hawkapi-mcp
OfficialClick on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@hawkapi-mcpShow me the user with ID 42"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
hawkapi-mcp
MCP (Model Context Protocol) server for HawkAPI. Auto-exports every route as an agent tool — any MCP-compatible client can call your API.
Install
pip install hawkapi-mcpRelated MCP server: openapi-mcp-bridge
Quickstart
from hawkapi import HawkAPI
from hawkapi.responses import JSONResponse
from hawkapi_mcp import mount_mcp
app = HawkAPI()
@app.get("/users/{user_id:int}")
async def get_user(user_id: int) -> JSONResponse:
return JSONResponse({"id": user_id, "name": "Alice"})
@app.post("/items")
async def create_item(body: dict) -> JSONResponse:
return JSONResponse({"created": body})
mount_mcp(app, allow_unauthenticated=True) # serves POST /mcp — dev only; see Auth
/mcpMUST be protected in production — passdependencies=[...]to require auth, orallow_unauthenticated=Trueto opt out explicitly. See Auth.
Point any MCP-compatible client at http://your-host/mcp. Every HawkAPI route becomes a tool — its operationId is the tool name, the OpenAPI schema becomes the input schema.
Tool naming
Route definition | Generated tool name |
|
|
|
|
Tool input schema
The decorator combines path / query / header parameters and the JSON request body into a single object schema. Parameter names are namespaced so they cannot collide:
Source | Schema key |
Path parameter |
|
Query parameter |
|
Header parameter |
|
JSON body |
|
Cookie parameters are deliberately not exposed as tool inputs — exposing session cookies as data trains agents to handle credentials as ordinary fields. Forward credentials via the request to /mcp instead (see Auth).
tools/call example:
{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "get_user",
"arguments": {"path.user_id": "42"}
}
}The tool result has the response body in content[0].text and the raw HTTP status / headers in structuredContent. isError is true for any 4xx/5xx response.
Credential-bearing response headers are stripped from structuredContent before the agent sees them: set-cookie, authorization, and anything matching x-*-token / x-*-secret. Add more via strip_response_headers={...}.
Filtering tools
mount_mcp(app, include_only={"get_user", "create_item"})
mount_mcp(app, exclude={"internal_admin_route"})Supported JSON-RPC methods
initialize— handshake. Returns the MCP protocol version, server info, and tool capability.ping— keepalive.tools/list— return the tool catalog.tools/call— invoke a tool. Returns response body + HTTP status.notifications/initialized— accepted, no response.
The endpoint accepts both single JSON-RPC objects and batches.
Auth
The /mcp endpoint exposes every route and MUST be protected. A single MCP
tool call can invoke any route, and the bridge synthesises an inner ASGI request
— so middleware that only guards inner routes can be bypassed. To make this
hard to get wrong, mount_mcp() raises RuntimeError at mount time unless you
either:
pass
dependencies=[...]to attach auth (e.g.Depends) to the/mcproute, orexplicitly opt out with
allow_unauthenticated=True(local dev, or auth enforced upstream).
from hawkapi import Depends
from hawkapi_mcp import mount_mcp
mount_mcp(app, dependencies=[Depends(verify_token)]) # protected
mount_mcp(app, allow_unauthenticated=True) # explicit opt-outhawkapi-mcp does not define its own auth layer — wire your HawkAPI dependencies
(HTTPBearer, OAuth2, API key) on the MCP route just like any other path. The
caller's Authorization and Cookie headers on the outer /mcp request are
forwarded into the synthetic inner request, so inner-route Depends(auth) sees
the real credentials (and the real client address is propagated where available).
Header arguments forwarded by the client land in the request before middleware runs.
Tool catalog freshness
The tool catalog is derived from app.openapi() and cached. By default it is
cached for the process lifetime, so routes added/removed/disabled at runtime are
not reflected — call server.invalidate_tools() to force a refresh, or pass
cache_ttl_seconds=... to mount_mcp() (or MCPServer) to auto-refresh after
the given interval:
mount_mcp(app, dependencies=[...], cache_ttl_seconds=60)Development
git clone https://github.com/Hawk-API/hawkapi-mcp.git
cd hawkapi-mcp
uv sync --extra dev
uv run pytest -q
uv run ruff check . && uv run ruff format --check .
uv run pyright src/Specification
Implements a subset of the Model Context Protocol sufficient to advertise and invoke tools. Streamable HTTP transport only — stdio is out of scope (deploy your app behind any ASGI server and the agent connects to the /mcp URL).
License
MIT.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Hawk-API/hawkapi-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server