# MCP Server

Jitsu runs an [MCP](https://modelcontextprotocol.io) server, so AI agents can manage your
pipeline directly: create destinations, wire up streams, inspect [Live Events](/docs/features/live-events),
and edit [Functions](/docs/functions).

There is a single endpoint:

```
https://use.jitsu.com/mcp
```

:::info

`use.jitsu.com` is the Jitsu Cloud console. If you self-host Jitsu, replace it with your own
console host — the MCP server is served at `/mcp` on the same host.

:::

For interactive clients, authentication is **OAuth 2.1** — you don't paste an API key. The
first time a client uses the server, a browser tab opens asking you to approve the connection.
Approve it once and the client gets a scoped, revocable token. The connection shows up under
your account and can be revoked any time (see [Managing access](#managing-access)).

In CI and other headless environments the browser flow can't run. There you authenticate with
a personal API key instead — see [Automation and CI](#automation-and-ci).

## Connect a client

The endpoint is the same everywhere; only the configuration format differs.

<Tabs>
  <TabItem value="claude-code" label="Claude Code" default>

Add the server with one command:

```bash
claude mcp add --transport http jitsu https://use.jitsu.com/mcp
```

The next time the agent calls a Jitsu tool, Claude Code opens a browser tab for the OAuth
approval. Run `/mcp` inside Claude Code to check the connection status or re-authenticate.

  </TabItem>
  <TabItem value="claude-desktop" label="Claude Desktop">

1. Open **Settings → Connectors**.
2. Click **Add custom connector**.
3. Name it `Jitsu` and set the URL to `https://use.jitsu.com/mcp`.
4. Click the connector and **Connect** — a browser window opens for the OAuth approval.

  </TabItem>
  <TabItem value="cursor" label="Cursor">

Add Jitsu to your MCP config — `~/.cursor/mcp.json` for all projects, or `.cursor/mcp.json`
in a single project:

```json
{
  "mcpServers": {
    "jitsu": {
      "url": "https://use.jitsu.com/mcp"
    }
  }
}
```

Open **Settings → MCP**, and Cursor will prompt you to log in to Jitsu through the browser.

  </TabItem>
  <TabItem value="vscode" label="VS Code / Copilot">

Create `.vscode/mcp.json` in your workspace (or run **MCP: Add Server** from the command
palette and pick **HTTP**):

```json
{
  "servers": {
    "jitsu": {
      "type": "http",
      "url": "https://use.jitsu.com/mcp"
    }
  }
}
```

Start the server from the `mcp.json` editor or the **MCP: List Servers** command. VS Code
opens a browser tab for the OAuth approval on first use.

  </TabItem>
</Tabs>

## Automation and CI

OAuth needs a browser, so it doesn't work in CI, cron jobs, or any headless setup. For those,
authenticate with a personal API key — the same key the [Management API](/docs/api) uses. The key
maps to your user and inherits your workspace access, so an agent running with it can do
anything you can.

Generate a key on the [user settings page](https://use.jitsu.com/user) and pass it in an
`Authorization` header. API keys have the format `{keyId}:{keySecret}`; the secret is shown
only once at creation. Keys can be set to never expire, which is what you want for CI.

```
Authorization: Bearer <api-key>
```

With Claude Code, add the header on the command line:

```bash
claude mcp add --transport http jitsu https://use.jitsu.com/mcp \
  --header "Authorization: Bearer $JITSU_API_KEY"
```

For clients configured through a file, set a static header on the server — the same shape as in
[Connect a client](#connect-a-client), plus a `headers` block. Read the key from an environment
variable rather than committing it. For Cursor (`~/.cursor/mcp.json`):

```json
{
  "mcpServers": {
    "jitsu": {
      "type": "http",
      "url": "https://use.jitsu.com/mcp",
      "headers": {
        "Authorization": "Bearer ${JITSU_API_KEY}"
      }
    }
  }
}
```

VS Code uses a top-level `servers` key instead of `mcpServers`; add the same `headers` block to
the `jitsu` entry shown in its tab above.

Revoke a key from the same [API Keys](https://use.jitsu.com/user) page to cut off access.

## What the agent can do

The tools mirror the [Management API](/docs/api). Every configuration object — destination,
stream, service, connection, function — follows the same `list / get / create / update /
delete` shape, so an agent that learns one resource knows them all.

| Tool | What it does |
| --- | --- |
| `list_workspaces` | List the workspaces you can access |
| `list_resources` | List resources of a type in a workspace |
| `get_resource` | Get a single resource by id |
| `get_resource_schema` | Get the JSON Schema for creating/updating a resource type |
| `create_resource` | Create a resource |
| `update_resource` | Update a resource by id |
| `delete_resource` | Delete a resource by id |
| `list_event_sources` | List the sources — streams, connections, destinations — you can read events for |
| `query_events` | Read recent [Live Events](/docs/features/live-events) for a stream, connection, or destination |

Resource `type` is one of `destination`, `stream`, `service`, `function`, or `connection`.
The agent typically calls `get_resource_schema` first to learn the exact payload, then
`create_resource` or `update_resource`.

### Live Events and Functions

`query_events` exposes the same real-time stream as the [Live Events](/docs/features/live-events)
view in the UI: incoming events, function execution logs, and warehouse write statuses, with
an errors-only filter. The agent calls `list_event_sources` first to find the stream,
connection, or destination to watch. Combined with the config tools, this lets an agent verify
its own work — create a connection, send a test event, check that it landed.

Because [Functions](/docs/functions) are configuration objects too, the agent can read a function's
code with `get_resource` and ship a fix with `update_resource`. So when Live Events shows a
function throwing, the agent can find the bug and correct it without leaving the conversation.

## Managing access

Each connected client holds a token issued through OAuth. To see or revoke them, open the
[**API Keys** section of your account](https://use.jitsu.com/user). Revoking a key
disconnects that client immediately; reconnecting re-runs the browser approval.