MCP server

Connect an AI coding agent to your Reqio project backlog over a remote, OAuth-authenticated MCP server.

Reqio exposes each project's backlog to AI coding agents through a remote Model Context Protocol (MCP) server. The server speaks Streamable HTTP, authenticates via OAuth 2.1 browser consent, and enforces your project's live membership rules on every tool call. No API key copying is required.

What agents can do

Once connected, an agent can read your feature backlog, change request statuses, write internal notes and comments, manage the private inbox, send project announcements, and administer widget config and team membership. The exact tools available depend on which OAuth scopes you grant and what your plan allows.

Read the full tool reference at Available tools.

How the server is built

Reqio runs the MCP server as a co-located Resource Server inside the same deployment as the dashboard (ADR 0004 Addendum B). There is no separate MCP host. The Authorization Server (OAuth consent, token issuance) and the Resource Server (MCP tools) both run at https://reqio.app.

This means:

  • One deployment to maintain.
  • The same Reqio URL in your agent config as the one you use to open the dashboard.
  • Token audience is derived from a server-side environment variable (MCP_PUBLIC_URL), not from inbound request headers, so a forged Host header cannot spoof the audience the server validates against.

Per-project endpoint

Each Reqio project gets its own MCP endpoint:

https://reqio.app/p/{projectId}/mcp

Replace {projectId} with the ID shown in your project settings. You can also copy the ready-made URL from Dashboard → Settings → Connected apps.

The project ID is the audience scope of the token. An access token issued for one project is rejected by every other project's endpoint. Cross-project access is structurally impossible, not just a policy rule.

Connect an agent

Step 1: Copy your MCP server URL

Open Dashboard → Settings → Connected apps and copy the MCP server URL for the project you want to connect.

Step 2: Add it to your agent's MCP config

Most MCP-capable agents (Claude Code, Cursor, Windsurf) accept an HTTP-type server entry. Add an entry similar to the following, using the actual project ID from your URL:

{
  "mcpServers": {
    "reqio": {
      "type": "http",
      "url": "https://reqio.app/p/proj_abc123/mcp"
    }
  }
}

Check your agent's documentation for the exact config file path and format.

When the agent first calls a Reqio tool, it will redirect a browser window to the Reqio consent screen. The screen shows:

  • The project being connected.
  • The client ID and redirect host of the agent (not a self-declared app name).
  • Each scope being requested, in plain English.

Approve the scopes you want to grant. The agent receives an access token and begins making tool calls immediately. You will never paste a token manually.

Plan gating and daily quota

Every tool call is metered against the project owner's plan. The quota resets at 00:00 UTC.

| Plan | Calls per day | Write access |
|---|---|---|
| Free | 25 | Read-only |
| Pro | 300 | Read and write |
| Business | 3000 | Read and write |

Write access means an agent can change statuses, post comments, manage inbox threads, send announcements, update widget config, and manage team members, subject to the OAuth scopes you granted and your role in the project.

On the Free plan, write-scope OAuth grants are blocked at consent time. An agent connected to a Free project can only read the backlog, inbox, widget config, and member list.

If the daily quota is reached, the server returns an MCP error with code QUOTA_EXCEEDED. The quota resets the next UTC day; no action is needed.

Security model

On every tool call, the server runs a fixed pipeline in order:

  1. Extract the Bearer token from the Authorization header.
  2. Look up the opaque token in the database and verify it is not expired or revoked.
  3. Check that the token's stored audience matches this project's resource URL.
  4. Verify the token includes the scope required by this tool.
  5. Call assertCan against live project membership for the acting user.
  6. Check the project owner's plan entitlement for write tools.
  7. Bind the referenced resource (feature, comment, conversation) to this project.
  8. Increment and check the daily quota.
  9. Execute the tool function.

Steps 2 through 8 are independent checks. Removing a project member immediately neuters their agent's authority -- no token revocation is needed -- because step 5 re-reads live membership on every call.
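The check order above, written out as an added example that is not Reqio's own code: the token store, membership table, feature index and quota counter are in-memory structures constructed here, and the scope names and every error code except QUOTA_EXCEEDED are assumptions. It also shows why a forged Host header cannot change the audience in step 3, and why removing a member fails the very next call without revoking the token.

```python
"""Per-call authorization pipeline (steps 2 to 8) for one project endpoint.
Example code only; the stores are plain dicts so it runs offline."""
import os
from dataclasses import dataclass

# As documented: audience is derived from MCP_PUBLIC_URL, never from the
# inbound Host header. The default is only so the example runs offline.
MCP_PUBLIC_URL = os.environ.get("MCP_PUBLIC_URL", "https://reqio.app")

# Plan -> (calls per day, write access), matching the plan table above.
PLAN_LIMITS = {"free": (25, False), "pro": (300, True), "business": (3000, True)}

@dataclass
class Token:
    audience: str      # resource URL the token was issued for
    scopes: frozenset  # scopes granted at consent time (names are assumed)
    user: str
    revoked: bool = False

@dataclass
class Project:
    project_id: str
    owner_plan: str
    members: dict      # user -> role; re-read on every call (step 5)
    features: dict     # feature id -> owning project id (step 7)
    quota_used: int = 0

def check_call(token: Token, project: Project, scope: str, is_write: bool,
               feature_id: str = "", host_header: str = "") -> str:
    """Return "OK" if the tool may run, else the error code the agent sees.
    host_header is accepted only to show it plays no part in step 3."""
    if token.revoked:                                  # step 2
        return "INVALID_TOKEN"
    expected = f"{MCP_PUBLIC_URL}/p/{project.project_id}/mcp"
    if token.audience != expected:                     # step 3
        return "AUDIENCE_MISMATCH"
    if scope not in token.scopes:                      # step 4
        return "INSUFFICIENT_SCOPE"
    if token.user not in project.members:              # step 5, live membership
        return "NOT_A_MEMBER"
    limit, can_write = PLAN_LIMITS[project.owner_plan]
    if is_write and not can_write:                     # step 6
        return "PLAN_FORBIDS_WRITE"
    if feature_id and project.features.get(feature_id) != project.project_id:
        return "RESOURCE_NOT_IN_PROJECT"                # step 7
    if project.quota_used >= limit:                    # step 8
        return "QUOTA_EXCEEDED"
    project.quota_used += 1
    return "OK"                                        # step 9 would run the tool
```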

User-submitted content (feature titles, comment bodies, conversation messages) is labeled as untrusted in every tool result to reduce prompt-injection risk. See Available tools for details.

Manage connected agents

Open Dashboard → Settings → Connected apps to see every active grant, the last time each agent called a tool, and a Revoke button that deletes the token row immediately.