Agent connection
Connect to Forge Tools MCP
Forge Tools exposes selected capability packages through a Streamable HTTP MCP endpoint. This first adapter is intentionally read and draft focused: agents can discover capabilities, inspect package guidance, and produce planning handoffs without making live business changes. Tool calls do not execute scanners, reports, sends, writes, or production mutations.
Local development
Use this while the Forge Tools dev server is running on your machine.
{
"mcpServers": {
"forge-tools-local": {
"url": "http://localhost:3000/api/mcp"
}
}
}Production
Hosted connections should use bearer-token auth. Set tokens withFORGE_MCP_TOKENSbefore enabling production access.
{
"mcpServers": {
"forge-tools": {
"url": "https://tools.byforge.dev/api/mcp",
"headers": {
"Authorization": "Bearer YOUR_TOKEN"
}
}
}
}What agents can do
- Discover Forge capability tools, resources, and prompts
- Plan systems health scans, AI stack audits, weekly reports, and context reviews
- Read capability manifests and generated package guidance
- Return draft-only structured handoffs for agent workflows
Current boundaries
- Planning and draft handoff only
- No live external sends
- No CRM updates
- No production file writes
- No billing or destructive actions
Endpoint details
Endpoint
POST /api/mcp
Protocol
2025-11-25
Transport
Streamable HTTP JSON-RPC
The local endpoint is open for development when no MCP token env var is configured. Production requires bearer tokens and can restrict browser origins withFORGE_MCP_ALLOWED_ORIGINS.
Production requirements
- FORGE_MCP_TOKENS for bearer-token access
- FORGE_MCP_ALLOWED_ORIGINS for browser or webview clients
- KV_REST_API_URL and KV_REST_API_TOKEN for persistent rate-limit buckets and call logs
- FORGE_MCP_RATE_LIMIT_MAX and FORGE_MCP_RATE_LIMIT_WINDOW_SECONDS to tune request limits
- POST /api/mcp only; GET intentionally returns 405 because SSE streaming is not enabled here
- Accept must include application/json and text/event-stream
- Initialize may omit MCP-Protocol-Version; subsequent POSTs must send 2025-11-25