/api/v0 for registering servers, invoking tools, and administering the system, and a set of MCP proxy endpoints that AI agents connect to directly. All responses are JSON unless otherwise noted.
Base URL
8080 by default. Every REST management endpoint is prefixed with /api/v0. MCP proxy endpoints sit at the root and under /v0.
Authentication
In development mode, the server doesn’t enforce any authentication. In enterprise mode every request must carry a bearer token:POST /api/v0/users or POST /api/v0/clients. The admin token is returned when the server is initialized with POST /init.
Requests that arrive without a valid token in enterprise mode receive
401 Unauthorized. Requests from a user-role token that target admin-only endpoints receive 403 Forbidden.Access levels
MCP clients (non-human agents) authenticate with their own tokens and are further restricted to the servers listed in their allow list.
Example request
Endpoint groups
The REST API surface is organized into a few practical areas:Servers: register, deregister, enable, and disable upstream MCP serversTools, prompts, and resources: list, inspect, invoke, and fetch content exposed through registered serversTool groups: create and manage curated subsets of tools for narrower MCP surfacesClients and users: enterprise-only identity and access management
System endpoints
These endpoints sit outside the/api/v0 prefix and require no authentication.
GET /health
Returns 200 OK when the server is running.
