MCP Server
Connect OrbitKit to Claude, Cursor, VS Code, and other AI tools via the Model Context Protocol.
The OrbitKit MCP Server is a remote hosted Model Context Protocol server. It lets you manage your OrbitKit apps from any MCP-compatible AI tool — Claude Code, Claude Desktop, Cursor, VS Code, and others — without installing anything locally.
Quick start
# Claude Code
claude mcp add --transport http orbitkit https://mcp.orbitkit.io/mcp \
--header "Authorization: Bearer ok_YOUR_API_KEY"
// .mcp.json (share with your team)
{
"mcpServers": {
"orbitkit": {
"url": "https://mcp.orbitkit.io/mcp",
"headers": {
"Authorization": "Bearer ok_YOUR_API_KEY"
}
}
}
}
Get your API key from the OrbitKit Dashboard under Settings → API Keys.
Authentication
The MCP server uses the same API keys as the REST API and CLI. Pass your key in the Authorization header:
Authorization: Bearer ok_...
Every MCP request forwards this key to the OrbitKit API. If the key is invalid or revoked, the server returns an error.
Tools
The MCP server exposes 25 tools that map directly to the REST API endpoints. AI tools can call these on your behalf.
Account
| Tool | Description |
|---|---|
whoami |
Show account info — email, name, app count, subscriptions |
App management
| Tool | Description |
|---|---|
list-apps |
List all apps with name, ID, and creation date |
create-app |
Create a new app (takes appName) |
delete-app |
Permanently delete an app and all its data |
Site configuration
| Tool | Description |
|---|---|
get-site |
Get site config — name, slug, domain, deploy status |
update-site |
Update app name, description, or slug |
set-custom-homepage-html |
Replace the default hero on the homepage with custom HTML (max 50 KB). Pass html: "" to clear. Sanitized server-side. |
get-custom-homepage-html |
Read the currently saved custom homepage HTML ("" if using default hero) |
deploy |
Deploy site to production |
Privacy policy
| Tool | Description |
|---|---|
get-policy |
Get privacy policy wizard data (all 14 sections) |
update-policy |
Update privacy policy data |
Support & deletion pages
| Tool | Description |
|---|---|
get-support-page |
Get support page config |
update-support-page |
Update support page |
get-deletion-page |
Get data deletion page config |
update-deletion-page |
Update data deletion page |
Apple features
| Tool | Description |
|---|---|
get-aasa |
Get AASA config (Universal Links, App Clips, Passkeys, Handoff) |
update-aasa |
Update AASA configuration |
get-banner |
Get Smart App Banner config |
update-banner |
Update Smart App Banner |
Custom domains
| Tool | Description |
|---|---|
set-domain |
Set a custom domain (returns DNS instructions) |
remove-domain |
Remove custom domain |
check-domain-status |
Check DNS and SSL provisioning status |
TestFlight
| Tool | Description |
|---|---|
get-testflight |
Get TestFlight page config |
update-testflight |
Update TestFlight page |
Subscription
| Tool | Description |
|---|---|
subscribe |
Subscribe an app to a paid plan (monthly/yearly) |
subscribe tool only works if you have a payment method on file. If not, it will direct you to add one at the dashboard first.
Resources
The MCP server also exposes resources that AI tools can read for context.
App data
| Resource URI | Description |
|---|---|
orbitkit://apps |
List of all your apps |
orbitkit://apps/{appId}/deploy-history |
Chronological deploy history |
orbitkit://apps/{appId}/policy-versions |
Policy snapshots from each deploy |
Documentation
All 46 documentation and API reference pages are available as resources. AI tools can read these to answer questions about OrbitKit or help you configure features correctly.
| Resource URI | Description |
|---|---|
orbitkit://docs/{slug} |
20 product docs pages (e.g., orbitkit://docs/getting-started) |
orbitkit://api/{slug} |
26 API reference pages (e.g., orbitkit://api/authentication) |
Setup by client
Claude Code
claude mcp add --transport http orbitkit https://mcp.orbitkit.io/mcp \
--header "Authorization: Bearer ok_YOUR_API_KEY"
Then verify with /mcp to see the server listed, and try “list my OrbitKit apps” to confirm it works.
Claude Desktop
Add to your Claude Desktop config file (~/Library/Application Support/Claude/claude_desktop_config.json):
{
"mcpServers": {
"orbitkit": {
"url": "https://mcp.orbitkit.io/mcp",
"headers": {
"Authorization": "Bearer ok_YOUR_API_KEY"
}
}
}
}
Cursor / VS Code
Add a .mcp.json file to your project root:
{
"mcpServers": {
"orbitkit": {
"url": "https://mcp.orbitkit.io/mcp",
"headers": {
"Authorization": "Bearer ok_YOUR_API_KEY"
}
}
}
}
.mcp.json to your repo so the whole team gets OrbitKit integration automatically. Use a shared API key or have each developer set their own via environment variables.
Example conversations
Once connected, you can ask your AI tool to manage OrbitKit directly:
- “List my OrbitKit apps”
- “Create a new app called Weather Pro”
- “Show me the privacy policy for my-app”
- “Update the support page email to support@myapp.com”
- “Set up a custom domain privacy.myapp.com for my-app”
- “Deploy my-app to production”
- “What data types does OrbitKit’s privacy policy wizard support?” (reads the docs resource)
Architecture
The MCP server is stateless — each request creates a fresh server instance, processes the JSON-RPC message, and returns. There are no sessions, no persistent connections, and no state between requests.
AI Tool → POST https://mcp.orbitkit.io/mcp → MCP Server → OrbitKit REST API
(Authorization: Bearer ok_...)
The server runs as a Firebase Cloud Function and uses Streamable HTTP transport.
What’s not included
Some operations are intentionally excluded from the MCP server:
| Operation | Reason |
|---|---|
| Icon/file uploads | Binary data is impractical via LLM tool calls |
| Payment method management | Requires the Stripe payment UI on the website |
| API key management | You need a key to use MCP — creating keys must be done on the dashboard |
| Account export/deletion | Destructive operations that should be done deliberately on the dashboard |
| Cancel/reactivate subscription | Subscription management stays on the website |
For these, use the OrbitKit Dashboard.
Security
- API key in header — your key is passed via
Authorization: Beareron every request, never stored by the MCP server - No secrets exposed — the server never returns Stripe client secrets, payment intents, or other sensitive data
- Same permissions — the MCP server has the exact same access as the REST API and CLI; it cannot do anything your API key can’t
- Secret scanning — the
ok_prefix enables GitHub secret scanning if your key is accidentally committed
Errors
| Error | Cause | Fix |
|---|---|---|
UNAUTHORIZED |
Missing or invalid API key | Check your Authorization header and key |
FORBIDDEN |
Key doesn’t have access to the app | Verify the app ID and key permissions |
NOT_FOUND |
App or resource doesn’t exist | Check the app ID |
SUBSCRIPTION_REQUIRED |
App needs an active subscription | Subscribe via the subscribe tool or dashboard |
RATE_LIMITED |
Too many requests | Wait and retry; see rate limits |
CLI vs. GitHub Action vs. MCP Server
| Feature | CLI | GitHub Action | MCP Server |
|---|---|---|---|
| Manage apps | Yes | No | Yes |
| Update policy/pages | Yes | No | Yes |
| Deploy | Yes | Yes | Yes |
| Custom domains | Yes | No | Yes |
| Subscribe | No | No | Yes |
| Read documentation | No | No | Yes |
| Works in AI tools | No | No | Yes |
| Works in CI/CD | Yes | Yes | No |
| Requires Node.js | Yes | No | No |