Client MCP API
The Asistry Client MCP API lets external AI agents — Claude Desktop, OpenClaw, mcporter, custom scripts — connect directly to your workspace using a per-tenant API key. No Supabase session required; just a Bearer token.
Endpoint:https://asistry.com/api/mcp/client
Also available at/api/mcp/public(legacy alias, identical behaviour).
Authentication
Generate an API key in Settings → API Keys. Pass it as a Bearer token on every request:
Authorization: Bearer ask_<your-api-key>API keys are stored as SHA-256 HMAC hashes — the plaintext is shown exactly once at creation time and never stored in the database. If you lose a key, revoke it and create a new one.
Transport
The endpoint uses Streamable HTTP (MCP spec §5.3). Clients send POST requests with a JSON-RPC body; responses may be plain JSON or an SSE stream depending on the tool.
Both GET and DELETE are also routed to the same handler for MCP protocol compliance (session teardown, capability discovery).
Rate Limits
| Window | Limit | Scope |
|---|---|---|
| 60 seconds | 100 requests | Per API key |
When the limit is exceeded the server returns HTTP 429 with a Retry-After header indicating when to retry.
Available Tools
| Tool | Description |
|---|---|
list_tasks | List tasks in your workspace with optional status/assignee filters. |
search_tasks | Full-text search across task titles and descriptions. |
get_task | Fetch a single task by UUID. |
create_task | Create a new task on the Kanban board. |
update_task | Update task fields (title, status, assignee, labels, etc.). |
list_projects | List all boards/projects in your workspace. |
get_workspace_info | Return a workspace summary — board list, task counts by status, active tasks. |
Tool Reference
list_tasks
{
"status": "todo" | "in_progress" | "review" | "done" | "backlog", // optional
"assignee": "string", // optional
"limit": 1–100 // optional, default 50
}search_tasks
{
"query": "string", // partial match on title + description
"status": "string", // optional filter
"assignee": "string", // optional filter
"limit": 1–100
}get_task
{ "id": "<task-uuid>" }create_task
{
"title": "string", // required
"description": "string", // optional, plain text or HTML
"status": "backlog", // optional, default "backlog"
"assignee": "string", // optional
"priority": "low" | "medium" | "high" | "urgent", // optional, default "medium"
"due_date": "ISO-8601", // optional
"labels": ["string"] // optional, lowercased server-side
}update_task
{
"id": "<task-uuid>", // required
"title": "string", // optional
"description": "string", // optional
"status": "string", // optional — auto-moves task to matching column
"assignee": "string", // optional
"priority": "string", // optional
"due_date": "ISO-8601", // optional
"labels": ["string"] // optional, replaces existing labels
}list_projects
{ "limit": 1–100 } // optional, default 50get_workspace_info
{} // no parametersReturns:
{
"workspace_name": "My Workspace",
"board_count": 3,
"boards": [{ "id": "...", "name": "..." }],
"total_tasks": 42,
"active_tasks": 12,
"tasks_by_status": { "backlog": 10, "todo": 5, "in_progress": 7, "review": 3, "done": 17 },
"authenticated_key": "My Agent",
"user_id": "<uuid>"
}Curl Example
curl -X POST https://asistry.com/api/mcp/client \
-H "Authorization: Bearer ask_<your-api-key>" \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "list_tasks",
"arguments": { "status": "in_progress", "limit": 10 }
}
}'OpenClaw / mcporter Config
Add to ~/.mcporter/mcporter.json under servers:
{
"servers": {
"asistry": {
"transport": "streamableHttp",
"url": "https://asistry.com/api/mcp/client",
"headers": {
"Authorization": "Bearer ask_<your-api-key>"
}
}
}
}Then call tools via:
mcporter call asistry.list_tasks --args '{"status":"in_progress"}'
mcporter call asistry.create_task --args '{"title":"Fix login bug","priority":"high","labels":["bug","backend"]}'
mcporter call asistry.get_workspace_infoError Responses
| HTTP | JSON-RPC code | Cause |
|---|---|---|
401 | -32001 | Missing, invalid, or revoked API key |
429 | -32029 | Rate limit exceeded (check Retry-After) |
500 | -32603 | Internal server error |
Security Notes
- API keys are scoped to your user account — they can only read and write your own workspace data (enforced by Supabase RLS).
- Keys are hashed with SHA-256 HMAC before storage; the raw key is never persisted.
- Revoke compromised keys immediately in Settings → API Keys.
- Keys max out at 10 active per account to prevent abuse.