Verify a token for an MCP tool call

POST

/v1/mcp/verify

const url = 'http://localhost:8693/v1/mcp/verify';
const options = {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: '{"tool_id":"example","token":"example","request_body_hash":"example"}'
};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}

curl --request POST \
  --url http://localhost:8693/v1/mcp/verify \
  --header 'Content-Type: application/json' \
  --data '{ "tool_id": "example", "token": "example", "request_body_hash": "example" }'

Runs the 9-check verification pipeline against the provided token and tool. Used by non-Go MCP servers via the sidecar pattern.

Request Body^required

application/json

object

tool_id

required

string

token

required

string

request_body_hash

SHA-256 base64url hash of the request body (for inp_hash check)

string

Example ^generated

{
  "tool_id": "example",
  "token": "example",
  "request_body_hash": "example"
}

Responses

200

Verification passed

403

Verification failed

application/json

object

error

required

Error code (RFC 8693 compatible)

string

Allowed values: invalid_request unsupported_grant_type access_denied server_error not_implemented not_found method_not_allowed

error_description

Human-readable error detail

string

Example

{
  "error": "invalid_request"
}

Verify a token for an MCP tool call

Request Body required

Example generated

Responses

200

403

Example

Request Body^required

Example ^generated