Base URL
<your-supabase-project> with your Supabase project reference. You can find the full URL in Settings → Connected Apps when you create an API key or connect an OAuth client.
Authentication
Pass your API key or OAuth access token as a bearer credential in theAuthorization header on every request:
401 Unauthorized with a WWW-Authenticate header pointing at the discovery document. See the authentication overview for details on both methods.
What the server exposes
| Category | Count | Details |
|---|---|---|
| Tools | 52 | Across 12 domains — see Tools reference |
| Resources | 5 | 4 static + 1 templated — see Resources reference |
| Prompts | 4 | Named prompt templates — see Prompts reference |
Request format
The MCP server uses JSON-RPC 2.0. Every request is an HTTP POST with aContent-Type: application/json body:
Accept: text/event-stream to receive responses as Server-Sent Events (SSE). Most MCP clients handle this negotiation automatically.
Supported JSON-RPC methods
| Method | Description |
|---|---|
initialize | Start a session. Allowed before authentication. |
tools/list | List all available tools. |
tools/call | Call a specific tool by name. |
resources/list | List all static resources. |
resources/read | Fetch a resource by URI. |
resources/templates/list | List URI templates for templated resources. |
prompts/list | List all named prompt templates. |
prompts/get | Fetch a rendered prompt by name. |
ping | Check that the connection is alive. |
Session management
The server maintains DB-backed sessions. After a successfulinitialize call, the server returns a Mcp-Session-Id header. Include this header in subsequent requests. Sessions idle out after one hour.
Data scoping and security
All tools and resources are scoped to the authenticated user. The server enforces row-level security on every database query — there is no way for an AI assistant to read or modify another user’s data, even if it tries. The only access control knob available is scope:mcp:read grants every read tool, and mcp:write grants reads plus all write tools. There is no per-tool ACL.
Next steps
Tools
All 52 tools organized by domain with scope requirements.
Resources
5 read-only resources for workspace overview, projects, tasks, and calendar.
Prompts
4 named prompt templates for planning, standups, and retrospectives.