MCP Gateway (Floopy as MCP server)
Overview
The Gateway turns Floopy into an MCP server your agents can connect to. Each agent uses its own bearer token, scoped to the resources it needs and revocable at any time. Every tool call is audited per-request — you always know which agent did what, when, and on whose behalf.
The endpoint is:
https://api.floopy.ai/mcp
Authentication is Authorization: Bearer <token> on every request.
Creating a token
In the dashboard, navigate to MCP → Gateway → New token. You pick:
- Display name — e.g. Claude Desktop · Ana or Internal eval bot
- Scopes — one or more from the scope catalog. Wildcard * grants every current and future scope; use it sparingly.
The token is shown once at creation. Floopy hashes it on save — there is no way to retrieve the plaintext later. Store it in your password manager or secret store immediately.
Drop-in configs
The Reveal modal in the dashboard generates ready-to-paste configs for the major MCP clients. Below is the canonical form for each.
~/Library/Application Support/Claude/claude_desktop_config.json:

```json
{
  "mcpServers": {
    "floopy": {
      "url": "https://api.floopy.ai/mcp",
      "headers": {
        "Authorization": "Bearer flpy_..."
      }
    }
  }
}
```

```bash
claude mcp add floopy \
  --transport http \
  --url https://api.floopy.ai/mcp \
  --header "Authorization: Bearer flpy_..."
```

Settings → Connectors → Add custom connector:

```text
Name: Floopy
Server URL: https://api.floopy.ai/mcp
Auth type: Bearer token
Token: flpy_...
```

~/.cursor/mcp.json:

```json
{
  "mcpServers": {
    "floopy": {
      "url": "https://api.floopy.ai/mcp",
      "headers": {
        "Authorization": "Bearer flpy_..."
      }
    }
  }
}
```

```bash
curl https://api.floopy.ai/mcp \
  -H "Authorization: Bearer flpy_..." \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}'
```

What’s enforced
Every request runs through the same pipeline:
- Token authentication — the bearer token is hashed and looked up in mcp_tbac_tokens. Unknown / expired tokens return JSON-RPC error -32001.
- Per-key + per-org rate limit — sliding-window Redis counters. Per-key limit is your plan’s RPM; per-org is 10× that by default. Excess returns JSON-RPC error -32003 with data.retry_after_secs.
- Scope validation — tools/list filters to scopes the token holds; tools/call rejects unknown scopes with -32602.
- Per-tool budget — export:read 1/5min/org, routing:explain 30/min/org + 10/min/key, write tools 5–10/min/org.
- Audit emit — every read is throttled 60s by (org, key, route); every write is audit-first (the audit row lands BEFORE the mutation; failure aborts).
Revocation
Revoke a token from MCP → Gateway → ⋯ → Revoke. The token is deleted on the next request — Redis-cached lookups expire within mcp.tbac_cache_ttl_secs (default 60s).
For instant revocation across the fleet, also rotate FLOOPY_TBAC_PEPPER — every existing token hash invalidates immediately.
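The token-authentication step and the two revocation paths above can be modelled in a few lines. This is an added example, not Floopy's code: the HMAC-SHA256 construction, the cache keyed by token hash, the class and function names, and the pepper and scope values are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TokenGateway:
    """Toy model of peppered token lookup behind a TTL cache (assumed design)."""
    def __init__(self, pepper: bytes, cache_ttl_secs: int = 60):
        self.pepper = pepper
        self.cache_ttl_secs = cache_ttl_secs
        self.db = {}     # token hash -> scopes; stands in for mcp_tbac_tokens
        self.cache = {}  # token hash -> (scopes, expiry); stands in for Redis

    def _digest(self, token: str) -> str:
        # Assumption: HMAC-SHA256 keyed with the pepper; the page names no algorithm.
        return hmac.new(self.pepper, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, scopes):
        token = "flpy_" + secrets.token_urlsafe(32)
        self.db[self._digest(token)] = list(scopes)  # only the hash is stored
        return token  # plaintext is returned once and never kept

    def revoke(self, token: str) -> None:
        self.db.pop(self._digest(token), None)  # cached copies survive until TTL

    def authenticate(self, token: str, now: float):
        """Return the token's scopes, or None (the gateway would answer -32001)."""
        digest = self._digest(token)
        hit = self.cache.get(digest)
        if hit and hit[1] > now:
            return hit[0]
        self.cache.pop(digest, None)
        scopes = self.db.get(digest)
        if scopes is not None:
            self.cache[digest] = (scopes, now + self.cache_ttl_secs)
        return scopes


def revocation_timeline() -> dict:
    gw = TokenGateway(pepper=b"constructed-pepper-v1")
    a, b = gw.issue(["export:read"]), gw.issue(["routing:explain"])
    out = {"t0": (gw.authenticate(a, 0), gw.authenticate(b, 0))}
    gw.revoke(a)
    out["a_t30"] = gw.authenticate(a, 30)  # still served from the cache
    out["a_t61"] = gw.authenticate(a, 61)  # cache entry expired, row is gone
    out["b_t61"] = gw.authenticate(b, 61)  # valid token, re-cached until t=121
    gw.pepper = b"constructed-pepper-v2"   # pepper rotation
    out["b_t62"] = gw.authenticate(b, 62)  # new hash misses cache and table
    return out
```

In this model a revoked token keeps working until its cache entry ages out, while a pepper rotation rejects even a freshly cached token because the recomputed hash matches neither the cache key nor the stored row.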
Protocol version
Floopy advertises MCP 2025-06-18 in the initialize response, with backward-compatible negotiation for older clients. The transport is HTTP JSON-RPC 2.0 (Streamable HTTP transport for SSE-streaming responses is on the roadmap; today’s wire format is plain application/json).
See the scope catalog for the 12 supported scopes and which tools they expose.