Not supported (no server-initiated stream)
/mcpThis server offers no server-initiated SSE stream, which the
streamable-HTTP spec allows. Always returns 405 with
Allow: POST, DELETE.
Authorization
apiKey Issued to you when your integration is provisioned. Determines which catalogue resources are visible and which AI tools are available.
In: header
Response Body
application/json
curl -X GET "https://example.com/mcp"{ "success": false, "status": "fail", "message": "API key is required", "error": { "code": "NO_API_KEY", "message": "API key is required" }}Terminate an MCP session DELETE
Explicitly end the session named in the `Mcp-Session-Id` header. Returns **204** when the owning key deletes its own session, **404** for an unknown or foreign session.
MCP streamable-HTTP endpoint (JSON-RPC 2.0) POST
Model Context Protocol (MCP) gateway. This is a single **opaque JSON-RPC 2.0** endpoint over MCP streamable-HTTP — the request and response bodies are JSON-RPC envelopes, not a REST resource. Drive it with an MCP client (Claude Code, the MCP Inspector, the official SDKs) rather than by hand; the shapes below are documented for completeness. Responses are always `application/json` (this server never upgrades a POST to Server-Sent Events, which the streamable-HTTP spec permits). **Handshake & sessions.** Call `initialize` first; the response carries an `Mcp-Session-Id` header that every subsequent request must echo back in an `Mcp-Session-Id` request header. The session is bound to the api key that created it (a session from one key cannot be resumed by another) and has a rolling TTL. A missing/expired/foreign session returns **404** with JSON-RPC error `-32001` so clients transparently re-initialize. **Methods.** `initialize`, `notifications/initialized` (→ 202, no body), `ping`, `tools/list`, `tools/call`. **Per-tool scopes.** The curated tools require the `read`, `write` or `ai` scope. `tools/list` returns only the tools your key's scopes allow; `tools/call` re-checks and returns JSON-RPC error `-32002` if the key lacks the tool's scope. The linked user's own permission walls apply underneath. Tool execution failures (not-found, validation) come back as in-band results with `isError: true`, not JSON-RPC errors.