API Reference | MCP Stack Docs

The MCP Stack REST API manages organizations, MCP servers, gateways, and agents. The CLI wraps these same endpoints.

Each group below lists every endpoint in that resource. Scan the method and description; copy the exact signature; expand a row for a runnable curl example.

Conventions#

Base URL: https://api.mcpstack.com

Auth: send an OAuth access token or a service-account key as a bearer token. Service-account keys (mcpstack_sk_…) are also accepted in the X-API-Key header.

HTTP

Authorization: Bearer <token>
X-API-Key: mcpstack_sk_...

Organization scope: most endpoints live under one organization root. Throughout this page that root is shown inline as /api/v1/organizations/{orgId}, so every signature is complete and unambiguous. A handful of endpoints sit above the org root and are shown with their full /api/v1/... path.

Errors: a 401 means the request was not authenticated; a 403 means the identity authenticated but lacks the required grant on that resource.

BASH

export BASE="https://api.mcpstack.com"
export TOKEN="mcpstack_sk_..."
 
# List the organizations the token can access
curl -sS --fail-with-body "$BASE/api/v1/organizations" \
  -H "Authorization: Bearer $TOKEN"

Organizations and access#

Identity, membership, service-account keys, and permission checks.

MethodEndpointDescriptionCopy

GET/api/v1/organizationsList organizations the token can access.

List organizations the token can access.

POST/api/v1/organizationsCreate an organization. Body: `{ name, slug }`.Create an organization. Body: `{ name, slug }`.

Request body

JSON

{
  "name": "Acme",
  "slug": "acme"
}

Response201

JSON

{
  "id": "org_7Hf3kQ2",
  "slug": "acme",
  "name": "Acme",
  "planTier": "free",
  "mcpServerCount": 0,
  "memberCount": 1,
  "createdOn": "2026-05-29T18:20:11Z",
  "publicMcpGuidesEnabled": true
}

GET/api/v1/organizations/{orgId}Get the current organization.

Get the current organization.

PATCH/api/v1/organizations/{orgId}Update organization details.

Update organization details.

DELETE/api/v1/organizations/{orgId}Delete the organization. Admin only.

Delete the organization. Admin only.

GET/api/v1/organizations/{orgId}/membersList active members.

List active members.

PATCH/api/v1/organizations/{orgId}/members/{principalId}Change a member's role. Body: `{ role }`.

Change a member's role. Body: `{ role }`.

DELETE/api/v1/organizations/{orgId}/members/{principalId}Remove a member.

Remove a member.

GET/api/v1/organizations/{orgId}/invitationsList pending invitations.

List pending invitations.

POST/api/v1/organizations/{orgId}/invitationsInvite a teammate. Body: `{ email, role }`.Invite a teammate. Body: `{ email, role }`.

role is one of admin, developer, or viewer.

Request body

JSON

{
  "email": "teammate@example.com",
  "role": "developer"
}

Response201

JSON

{
  "id": "inv_3Kd9twP",
  "organizationId": "org_7Hf3kQ2",
  "organizationName": "Acme",
  "email": "teammate@example.com",
  "role": "developer",
  "status": "pending",
  "inviteUrl": "https://app.mcpstack.com/invitations/inv_3Kd9twP",
  "createdAt": "2026-05-29T18:20:11Z",
  "expiresAt": "2026-06-05T18:20:11Z",
  "lastSentAt": "2026-05-29T18:20:11Z",
  "acceptedAt": null,
  "acceptedByUserId": null,
  "revokedAt": null,
  "revokedReason": null,
  "lastSendError": null
}

BASH

curl -sS --fail-with-body -X POST \
  "$BASE/api/v1/organizations/$ORG_ID/invitations" \
  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -d '{ "email": "teammate@example.com", "role": "developer" }'

POST/api/v1/organizations/{orgId}/invitations/{invitationId}/resendResend an invitation email.

Resend an invitation email.

POST/api/v1/organizations/{orgId}/invitations/{invitationId}/revokeRevoke an invitation. Body: `{ reason? }`.

Revoke an invitation. Body: `{ reason? }`.

GET/api/v1/organizations/{orgId}/api-keysList service-account keys.

List service-account keys.

GET/api/v1/organizations/{orgId}/api-keys/rolesList roles assignable to keys.

List roles assignable to keys.

POST/api/v1/organizations/{orgId}/api-keysCreate a service-account key. The full secret is returned only here.Create a service-account key. The full secret is returned only here.

roleKey defaults to viewer. The fullKey (mcpstack_sk_…) is returned once on creation and never again.

Request body

JSON

{
  "name": "automation-bot",
  "roleKey": "developer"
}

Response201

JSON

{
  "id": "key_9Lm2vRs",
  "name": "automation-bot",
  "clientId": "mcpstack_sk_3f8ad12c",
  "fullKey": "mcpstack_sk_3f8ad12c_b7e1d9a4c0f24e6fa1c8d3b2e5079a6f",
  "createdAt": "2026-05-29T18:20:11Z",
  "expiresAt": null,
  "roleKey": "developer",
  "roleName": "Developer"
}

BASH

curl -sS --fail-with-body -X POST \
  "$BASE/api/v1/organizations/$ORG_ID/api-keys" \
  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -d '{ "name": "automation-bot", "roleKey": "developer" }'

DELETE/api/v1/organizations/{orgId}/api-keys/{keyId}Revoke a service-account key.

Revoke a service-account key.

POST/api/v1/organizations/{orgId}/authorization/checkCheck organization-level permissions.

Check organization-level permissions.

POST/api/v1/organizations/{orgId}/authorization/check-entitiesCheck permissions on specific resources.

Check permissions on specific resources.

MCP servers#

The core resource: create a server from an OpenAPI spec, then shape, verify, deploy, and operate it.

Lifecycle#

MethodEndpointDescriptionCopy

GET/api/v1/organizations/{orgId}/mcp-serversList MCP servers.

List MCP servers.

POST/api/v1/organizations/{orgId}/mcp-serversCreate a server. Hosted servers publish to MCP Stack Host automatically.Create a server. Hosted servers publish to MCP Stack Host automatically.

Store a private spec inline with openApiSpecJson (JSON or YAML text); the file does not need to be reachable on the public internet. Set openApiSpecSource to upload (or url with openApiSpecUrl).

BASH

SPEC="$(jq -Rs . < openapi.yaml)"
curl -sS --fail-with-body -X POST \
  "$BASE/api/v1/organizations/$ORG_ID/mcp-servers" \
  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -d @- <<JSON
{
  "name": "Support API",
  "slug": "support-api",
  "kind": "generated_openapi",
  "runtimeType": "generated_worker",
  "openApiSpecJson": $SPEC,
  "openApiSpecSource": "upload",
  "openApiSpecFileName": "openapi.yaml"
}
JSON

Response201

JSON

{
  "id": "mcp_5Qp8wYz",
  "organizationId": "org_7Hf3kQ2",
  "slug": "support-api",
  "gatewayPublicId": null,
  "name": "Support API",
  "description": null,
  "status": "draft",
  "kind": "generated_openapi",
  "runtimeType": "generated_worker",
  "openApiSpecUrl": null,
  "totalInvocations": 0,
  "toolCount": 12,
  "createdOn": "2026-05-29T18:20:11Z",
  "hasOpenApiSpec": true,
  "openApiSpecSource": "upload",
  "openApiSpecFileName": "openapi.yaml",
  "openApiSpecUpdatedAt": "2026-05-29T18:20:11Z",
  "hasGateway": false,
  "toolsManaged": true,
  "gateway": null,
  "catalogStatus": "unknown",
  "catalogError": null,
  "installGuideEnabled": true
}

GET/api/v1/organizations/{orgId}/mcp-servers/{serverId}Get a server, including its tools.Get a server, including its tools.

The tools array carries the toolId values used by the tool and smoke-test endpoints.

Response200

JSON

{
  "id": "mcp_5Qp8wYz",
  "organizationId": "org_7Hf3kQ2",
  "slug": "support-api",
  "name": "Support API",
  "status": "running",
  "kind": "generated_openapi",
  "runtimeType": "generated_worker",
  "hasOpenApiSpec": true,
  "totalInvocations": 1840,
  "createdOn": "2026-05-29T18:20:11Z",
  "tools": [
    {
      "id": "tool_2Ab7nLk",
      "toolKey": "createTicketNote",
      "displayName": "Create ticket note",
      "httpMethod": "POST",
      "httpPath": "/tickets/{id}/notes",
      "isEnabled": true
    }
  ],
  "hasGateway": false,
  "toolsManaged": true,
  "installGuideEnabled": true
}

PATCH/api/v1/organizations/{orgId}/mcp-servers/{serverId}Update settings or replace the spec.

Update settings or replace the spec.

DELETE/api/v1/organizations/{orgId}/mcp-servers/{serverId}Delete a server. Hosted runtime cleanup is automatic.

Delete a server. Hosted runtime cleanup is automatic.

GET/api/v1/organizations/{orgId}/mcp-servers/{serverId}/configGet the resolved server configuration.

Get the resolved server configuration.

GET/api/v1/organizations/{orgId}/mcp-servers/{serverId}/analyticsGet usage analytics.

Get usage analytics.

GET/api/v1/organizations/{orgId}/mcp-servers/{serverId}/logsPage through request logs.

Page through request logs.

OpenAPI and tools#

MethodEndpointDescriptionCopy

POST/api/v1/organizations/{orgId}/mcp-servers/{serverId}/openapiReplace the stored OpenAPI spec.

Replace the stored OpenAPI spec.

POST/api/v1/organizations/{orgId}/mcp-servers/{serverId}/openapi/refreshRe-fetch a URL-backed spec and re-import tools.

Re-fetch a URL-backed spec and re-import tools.

POST/api/v1/organizations/{orgId}/mcp-servers/{serverId}/discover-toolsRe-import tools from the current spec.

Re-import tools from the current spec.

PATCH/api/v1/organizations/{orgId}/mcp-servers/{serverId}/tools/{toolId}Edit one tool.Edit one tool.

toolId comes from the tools array on the server detail response. Fields: isEnabled, displayName, descriptionOverride, instructions, whenToUse, whenNotToUse.

Request body

JSON

{
  "isEnabled": true,
  "displayName": "Create ticket note",
  "instructions": "Use only after the user confirms the ticket id and note body."
}

Response200

JSON

{
  "id": "tool_2Ab7nLk",
  "name": "create_ticket_note",
  "toolKey": "createTicketNote",
  "displayName": "Create ticket note",
  "description": "Append a note to a support ticket.",
  "httpMethod": "POST",
  "httpPath": "/tickets/{id}/notes",
  "isEnabled": true,
  "toolNamingVersion": 2,
  "source": "generated_openapi",
  "isManaged": true,
  "instructions": "Use only after the user confirms the ticket id and note body.",
  "whenToUse": null,
  "whenNotToUse": null
}

BASH

curl -sS --fail-with-body -X PATCH \
  "$BASE/api/v1/organizations/$ORG_ID/mcp-servers/$SERVER_ID/tools/$TOOL_ID" \
  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -d '{
    "isEnabled": true,
    "displayName": "Create ticket note",
    "instructions": "Use only after the user confirms the ticket id and note body."
  }'

PUT/api/v1/organizations/{orgId}/mcp-servers/{serverId}/toolsBulk-replace tool settings. Body: an array of tool patches.

Bulk-replace tool settings. Body: an array of tool patches.

GET/api/v1/organizations/{orgId}/mcp-servers/{serverId}/endpointsGet the enabled endpoint set.

Get the enabled endpoint set.

PUT/api/v1/organizations/{orgId}/mcp-servers/{serverId}/endpointsUpdate which endpoints are exposed.

Update which endpoints are exposed.

GET/api/v1/organizations/{orgId}/mcp-servers/{serverId}/auth-configGet the runtime auth configuration.

Get the runtime auth configuration.

PUT/api/v1/organizations/{orgId}/mcp-servers/{serverId}/auth-configUpdate runtime auth.

Update runtime auth.

GET/api/v1/organizations/{orgId}/mcp-servers/{serverId}/auth-discoveryProbe the upstream API's auth requirements.

Probe the upstream API's auth requirements.

Verify, deploy, and operate#

MethodEndpointDescriptionCopy

POST/api/v1/organizations/{orgId}/mcp-servers/{serverId}/hosting-checksRun DNS, TLS, routing, runtime, and tools/list checks.Run DNS, TLS, routing, runtime, and tools/list checks.

Pass ?environment=prod to target a specific environment.

BASH

curl -sS --fail-with-body -X POST \
  "$BASE/api/v1/organizations/$ORG_ID/mcp-servers/$SERVER_ID/hosting-checks?environment=prod" \
  -H "Authorization: Bearer $TOKEN"

POST/api/v1/organizations/{orgId}/mcp-servers/{serverId}/mcp-smoke/tools-listList tools over MCP against the live runtime.

List tools over MCP against the live runtime.

POST/api/v1/organizations/{orgId}/mcp-servers/{serverId}/mcp-smoke/tools/{toolName}/callInvoke a tool over MCP. Body: `{ arguments }`.

Invoke a tool over MCP. Body: `{ arguments }`.

GET/api/v1/organizations/{orgId}/mcp-servers/{serverId}/deploymentGet the current deployment.

Get the current deployment.

GET/api/v1/organizations/{orgId}/mcp-servers/{serverId}/deployment/logsGet hosted runtime logs.

Get hosted runtime logs.

GET/api/v1/organizations/{orgId}/mcp-servers/{serverId}/deploymentsList deployment history.

List deployment history.

GET/api/v1/organizations/{orgId}/mcp-servers/{serverId}/deployments/{deploymentId}Get one deployment.

Get one deployment.

GET/api/v1/organizations/{orgId}/mcp-servers/{serverId}/deployment-configGet the deployment config.

Get the deployment config.

PUT/api/v1/organizations/{orgId}/mcp-servers/{serverId}/deployment-configUpdate the deployment config.

Update the deployment config.

GET/api/v1/organizations/{orgId}/mcp-servers/{serverId}/deployment-operationsList publish/deployment operations.

List publish/deployment operations.

GET/api/v1/organizations/{orgId}/mcp-servers/{serverId}/deployment-operations/{operationId}Get one operation's status.

Get one operation's status.

Custom domains#

Attach a customer-owned hostname to a hosted server. See custom domains for the staged DNS workflow.

MethodEndpointDescriptionCopy

GET/api/v1/organizations/{orgId}/mcp-servers/{serverId}/custom-domainGet custom-domain status.

Get custom-domain status.

POST/api/v1/organizations/{orgId}/mcp-servers/{serverId}/custom-domain/validateStart validation; returns the ownership TXT record. Body: `{ hostName, environment? }`.

Start validation; returns the ownership TXT record. Body: `{ hostName, environment? }`.

POST/api/v1/organizations/{orgId}/mcp-servers/{serverId}/custom-domain/confirm-ownershipConfirm ownership after the TXT record resolves.

Confirm ownership after the TXT record resolves.

POST/api/v1/organizations/{orgId}/mcp-servers/{serverId}/custom-domain/finalizeFinalize routing once CNAME/TXT records propagate.

Finalize routing once CNAME/TXT records propagate.

DELETE/api/v1/organizations/{orgId}/mcp-servers/{serverId}/custom-domainRemove the custom domain.

Remove the custom domain.

Gateway attachment#

MethodEndpointDescriptionCopy

GET/api/v1/organizations/{orgId}/mcp-servers/{serverId}/gatewayGet the server's gateway attachment.

Get the server's gateway attachment.

PUT/api/v1/organizations/{orgId}/mcp-servers/{serverId}/gatewayAttach a gateway. Body: `{ gatewayId, publicId? }`.

Attach a gateway. Body: `{ gatewayId, publicId? }`.

DELETE/api/v1/organizations/{orgId}/mcp-servers/{serverId}/gatewayDetach the gateway.

Detach the gateway.

Gateways#

Reusable OAuth/discovery profiles that front one or more hosted servers.

MethodEndpointDescriptionCopy

GET/api/v1/organizations/{orgId}/gatewaysList gateways.

List gateways.

POST/api/v1/organizations/{orgId}/gatewaysCreate a gateway. Body: `{ name, provider, authorizationServerUrl, clientId, resource, scopes[] }`.

Create a gateway. Body: `{ name, provider, authorizationServerUrl, clientId, resource, scopes[] }`.

GET/api/v1/organizations/{orgId}/gateways/{gatewayId}Get a gateway.

Get a gateway.

PUT/api/v1/organizations/{orgId}/gateways/{gatewayId}Update a gateway.

Update a gateway.

DELETE/api/v1/organizations/{orgId}/gateways/{gatewayId}Delete a gateway.

Delete a gateway.

GET/api/v1/organizations/{orgId}/gateways/{gatewayId}/serversList servers attached to a gateway.

List servers attached to a gateway.

GET/api/v1/organizations/{orgId}/gateways/{gatewayId}/grantsList OAuth grants issued through a gateway.

List OAuth grants issued through a gateway.

GET/api/v1/organizations/{orgId}/gateways/{gatewayId}/logsGet gateway request logs.

Get gateway request logs.

Agents#

Create agents, inspect usage and conversations, and manage embed keys and budgets.

Lifecycle and usage#

MethodEndpointDescriptionCopy

GET/api/v1/organizations/{orgId}/agent-model-optionsList available models.

List available models.

GET/api/v1/organizations/{orgId}/agentsList agents.

List agents.

POST/api/v1/organizations/{orgId}/agentsCreate an agent. Body: `{ name, mcpServerIds[], … }`.

Create an agent. Body: `{ name, mcpServerIds[], … }`.

GET/api/v1/organizations/{orgId}/agents/{agentId}Get an agent.

Get an agent.

PATCH/api/v1/organizations/{orgId}/agents/{agentId}Update an agent.

Update an agent.

DELETE/api/v1/organizations/{orgId}/agents/{agentId}Delete an agent.

Delete an agent.

GET/api/v1/organizations/{orgId}/agents/{agentId}/usageGet usage and cost for an agent.

Get usage and cost for an agent.

GET/api/v1/organizations/{orgId}/agents/{agentId}/usage/usersGet per-user usage.

Get per-user usage.

GET/api/v1/organizations/{orgId}/agents/{agentId}/usage/llm-callsGet LLM call logs.

Get LLM call logs.

GET/api/v1/organizations/{orgId}/embed-usageGet embedded-agent usage across the organization.

Get embedded-agent usage across the organization.

GET/api/v1/organizations/{orgId}/agents/{agentId}/conversationsList an agent's conversations.

List an agent's conversations.

GET/api/v1/organizations/{orgId}/agents/{agentId}/conversations/{conversationId}Get a conversation.

Get a conversation.

GET/api/v1/organizations/{orgId}/agents/{agentId}/conversations/{conversationId}/messagesGet a conversation's messages.

Get a conversation's messages.

Budgets#

Cap spend at the agent level and per embedded user.

MethodEndpointDescriptionCopy

PATCH/api/v1/organizations/{orgId}/agents/{agentId}/budgetSet the agent's default budget policy.Set the agent's default budget policy.

Fields: monthlyBudgetUsd (required when enabled), defaultUserBudgetUsd, anonymousMonthlyBudgetUsd, currency (default USD), enabled.

Request body

JSON

{
  "enabled": true,
  "monthlyBudgetUsd": 10000,
  "defaultUserBudgetUsd": 5
}

Response200

JSON

{
  "monthlyBudgetUsd": 10000,
  "defaultUserMonthlyBudgetUsd": 5,
  "anonymousMonthlyBudgetUsd": null,
  "currency": "USD",
  "allocationMode": "shared",
  "resetDayOfMonthUtc": 1,
  "currentMonthSpendUsd": 0,
  "remainingBudgetUsd": 10000,
  "trackedUserCount": 0,
  "assignedUserCount": 0,
  "assignedBudgetUsd": 0,
  "enabled": true
}

BASH

curl -sS --fail-with-body -X PATCH \
  "$BASE/api/v1/organizations/$ORG_ID/agents/$AGENT_ID/budget" \
  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -d '{ "enabled": true, "monthlyBudgetUsd": 10000, "defaultUserBudgetUsd": 5 }'

PUT/api/v1/organizations/{orgId}/agents/{agentId}/external-users/{externalUserId}/budgetSet one embedded user's monthly cap. Body: `{ monthlyBudgetUsd }`.

Set one embedded user's monthly cap. Body: `{ monthlyBudgetUsd }`.

GET/api/v1/organizations/{orgId}/agents/{agentId}/external-users/{externalUserId}/budgetGet one embedded user's budget.

Get one embedded user's budget.

DELETE/api/v1/organizations/{orgId}/agents/{agentId}/external-users/{externalUserId}/budgetRemove an embedded user's override.

Remove an embedded user's override.

Embed keys and verified domains#

MethodEndpointDescriptionCopy

GET/api/v1/organizations/{orgId}/agents/{agentId}/embed-keysList embed keys.

List embed keys.

POST/api/v1/organizations/{orgId}/agents/{agentId}/embed-keysCreate an embed key. The public key is returned once.

Create an embed key. The public key is returned once.

DELETE/api/v1/organizations/{orgId}/agents/{agentId}/embed-keys/{keyId}Revoke an embed key.

Revoke an embed key.

GET/api/v1/organizations/{orgId}/agents/{agentId}/verified-domainsList verified embed domains.

List verified embed domains.

POST/api/v1/organizations/{orgId}/agents/{agentId}/verified-domainsAdd a domain to verify for embedding.

Add a domain to verify for embedding.

POST/api/v1/organizations/{orgId}/agents/{agentId}/verified-domains/{domainId}/confirmConfirm a domain after the DNS record resolves.

Confirm a domain after the DNS record resolves.

Billing, credits, and hosting#

MethodEndpointDescriptionCopy

GET/api/v1/organizations/{orgId}/ai-credits/summaryGet the AI-credit balance.

Get the AI-credit balance.

GET/api/v1/organizations/{orgId}/ai-credits/ledgerGet the AI-credit ledger.

Get the AI-credit ledger.

POST/api/v1/organizations/{orgId}/ai-credits/checkout-sessionStart an AI-credit checkout.

Start an AI-credit checkout.

POST/api/v1/organizations/{orgId}/ai-credits/checkout-session/{sessionId}/syncReconcile an AI-credit checkout session.

Reconcile an AI-credit checkout session.

GET/api/v1/organizations/{orgId}/mcp-hosting/usageGet hosted-runtime usage.

Get hosted-runtime usage.

POST/api/v1/organizations/{orgId}/mcp-hosting/billing/checkout-sessionStart a hosting checkout.

Start a hosting checkout.

POST/api/v1/organizations/{orgId}/mcp-hosting/billing/checkout-session/{sessionId}/syncReconcile a hosting checkout session.

Reconcile a hosting checkout session.

POST/api/v1/organizations/{orgId}/billing/portal-sessionOpen the billing portal.

Open the billing portal.

Dashboard and identity#

These sit above the organization root.

MethodEndpointDescriptionCopy

GET/api/v1/dashboard/statsGet dashboard summary stats.

Get dashboard summary stats.

GET/api/v1/dashboard/analyticsGet aggregated analytics.

Get aggregated analytics.

GET/api/v1/auth/meGet the current user.

Get the current user.

GET/api/v1/cli/configGet CLI bootstrap config. No auth required.

Get CLI bootstrap config. No auth required.

GET/api/v1/cli/whoamiIdentify the caller behind a token or key.

Identify the caller behind a token or key.

These endpoints are intentionally out of scope for this reference: system-admin (/api/v1/admin/*), the OAuth gateway flow (/api/v1/gateway/{publicId}/*), and embed-key chat (/api/v1/chat).