@gavai/mcp-server) generates its tool list directly from the platform’s OpenAPI spec. Every operation tagged x-mcp-tool: true becomes a callable tool, so the AI surface tracks the REST API automatically — rotate a key, mint a domain, query logs, list deployments, all without the Builder MCP’s curated 14. By the end of this page you will know how to install and authenticate the server, how tools are generated, and which scopes you should put on the API key it runs with.
At a glance
| Package | @gavai/mcp-server (published to npm) |
| Transport | stdio (JSON-RPC) |
| Command | bunx @gavai/mcp-server |
| Auth | GAVAI_TOKEN env var (workspace API key) |
| Base URL | GAVAI_PUBLIC_API_URL env var (defaults to https://api.gavai.app) |
| Tools | One per OpenAPI operation tagged x-mcp-tool: true |
Install
bunx fetches and runs the latest published version. No global install:
Configure
The server needs two environment variables: a workspace API key and the API base URL. Both go in the Claude Desktop config:gak_live_... with the workspace API key you mint in Settings → API keys. Use a gak_test_* key against a test workspace while you are figuring out which tool calls your assistant will make. Restart Claude Desktop after saving the file.
How the tool list is built
The server reads the OpenAPI spec at startup and registers one tool per operation taggedx-mcp-tool: true. The mapping is deterministic:
You do not configure individual tools. Add or remove the tag on the spec and the next server start picks up the change — there is no per-tool config to drift.
Coverage
Every endpoint tagged withx-mcp-tool: true is reachable. The 15 public resources documented at API reference map one-to-one to operations, covering workspaces, tokens, pages, theme, forms, agents, secrets, domains, logs, deployments, billing, monetization, and approvals.
If you need to know exactly which operations are tagged, ask the connected client for tools/list after restart — the response is the canonical answer for the running server.
Worked example: AI rotates an API key
Here is what happens when a user says “Rotate the deploy bot’s API key on the acme workspace”: Three points worth pulling out:- Tool names mirror OpenAPI operation IDs.
listWorkspaceTokensdispatches to androtateWorkspaceTokendispatches to . SameoperationIds you would call from the REST SDK. - The bearer token never leaves the server process. The MCP server reads
GAVAI_TOKENfrom its env, attachesAuthorization: Bearer, and the AI client only ever sees the response body. - The new secret is returned exactly once. The chain ends with the client surfacing it to the user; if they don’t capture it, they rotate again.
Pinning scopes
A practical default: start with read-only scopes (workspaces:read, logs:read, deployments:read), watch what the assistant tries to call for a session, and add the specific write scopes you decide to allow.