MCP setup
Hosted Onboard MCP — who can connect, API key, base URL, and HTTP endpoints (no trailing slash).
Use this page when you configure remote MCP over HTTP in a desktop or web client (for example Amazon Quick). For a step-by-step connection checklist (Inspector, OAuth vs API key, staging URLs), see Connecting to Onboard MCP.
Requirements
- Onboard Admin — only admins can create and manage API keys used for MCP.
- Active subscription on a plan that includes MCP — confirm on Onboard pricing.
- API key — from app.onboard.io → Settings → Integrations → API. This is the same class of key as the REST API; treat it like a password.
API key security
Anyone with the key can act as your integration within the permissions of that key. Do not commit it to source control, share it in chat, or paste it into untrusted tools. Rotate it if it may have been exposed. Follow the Security checklist for a fuller pre-launch review.
Base URL
All hosted MCP paths in production share this host:
https://rest.onboard.io
Paths are mounted under /mcp/ in the REST API URL configuration.
HTTP endpoints (no trailing slash)
Use these URLs exactly as shown (no trailing slash). Some clients and proxies mishandle redirects on POST or SSE when a slash is appended.
| Endpoint | URL |
|---|---|
| SSE (session stream; use this as the “MCP URL” in most remote UIs) | https://rest.onboard.io/mcp/sse |
| Messages (reply channel for some transports) | https://rest.onboard.io/mcp/messages |
| RPC (synchronous JSON-RPC) | https://rest.onboard.io/mcp/rpc |
When a product asks for a single URL, use https://rest.onboard.io/mcp/sse
unless its documentation specifies otherwise.
Authentication
Default: paste your Onboard API key into the field the client provides (often labeled Token, API key, or Bearer). For general REST semantics, see Authentication. Review the Security checklist before enabling MCP in production.
OAuth: some clients (for example Claude custom connectors) only support OAuth, not arbitrary headers. When your environment has hosted MCP OAuth enabled, the server returns 401 with metadata so the client can open your identity provider (for example Auth0). You still use an Onboard API key for tools that call the REST API unless your tenant maps tokens differently—see Connecting to Onboard MCP for Inspector fields, OAuth Client ID (Integrations → API when signed in), production reference, and Claude callbacks.
Amazon Quick
Amazon Quick uses a dedicated remote-MCP form (connection type Remote, URL, token). Follow MCP on Amazon Quick for field-by-field values, a screenshot of the dialog, and AWS product limits.
Cursor local development
For Cursor with a local checkout, use the stdio command:
poetry run python -m onboard_mcp.serverFollow MCP on Cursor for a complete
~/.cursor/mcp.json example, including how to merge Onboard MCP with existing
Cursor MCP servers.
Next steps
- Connecting to Onboard MCP — URLs, API key vs OAuth, Inspector, Client ID from Integrations
- Security checklist — API keys, webhooks, and MCP
- MCP desktop clients — choose a client and open its guide
- MCP overview — what Onboard MCP is for
How is this guide?