Skip to main content
Feedback

MCP in API Control Plane

The API Control Plane can expose managed API Products via Model Context Protocol (MCP) for use as AI Agent tools. This functionality empowers users to easily configure and manage MCP exposure. The API Control Plane abstracts all backend complexity while ensuring strong governance and discoverability for MCP-enabled APIs.

You can expose APIs through hosted MCP servers. When MCP is enabled in API Control Plane, a list of Tools is exposed. Each Tool is an endpoint in an API that is registered in API Control Plane.

MCP resource and tool definitions are automatically generated from the existing API definitions retrieved in API Control Plane. You can then invoke by making a call against the server in the definition and traffic will flow through. Authentication is also passed and there is header injection/pass through.

What is MCP?

MCP acts as a universal language or interface that AI agents and LLMs can use to connect to enterprise tools. Instead of building a unique, manual integration for every possible pair of agent and tool, MCP provides a common way for any agent to connect to any tool, making integration much simpler and more consistent.

At its core, MCP is designed to act as a broker between agents and capabilities. Capabilities can include APIs, file systems, prompts, or databases. These are exposed to agents via MCP servers, which register the available tools and define their input/output schemas and invocation mechanics. Agents connect to one or more MCP servers through MCP clients embedded in host applications (such as Claude Desktop or Replit).

Traditionally, if you have five agents and 10 tools, you would need to build 50 separate integrations for each agent-tool pair. MCP eliminates this complexity by acting as a central hub where agents and tools only need to integrate with MCP, not with each other directly, drastically reducing integration effort, especially as your organization scales up the number of agents or tools it uses.

MCP protocol supported versions

MCP protocol versions 2024-11-05,2025-03-26, and 2025-06-18 are supported.

Allowed IPs

You must add the following IPs to the allow list for any gateway that contains MCP-enabled products:

  • 107.23.62.227
  • 34.228.72.250
  • 18.211.145.9

Enable MCP for an API Product

MCP is disabled by default, but can be enabled for APIs within API Products. This process assumes that you have APIs created, they are in an API Product, and in a subscribed Application.

  1. In API Control Plane, in API Products, select Visibility.

  2. Select Expose APIs as Tools.

  3. Select Learn More for additional information about required configuration for your APIs.

  4. If necessary, fix any issues with the APIs.

  5. Select Save.

  6. The MCP Status is now Enabled for the API Product.

Access MCP Credentials

Connect to the MCP server using the MCP Address and AI Agent key to expose all tools within an API Product.

  1. In Applications, select the application.

  2. In Subscriptions, select Secrets.

    • The AI Agent Key variable at the Application level. When you create an Application that is MCP enabled, an AI Agent Key is created.
    • The MCP Address is a URL in the following format: https://<tenant URL>/mcp?name=<API Product name>

Requests

All requests must also include the header x-agent-key, where the key is generated by API Control Plane and can be found on its Developer Portal.  A key is automatically generated for every subscription to an API Product.  Validation of the tenant id and agent key is performed when the Product metadata and the OpenAPI specifications for each API within the Product is retrieved.

If the deployed API is protected by another form of authentication and not just the API Control Plane key, you also need to provide a valid token or basic auth with headers.

If you have a gateway and APIs accessible only from inside your network, since traffic flows through the gateway, the gateway must be accessible.

An example configuration for Cursor:

{
  "mcpServers": {
    "aviation-stack": {
      "headers": {
        "x-agent-key": "<key>"
      },
      "url": "https://<Gateway URL>/mcp?name=<API Product Name>",
      "timeout": 60000
    }
  }
}

note
  • Sessions and connections are automatically terminated after 30 minutes. Clients must initialize a new session after expiration.
  • If an OpenAPI specification doesn't include an api key in the security schemes, the appropriate api key is not injected.

Examples

Refer to Creating a Sales Insight agent with MCP for a tutorial on connecting an agent with MCP-enabled APIs in the API Control Plane.

On this Page