Endpoint and Discovery
The public MCP endpoint is:
https://api.saviqo.in/mcpThe first implementation is a stateless HTTP JSON-RPC endpoint for read-only MCP operations.
Protected resource metadata is published at:
https://api.saviqo.in/.well-known/oauth-protected-resourceThe metadata advertises the protected MCP resource, supported bearer token method, supported scopes, and the configured Supabase authorization server when available.
Saviqo also publishes OAuth authorization server metadata for clients that support dynamic MCP authorization:
https://api.saviqo.in/.well-known/oauth-authorization-serverThe authorization server metadata points clients to:
https://www.saviqo.in/oauth/authorizefor user consenthttps://api.saviqo.in/oauth/tokenfor code exchange and refresh-token rotationhttps://api.saviqo.in/oauth/registerfor dynamic client registrationhttps://api.saviqo.in/oauth/revokefor token revocation
The recommended remote-client flow is OAuth. A client should discover the protected resource metadata, open the Saviqo authorization screen, exchange the authorization code, and refresh tokens when access expires. If refresh fails, the client should send the user back through the Saviqo authorization link.
Local stdio can exist later as a developer compatibility mode, but it is not the primary public product surface.
Local stdio wrapper
For desktop clients that only support stdio, run the local wrapper after building apps/mcp-stdio:
SAVIQO_MCP_HTTP_URL=https://api.saviqo.in/mcp \
SAVIQO_MCP_BEARER_TOKEN=<user-access-token> \
npm run mcp:stdioThe wrapper forwards stdio JSON-RPC messages to the HTTP MCP endpoint. It is a compatibility bridge, not a separate authorization model.
The web app reads NEXT_PUBLIC_SAVIQO_MCP_RESOURCE_URL to show the correct endpoint on the Connected Agents settings page.