Skip to content

Endpoint and Discovery

The public MCP endpoint is:

text
https://api.saviqo.in/mcp

The first implementation is a stateless HTTP JSON-RPC endpoint for read-only MCP operations.

Protected resource metadata is published at:

text
https://api.saviqo.in/.well-known/oauth-protected-resource

The metadata advertises the protected MCP resource, supported bearer token method, supported scopes, and the configured Supabase authorization server when available.

Saviqo also publishes OAuth authorization server metadata for clients that support dynamic MCP authorization:

text
https://api.saviqo.in/.well-known/oauth-authorization-server

The authorization server metadata points clients to:

  • https://www.saviqo.in/oauth/authorize for user consent
  • https://api.saviqo.in/oauth/token for code exchange and refresh-token rotation
  • https://api.saviqo.in/oauth/register for dynamic client registration
  • https://api.saviqo.in/oauth/revoke for token revocation

The recommended remote-client flow is OAuth. A client should discover the protected resource metadata, open the Saviqo authorization screen, exchange the authorization code, and refresh tokens when access expires. If refresh fails, the client should send the user back through the Saviqo authorization link.

Local stdio can exist later as a developer compatibility mode, but it is not the primary public product surface.

Local stdio wrapper

For desktop clients that only support stdio, run the local wrapper after building apps/mcp-stdio:

bash
SAVIQO_MCP_HTTP_URL=https://api.saviqo.in/mcp \
SAVIQO_MCP_BEARER_TOKEN=<user-access-token> \
npm run mcp:stdio

The wrapper forwards stdio JSON-RPC messages to the HTTP MCP endpoint. It is a compatibility bridge, not a separate authorization model.

The web app reads NEXT_PUBLIC_SAVIQO_MCP_RESOURCE_URL to show the correct endpoint on the Connected Agents settings page.

Saviqo public documentation