Public MCP documentation

Authentication

Web app MCP (honest matrix)

PrincipalHow resolvedStatus
PublicNo Authorization header (or empty Bearer)Shipped — community + travel tools (Grok default)
AdminAuthorization: Bearer <ADMIN_API_TOKEN> (constant-time compare)Shipped — full web tool list including bot-proxy admin tools
MemberPersonal token / Discord OAuth → Discord-bound principalSeam onlyresolveMemberPrincipal always returns null today → 401 (never falls back to public)

Production fact

  • Omit Authorization for public community + travel tools (tools/list and public tools/call work without a token).
  • Pass admin bearer only when you need admin/ops tools.
  • A non-empty invalid Bearer is 401, not public — wrong tokens do not silently open the public catalog.

Visibility (shipped)

ToolFlagAccess
community_overviewpublicpublic / member / admin
builder_pathpublicpublic / member / admin
leaderboardpublicpublic / member / admin
member_statspublicpublic / member / admin (member self-scopes when wired)
upcoming_eventspublicpublic / member / admin
open_quests_and_bountiespublicpublic / member / admin
hangout_infopublicpublic / member / admin
search_stay_packagespublicpublic / member / admin
hangout_statusadminadmin only
list_scheduled_eventsadminadmin only
Other bot-proxy ops toolsadminadmin only

Bot-service admin MCP

RuleDetail
AuthAlways ADMIN_API_TOKEN via requireAdminRequest
Public accessNone
ToolsFull admin catalog — see Admin tools

Secrets hygiene

  • Never put ADMIN_API_TOKEN, Supabase service role keys, or bot tokens in client bundles or this docs site.
  • Configure bearer headers in the MCP client's secret slot.
  • Rotating the admin token invalidates all admin MCP clients immediately.

Error shapes

HTTPMeaning
401Invalid non-empty Authorization (wrong token / member seam null) — body includes onboarding URL https://houseofvibes.app
405GET or non-POST
500Unexpected server error
JSON-RPC errorProtocol errors inside a 200 JSON-RPC envelope