MCP Server

MCP Gateway provides a Model Context Protocol (MCP) server so AI assistants can work with your workspace. Use it with Claude Desktop or any MCP-compatible client.

  • Endpoint: https://mcp.agentic-accounting.com/mcp
  • Auth: the same Bearer tokens and scopes as the REST API
  • Requires: the api-access entitlement on your workspace's plan

Connecting from Claude Desktop

Claude Desktop connects to remote MCP servers by URL and handles the OAuth flow for you:

  1. Open Claude Desktop's Settings → Connectors and choose Add custom connector
  2. Enter the server URL: https://mcp.agentic-accounting.com/mcp
  3. When you first connect, your browser opens MCP Gateway's sign-in page
  4. Pick which workspace to connect (if you belong to more than one) and review the requested scopes
  5. Click Allow

That's it — no client ID or manual registration. MCP Gateway publishes OAuth discovery documents (RFC 9728 / RFC 8414) and supports dynamic client registration (RFC 7591), so compliant clients register themselves and complete the authorization-code flow automatically. The issued token is scoped to the workspace you picked; to switch workspaces, disconnect and connect again.

Other clients that support remote MCP servers with OAuth auto-discovery (MCP Inspector, Cursor, and friends) work the same way: give them the URL and approve the consent screen.

Connecting with an API key

For headless setups — scripts, CI, or clients without OAuth support — use an API key instead. Workspace owners can create one under API Keys in the sidebar (grant it the webhooks:manage scope if you want the webhook tools). Then configure your client to send the key as a Bearer token:

{
  "mcpServers": {
    "mcp-gateway": {
      "url": "https://mcp.agentic-accounting.com/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}

API keys are long-lived, so there's no refresh step — but they're a static secret. Treat them like any credential, and revoke them from the API Keys page if they leak.

Available tools

Tools are filtered by your token's scopes: a tool only appears if its required scope is present.

Tool Description Required scope
whoami Return the connected workspace (id, name, slug) and the token's scopes any valid token
list_webhook_endpoints List the workspace's webhook endpoints webhooks:manage
create_webhook_endpoint Create a webhook endpoint; returns the signing secret (only shown once) webhooks:manage
update_webhook_endpoint Update an endpoint's URL, events, description, or enabled state webhooks:manage

Deleting endpoints isn't exposed as a tool — use the REST API or the Webhooks page in the app. This tool set is the working example that ships with the boilerplate; add your own tools alongside them as you build your domain.

Once connected, try asking your assistant things like:

  • "Which MCP Gateway workspace am I connected to?"
  • "List my webhook endpoints and tell me if any are disabled"
  • "Create a webhook endpoint for member.joined events pointing at https://example.com/hooks"

Protocol details

  • Endpoint: POST https://mcp.agentic-accounting.com/mcp
  • Protocol: JSON-RPC 2.0 over HTTP, stateless (no server-side sessions)
  • Server name / version: mcp-gateway / 1.0.0
  • GET /mcp returns 405 Method Not Allowed (SSE streaming is not supported in stateless mode)
  • DELETE /mcp returns 204 No Content (no sessions to clean up)
  • Rate limits are shared with the REST API: 60 requests/minute and 500 requests/hour per token

OAuth discovery (for client implementers)

A 401 from /mcp includes WWW-Authenticate: Bearer realm="MCP Gateway", resource_metadata="…" per RFC 6750, which is the entry point for discovery.

Next steps

  • API Overview -- the same operations over REST
  • Webhooks -- event types, payloads, and signature verification