MCP URL
MCP_REGIONAL_PUBLIC_URL = https://eu.mcp.indykite.com | https://us.mcp.indykite.com
MCP URL = MCP_REGIONAL_PUBLIC_URL/mcp/v1/<project_gid>
Requirements
- environment created on the IK platform:
project,application,application agent,application agent credentials,token introspect configuration.
- project gid
- data captured, KBAC policy created, ContXIQ policy and Knowledge query created
Access
The server needs 2 layers of authorization:
- X-IK-ClientKey Api Key with AppAgent token as value.
- Create an AppAgent token with a short time validity only to access the MCP server with at least Authorization and ContXIQ Api permissions.
- The Api Key is used to access the platform.
- Oauth 2 Authorization Bearer token.
- Create a Bearer token using an allowed issuer
- The Bearer token will be introspected following the Token Introspect configuration corresponding to the issuer.
- To create a Token Introspect configuration: https://openapi.indykite.com/api-documentation-config#POST/token-introspects
- The Bearer token is used as the subject in the MCP requests.
Example to create AppAgent credentials with a token and to create a Token Introspect configuration: https://developer.indykite.com/resources/environment-1
The server sends JSON-RPC requests via HTTP POST to a single MCP endpoint
The server may create a session and return Mcp-Session-Id on initialize; the client must then include it on subsequent calls
The server implements the OAuth 2.0 Protected Resource Metadata (RFC9728); to indicate the locations of authorization servers.
The MCP server uses the official GO SDK https://github.com/modelcontextprotocol/go-sdk : so we can also use the GO SDK client to access it.
MCP process
MCP Endpoints calls with HTTP
- MCP initialization
curl -v -i -X POST <MCP_URL>/mcp/v1/<project_gid>
-H "Content-Type: application/json"
-H "Authorization: Bearer $BEARER_TOKEN"
-H "X-IK-ClientKey: $API_KEY"
-d '{
"jsonrpc": "2.0",
"id": 1,
"method": "initialize",
"params": {
"protocolVersion": "2025-11-25",
"capabilities": {},
"clientInfo": {"name": "curl", "version": "1.0"}
}
}'
->returns Mcp-Session-Id
- Request without $BEARER_TOKEN
curl -v -i -X POST <MCP_URL>/mcp/v1/<project_gid>
-H "Content-Type: application/json"
-H "X-IK-ClientKey: $API_KEY"
-d '{
"jsonrpc": "2.0",
"id": 1,
"method": "initialize",
"params": {
"protocolVersion": "2025-11-25",
"capabilities": {},
"clientInfo": {"name": "curl", "version": "1.0"}
}
}' -> returns 401 Unauthorized
->returns .well-known/oauth-protected-resource
Contact IndyKite to have your providers and scopes for each project added into the .well-known/oauth-protected-resource file.
- Check MCP initialized
curl -v -i -X POST <MCP_URL>/mcp/v1/<project_gid>
-H "Content-Type: application/json"
-H "Authorization: Bearer $BEARER_TOKEN"
-H "X-IK-ClientKey: $API_KEY"
-H "Mcp-Session-Id: $SESSION_ID"
-d '{
"jsonrpc": "2.0",
"id": 1,
"method": "notifications/initialized",
"params": {
"protocolVersion": "2025-11-25",
"capabilities": {},
"clientInfo": {"name": "curl", "version": "1.0"}
}
}'
- MCP list resources
curl -v -i -X POST <MCP_URL>/mcp/v1/<project_gid>
-H "Content-Type: application/json"
-H "Authorization: Bearer $BEARER_TOKEN"
-H "X-IK-ClientKey: $API_KEY"
-H "Mcp-Session-Id: $SESSION_ID"
-d '{
"jsonrpc": "2.0",
"id": 2,
"method": "resources/list",
"params": {}
}'
- MCP list tools
curl -v -i -X POST <MCP_URL>/mcp/v1/<project_gid>
-H "Content-Type: application/json"
-H "Authorization: Bearer $BEARER_TOKEN"
-H "X-IK-ClientKey: $API_KEY"
-H "Mcp-Session-Id: $SESSION_ID"
-d '{
"jsonrpc": "2.0",
"id": 3,
"method": "tools/list",
"params": {}
}'- Knowledge Queries list resource
# BASE_URL= https://eu.api.indykite.com or https://us.api.indykite.com
curl -v -i -X POST <MCP_URL>/mcp/v1/<project_gid>
-H "Content-Type: application/json"
-H "Authorization: Bearer $BEARER_TOKEN"
-H "X-IK-ClientKey: $API_KEY"
-H "Mcp-Session-Id: $SESSION_ID"
-d '{
"jsonrpc": "2.0",
"id": 4,
"method": "resources/read",
"params": {
"uri": "indykite://knowledge-queries/"
}
}'
-> returns list of ids and descriptions with all the information necessary for an agent to know how to call the CIQ execute tools, written in an agent-friendly way.
- AuthZEN evaluation tool
# BASE_URL= https://eu.api.indykite.com or https://us.api.indykite.com
# random values to adapt in arguments
# subject_id is Bearer token sub
curl -v -i -X POST <MCP_URL>/mcp/v1/<project_gid>
-H "Content-Type: application/json"
-H "Authorization: Bearer $BEARER_TOKEN"
-H "X-IK-ClientKey: $API_KEY"
-H "Mcp-Session-Id: $SESSION_ID"
-H "X-IndyKite-Base-URL: $BASE_URL"
-d '{
"jsonrpc": "2.0",
"id": 5,
"method": "tools/call",
"params": {
"name": "authzen_evaluate",
"arguments": {
"subject_type": "Person",
"subject_id": "alice",
"resource_type": "Car",
"resource_id": "cadillacv16",
"action_name": "CAN_DRIVE"
}
}
}'
- AuthZEN evaluations tool
# BASE_URL= https://eu.api.indykite.com or https://us.api.indykite.com
# random values to adapt in arguments
# subject_id is Bearer token sub
curl -v -i -X POST <MCP_URL>/mcp/v1/<project_gid>
-H "Content-Type: application/json"
-H "Authorization: Bearer $BEARER_TOKEN"
-H "X-IK-ClientKey: $API_KEY"
-H "Mcp-Session-Id: $SESSION_ID"
-H "X-IndyKite-Base-URL: $BASE_URL"
-d '{
"jsonrpc": "2.0",
"id": 6,
"method": "tools/call",
"params": {
"name": "authzen_evaluations",
"arguments": {
"subject_type": "user",
"subject_id": "user-123",
"evaluations": [
{"action": {"name": "read"}, "resource": {"type": "doc", "id": "doc1"}},
{"action": {"name": "write"}, "resource": {"type": "doc", "id": "doc2"}}
]
}
}
}'
- AuthZEN search resource tool
# BASE_URL= https://eu.api.indykite.com or https://us.api.indykite.com
# random values to adapt in arguments
# subject_id is Bearer token sub
curl -v -i -X POST <MCP_URL>/mcp/v1/<project_gid>
-H "Content-Type: application/json"
-H "Authorization: Bearer $BEARER_TOKEN"
-H "X-IK-ClientKey: $API_KEY"
-H "Mcp-Session-Id: $SESSION_ID"
-H "X-IndyKite-Base-URL: $BASE_URL"
-d '{
"jsonrpc": "2.0",
"id": 7,
"method": "tools/call",
"params": {
"name": "authzen_search_resource",
"arguments": {
"subject_type": "User",
"subject_id": "user-123",
"action_name": "READ",
"resource_type": "Document"
}
}
}'
- AuthZEN search action tool
# BASE_URL= https://eu.api.indykite.com or https://us.api.indykite.com
# random values to adapt in arguments
# subject_id is Bearer token sub
curl -v -i -X POST <MCP_URL>/mcp/v1/<project_gid>
-H "Content-Type: application/json"
-H "Authorization: Bearer $BEARER_TOKEN"
-H "X-IK-ClientKey: $API_KEY"
-H "Mcp-Session-Id: $SESSION_ID"
-H "X-IndyKite-Base-URL: $BASE_URL"
-d '{
"jsonrpc": "2.0",
"id": 8,
"method": "tools/call",
"params": {
"name": "authzen_search_action",
"arguments": {
"subject_type": "User",
"subject_id": "user-123",
"resource_type": "Document",
"resource_id": "doc-456"
}
}
}'
- CIQ (ContX IQ) execution tool
# BASE_URL= https://eu.api.indykite.com or https://us.api.indykite.com
# random keys/values to adapt in input_params
curl -v -i -X POST <MCP_URL>/mcp/v1/<project_gid>
-H "Content-Type: application/json"
-H "Authorization: Bearer $BEARER_TOKEN"
-H "X-IK-ClientKey: $API_KEY"
-H "Mcp-Session-Id: $SESSION_ID"
-H "X-IndyKite-Base-URL: $BASE_URL"
-d '{
"jsonrpc": "2.0",
"id": 9,
"method": "tools/call",
"params": {
"name": "ciq_execute",
"arguments": {
"id": "<knowledge_query_id>,
"input_params": {"license": "AL98745", "app_external_id": "applicationParking"}
}
}
}'