MCP server
The Model Context Protocol (MCP) server exposes your management API as callable tools, so an MCP client (an agent, an IDE, a chat app) can manage apps, read usage, rotate keys, manage policies and provider keys, and configure auth, data logging, and integrations on your behalf. It wraps the same operations as the REST management API, with the same scope checks.
Endpoint & transport
- Endpoint: `POST /api/mcp` on your dashboard origin.
- Transport: Streamable HTTP with JSON-RPC 2.0. A `POST` carries one JSON-RPC request and returns one JSON response. `GET` returns `405` (there is no server-initiated stream).
- Protocol version: `2025-06-18`.
- Availability: the whole surface is gated behind the `MCP_SERVER_ENABLED` environment flag and ships dark: when it is off, `/api/mcp` returns `404`. Check the status under Dashboard → Settings → API tokens.
Authentication
Every message authenticates with a management token sent in the X-Management-Token header, not the Authorization header. Mint a token (and pick its scopes) under Dashboard → Settings → API tokens. The token's scopes are re-checked on every tool call, so a tool can never act beyond what the token was granted.
Tools
The server exposes every management operation as a tool (23 in total). The authoritative, always-current catalog is whatever tools/list returns (see below); the table mirrors it.
| Tool | Required scope | What it does |
|---|---|---|
| list_apps | apps:read | List every app in the account, newest first. |
| create_app | apps:write | Create an app; returns it including its public app key. |
| get_app | apps:read | Read a single app in the account by id. |
| update_app | apps:write | Update an app's name, status (active or disabled), and/or platforms. |
| delete_app | apps:delete | Soft-delete an app; its usage and audit history are preserved. |
| get_app_usage | usage:read | Aggregated usage for one app, optionally since an ISO-8601 time. |
| get_usage_timeseries | usage:read | Account-level day-bucketed usage series (requests, cost, tokens) over 7d / 30d / 90d. |
| rotate_key | keys:rotate | Rotate an app's public app key (recorded for audit). |
| list_key_rotations | keys:rotate | Read an app's public-key rotation audit log, most recent first. |
| read_policy | policies:read | Read one or all model policies for an app. |
| update_policy | policies:write | Create or update a model policy (upsert by category, provider, model, endpoint). |
| delete_policy | policies:write | Delete a single model policy from an app by policy id. |
| list_provider_keys | provider_keys:read | List account-level BYOK provider keys (secrets are never returned, only masked placeholders). |
| set_provider_key | provider_keys:write | Create or update a BYOK provider key; the secret is encrypted at rest and never returned. |
| delete_provider_key | provider_keys:write | Disable (soft-delete) an account-level provider key by id. |
| get_auth_config | apps:read | Read an app's end-user auth configuration. |
| update_auth_config | apps:write | Set an app's end-user auth provider and settings, including Firebase App Check. |
| get_data_logging | apps:read | Read an app's data-logging mode and retention window. |
| update_data_logging | apps:write | Set an app's data-logging mode and retention (1 to 90 days). |
| update_revenuecat_config | apps:write | Create or update an app's RevenueCat configuration (the API key is write-only). |
| trigger_revenuecat_refresh | apps:write | Refresh one app user's entitlement category from RevenueCat. |
| update_posthog_config | apps:write | Create or update an app's PostHog configuration (the API key is write-only). |
| list_notifications | notifications:read | List the account's notifications, most recent first. |
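Because scopes are coarser than tools, a token minted for one tool also reaches every other tool under the same scope. The sketch below is an added example, not part of the product's own code: it uses the table above to compute the smallest scope set for an agent's tool list, what else that set unlocks, and which granted scopes can be dropped. The function names `plan_token` and `audit_token` and the sample scenario are assumptions made for illustration.

```python
# Added example: tool -> scope data transcribed from the table on this page.
# tools/list stays the authoritative catalog; refresh this map if it changes.
SCOPE_TOOLS = {
    "apps:read": "list_apps get_app get_auth_config get_data_logging",
    "apps:write": "create_app update_app update_auth_config update_data_logging "
                  "update_revenuecat_config trigger_revenuecat_refresh "
                  "update_posthog_config",
    "apps:delete": "delete_app",
    "usage:read": "get_app_usage get_usage_timeseries",
    "keys:rotate": "rotate_key list_key_rotations",
    "policies:read": "read_policy",
    "policies:write": "update_policy delete_policy",
    "provider_keys:read": "list_provider_keys",
    "provider_keys:write": "set_provider_key delete_provider_key",
    "notifications:read": "list_notifications",
}
TOOL_SCOPE = {t: s for s, tools in SCOPE_TOOLS.items() for t in tools.split()}


def plan_token(needed_tools):
    """Return (minimal scopes, extra tools those scopes also unlock)."""
    unknown = sorted(set(needed_tools) - set(TOOL_SCOPE))
    if unknown:
        raise ValueError(f"not in the tool table: {unknown}")
    scopes = sorted({TOOL_SCOPE[t] for t in needed_tools})
    unlocked = {t for s in scopes for t in SCOPE_TOOLS[s].split()}
    return scopes, sorted(unlocked - set(needed_tools))


def audit_token(granted_scopes, needed_tools):
    """Return granted scopes that none of the needed tools require."""
    required, _ = plan_token(needed_tools)
    return sorted(set(granted_scopes) - set(required))


if __name__ == "__main__":
    # Constructed scenario: a reporting agent that also creates apps.
    needed = ["list_apps", "get_app_usage", "create_app"]
    scopes, extra = plan_token(needed)
    print("mint with:", scopes)
    print("also reachable:", extra)
    granted = ["apps:read", "apps:write", "apps:delete", "usage:read", "keys:rotate"]
    print("drop:", audit_token(granted, needed))
```

In the constructed scenario, needing `create_app` pulls in `apps:write`, which also reaches `update_auth_config` and `update_data_logging`; treat the "also reachable" list as the token's real blast radius when deciding which client gets it.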
Connect a client
Point any MCP client that supports Streamable HTTP with custom headers at the endpoint, setting X-Management-Token. To test the transport directly with JSON-RPC:
```bash
# Initialize a session
curl https://YOUR_DASHBOARD_ORIGIN/api/mcp \
  -H "X-Management-Token: <MANAGEMENT_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize",
       "params":{"protocolVersion":"2025-06-18","capabilities":{},
                 "clientInfo":{"name":"curl","version":"1.0"}}}'

# Discover tools
curl https://YOUR_DASHBOARD_ORIGIN/api/mcp \
  -H "X-Management-Token: <MANAGEMENT_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list"}'

# Call a tool
curl https://YOUR_DASHBOARD_ORIGIN/api/mcp \
  -H "X-Management-Token: <MANAGEMENT_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":3,"method":"tools/call",
       "params":{"name":"list_apps","arguments":{}}}'
```

Prefer plain REST? The same operations are documented in the REST API reference.