Call a tool
curl https://YOUR_DASHBOARD_ORIGIN/api/mcp \
  -H "X-Management-Token: <MANAGEMENT_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":3,"method":"tools/call",
       "params":{"name":"list_apps","arguments":{}}}'

Prefer plain REST? The same operations are documented in the REST API reference.