MCP server
Connect Claude Desktop / Cursor / ChatGPT / Codex / Windsurf and let your agent deploy, manage, and operate apps via 46 tools.
VibeHost ships a remote Model Context Protocol server at https://api.vibehost.com/mcp. Any MCP-compatible agent can connect to it and gain a tool surface for the entire platform.
What your agent can do
46 tools, split into 8 surfaces. Read-only tools are marked (read). Tools that change publicly-visible internet state carry openWorldHint: true so the client can prompt for confirmation.
Workspaces & apps
list_workspaces, list_teams, list_apps, create_app,
get_app, update_app, delete_app.
Deployments
create_deployment, list_deployments, get_deployment,
promote_deployment, rollback_deployment,
delete_deployment, get_deployment_logs.
Channels
list_channels, create_channel, delete_channel,
get_channel.
Custom domains
add_custom_domain, list_custom_domains,
verify_custom_domain, remove_custom_domain.
Redirects + env
set_redirect, list_redirects, remove_redirect,
set_env_var, list_env_vars, remove_env_var.
Grants & access
add_grant, list_grants, remove_grant,
set_visibility, set_password_gate, set_share_link.
Endpoints
| What | URL |
|---|---|
| MCP server | https://api.vibehost.com/mcp |
| OAuth 2.1 authz server metadata (RFC 8414) | https://api.vibehost.com/.well-known/oauth-authorization-server |
| Protected resource metadata (RFC 9728) | https://api.vibehost.com/.well-known/oauth-protected-resource/mcp |
| Dynamic client registration (RFC 7591) | https://api.vibehost.com/api/v1/oauth/register |
Transport: Streamable HTTP (the MCP spec's recommended transport since 2025-06).
Authentication
OAuth 2.1 authorization-code flow with mandatory PKCE (S256). The first time your agent connects:
- Agent calls /.well-known/oauth-protected-resource/mcp to discover the authz server.
- Agent registers itself dynamically at /api/v1/oauth/register (no client secret needed for public clients).
- Agent kicks off the auth code flow with PKCE.
- You approve in browser; agent gets an access token.
- Access token is 60 minutes, refresh token is 30 days with single-use rotation and reuse detection.
Token audience is bound to https://api.vibehost.com/mcp via RFC 8707, so a token minted for VibeHost won't be accepted by another resource server.
Supported clients
Permissions
Tool calls run through the same per-app permissions the dashboard uses. The OAuth token represents you; the agent can only do what you can do.
- viewer grant → read-only tools work
- deployer grant → also deploy, promote, rollback
- admin grant → also manage settings + grants
Tools that change public state (create_deployment, add_custom_domain, set_password_gate, etc.) carry openWorldHint: true so well-behaved clients prompt you before calling.
Privacy
The MCP server adds no extra data store. Every tool call:
- Authenticates against the same user/token DB rows as the dashboard.
- Audit-logs the same way (operation, actor, resource, outcome).
- Hashes OAuth refresh tokens at rest.
Tools that touch third-party services (add_grant invites via Resend; verify_custom_domain uses public DNS resolvers) declare openWorldHint: true.
See VibeHost privacy — same policy applies.
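The refresh-token handling this page describes (30-day lifetime with single-use rotation and reuse detection under Authentication, hashing at rest under Privacy) can be sketched as follows. This is an added example, not VibeHost's own code: the RefreshStore class, its in-memory dict and the "family" grouping of rotated tokens are assumptions made for illustration.

```python
import hashlib
import secrets
import time

REFRESH_TTL = 30 * 24 * 3600  # 30 days, the lifetime stated on this page


class RefreshStore:
    """Hypothetical in-memory stand-in for a server-side token table."""

    def __init__(self):
        self.rows = {}        # sha256(token) -> row; raw tokens are never stored
        self.revoked = set()  # family ids killed after a detected replay

    @staticmethod
    def _digest(token):
        # Tokens are high-entropy random strings, so a plain SHA-256 is enough.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, family=None, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        family = family or secrets.token_hex(8)  # one family per login
        self.rows[self._digest(token)] = {
            "user": user, "family": family,
            "used": False, "exp": now + REFRESH_TTL,
        }
        return token  # shown to the client once, only the hash is kept

    def rotate(self, token, now=None):
        """Exchange a refresh token for a new one; None means rejected."""
        now = time.time() if now is None else now
        row = self.rows.get(self._digest(token))
        if row is None or row["family"] in self.revoked or now >= row["exp"]:
            return None
        if row["used"]:
            # Reuse detection: a spent token came back, so either the client
            # or a thief holds a stale copy. Revoke every token in the family.
            self.revoked.add(row["family"])
            return None
        row["used"] = True  # single use: spent on first successful exchange
        return self.issue(row["user"], row["family"], now)
```

Revoking the whole family on replay forces a fresh browser approval, which is what turns a stolen refresh token into a detectable event instead of a silent 30-day foothold.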
Source
- MCP server source: apps/api/src/mcp — every tool's annotation reflects its actual behavior (read / write / destructive / open-world).
- Issues + feature requests: github.com/Dcard/VibeHost/issues.