MCP streamable-HTTP endpoint (JSON-RPC 2.0)
/mcpModel Context Protocol (MCP) gateway. This is a single opaque JSON-RPC 2.0 endpoint over MCP streamable-HTTP — the request and response bodies are JSON-RPC envelopes, not a REST resource. Drive it with an MCP client (Claude Code, the MCP Inspector, the official SDKs) rather than by hand; the shapes below are documented for completeness.
Responses are always application/json (this server never upgrades a
POST to Server-Sent Events, which the streamable-HTTP spec permits).
Handshake & sessions. Call initialize first; the response carries
an Mcp-Session-Id header that every subsequent request must echo back
in an Mcp-Session-Id request header. The session is bound to the api
key that created it (a session from one key cannot be resumed by
another) and has a rolling TTL. A missing/expired/foreign session
returns 404 with JSON-RPC error -32001 so clients transparently
re-initialize.
Methods. initialize, notifications/initialized (→ 202, no body),
ping, tools/list, tools/call.
Per-tool scopes. The curated tools require the read, write or
ai scope. tools/list returns only the tools your key's scopes allow;
tools/call re-checks and returns JSON-RPC error -32002 if the key
lacks the tool's scope. The linked user's own permission walls apply
underneath. Tool execution failures (not-found, validation) come back as
in-band results with isError: true, not JSON-RPC errors.
Authorization
apiKey Issued to you when your integration is provisioned. Determines which catalogue resources are visible and which AI tools are available.
In: header
Header Parameters
The session id returned by initialize (in the response's
Mcp-Session-Id header). Required on every request except
initialize.
Request Body
application/json
TypeScript Definitions
Use the request body type in TypeScript.
A JSON-RPC 2.0 request or notification for the MCP endpoint. A request
carries an id and expects a response; a notification omits id.
Response Body
application/json
application/json
application/json
application/json
application/json
curl -X POST "https://example.com/mcp" \ -H "Content-Type: application/json" \ -d '{ "jsonrpc": "2.0", "id": 1, "method": "initialize", "params": { "protocolVersion": "2025-06-18", "capabilities": {}, "clientInfo": { "name": "my-agent", "version": "1.0" } } }'{ "jsonrpc": "2.0", "id": "string", "result": {}, "error": { "code": 0, "message": "string" }}{ "jsonrpc": "2.0", "id": "string", "result": {}, "error": { "code": 0, "message": "string" }}{ "success": false, "status": "fail", "message": "API key is required", "error": { "code": "NO_API_KEY", "message": "API key is required" }}{ "jsonrpc": "2.0", "id": "string", "result": {}, "error": { "code": 0, "message": "string" }}{ "success": false, "status": "fail", "message": "Hourly rate limit exceeded.", "error": { "code": "RATE_LIMITED", "message": "Hourly rate limit exceeded." }}Not supported (no server-initiated stream) GET
This server offers no server-initiated SSE stream, which the streamable-HTTP spec allows. Always returns **405** with `Allow: POST, DELETE`.
Archive a resource DELETE
Archives (soft-deletes) a resource: it is moved to the deletion archive state, disappears from search and normal views, and remains recoverable by an administrator in-app. This mirrors the internal delete behaviour. **Permanent (hard) deletion is not available on the external API.** Requires the `write` scope and edit access to the resource under the linked user. Archiving an already-archived resource succeeds and reports `already_in_deletion_state` in `details`.