Skip to main content

Overview

The MCP Server with LangGraph exposes RESTful API endpoints for identity management, authentication, and user provisioning. All endpoints require authentication and follow RESTful conventions.

Service Principals

Machine-to-machine authentication for automated workflows

API Keys

Long-lived authentication for CLI tools and legacy integrations

SCIM 2.0

Automated user provisioning from identity providers

Service Principals API

Service principals enable machine-to-machine authentication for batch jobs, streaming tasks, and background processes.

Base Path

/api/v1/service-principals

Authentication

All endpoints require Bearer token authentication: 
Authorization: Bearer YOUR_JWT_TOKEN

Create Service Principal

Creates a new service principal for machine-to-machine authentication.
  • Request
  • Response
  • Example
Endpoint: POST /api/v1/service-principalsHeaders:
Authorization: Bearer YOUR_JWT
Content-Type: application/json
Body:
{
  "name": "Batch ETL Job",
  "description": "Nightly data processing",
  "authentication_mode": "client_credentials",
  "associated_user_id": "user:alice",
  "inherit_permissions": true,
  "refresh_token_lifespan": 2592000
}
Parameters:
  • name (required): Human-readable name for the service principal
  • description (optional): Description of purpose
  • authentication_mode (required): client_credentials or service_account
  • associated_user_id (optional): User ID to inherit permissions from
  • inherit_permissions (optional): Enable permission inheritance (default: false)
  • refresh_token_lifespan (optional): Refresh token lifetime in seconds (default: 2592000 = 30 days)

List Service Principals

Retrieves all service principals for the authenticated user.
  • Request
  • Response
  • Example
Endpoint: GET /api/v1/service-principalsHeaders:
Authorization: Bearer YOUR_JWT
Query Parameters:
  • page (optional): Page number (default: 1)
  • page_size (optional): Items per page (default: 20, max: 100)
  • authentication_mode (optional): Filter by mode (client_credentials or service_account)

Get Service Principal

Retrieves details of a specific service principal.
  • Request
  • Response
  • Example
Endpoint: GET /api/v1/service-principals/{service_id}Headers:
Authorization: Bearer YOUR_JWT
Path Parameters:
  • service_id: Service principal ID

Delete Service Principal

Deletes a service principal and revokes all its credentials.
  • Request
  • Response
  • Example
Endpoint: DELETE /api/v1/service-principals/{service_id}Headers:
Authorization: Bearer YOUR_JWT
Path Parameters:
  • service_id: Service principal ID to delete

Rotate Secret

Rotates the client secret for a service principal.
  • Request
  • Response
  • Example
Endpoint: POST /api/v1/service-principals/{service_id}/rotate-secretHeaders:
Authorization: Bearer YOUR_JWT
Content-Type: application/json
Body:
{
  "grace_period_hours": 24
}
Parameters:
  • grace_period_hours (optional): Hours to keep old secret valid (default: 24)

API Keys API

API keys provide simple, long-lived authentication for CLI tools, webhooks, and legacy integrations.

Base Path

/api/v1/api-keys

Authentication

All endpoints require Bearer token authentication: 
Authorization: Bearer YOUR_JWT_TOKEN

Create API Key

Creates a new API key for the authenticated user.
  • Request
  • Response
  • Example
Endpoint: POST /api/v1/api-keysHeaders:
Authorization: Bearer YOUR_JWT
Content-Type: application/json
Body:
{
  "name": "Production API Key",
  "expires_days": 365
}
Parameters:
  • name (required): Descriptive name for the API key
  • expires_days (optional): Days until expiration (default: 365, max: 730)

List API Keys

Retrieves all API keys for the authenticated user.
  • Request
  • Response
  • Example
Endpoint: GET /api/v1/api-keysHeaders:
Authorization: Bearer YOUR_JWT
Query Parameters:
  • include_expired (optional): Include expired keys (default: false)

Revoke API Key

Revokes an API key, making it invalid immediately.
  • Request
  • Response
  • Example
Endpoint: DELETE /api/v1/api-keys/{key_id}Headers:
Authorization: Bearer YOUR_JWT
Path Parameters:
  • key_id: API key ID to revoke

Using API Keys

API keys are used in the apikey header: 
curl -X POST https://api.example.com/message \
  -H "apikey: mcpkey_live_EXAMPLE1234567890abcdefghijklmnopqrstuvwxyz" \
  -H "Content-Type: application/json" \
  -d '{"query": "Hello, world!"}'
Key Format:
  • Prefix: mcpkey_
  • Environment: live_ (production) or test_ (development)
  • Token: 48-character random string (base62)
Internally: The API key is exchanged for a JWT token via Kong Gateway’s custom plugin, then validated like any other JWT.

SCIM 2.0 API

SCIM (System for Cross-domain Identity Management) enables automated user provisioning from identity providers.

Base Path

/scim/v2

Authentication

SCIM endpoints support two authentication methods: Option 1: Bearer Token (Recommended) 
Authorization: Bearer JWT_TOKEN
Option 2: OAuth 2.0 Client Credentials 
Authorization: Bearer ACCESS_TOKEN
(obtained via service principal client credentials flow)

Supported Schemas

  • urn:ietf:params:scim:schemas:core:2.0:User
  • urn:ietf:params:scim:schemas:core:2.0:Group
  • urn:ietf:params:scim:api:messages:2.0:ListResponse
  • urn:ietf:params:scim:api:messages:2.0:PatchOp

User Endpoints

Endpoint: POST /scim/v2/UsersRequest:
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "alice@example.com",
  "name": {
    "givenName": "Alice",
    "familyName": "Smith"
  },
  "emails": [{
    "value": "alice@example.com",
    "primary": true
  }],
  "active": true
}
Response: 201 Created
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "user:alice",
  "userName": "alice@example.com",
  "name": {
    "givenName": "Alice",
    "familyName": "Smith"
  },
  "emails": [{
    "value": "alice@example.com",
    "primary": true
  }],
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2025-01-28T00:00:00Z",
    "lastModified": "2025-01-28T00:00:00Z",
    "location": "/scim/v2/Users/user:alice"
  }
}
Endpoint: GET /scim/v2/Users/{id}Response: 200 OK
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "user:alice",
  "userName": "alice@example.com",
  "name": {
    "givenName": "Alice",
    "familyName": "Smith"
  },
  "emails": [{
    "value": "alice@example.com",
    "primary": true
  }],
  "active": true,
  "groups": [],
  "meta": {
    "resourceType": "User",
    "created": "2025-01-28T00:00:00Z",
    "lastModified": "2025-01-28T00:00:00Z"
  }
}
Endpoint: PUT /scim/v2/Users/{id}Request:
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "alice@example.com",
  "name": {
    "givenName": "Alice",
    "familyName": "Johnson"
  },
  "emails": [{
    "value": "alice@example.com",
    "primary": true
  }],
  "active": true
}
Response: 200 OK (updated user object)
Endpoint: PATCH /scim/v2/Users/{id}Request:
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "replace",
      "path": "active",
      "value": false
    },
    {
      "op": "replace",
      "path": "name.familyName",
      "value": "Johnson"
    }
  ]
}
Supported Operations:
  • add: Add attribute value
  • replace: Replace attribute value
  • remove: Remove attribute
Response: 200 OK (updated user object)
Endpoint: DELETE /scim/v2/Users/{id}Response: 204 No Content
This sets active: false on the user but doesn’t delete the account. The user can be reactivated via PATCH.
Endpoint: GET /scim/v2/Users?filter={filter}Query Parameters:
  • filter: SCIM filter expression
  • startIndex: Pagination start (default: 1)
  • count: Results per page (default: 20)
Example Filter:
userName eq "alice@example.com"
active eq true
emails.value co "@example.com"
name.familyName sw "Sm"
Response: 200 OK
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 1,
  "startIndex": 1,
  "itemsPerPage": 20,
  "Resources": [
    {
      "id": "user:alice",
      "userName": "alice@example.com",
      "active": true
    }
  ]
}
Supported Filter Operators:
  • eq: Equal
  • ne: Not equal
  • co: Contains
  • sw: Starts with
  • ew: Ends with
  • pr: Present (attribute exists)

Group Endpoints

Endpoint: POST /scim/v2/GroupsRequest:
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "displayName": "Engineering",
  "members": [
    {
      "value": "user:alice",
      "display": "Alice Smith"
    }
  ]
}
Response: 201 Created
Endpoint: GET /scim/v2/Groups/{id}Response: 200 OK
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "id": "group:engineering",
  "displayName": "Engineering",
  "members": [
    {
      "value": "user:alice",
      "display": "Alice Smith",
      "$ref": "/scim/v2/Users/user:alice"
    }
  ],
  "meta": {
    "resourceType": "Group",
    "created": "2025-01-28T00:00:00Z",
    "lastModified": "2025-01-28T00:00:00Z"
  }
}
Endpoint: PATCH /scim/v2/Groups/{id}Request:
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "add",
      "path": "members",
      "value": [
        {
          "value": "user:bob",
          "display": "Bob Jones"
        }
      ]
    }
  ]
}
Response: 200 OK

Bulk Operations

Endpoint: POST /scim/v2/Bulk Create, update, or delete multiple resources in a single request. 
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkRequest"],
  "Operations": [
    {
      "method": "POST",
      "path": "/Users",
      "bulkId": "user1",
      "data": {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "user1@example.com",
        "name": {
          "givenName": "User",
          "familyName": "One"
        }
      }
    },
    {
      "method": "POST",
      "path": "/Users",
      "bulkId": "user2",
      "data": {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "user2@example.com",
        "name": {
          "givenName": "User",
          "familyName": "Two"
        }
      }
    }
  ]
}
Response: 200 OK 
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkResponse"],
  "Operations": [
    {
      "bulkId": "user1",
      "method": "POST",
      "status": "201",
      "location": "/scim/v2/Users/user:user1"
    },
    {
      "bulkId": "user2",
      "method": "POST",
      "status": "201",
      "location": "/scim/v2/Users/user:user2"
    }
  ]
}

Error Responses

All SCIM endpoints return errors in SCIM format: 
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
  "status": "400",
  "scimType": "invalidValue",
  "detail": "userName is required"
}
SCIM Error Types:
  • invalidValue: Invalid attribute value
  • tooMany: Too many results
  • uniqueness: Uniqueness constraint violated
  • mutability: Immutable attribute modification attempted
  • invalidSyntax: Invalid filter syntax
  • invalidFilter: Invalid filter
  • invalidPath: Invalid path expression

Rate Limiting

All API endpoints are rate-limited to prevent abuse:
Endpoint CategoryRate LimitWindow
Service Principals10 requests/minutePer user
API Keys20 requests/minutePer user
SCIM User Operations100 requests/minutePer client
SCIM Bulk Operations10 requests/minutePer client
Rate Limit Headers: 
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1643370000
Rate Limit Exceeded Response: 
{
  "error": "rate_limit_exceeded",
  "message": "Too many requests. Please try again later.",
  "retry_after": 60
}

Error Handling

Common HTTP Status Codes

StatusMeaningWhen Used
200 OKSuccessGET, PUT, PATCH requests
201 CreatedResource createdPOST requests
204 No ContentSuccess, no bodyDELETE requests
400 Bad RequestInvalid requestValidation errors
401 UnauthorizedAuth required/invalidMissing or invalid token
403 ForbiddenInsufficient permissionsAuthorization failure
404 Not FoundResource not foundInvalid ID
409 ConflictResource conflictDuplicate username, key limit exceeded
429 Too Many RequestsRate limitedExceeded rate limit
500 Internal Server ErrorServer errorUnexpected errors

Error Response Format

{
  "error": "validation_error",
  "message": "Invalid request parameters",
  "details": {
    "name": "name is required",
    "authentication_mode": "must be 'client_credentials' or 'service_account'"
  },
  "request_id": "abc123"
}

Best Practices

Secure Credentials

  • Store API keys and client secrets in secrets managers
  • Never commit credentials to version control
  • Rotate credentials regularly (90 days recommended)
  • Use different credentials per environment

Error Handling

  • Implement exponential backoff for retries
  • Handle rate limiting gracefully
  • Log request IDs for debugging
  • Validate responses before processing

Performance

  • Cache JWT tokens until expiration
  • Use bulk SCIM operations for multiple users
  • Implement request pooling/batching
  • Monitor rate limit headers

Security

  • Use HTTPS for all API calls
  • Validate SSL certificates in production
  • Implement request signing for SCIM (optional)
  • Monitor for unusual API usage patterns

See Also