marco/buildmymcpserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4d136c4fb2
buildmymcpserver/apps/web/app/docs/api-reference/page.tsx
Marco Sadjadi 4d136c4fb2
All checks were successful
Deploy to Production / deploy (push) Successful in 1m31s
Details
fix(mcp): RFC 9728 protected-resource metadata path + audience binding 
Codex/RFC review showed that Claude Desktop addresses the MCP resource
as <PUBLIC_URL>/mcp (the streamable-HTTP endpoint) rather than the
base URL. Per RFC 9728 the protected-resource metadata then lives at
.well-known/oauth-protected-resource inserted between host and path:

  https://mcp.buildmymcpserver.com/.well-known/oauth-protected-resource/<slug>/mcp

Runner template now:
  - publishes `resource: <PUBLIC_URL>/mcp`
  - sets WWW-Authenticate to the RFC 9728 well-known URL
  - serves /.well-known/oauth-protected-resource[/*] so the metadata
    answers at both the legacy and RFC paths during transition
  - accepts both audiences (<PUBLIC_URL>/mcp + <PUBLIC_URL>) during
    rollout so already-issued tokens keep working

API:
  - resolveServerByResource() tries port first, then path segment
    (production path-routing), with a guard against treating "mcp" as
    a tenant slug
  - AS metadata advertises resource_parameter_supported: true

nginx (scripts/setup-runner-tls.sh + scripts/bmm-mcp-runners.nginx):
  - new location matches /.well-known/oauth-protected-resource/<slug>/...
    and proxies to the slug's runner with the slug stripped, so the
    runner sees the local well-known path

Docs (oauth + api-reference) updated to the RFC paths.
2026-05-28 20:54:27 +02:00

91 lines
3.6 KiB
TypeScript
Raw Blame History

import {
DocsTitle,
DocsLead,
DocsH2,
DocsP,
DocsCode,
Mono,
} from '@/components/docs-page';
export const metadata = { title: 'API reference — BuildMyMCPServer docs' };
export default function ApiReference() {
return (
<>
<DocsTitle kicker="Reference">API reference</DocsTitle>
<DocsLead>
Every endpoint on the control plane. Authenticated routes use the session cookie set by
the magic-link verify call.
</DocsLead>
<DocsH2 id="auth">Auth</DocsH2>
<DocsP>
<Mono>POST /v1/auth/magic-link</Mono> body <Mono>{`{"email":"…"}`}</Mono> emails (or
prints in dev) a one-time link.
</DocsP>
<DocsP>
<Mono>POST /v1/auth/verify</Mono> body <Mono>{`{"token":"…"}`}</Mono> exchanges the
token for a session cookie.
</DocsP>
<DocsP><Mono>GET /v1/auth/me</Mono> returns the current session user + org.</DocsP>
<DocsP><Mono>POST /v1/auth/logout</Mono> destroys the session.</DocsP>
<DocsH2 id="servers">Servers</DocsH2>
<DocsP><Mono>GET /v1/servers</Mono> list servers in the current org.</DocsP>
<DocsP>
<Mono>POST /v1/servers/preview</Mono> body <Mono>{`{"prompt":"…"}`}</Mono> runs Claude
synchronously, validates the spec, caches it, returns <Mono>{`{ previewId, source, spec }`}</Mono>.
</DocsP>
<DocsP>
<Mono>POST /v1/servers</Mono> body <Mono>{`{name, slug, prompt, secrets, previewId?}`}</Mono>
creates the server, queues the build, returns the server + build records.
</DocsP>
<DocsP>
<Mono>GET /v1/servers/:id</Mono> server detail with the latest 10 build records.
</DocsP>
<DocsP>
<Mono>POST /v1/servers/:id/iterate</Mono> body <Mono>{`{prompt, secrets}`}</Mono>
queues a new version build.
</DocsP>
<DocsP><Mono>DELETE /v1/servers/:id</Mono> removes the server and tears down the container.</DocsP>
<DocsH2 id="builds">Builds</DocsH2>
<DocsP>
<Mono>GET /v1/builds/:id</Mono> build record + persisted logs.
</DocsP>
<DocsP>
<Mono>WS /v1/builds/:id/stream</Mono> live event stream of build events:
<Mono>status</Mono>, <Mono>log</Mono>, <Mono>done</Mono>, <Mono>error</Mono>.
</DocsP>
<DocsH2 id="oauth">OAuth (clients of generated servers, not dashboard)</DocsH2>
<DocsP>
<Mono>GET /.well-known/oauth-authorization-server/oauth</Mono> RFC 8414 metadata.
</DocsP>
<DocsP><Mono>GET /oauth/jwks</Mono> RS256 public key for verifying access tokens.</DocsP>
<DocsP><Mono>POST /oauth/register</Mono> RFC 7591 dynamic client registration.</DocsP>
<DocsP><Mono>GET /oauth/authorize</Mono> authorization code endpoint, requires session.</DocsP>
<DocsP><Mono>POST /oauth/token</Mono> code exchange + refresh.</DocsP>
<DocsH2 id="examples">Curl example</DocsH2>
<DocsCode
label="full lifecycle"
code={`# 1. magic link
curl -X POST http://localhost:4000/v1/auth/magic-link -d '{"email":"me@x.dev"}'
# (grab token from API console)
# 2. verify -> session
curl -c cookies.txt -X POST http://localhost:4000/v1/auth/verify -d '{"token":"…"}'
# 3. preview
curl -b cookies.txt -X POST http://localhost:4000/v1/servers/preview \\
-d '{"prompt":"echo server with one tool: echo(message)"}'
# 4. build
curl -b cookies.txt -X POST http://localhost:4000/v1/servers \\
-d '{"name":"Echo","slug":"echo","prompt":"…","secrets":{},"previewId":"…"}'`}
/>
</>
);
}
Reference in New Issue View Git Blame Copy Permalink