Two directions, one platform
The same MCP fluency works outbound and inbound — expose what you build, and keep a graded catalog of what you consume.
Serve your specs
Apiome runs a read-only MCP server that lists, searches, and returns your published OpenAPI straight from Postgres — so assistants and automation work from the same specs your teams ship in Studio.
Catalog the servers you use
Import any external MCP server, discover its full capability surface, version and grade it, and publish the best ones to a public catalog anyone can browse.
How it fits together
MCP hosts connect over stdio or HTTP. The server uses a shared async Postgres pool; public rows come from published public revisions, and scoped MCP API keys unlock in-tenant private published content according to key scope.
Visibility & keys
Anonymous callers see the public catalog. Bearer tokens (HTTP) or metadata secrets (stdio) map to MCP API keys with tenant/project scope stored hashed in the database.
Full-text & semantic search
Keyword search uses Postgres full-text ranking. Semantic search uses pgvector where embeddings are backfilled, with an OpenAI-compatible embedding endpoint configured on the server.
Spec-shaped tools
Pull whole OpenAPI documents or drill into operations and components — designed for agents that need structured fragments, not a wall of YAML.
Transports
stdio
Local MCP hosts (Claude Desktop, MCP Inspector, Cursor). Credentials can travel in tool call metadata when the host supports it.
Streamable HTTP
Remote endpoint at /mcp with Bearer tokens per request. Binds with APIOME_MCP_HTTP_HOST / PORT (or CLI flags). Health at GET /health.
Tools exposed to hosts
Names follow the spec.* and project.* conventions from the server implementation.
Catalog & discovery
- ping — service id, version, Postgres reachability
- spec.list — cursor-paginated published specs (public catalog; optional private scope with API key)
- project.list — distinct projects visible to the caller
- spec.list_my_specs — same shape as spec.list; requires MCP API key
- spec.describe — metadata for one revision UUID
- spec.list_tags — public tags with counts
Search & retrieval
- spec.search — full-text search over public specs (ranked, paginated)
- spec.search_semantic — vector similarity when embeddings are configured (OpenAI-compatible endpoint)
- spec.get_openapi — full OpenAPI JSON for a revision
- spec.export_yaml — same bundle as YAML text
Operations & components
- spec.list_operations — compact index of paths and methods
- spec.describe_operation — parameters, body, responses, security
- spec.list_components — component keys by kind
- spec.describe_component — single component with $ref expansion
Catalog & monitor the MCP servers you use
Import an external MCP server and Apiome discovers its entire capability surface, runs three complementary lint engines, records a graded, versioned snapshot, and keeps it current on a schedule — turning a sprawl of endpoints into an inventory you can trust.
Import any MCP endpoint
Add a server by URL over Streamable HTTP, Server-Sent Events (SSE), or stdio. Connect anonymously, or with a Bearer token, a custom header, or an OAuth 2.1 access token for protected servers.
Discover the full surface
One discovery run lists everything the server offers — tools, resources, resource templates, and prompts — with their schemas, captured as a structured catalog entry instead of a screenshot.
Versioned snapshots & diffs
Every discovery is fingerprinted. An unchanged surface is a no-op; when a server adds, removes, or changes a capability, a new version is recorded with an exact added / removed / modified diff.
Three lint engines, A–F grades
Every snapshot is scored by three independent scanners — surface lint, protocol conformance & agent readiness, and trust posture — each with its own A–F grade and evidence trail, so an unscanned check never looks like a clean pass.
Encrypted credentials
Secrets for protected servers are sealed with AES-256-GCM envelope encryption before they touch the database. The catalog stores ciphertext only — never a usable token.
Scheduled re-discovery
Set a per-server cadence and Apiome re-checks on its own, with exponential backoff on failure and automatic quarantine of an endpoint that keeps erroring — so your catalog stays current without babysitting.
Linting sources for every snapshot
Each engine answers a different question, keeps its own score and fingerprint, and writes separate evidence — so surface quality, protocol behaviour, and supply-chain posture never overwrite each other.
Surface lint
Deterministic checks over the discovered capability surface — naming, structure, schema completeness, descriptions, annotations, and security hygiene — so every tool, resource, template, and prompt is well-formed and well-described.
Protocol conformance & agent readiness
Did the server behave like an MCP server on the wire, and can an agent actually use its tools safely? Covers version negotiation, capability honesty, JSON-RPC discipline, constrained parameters, and destructive-operation declarations.
Trust posture & supply chain
What the server is made of — metadata poisoning, linked source and SBOM, secrets and unsafe configs, dependency risk — mapped to the OWASP MCP Top 10, with static signals never labeled exploitable without proof.
Connect
Point Apiome at an MCP endpoint, pick the transport, and add credentials if the server is protected.
Discover
Apiome connects, lists every tool, resource, template, and prompt, and records a versioned snapshot.
Score & review
Surface lint, conformance, and trust posture each grade the snapshot A–F; changes are diffed against the prior version.
Publish
Mark a server public to list it in the public MCP catalog on the browser for anyone to discover.
Published to the public MCP catalog
Mark a cataloged server public and it joins the public MCP catalog on the Apiome browser — a credential-free directory where anyone can find quality servers by site, grade, and capability.
Grade-led, ranked by host
Published servers are grouped by host and led by their A–F grade and score (for example B · 82), so the highest-quality servers for each site surface first.
Capability counts at a glance
Each card shows what a server actually exposes — tool, resource, template, and prompt counts — before you ever open it.
Full-text capability search
Search tool, resource, and prompt names and descriptions across every published public server, ranked server-side, to find the exact capability you need.
api.example.com
Acme Weather
8 tools · 3 resources · 2 prompts
Ledger MCP
12 tools · 5 resources
Docs Search
4 tools · 1 prompt
Illustrative — endpoints grouped by host, led by grade.
Authentication
- HTTP: send
Authorization: Bearer …. Missing or non-Bearer requests run as anonymous where allowed. - stdio: hosts may pass secrets via tool-call metadata fields documented for MCP auth (for example authorization or api_key shaped fields).
- Keys are scoped with JSON tenant/project UUID lists; the server intersects scope with revision visibility before returning private documents.
Run it yourself
The MCP package ships in this monorepo as apiome-mcp. Configure APIOME_MCP_DATABASE_URL, APIOME_MCP_INTERNAL_SECRET, and optional embedding variables, then start apiome-mcp serve --transport stdio|http. Full env reference lives in the package CONFIGURATION doc.
Docker Compose at the repo root can bring up Postgres, migrations, and the MCP image for local integration testing.