Connecting over MCP

Point any MCP-capable agent at a workspace. This page covers the endpoint, headers, the handshake, the response format, and what the server exposes.

Endpoint & transport

Endpointhttps://mcp.product1.c33b.org/mcp — also shown on your workspace's dashboard page
TransportMCP Streamable HTTP
Protocol version2025-06-18 (negotiated; older clients are accepted down to 2024-11-05)
MethodsPOST for requests, GET to open the SSE stream, DELETE to end a session
The path matters. The endpoint is /mcp. Pointing a client at the bare host (https://mcp.product1.c33b.org) will not reach the server — include /mcp.

Required headers

HeaderValue
AuthorizationBearer <credential-id>.<secret>
Acceptapplication/json, text/event-stream (both, required on every request)
Content-Typeapplication/json (on POST)
Mcp-Session-Idreturned by the server on initialize; echo it on every subsequent request

Handshake

A compliant client performs the standard three-step Streamable HTTP handshake:

  1. POST an initialize request → the response carries an Mcp-Session-Id header.
  2. POST a notifications/initialized notification with that session id → the server replies 202 Accepted.
  3. POST further requests (tools/list, tools/call, …) carrying the same Mcp-Session-Id.

Most clients (including Claude Code) do this automatically — you only supply the URL and the Authorization header.

Response format (SSE)

Tool responses are streamed as SSE (Content-Type: text/event-stream), which is valid per the Streamable HTTP spec. Parse the JSON-RPC payload from the data: lines of the stream rather than expecting a single plain-JSON body. Standards-compliant MCP clients handle this for you.

Two ways to connect

Both end with a workspace-scoped credential; pick the one that matches your client.

Claude.ai web & desktop — one-click OAuth connector

In Claude, open Settings → Connectors → Add custom connector and paste your workspace's MCP endpoint (https://mcp.product1.c33b.org/mcp, also shown on your dashboard). Claude discovers the sign-in page automatically (standard OAuth with PKCE), you sign in to your account and pick which workspace to grant, and a per-connector credential is created for you — no copying secrets. Revoke it any time from the workspace page.

Claude Code CLI & other clients — Bearer token

Use a token directly in the Authorization header (see below).

Lost access? The reconnect link

If a client's token was revoked or regenerated, an agent already connected to the workspace can call the get_reconnect_url tool to produce a short-lived, single-use browser link. Opening it (after signing in to the owning account) confirms the workspace and shows a fresh token to paste in. Note these tokens do not expire on their own — the link is for re-linking and onboarding new clients, not refreshing a live session.

Getting a token (Bearer method)

Each workspace has its own credential. A token looks like <credential-id>.<secret> and maps to exactly one workspace homedir. Create or regenerate it from the workspace page in your dashboard — the secret is shown once, with a downloadable .env file. Regenerating the default token invalidates the previous default token immediately; per-connector credentials (OAuth / reconnect-link) are revoked individually.

Claude Code (.mcp.json)

{
  "mcpServers": {
    "workspace": {
      "url": "https://mcp.product1.c33b.org/mcp",
      "headers": {
        "Authorization": "Bearer <credential-id>.<secret>"
      }
    }
  }
}

Available tools (19)

GroupTools
File operations list_files, search_files, read_file, write_file, delete_file, create_directory, move_file, copy_file, get_file_info
Line editing insert_lines, replace_lines, delete_lines, find_replace, insert_after_pattern
Upload sessions create_upload_session, get_upload_status, complete_upload_session, abort_upload_session
Connection get_reconnect_url — mint a single-use browser link to (re)connect a client to this workspace

All paths are relative to your workspace homedir; access outside it is rejected.

Prompts, resources and resource templates are intentionally not exposed — the workspace is plain storage, and file access is provided by the tools above.

Fair-use limit

A per-workspace daily cap applies to tool calls (fair use, not metered billing). The handshake, notifications and discovery calls (tools/list) do not count — only actual tools/call invocations do. Over the cap, calls return a clear error until the counter resets.