- Title: PRD: mcp4openapi (Universal OpenAPI to MCP Server)
- Version: 1.0
mcp4openapi is a universal Model Context Protocol (MCP) server that automatically generates MCP tools from any valid OpenAPI 3.x specification. It allows Large Language Models (LLMs) like Claude or Copilot to interact with external REST APIs without writing any custom integration code.
The product prioritizes a "Zero Config" experience where users simply provide an OpenAPI URL to get started. For advanced use cases, it supports a "Profile" system that allows developers to curate, filter, and aggregate API operations into optimized tools, reducing context pollution and improving LLM reliability.
- Accelerate Integration: Enable rapid connection of any OpenAPI-compliant service to the MCP ecosystem without custom development.
- Improve LLM Efficiency: Reduce token usage and context window pollution by allowing granular control over exposed tools and response fields via Profiles.
- Enterprise Readiness: Support robust authentication (OAuth 2.0, Bearer), observability (metrics, logging), and secure transport options.
- LLM User: Instantly access API tools by just pointing to a spec URL ("It just works").
- Developer/Integrator: Customize tool definitions, hide dangerous operations, and chain multiple API calls into single logical actions to simplify complex workflows.
- Legacy Support: Support for OpenAPI 2.0 (Swagger) is not a priority for v1.0.
- Protocol Translation: We do not aim to support non-REST protocols (GraphQL, gRPC) in this specific server.
- The Consumer (LLM User)
- The Integrator (Developer/DevOps)
- The Consumer: Uses LLM clients (Claude Desktop, VS Code Copilot) and wants to connect to a service (e.g., GitLab, Jira) quickly. They care about ease of setup and tool reliability.
- The Integrator: Configures the MCP server for a team or specific use case. They care about security (hiding admin endpoints), performance (filtering huge JSON responses), and usability (renaming cryptic API operation IDs).
- Admin: Full access to server configuration (env vars, profiles).
- User: Consumes the exposed tools via the MCP client.
- OpenAPI Parsing:
- Must load OpenAPI 3.x specifications from a local file path.
- Must load OpenAPI 3.x specifications from a public HTTP/HTTPS URL.
- Must validate the specification and handle parsing errors gracefully.
- Tool Generation:
- Automatically generate MCP tools for all
GET,POST,PUT,PATCH,DELETEoperations defined in the spec. - Use
operationId(or fallback to path+method) for tool naming. - Map OpenAPI parameters (path, query, body) to MCP tool arguments.
- Automatically generate MCP tools for all
- Tool Filtering: Allow allowlisting specific operations to expose (e.g., only read-only endpoints).
- Aliasing: Rename complex
operationIds to human-readable tool names (e.g.,get_project_issues_v4->list_issues). - Response Filtering: Define JSON paths to keep in the API response, discarding irrelevant data to save context.
- Composite Tools:
- Chain multiple API calls into a single MCP tool (e.g., "Create Project" + "Add Badge").
- Support passing outputs from one step as inputs to the next.
- Metadata Parameters: Inject static parameters (like
user_agentorapi_version) that are hidden from the LLM.
- Token-based Auth:
- Support
Authorization: Bearer <token>. - Support custom headers (e.g.,
X-API-Key). - Support query parameters (e.g.,
?api_key=...). - Read tokens securely from environment variables.
- Support
- OAuth 2.0:
- Support Authorization Code flow for HTTP transport.
- Handle token refresh automatically.
- Multi-Auth: Support fallback strategies (try OAuth, then Bearer).
- Stdio Transport: Default mode for local CLI usage.
- HTTP Transport: Server-Sent Events (SSE) support for remote deployment.
- Security:
- Redact sensitive tokens from logs.
- Enforce DNS rebinding protection for local HTTP servers.
- CLI (npx): User runs
npx mcp4openapiwith env vars. No install needed. - Docker: User runs a pre-built Docker container.
-
Zero Config:
- User sets
MCP4_OPENAPI_SPEC_PATHto a URL. - User sets
MCP4_API_TOKEN. - Server starts and exposes all valid operations as tools.
- User sets
-
Profile Config:
- User creates a
profile.json. - User maps
operationIds to friendly names. - User defines composite workflows.
- Server starts with
MCP4_PROFILE_PATH, exposing only the curated tools.
- User creates a
- Composite Workflows: Handling partial failures in a chain (e.g., step 1 succeeds, step 2 fails).
- Large Specs: Indexing large specs (like GitLab/AWS) to ensure fast tool lookups.
A developer wants to let Claude manage their GitLab issues. They run mcp4openapi pointing to GitLab's OpenAPI URL. Initially, Claude is overwhelmed by 500+ tools. The developer creates a simple profile.json selecting only "retrieve_content" and "set_content" related operations with defined targets as "issue", "project", "merge_request" etc. Now, Claude sees a clean, focused toolset and can perform complex tasks like "Find high priority bugs and assign them to me" efficiently.
- Time to First Tool Call: < 5 minutes from installation.
- Context Efficiency: % reduction in token usage when using Profiles vs. raw API.
- Adoption: Number of GitHub stars/forks.
- Ecosystem: Number of community-contributed Profiles.
- Startup Time: < 2 seconds for average specs.
- Error Rate: < 1% for valid API calls.
- MCP SDK: Built on top of the official TypeScript MCP SDK.
- OpenAPI Parser: Uses standard libraries to parse YAML/JSON specs.
- Stateless: The server is stateless (except for OAuth sessions in memory).
- No Persistence: No user data is stored on disk.
- Indexing: Pre-index OpenAPI operations on startup to avoid O(n) lookups during execution.
- Streaming: Use SSE for HTTP transport to handle long-running LLM interactions.
- Malformed Specs: Many public OpenAPI specs are invalid or incomplete. We need robust error handling.
- Auth Complexity: OAuth flows vary significantly between providers.
- Size: Medium (Existing codebase is ~3k LOC).
- 1 Backend Engineer: Core logic, OpenAPI parsing.
- Phase 1: Core Stability (Current): Robust parsing, Stdio transport, Basic Auth.
- Phase 2: Advanced Profiles: Composite tools, deep response filtering.
- Phase 3: Remote & OAuth: HTTP transport, OAuth 2.0, Dockerization.
- Phase 4: Future (v2.0): Runtime spec loading, UI for profile generation, Multi-tenant support.
- ID: GH-001
- Description: As a user, I want to start the server with just an OpenAPI URL and an API token so that I can use the tools immediately without configuration.
- Acceptance criteria:
- Server accepts
MCP4_OPENAPI_SPEC_PATHas a URL. - Server accepts
MCP4_API_TOKENfor Bearer auth. - All valid operations in the spec are exposed as tools.
- Server accepts
- ID: GH-002
- Description: As an integrator, I want to use a profile to allowlist specific API operations so that the LLM is not confused by irrelevant or dangerous tools.
- Acceptance criteria:
- Server accepts
MCP4_PROFILE_PATH. - Only tools defined in the profile are exposed.
- Tools can be renamed via the profile.
- Server accepts
- ID: GH-003
- Description: As an integrator, I want to chain multiple API calls into a single tool so that the LLM can perform complex actions (like "create project and add webhook") in one step.
- Acceptance criteria:
- Profile supports
composite: truetool definitions. - Steps are executed in order.
- Output from step N can be used in step N+1.
- Profile supports
- ID: GH-004
- Description: As a user, I want to authenticate via OAuth 2.0 so that I don't have to manually manage long-lived tokens.
- Acceptance criteria:
- HTTP transport supports OAuth authorization code flow.
- Server handles token exchange and refresh.
- Access token is automatically injected into API requests.