MCP Director

Appearance

HTTP API

MCP Director exposes a JSON-RPC 2.0 MCP endpoint over streamable HTTP, plus OAuth/OIDC endpoints and an admin API.

Base URL

  • Default: http://127.0.0.1:3000
  • MCP endpoints: /sse and /mcp

Protocol Version Header

All MCP HTTP requests must include the MCP-Protocol-Version header.

VersionStatus
2025-11-25Default
2025-06-18Supported
2025-03-26Supported
2024-11-05Supported

Authentication

OAuth 2.1 (PKCE)

MCP Director implements OAuth 2.1 Authorization Code with PKCE (S256).

EndpointDescription
GET /authorizeBegin authorization flow
POST /authorizeSubmit consent decision
POST /tokenExchange code for access token
POST /registerRegister OAuth clients
/.well-known/oauth-authorization-serverOAuth metadata
/.well-known/openid-configurationOIDC metadata

Profile Tokens

If profile auth is enabled, provide a token via:

  • Query: /sse?profile=restricted&token=...
  • Header: Authorization: Bearer <token>

Admin API Auth

The /api admin endpoints use HTTP Basic Auth when settings.auth.enabled is true.

MCP Transport

GET /sse

Opens the SSE event stream. The server sends an endpoint event with the session-specific POST URL.

Headers:

  • MCP-Protocol-Version: 2025-11-25
  • Authorization: Bearer <token> (optional)

Query params:

  • profile: optional profile name
  • project: optional project name
  • token: optional profile token

Response:

  • text/event-stream
  • First event: event: endpoint with data /mcp?sessionId=<id>

POST /mcp

Send MCP JSON-RPC requests.

Headers:

  • MCP-Protocol-Version: 2025-11-25
  • Authorization: Bearer <token> (optional)

Query params:

  • sessionId: optional session ID (provided by /sse)

Example - ping:

json
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "ping"
}

Example - initialize:

json
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "initialize",
  "params": {
    "protocolVersion": "2025-11-25",
    "clientInfo": { "name": "example", "version": "0.0.1" }
  }
}

Key MCP Methods

MethodDescription
tools/listList available tools
tools/callCall a tool
resources/listList resources
resources/readRead a resource
resources/subscribeSubscribe to resource updates
prompts/listList prompts
prompts/getGet a prompt
tasks/resultGet async task result
tasks/listList tasks
tasks/cancelCancel a task
pingHealth check

Async Tool Calls

Include a task object in tools/call params to run asynchronously:

json
{
  "jsonrpc": "2.0",
  "id": 10,
  "method": "tools/call",
  "params": {
    "name": "filesystem/read_file",
    "arguments": { "path": "/tmp/notes.txt" },
    "task": { "timeoutMs": 300000 }
  }
}

Check status:

json
{
  "jsonrpc": "2.0",
  "id": 11,
  "method": "tasks/result",
  "params": { "taskId": "<id>" }
}

SSE Notifications

The SSE stream carries notifications:

  • notifications/tools/list_changed
  • notifications/resources/list_changed
  • notifications/prompts/list_changed
  • notifications/resources/updated
  • notifications/progress
  • notifications/cancelled
  • notifications/shutdown

Observability

EndpointDescription
GET /metricsPrometheus-style counters
GET /healthBackend + analytics health
GET /api-docsOpenAPI 3.0 document

Admin API

All endpoints are under /api and require Basic Auth when enabled.

Servers

EndpointDescription
GET /api/serversList servers
POST /api/serversAdd server
DELETE /api/servers/{name}Remove server
GET /api/servers/{name}/statusServer status

Tools

EndpointDescription
GET /api/toolsList all tools

Profiles

EndpointDescription
GET /api/profilesList profiles
POST /api/profilesCreate profile
DELETE /api/profiles/{name}Delete profile

Projects

EndpointDescription
GET /api/projectsList projects
POST /api/projectsCreate project
DELETE /api/projects/{name}Delete project

Configuration

EndpointDescription
GET /api/configGet configuration
POST /api/configUpdate configuration
POST /api/config/reloadReload configuration

Authentication

EndpointDescription
POST /api/auth/enableEnable auth with username/password

Error Handling

StatusDescription
400Invalid request or unsupported protocol version
403Invalid origin header
429Rate limit exceeded

JSON-RPC errors follow MCP spec codes: -32600, -32602, -32603.

Released under the MIT License.

Copyright 2024-present