Skip to main content
The Navis Ops MCP server lets AI assistants read and write your workspace data using the Model Context Protocol. It implements the MCP specification version 2025-06-18 over Streamable HTTP transport, and supports both API key and OAuth 2.1 authentication. Everything the server exposes — tools, resources, and prompts — is scoped to the authenticated user via row-level security. No cross-user data access is possible.

Base URL

https://<your-supabase-project>.supabase.co/functions/v1/mcp-server-v2
Replace <your-supabase-project> with your Supabase project reference. You can find the full URL in Settings → Connected Apps when you create an API key or connect an OAuth client.

Authentication

Pass your API key or OAuth access token as a bearer credential in the Authorization header on every request:
Authorization: Bearer nops_your_api_key_here
For OAuth access tokens, the format is the same — replace the value with your OAuth token. If authentication fails, the server returns 401 Unauthorized with a WWW-Authenticate header pointing at the discovery document. See the authentication overview for details on both methods.

What the server exposes

CategoryCountDetails
Tools52Across 12 domains — see Tools reference
Resources54 static + 1 templated — see Resources reference
Prompts4Named prompt templates — see Prompts reference

Request format

The MCP server uses JSON-RPC 2.0. Every request is an HTTP POST with a Content-Type: application/json body:
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/list",
  "params": {}
}
The server also accepts Accept: text/event-stream to receive responses as Server-Sent Events (SSE). Most MCP clients handle this negotiation automatically.

Supported JSON-RPC methods

MethodDescription
initializeStart a session. Allowed before authentication.
tools/listList all available tools.
tools/callCall a specific tool by name.
resources/listList all static resources.
resources/readFetch a resource by URI.
resources/templates/listList URI templates for templated resources.
prompts/listList all named prompt templates.
prompts/getFetch a rendered prompt by name.
pingCheck that the connection is alive.

Session management

The server maintains DB-backed sessions. After a successful initialize call, the server returns a Mcp-Session-Id header. Include this header in subsequent requests. Sessions idle out after one hour.
curl https://<your-supabase-project>.supabase.co/functions/v1/mcp-server-v2 \
  -H "Authorization: Bearer nops_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "id": 1,
    "method": "initialize",
    "params": {
      "protocolVersion": "2025-06-18",
      "capabilities": {},
      "clientInfo": {
        "name": "my-client",
        "version": "1.0.0"
      }
    }
  }'
Most MCP client libraries handle session initialization automatically.

Data scoping and security

All tools and resources are scoped to the authenticated user. The server enforces row-level security on every database query — there is no way for an AI assistant to read or modify another user’s data, even if it tries. The only access control knob available is scope: mcp:read grants every read tool, and mcp:write grants reads plus all write tools. There is no per-tool ACL.

Next steps

Tools

All 52 tools organized by domain with scope requirements.

Resources

5 read-only resources for workspace overview, projects, tasks, and calendar.

Prompts

4 named prompt templates for planning, standups, and retrospectives.