Discover the contract
GET /openapi.json is generated from the same schema source the MCP
tools use.
Get a key
An agent with no credentials can mint one: the manifest’sauth.self_serve_key
block lists the three calls (start email OTP, verify the user’s 8-digit code,
then POST /api-keys with the session token). The walkthrough, including a
ready-made MCP config, is at Connect your agent.
List tools (scoped to the token)
tools/list returns only the tools allowed by both the token’s scopes and its
enabled-endpoint claims, so an agent sees exactly what the user granted.
Call a tool
Scopes and endpoint grants
Tokens carry scopes (health:data:read, health:data:write,
health:connections:write, health:labs:read) and per-endpoint grants. Issue
agents the smallest set they need, for example imports.file,
analyses.create, query.create, and dashboard_specs.read. Errors use RFC
9457 Problem Details for REST and structured error.data (with code, cause,
fix, docs_url, request_id) for MCP.