https://mcp.<org-slug>.armature.tech/<source-slug> that wraps your product API.
If you have not yet read Product MCP overview, start there for the concepts.
Prerequisites
Before you begin, make sure you have:- An HTTPS base URL for your product API. Plain
http://is rejected except forlocalhostduring local development. - An OpenAPI document (JSON, up to 6 MB) describing the operations you want to expose as MCP tools.
- A validation endpoint on the same origin as your base URL — ideally a “who am I” or token-introspection route that returns
2xxfor valid credentials and401/403for invalid ones. You can skip this only if you accept the security trade-off ofpresence_onlymode. - The editor, admin, or owner role on your Armature organization.
1. Create the Product MCP
Open the Product MCPs page
In the dashboard sidebar, select Product MCPs, then click New Product MCP.
Name your endpoint
Enter a descriptive name (for example,
Acme Public API) and a slug. The slug becomes the path on your public MCP URL — pick lowercase letters, digits, hyphens, or underscores, 2–80 characters.The dashboard previews the public URL as you type:Enter your base URL
Paste the base URL of your product API, for example
https://api.acme.example.com. Armature forwards tool calls to paths under this origin.2. Upload your OpenAPI document
Armature parses your OpenAPI document into MCP tools, capability descriptions, and a search index that callers use to discover the operations you expose.Upload the OpenAPI JSON
Select your OpenAPI document (up to 6 MB). Armature validates it on upload and rejects malformed documents with a clear error.
0, check the warnings — usually a missing operationId, an unsupported request body, or an unreachable $ref.
3. Configure the API Connection
The API Connection controls how the caller’s product credential reaches your MCP endpoint and how Armature forwards it upstream.Choose where the caller sends the credential
Pick the credential location and credential name:Then pick the token format:
- Header (default)
- Query parameter
Callers send the credential in an HTTP header. The default name is
Authorization for bearer format and X-API-Key for raw format. Change the name to match how your customers already authenticate against your product.bearer— the value must include theBearerscheme. Anything else returns401 product_mcp_credential_malformed.raw— the value is forwarded as-is.
Choose how Armature forwards the credential upstream
- Same — Armature forwards the credential to your upstream API in the same location, name, and format the caller used. This is the right default when your MCP authentication is the same as your product API authentication.
- Custom — remap to a different header or query name and/or strip the
Bearerprefix. Use this when your product API expects, for example,X-API-Key: <raw>even though callers sendAuthorization: Bearer <raw>to the MCP endpoint.
Pick a validation mode
validate_before_tools(recommended) — enter a validation endpoint on the same origin as your base URL. Armature calls it with the caller’s credential before servingtools/listor any tool call.2xxmeans valid;401/403means invalid; network failure or5xxfails closed with503.presence_only— accept any well-formed credential without validating. Enabling this requires checking the security-risk acknowledgment in the dashboard.
Example: same forwarding with bearer tokens
Authorization: Bearer <token> to the MCP endpoint. Armature validates against /v1/me, and on every tool call forwards the same header to your upstream API.
Example: custom remapping
Authorization: Bearer <token> to MCP. Armature unwraps the Bearer prefix and forwards the raw token upstream as X-API-Key: <token>.
4. Activate the endpoint
Once API docs shows at least one capability and API Connection is configured, the Activate button on the detail page becomes available. Click it to publish. The status moves to Live and the public MCP URL begins serving traffic. Pause at any time by clicking Pause — paused endpoints return403 until you resume them.
What callers see
A connected MCP client sees:tools/list— one tool per OpenAPI operation, with arguments derived from the operation’s parameters and request body schema.tools/call— Armature executes the operation against your base URL, forwarding the caller’s credential.- A
WWW-Authenticatechallenge advertising the same header or query parameter you configured. A compliant MCP client knows to attach the right credential without any Armature-specific OAuth flow.
Runtime health and security
The detail page surfaces two ongoing signals:- Runtime health — requests in the last 24 hours, broken down by outcome. Useful for confirming traffic and spotting upstream errors.
- Security warning — present whenever the endpoint is configured for
presence_onlyvalidation. Switch tovalidate_before_toolsto clear it.