Skip to content
Jetrepo
Esc
navigateopen⌘Jpreview
On this page

Connect an MCP client

Discover the stateless Streamable HTTP endpoint, authenticate each request, and list permitted tools.

Management MCP is available at POST /agent/mcp on the Management API origin. It is stateless: every request creates a fresh server and filters tools against live effective access.

Discover the service

Use these root discovery documents instead of hard-coding authorization endpoints:

  • /.well-known/agent-configuration
  • /.well-known/oauth-authorization-server
  • /.well-known/openid-configuration
  • /.well-known/oauth-protected-resource

OAuth and OpenID discovery also support the path-aware form advertised for the issuer.

List tools

Authenticate with an agent key, Agent Auth session, or OAuth access token. A valid credential is enough to call whoami; that tool has no CMS permission expression.

curl https://cms.example.com/agent/mcp \
  -H 'content-type: application/json' \
  -H 'x-api-key: YOUR_AGENT_KEY' \
  --data '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}'

Start with whoami, then tools/list, then a scoped read before any write. Each other tool has its own permission expression and rechecks Backend pinning and target scope during execution. Connecting does not universally require backend.read.

Authentication challenge

An unauthenticated request returns 401 with:

WWW-Authenticate: Bearer resource_metadata="https://cms.example.com/.well-known/oauth-protected-resource"
{
  "error": "unauthorized",
  "error_description": "Authenticate with an agent-scoped x-api-key, an Agent Auth JWT, or an OAuth 2.1 access token."
}

This is the management endpoint, not the Delivery API or documentation MCP. Revocation and permission narrowing affect the next request.

Was this page helpful?