MCP Server
Contit exposes an MCP server (Model Context Protocol) that lets agents like Claude Code, Claude Desktop or other MCP clients read a workspace's content as native tools.
The endpoint is remote (Streamable HTTP) and available at:
https://api.contit.cloud/mcp
Authentication uses a per-user Personal Access Token (PAT) sent as a Bearer. Each token is tied to a user and a workspace, and inherits its permissions (read / read-write, plus any per-content-type permissions).
1. Generate a Personal Access Token
There are two kinds of PAT, depending on scope:
| Kind | Where to create | Scope |
|---|---|---|
| Per-workspace | Console → workspace Settings → Developer → Personal Access Tokens | a single workspace, with per-content-type permissions |
| Admin (multi-workspace) | User profile (IDP) → Personal Access Tokens | all workspaces you administer; restricted to subscription Owner/Manager |
The token (format ctpat_...) is shown only once: copy it immediately.
With an admin token you use a single MCP entry for all your workspaces: the agent picks the workspace per operation (see contit_list_workspaces and the workspaceId parameter below).
2. Configure the agent
Claude Code
claude mcp add --transport http contit https://api.contit.cloud/mcp \
--header "Authorization: Bearer ctpat_xxxxxxxx"
Claude Desktop
In claude_desktop_config.json, via mcp-remote with an X-Api-Key header (recommended: avoids the space-parsing issue of Authorization: Bearer):
{
"mcpServers": {
"contit": {
"command": "npx",
"args": [
"-y",
"mcp-remote",
"https://api.contit.cloud/mcp",
"--header",
"X-Api-Key: ctpat_xxxxxxxx"
]
}
}
}
The PAT (ctpat_…) is accepted equivalently as Authorization: Bearer, an X-Api-Key header, or a ?api_key= query parameter.
Available tools
| Tool | Description |
|---|---|
contit_list_workspaces |
Lists accessible workspaces (useful for admin multi-workspace tokens) |
contit_list_content_types |
Lists the workspace's content types (schemas) |
contit_query_content |
Searches published contents of a content type, with pagination |
contit_get_content |
Retrieves a single published content by content type and id |
All tools require at least read permission. With a per-workspace token the workspace is implicit; with an admin token the tools accept a workspaceId parameter (the user's access to that workspace is verified at runtime). Write tools will be added in a future release.
If the PAT has per-content-type permissions configured, the tools only see and return the allowed content types.
Centralized validation for reserved apps
Reserved apps can validate the same Personal Access Token centrally via the /connect/introspect endpoint, so the authority that knows the tokens stays single (the IDP). In the .NET SDK:
var validator = new ContitTokenValidator(appClientId, appClientSecret);
var info = await validator.ValidateAsync(incomingToken);
if (info.Active)
{
// info.UserId, info.WorkspaceId, info.CanRead, info.CanWrite
}
To call the APIs on behalf of the user with a PAT:
var client = DelegatedContitClient.FromPersonalAccessToken("ctpat_xxxxxxxx");