Skip to main content
The MCP Service provides endpoints for discovering available MCP servers, managing OAuth connections, and handling MCP instances. It integrates with Composio for OAuth flows and manages the complete lifecycle of MCP server connections.

MCP System Overview

Authentication

All endpoints require a valid Bearer token in the Authorization header and appropriate RBAC permissions. Required Permissions:
  • mcp:read - Read MCP servers and instances
  • mcp:write - Connect accounts and manage instances

Base URL

/api/mcp

MCP Server Discovery

List All MCP Servers

Retrieve all available MCP servers in the platform. 
curl -X GET "{{baseUrl}}/api/mcp/list_servers" \
  -H "Authorization: Bearer YOUR_TOKEN"
Endpoint: GET /api/mcp/list_servers Response Fields:
FieldTypeDescription
serversarrayList of MCP server objects
servers[].idstringServer UUID
servers[].namestringServer display name
servers[].toolkit_namestringOfficial toolkit name
servers[].toolkit_slugstringURL-safe identifier
servers[].toolkit_logostringLogo URL (nullable)
servers[].created_atstringISO 8601 timestamp
servers[].server_instance_countnumberTotal user instances

Get Server with Tools

Retrieve detailed information about an MCP server including all available tools. 
curl -X GET "{{baseUrl}}/api/mcp/server_with_tools?server_id=a1b2c3d4-e5f6-7g8h-9i0j-k1l2m3n4o5p6" \
  -H "Authorization: Bearer YOUR_TOKEN"
Endpoint: GET /api/mcp/server_with_tools Query Parameters:
ParameterRequiredTypeDescription
server_idYesstringMCP server UUID

Connection Management

Connect Account (Start OAuth)

Initiate OAuth flow to connect an MCP server to the user’s account. 
curl -X POST "{{baseUrl}}/api/mcp/connect_account" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "server_id": "a1b2c3d4-e5f6-7g8h-9i0j-k1l2m3n4o5p6",
    "flow_type": "chat"
  }'
Endpoint: POST /api/mcp/connect_account Request Body:
FieldTypeRequiredDescription
server_idstringYesMCP server UUID to connect
flow_typestringNoFlow context (e.g., “chat”, “settings”)
Response Fields:
FieldTypeDescription
idstringConnected account ID from Composio
statusstringConnection status (usually “pending”)
redirect_urlstringOAuth URL to redirect user to
connectionDataobjectAdditional connection metadata
Flow:
  1. Call this endpoint with server_id
  2. Redirect user to redirect_url
  3. User completes OAuth on external service
  4. External service redirects back to callback
  5. System automatically creates MCP instance
  6. User redirected to frontend with success

OAuth Callback Handler

Internal endpoint that handles OAuth callbacks from external services. Endpoint: GET /api/mcp/callback Query Parameters:
ParameterRequiredTypeDescription
mcp_server_idYesstringServer UUID
mcp_session_idYesstringSession instance ID
flow_typeNostringOriginal flow context
Behavior:
  1. Validates OAuth callback
  2. Updates session status to “active”
  3. Auto-creates MCP instance via Composio
  4. Redirects to frontend with parameters
Frontend Redirect Format: 
{frontend_url}/mcp/callback?mcp_server_id={server_id}&mcp_session_id={session_id}&flow_type={flow}
The callback endpoint is configured in the OAuth application settings and is automatically invoked by the external service after user authorization. Clients should not call this endpoint directly.

Generate MCP URL

Generate the MCP connection URL for an active session. 
curl -X POST "{{baseUrl}}/api/mcp/generate_url" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "server_id": "a1b2c3d4-e5f6-7g8h-9i0j-k1l2m3n4o5p6",
    "session_id": "session-uuid"
  }'
Endpoint: POST /api/mcp/generate_url Request Body:
FieldTypeRequiredDescription
server_idstringYesMCP server UUID
session_idstringYesMCP session UUID (from connect_account)
Response:
FieldTypeDescription
mcp_urlstringFull MCP connection URL
statusstringGeneration status
Usage: The generated URL is used internally by the MCP Playground to establish connections with MCP servers.

Instance Management

List User Instances

Retrieve all MCP instances (connections) for the authenticated user’s organization. 
curl -X GET "{{baseUrl}}/api/mcp/list_instances?org_id=your-org-id&status=active" \
  -H "Authorization: Bearer YOUR_TOKEN"
Endpoint: GET /api/mcp/list_instances Query Parameters:
ParameterRequiredTypeDescription
org_idYesstringOrganization UUID
statusNostringFilter by status: active, pending, inactive
Response: Array of MCP instance objects with fields:
FieldTypeDescription
idstringInstance UUID
statusstringCurrent status
mcp_server_idstringParent server UUID
namestringCustom name (nullable)
created_atstringISO 8601 timestamp

Update Instance

Update the custom name of an MCP instance. 
curl -X PUT "{{baseUrl}}/api/mcp/instance?mcp_instance_id=inst-uuid" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "My Primary Gmail Account"
  }'
Endpoint: PUT /api/mcp/instance Query Parameters:
ParameterRequiredTypeDescription
mcp_instance_idYesstringInstance UUID to update
Request Body:
FieldTypeRequiredDescription
namestringYesNew custom name for the instance

Delete Instance

Delete an MCP instance and disconnect from the external service. 
curl -X DELETE "{{baseUrl}}/api/mcp/instance?mcp_instance_id=inst-uuid" \
  -H "Authorization: Bearer YOUR_TOKEN"
Endpoint: DELETE /api/mcp/instance Query Parameters:
ParameterRequiredTypeDescription
mcp_instance_idYesstringInstance UUID to delete
Behavior:
  • Deletes MCP instance from Composio (if active)
  • Removes session record from database
  • Revokes OAuth access tokens
  • Cannot be undone

Error Responses

Status CodeDescriptionExample
400Bad RequestInvalid server_id or missing parameters
401UnauthorizedInvalid or missing token
403ForbiddenInsufficient permissions (requires mcp:write/read)
404Not FoundMCP server or instance not found
500Internal Server ErrorComposio API failure or database error
Error Response Format: 
{
  "detail": "Error message describing what went wrong"
}
Common Error Messages: 
// No auth config found
{
  "detail": "No auth config found for server: server-uuid"
}

// Connection attempt not found
{
  "detail": "No connection attempt found. Please connect your account first."
}

// Instance not found
{
  "detail": "MCP instance not found"
}

// OAuth failure
{
  "detail": "Failed to create connected account: [Composio error details]"
}

Implementation Notes

OAuth Flow

Complete OAuth flow implementation: 
// 1. List available servers
const servers = await listMCPServers();

// 2. User selects server (e.g., Gmail)
const gmailServer = servers.find(s => s.toolkit_slug === 'gmail');

// 3. Initiate connection
const connection = await connectMCPAccount(gmailServer.id, 'chat');

// 4. Redirect to OAuth
window.location.href = connection.redirect_url;

// 5. User completes OAuth on external site
// ... user authorizes ...

// 6. OAuth provider redirects to callback
// Backend handles: GET /api/mcp/callback?mcp_server_id=...&mcp_session_id=...

// 7. Backend redirects to frontend
// Frontend receives: /mcp/callback?mcp_server_id=...&mcp_session_id=...

// 8. Frontend can now generate MCP URL
const mcpUrl = await generateMCPUrl(gmailServer.id, sessionId);

// 9. Use MCP URL in Playground
// Pass to MCP Playground Service for tool usage

Session Management

Best practices for managing MCP sessions: 
# Check user's existing connections
instances = list_instances(org_id, status="active")

# Filter by server
gmail_instances = [i for i in instances if i["mcp_server_id"] == gmail_server_id]

if gmail_instances:
    # User already connected
    instance_id = gmail_instances[0]["id"]
else:
    # Need to connect
    connection = connect_account(gmail_server_id)
    # Redirect user to OAuth...

Feature Flags

MCP functionality is controlled by feature flags:
  • mcp_sessions: Quota for number of MCP connections
  • Checked on POST /connect_account
  • Returns 402 Payment Required if quota exceeded

Composio Integration

The service integrates with Composio for:
  1. OAuth Management:
    • Creating connected accounts
    • Generating redirect URLs
    • Handling callbacks
  2. Instance Management:
    • Creating MCP instances
    • Generating MCP URLs
    • Deleting instances
  3. Authentication:
    • Token management
    • Automatic token refresh
    • Secure credential storage

Rate Limiting

Rate limits may apply based on:
  • Feature flag quotas (mcp_sessions)
  • Composio API limits
  • External service OAuth limits

Security Considerations

OAuth Security

  • OAuth tokens never exposed to client
  • Tokens stored securely in Composio
  • Automatic token refresh
  • Callback URL validation

Access Control

  • All endpoints require authentication
  • RBAC permissions enforced
  • Org-scoped operations
  • User isolation

Data Privacy

  • No MCP data stored permanently
  • OAuth scopes request minimal permissions
  • Users can revoke access anytime
  • Audit trail for connections

Next Steps

Explore MCP integration further: Ready to build with MCP? Check out the MCP Playground API to start using connected tools!