Skip to content

Commit 1fe1c72

Browse files
authored
docs: Cloud-first README + move internals to docs/ (#46)
* docs: refactor README to be Cloud-first and move internals to docs/ - Trim README to end-user setup: hosted Cloud OAuth + per-client connect instructions (Claude Code/Desktop, Cursor, VS Code, Codex, OpenCode, Windsurf) - Move reference material into docs/: tool-surface, authentication, documentation-search, self-hosted, development - Drop outdated integration screenshots (showed the old 42-tool surface and leaked API keys/PII); keep brand logos and add a centered README header * (docs): remove logo header and unused image assets * (docs): simplify docs — trim redundant tables and diagrams
1 parent 44f1f75 commit 1fe1c72

12 files changed

Lines changed: 470 additions & 143 deletions

README.md

Lines changed: 96 additions & 143 deletions
Original file line numberDiff line numberDiff line change
@@ -2,202 +2,155 @@
22

33
mcp-name: io.github.appwrite/mcp
44

5-
## Overview
5+
A [Model Context Protocol](https://modelcontextprotocol.io) server for Appwrite.
6+
It exposes Appwrite's API — databases, users, functions, teams, storage, and more
7+
— as tools your MCP client can call.
68

7-
A Model Context Protocol server for interacting with Appwrite's API. It provides tools to manage databases, users, functions, teams, and more within your Appwrite project.
9+
Connect to the hosted server at **`https://mcp.appwrite.io/mcp`** and authenticate
10+
through your browser. The first time you connect, your client opens an Appwrite
11+
consent screen; approve the scopes and you're connected. There are no keys to
12+
copy.
813

9-
Appwrite Cloud is available as a hosted [OAuth 2.1 Resource Server](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization) over MCP [Streamable HTTP](https://modelcontextprotocol.io/specification/2025-06-18/basic/transports). Self-hosted Appwrite instances use the local MCP `stdio` transport with an Appwrite project API key.
14+
## Connect your client
1015

11-
## Quick Links
12-
- [Cloud hosted MCP](#cloud-hosted-mcp)
13-
- [Self-hosted stdio MCP](#self-hosted-stdio-mcp)
14-
- [How Cloud authentication works](#how-cloud-authentication-works)
15-
- [Tool surface](#tool-surface)
16-
- [Local development](#local-development)
17-
- [Debugging](#debugging)
16+
Pick your client below. Each adds the hosted Appwrite Cloud server.
1817

19-
## Cloud hosted MCP
18+
<details open>
19+
<summary><b>Claude Code</b></summary>
2020

21-
Add the server to any MCP client that supports remote (Streamable HTTP) servers by its URL:
22-
23-
```
24-
https://mcp.appwrite.io/mcp
21+
```bash
22+
claude mcp add --transport http appwrite https://mcp.appwrite.io/mcp
2523
```
2624

27-
For example, in a client that accepts a JSON server config:
25+
</details>
26+
27+
<details>
28+
<summary><b>Claude Desktop</b></summary>
29+
30+
Go to **Settings → Connectors → Add custom connector** and paste
31+
`https://mcp.appwrite.io/mcp`.
32+
33+
On the free plan, bridge the remote server through stdio instead (requires
34+
Node.js) by editing your config via **Settings → Developer → Edit Config**:
2835

2936
```json
3037
{
3138
"mcpServers": {
3239
"appwrite": {
33-
"type": "http",
34-
"url": "https://mcp.appwrite.io/mcp"
40+
"command": "npx",
41+
"args": ["mcp-remote", "https://mcp.appwrite.io/mcp"]
3542
}
3643
}
3744
}
3845
```
3946

40-
The first time you connect, the client opens an Appwrite consent screen in your browser. Approve the requested scopes and the client is connected — there are no keys to copy.
41-
42-
## Self-hosted stdio MCP
47+
</details>
4348

44-
Self-hosted users should run the MCP server locally over stdio and authenticate with a project API key from their Appwrite Console.
49+
<details>
50+
<summary><b>Cursor</b></summary>
4551

46-
Create a project API key with the scopes you want the MCP server to use, then configure your MCP client with:
52+
Edit `~/.cursor/mcp.json` (global) or `.cursor/mcp.json` (project).
4753

4854
```json
4955
{
5056
"mcpServers": {
5157
"appwrite": {
52-
"command": "uvx",
53-
"args": ["mcp-server-appwrite"],
54-
"env": {
55-
"APPWRITE_PROJECT_ID": "<YOUR_PROJECT_ID>",
56-
"APPWRITE_API_KEY": "<YOUR_API_KEY>",
57-
"APPWRITE_ENDPOINT": "https://<YOUR_APPWRITE_DOMAIN>/v1"
58-
}
58+
"url": "https://mcp.appwrite.io/mcp"
5959
}
6060
}
6161
}
6262
```
6363

64-
For the local Appwrite development compose setup in `/Users/chiragaggarwal/Desktop/appwrite/appwrite`, the endpoint is typically:
65-
66-
```text
67-
http://localhost:9501/v1
68-
```
69-
70-
`stdio` is the default transport for the package command. You can also make it explicit:
71-
72-
```bash
73-
APPWRITE_ENDPOINT=http://localhost:9501/v1 \
74-
APPWRITE_PROJECT_ID=<YOUR_PROJECT_ID> \
75-
APPWRITE_API_KEY=<YOUR_API_KEY> \
76-
uvx mcp-server-appwrite --transport stdio
77-
```
78-
79-
The server validates the endpoint, project ID, API key, and at least one supported service during startup. If credentials or scopes are wrong, the MCP server fails before accepting tool calls.
80-
81-
## How Cloud authentication works
64+
</details>
8265

83-
The MCP server validates the bearer access token on every request and forwards it to the Appwrite REST API, which accepts the OAuth2 access token directly. The flow (handled automatically by MCP-aware clients):
66+
<details>
67+
<summary><b>VS Code</b> (GitHub Copilot)</summary>
8468

85-
1. The client requests `/mcp` without a token and receives `401` with a `WWW-Authenticate` header pointing to the protected-resource metadata.
86-
2. The client fetches `GET /.well-known/oauth-protected-resource/mcp` (RFC 9728), which lists the authorization server (`<APPWRITE_ENDPOINT>/oauth2/console`) and supported scopes.
87-
3. The client discovers the authorization server (RFC 8414 / OIDC) and **self-registers** via RFC 7591 Dynamic Client Registration — the OAuth server exposes an open `registration_endpoint`, so there is no client ID or secret to pre-provision. MCP clients register as public (PKCE) clients automatically.
88-
4. The client runs the OAuth 2.1 + PKCE authorization-code flow, including the RFC 8707 `resource` parameter that binds the token's audience to this server.
89-
5. The client calls `/mcp` with `Authorization: Bearer <token>`.
69+
Edit `.vscode/mcp.json` (workspace) or your user configuration via the Command
70+
Palette → **MCP: Open User Configuration**.
9071

91-
## Tool surface
92-
93-
The server starts in a compact workflow so the MCP client only sees a small operator-style surface while the full Appwrite catalog stays internal.
94-
95-
- Up to 4 MCP tools are exposed to the model:
96-
- `appwrite_get_context`
97-
- `appwrite_search_tools`
98-
- `appwrite_call_tool`
99-
- `appwrite_search_docs` — semantic search over the Appwrite documentation (only registered when the docs index and `OPENAI_API_KEY` are present; see [Documentation search](#documentation-search)).
100-
- The full Appwrite tool catalog stays internal and is searched at runtime.
101-
- `appwrite_get_context` gives the client a quick workspace summary. With a local project API key it returns the configured project and readable service totals/samples. With hosted OAuth it also includes account, organization, and discovered project context.
102-
- Large tool outputs are stored as MCP resources and returned as preview text plus a resource URI.
103-
- Mutating hidden tools require `confirm_write=true`.
104-
- Every Appwrite service the installed SDK ships is registered automatically — 25 in total, each becoming a tool-name prefix: `account`, `activities`, `advisor`, `apps`, `avatars`, `backups`, `databases`, `functions`, `graphql`, `health`, `locale`, `messaging`, `oauth2`, `organization`, `presences`, `project`, `proxy`, `sites`, `storage`, `tables_db`, `teams`, `tokens`, `usage`, `users`, and `webhooks`. Which ones a given user can actually call is gated by the scopes their OAuth token was granted (enforced per-route by the Appwrite API), not by the catalog.
105-
106-
## Documentation search
107-
108-
`appwrite_search_docs` runs semantic search over the Appwrite documentation entirely in-process, replacing the standalone docs MCP server. It embeds the query with OpenAI `text-embedding-3-small` and ranks a prebuilt index of doc pages by cosine similarity, returning the most relevant pages with their full content. It needs no `project_id`.
109-
110-
The index is a small artifact committed under `src/mcp_server_appwrite/data/` (`docs_index.npz` + `docs_index_meta.json`) and shipped in the image. The tool is registered only when both the artifact and `OPENAI_API_KEY` are available; otherwise the server boots without it.
111-
112-
### Runtime configuration
113-
114-
- `OPENAI_API_KEY` — required to embed incoming queries (one OpenAI call per search).
115-
- `DOCS_SEARCH_MIN_SCORE` — minimum cosine score for a match (default `0.25`).
116-
- `DOCS_SEARCH_LIMIT` — default maximum pages returned (default `5`, max `10`).
117-
118-
### Rebuilding the index
119-
120-
Re-run the build script when the docs change and commit the refreshed artifact:
121-
122-
```bash
123-
OPENAI_API_KEY=sk-... uv run python scripts/build_docs_index.py
124-
```
125-
126-
It downloads `appwrite/website` docs from GitHub, chunks each page, embeds the chunks, and writes the artifact. Optional env vars: `DOCS_WEBSITE_REF` (git ref, default `main`), `DOCS_EMBED_BATCH` (default `100`).
127-
128-
## Local development
129-
130-
### Clone and install `uv`
131-
132-
```bash
133-
git clone https://github.com/appwrite/mcp.git
134-
cd mcp
135-
# Linux or MacOS
136-
curl -LsSf https://astral.sh/uv/install.sh | sh
137-
# Windows (PowerShell)
138-
# powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
72+
```json
73+
{
74+
"servers": {
75+
"appwrite": {
76+
"type": "http",
77+
"url": "https://mcp.appwrite.io/mcp"
78+
}
79+
}
80+
}
13981
```
14082

141-
### Run the server
142-
143-
With Docker Compose, the server runs the hosted HTTP/OAuth transport:
83+
</details>
14484

145-
```bash
146-
docker compose up --build
147-
```
85+
<details>
86+
<summary><b>Codex</b></summary>
14887

149-
Compose defaults to `MCP_PUBLIC_URL=http://localhost:8000` and exposes the MCP endpoint at:
88+
Edit `~/.codex/config.toml`.
15089

151-
```text
152-
http://localhost:8000/mcp
90+
```toml
91+
[mcp_servers.appwrite]
92+
url = "https://mcp.appwrite.io/mcp"
15393
```
15494

155-
To enable documentation search locally, provide `OPENAI_API_KEY` in your shell or a local `.env` file before running Compose.
156-
157-
With `uv` directly:
95+
</details>
15896

159-
```bash
160-
MCP_PUBLIC_URL=http://localhost:8000 APPWRITE_ENDPOINT=https://cloud.appwrite.io/v1 \
161-
uv run mcp-server-appwrite --transport http
162-
```
97+
<details>
98+
<summary><b>OpenCode</b></summary>
16399

164-
For local self-hosted stdio development, run with API-key credentials:
100+
Edit `opencode.json` (project) or `~/.config/opencode/opencode.json` (global).
165101

166-
```bash
167-
APPWRITE_ENDPOINT=http://localhost:9501/v1 \
168-
APPWRITE_PROJECT_ID=<YOUR_PROJECT_ID> \
169-
APPWRITE_API_KEY=<YOUR_API_KEY> \
170-
uv run mcp-server-appwrite
102+
```json
103+
{
104+
"$schema": "https://opencode.ai/config.json",
105+
"mcp": {
106+
"appwrite": {
107+
"type": "remote",
108+
"url": "https://mcp.appwrite.io/mcp",
109+
"enabled": true
110+
}
111+
}
112+
}
171113
```
172114

173-
## Testing
115+
</details>
174116

175-
### Unit tests
117+
<details>
118+
<summary><b>Windsurf</b></summary>
176119

177-
```bash
178-
uv run python -m unittest discover -s tests/unit -v
179-
```
120+
Edit `~/.codeium/windsurf/mcp_config.json`.
180121

181-
### Live integration tests
182-
183-
These create and delete real Appwrite resources against a real project. They authenticate to the Appwrite API with an API key supplied via the environment or `.env` (`APPWRITE_PROJECT_ID`, `APPWRITE_API_KEY`, `APPWRITE_ENDPOINT`) and are skipped when no credentials are present.
184-
185-
```bash
186-
uv run --extra integration python -m unittest discover -s tests/integration -v
122+
```json
123+
{
124+
"mcpServers": {
125+
"appwrite": {
126+
"serverUrl": "https://mcp.appwrite.io/mcp"
127+
}
128+
}
129+
}
187130
```
188131

189-
## Debugging
132+
</details>
190133

191-
Use the MCP Inspector against a running server URL:
134+
## Self-hosted Appwrite
192135

193-
```bash
194-
npx @modelcontextprotocol/inspector
195-
```
136+
Running your own Appwrite instance? Run the MCP server locally over `stdio` and
137+
authenticate with a project API key. See [docs/self-hosted.md](docs/self-hosted.md)
138+
for per-client setup.
196139

197-
Point it at `https://mcp.appwrite.io/mcp` and complete the OAuth flow when prompted.
140+
## Documentation
198141

199-
For self-hosted stdio debugging, start Inspector in stdio mode and use `uv run mcp-server-appwrite` as the command with the `APPWRITE_*` environment variables above.
142+
- [Tool surface](docs/tool-surface.md) — the tools exposed to the model and the
143+
internal Appwrite catalog.
144+
- [How Cloud authentication works](docs/authentication.md) — the OAuth 2.1 flow.
145+
- [Documentation search](docs/documentation-search.md) — the in-process
146+
`appwrite_search_docs` tool and how to rebuild its index.
147+
- [Self-hosted Appwrite](docs/self-hosted.md) — run the server locally with a
148+
project API key.
149+
- [Local development](docs/development.md) — running, testing, and debugging the
150+
server locally.
151+
- [AGENTS.md](AGENTS.md) — full contributor guide and pre-PR checklist.
200152

201153
## License
202154

203-
This MCP server is licensed under the MIT License. This means you are free to use, modify, and distribute the software, subject to the terms and conditions of the MIT License. For more details, please see the LICENSE file in the project repository.
155+
This MCP server is licensed under the MIT License. See the [LICENSE](LICENSE) file
156+
for details.

docs/authentication.md

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
# How Cloud authentication works
2+
3+
Appwrite Cloud is a hosted
4+
[OAuth 2.1 Resource Server](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization)
5+
served over MCP
6+
[Streamable HTTP](https://modelcontextprotocol.io/specification/2025-06-18/basic/transports).
7+
On every request it validates the client's bearer token and forwards it to the
8+
Appwrite REST API, which accepts the OAuth2 access token directly.
9+
10+
## The flow
11+
12+
MCP-aware clients run this automatically:
13+
14+
```mermaid
15+
sequenceDiagram
16+
participant C as MCP Client
17+
participant S as MCP Server (/mcp)
18+
participant A as Appwrite OAuth Server
19+
participant API as Appwrite REST API
20+
21+
C->>S: GET /mcp (no token)
22+
S-->>C: 401 + WWW-Authenticate → metadata URL
23+
C->>S: GET /.well-known/oauth-protected-resource/mcp
24+
S-->>C: auth server + scopes (RFC 9728)
25+
C->>A: Discover (RFC 8414 / OIDC)
26+
C->>A: Self-register as public PKCE client (RFC 7591)
27+
A-->>C: client_id (no secret to pre-provision)
28+
C->>A: OAuth 2.1 + PKCE auth-code flow (RFC 8707 resource)
29+
A-->>C: access token (audience bound to this server)
30+
C->>S: GET /mcp + Authorization: Bearer <token>
31+
S->>API: Forward bearer token
32+
API-->>S: Response
33+
S-->>C: Response
34+
```
35+
36+
The key detail is that clients **self-register** — the auth server exposes an open
37+
`registration_endpoint` (RFC 7591), so there's no client ID or secret to
38+
pre-provision. Everything else is standard OAuth 2.1 + PKCE, with the RFC 8707
39+
resource indicator binding each token's audience to this server.

0 commit comments

Comments
 (0)