Traditional MCP servers hand-pick a handful of endpoints and call it a day — locking you into whatever subset someone decided was "enough." Why settle for a fraction of an API when you can have all of it?
anyapi-mcp-server is a universal MCP server that connects any REST API to AI assistants like Claude, Cursor, and other LLM-powered tools — just point it at an OpenAPI spec or Postman collection. Every endpoint the API provides becomes available instantly, with GraphQL-style field selection and automatic schema inference. No custom server code, no artificial limits.
1. Install
npm install -g anyapi-mcp-server2. Add to your MCP client (Cursor, Claude Desktop, etc.)
{
"mcpServers": {
"your-api": {
"command": "npx",
"args": [
"-y",
"anyapi-mcp-server",
"--name", "your-api",
"--spec", "path/to/openapi.json",
"--base-url", "https://api.example.com",
"--header", "Authorization: Bearer ${API_KEY}"
],
"env": {
"API_KEY": "your-api-key"
}
}
}
}3. Use the tools — discover endpoints with list_api, inspect schemas with call_api, fetch data with query_api.
Ready-to-use configurations for popular APIs:
| Provider | Auth |
|---|---|
| Cloudflare | API Token or Key + Email |
| Datadog | API Key + App Key |
| GitHub | Personal Access Token |
| Google Workspace | OAuth 2.0 |
| Metabase | API Key |
| PostHog | Personal API Key |
| Slack | Bot/User Token |
These work with any API that has an OpenAPI or Postman spec — the above are just examples. Stripe, Twilio, Shopify, HubSpot, and anything else with a REST API will work the same way.
| Flag | Description |
|---|---|
--name |
Server name (e.g. cloudflare) |
--spec |
Path or HTTPS URL to an OpenAPI spec (JSON/YAML) or Postman Collection. Remote URLs are cached locally. Supports ${ENV_VAR}. |
--base-url |
API base URL (e.g. https://api.example.com). Supports ${ENV_VAR}. |
| Flag | Description |
|---|---|
--header |
HTTP header as "Key: Value" (repeatable). Supports ${ENV_VAR} in values. |
--log |
Path to NDJSON request/response log. Sensitive headers are masked automatically. |
For APIs that use OAuth 2.0 instead of static tokens. If any of the three required flags is provided, all three are required. All flags support ${ENV_VAR}.
| Flag | Required | Description |
|---|---|---|
--oauth-client-id |
Yes* | OAuth client ID |
--oauth-client-secret |
Yes* | OAuth client secret |
--oauth-token-url |
Yes* | Token endpoint URL |
--oauth-auth-url |
No | Authorization endpoint (auto-detected from spec if available) |
--oauth-scopes |
No | Comma-separated scopes |
--oauth-flow |
No | authorization_code (default) or client_credentials |
--oauth-param |
No | Extra token parameter as key=value (repeatable) |
See the Google Workspace guide for a complete OAuth example.
The server exposes four tools (plus auth when OAuth is configured):
Discover what the API offers. Call with no arguments to see all categories, provide category to list endpoints in a tag, or search to find endpoints by keyword.
Makes a real HTTP request and returns the inferred GraphQL schema (SDL) — not the data itself. Use this to discover the response shape and get suggestedQueries you can copy into query_api. Also returns per-field token costs (fieldTokenCosts) and a dataKey for cache reuse. For PUT/PATCH requests, automatically creates a pre-write backup (returns backupDataKey). Supports bodyFile for large payloads and blocks requests with detected placeholder values.
Fetches data and returns only the fields you select via a GraphQL query. Supports both reads and writes (mutations for POST/PUT/DELETE/PATCH). Pass a dataKey from call_api to reuse cached data with zero HTTP calls.
# Read
{ items { id name status } _count }
# Write
mutation { post_endpoint(input: { name: "example" }) { id } }Key parameters:
maxTokens— token budget for the response (default 4000). Arrays are truncated to fit.dataKey— reuse cached data from a previouscall_apiorquery_apiresponse.jsonFilter— dot-path to extract nested values after the GraphQL query (e.g."data[].attributes.name").bodyFile— absolute path to a JSON file to use as request body (mutually exclusive withbody). Use for large payloads that can't be sent inline.skipBackup— skip the automatic pre-write backup for PUT/PATCH requests (default:false).
Returns spec documentation for an endpoint (parameters, request body schema, response codes) without making an HTTP request.
Only available when --oauth-* flags are configured. Manages the OAuth flow:
action: "start"— returns an authorization URL (or exchanges credentials forclient_credentials)action: "exchange"— completes the authorization code flow (callback is captured automatically)action: "status"— shows current token status
Tokens are persisted and refreshed automatically.
list_api → discover what's available
↓
explain_api → read the docs for an endpoint
↓
call_api → inspect the response schema (returns dataKey)
↓
query_api → fetch exactly the fields you need (pass dataKey for zero HTTP calls)
↓
query_api → re-query with different fields using the same dataKey
OpenAPI/Postman spec
│
▼
┌─────────┐ ┌─────────────┐ ┌──────────┐ ┌───────────┐
│list_api │ │ explain_api │ │ call_api │ │ query_api │
│(browse) │ │ (docs) │ │ (schema) │ │ (data) │
└─────────┘ └─────────────┘ └──────────┘ └───────────┘
│ │ no HTTP │ │
▼ ▼ request ▼ ▼
Spec index Spec index REST API call dataKey cache
(tags, (params, (with retry) hit → no HTTP
paths) responses, │ miss → fetch
body schema) ▼ │
Infer schema + ▼
return dataKey Execute GraphQL
+ token budget
truncation
- Any REST API — provide an OpenAPI (JSON/YAML) or Postman Collection v2.x spec as a file or URL
- Remote spec caching — HTTPS specs are fetched once and cached to
~/.cache/anyapi-mcp/ - GraphQL field selection — query only the fields you need from any response
- Schema inference — automatically builds GraphQL schemas from live API responses
- Multi-sample merging — samples up to 10 array elements for richer schemas
- Mutation support — write operations get typed GraphQL mutations from OpenAPI body schemas
- Smart suggestions —
call_apireturns ready-to-use queries based on the inferred schema - Response caching — filesystem-based cache with 5-min TTL;
dataKeytokens letquery_apireuse data with zero HTTP calls - Token budget —
query_apiacceptsmaxTokens(default 4000) and truncates array results to fit via binary search - Per-field token costs —
call_apireturns afieldTokenCoststree so the LLM can make informed field selections - Rate limit tracking — parses
X-RateLimit-*headers and warns when limits are nearly exhausted - Pagination detection — auto-detects cursor, next-page-token, and link-based pagination patterns in responses
- JSON filter —
query_apiaccepts ajsonFilterdot-path for post-query extraction (e.g."data[].name") - Retry with backoff — automatic retries for 429/5xx with exponential backoff and
Retry-Aftersupport - Multi-format — parses JSON, XML, CSV, and plain text responses
- Safe writes — PUT/PATCH requests automatically snapshot the resource before writing (
backupDataKey); placeholder values (e.g.PLACEHOLDER,TODO,file://) are detected and blocked before sending - File-based body —
bodyFileparameter accepts an absolute path to a JSON file, enabling large payloads that can't be sent inline - Rich errors — structured error messages with status-specific suggestions and spec context for self-correction
- OAuth 2.0 — Authorization Code (with PKCE) and Client Credentials flows with automatic token refresh
- Env var interpolation —
${ENV_VAR}in base URLs, headers, and spec paths - Request logging — optional NDJSON log with sensitive header masking
- OpenAPI 3.x (JSON or YAML)
- OpenAPI 2.0 / Swagger (JSON or YAML)
- Postman Collection v2.x (JSON)
Proprietary Non-Commercial. Free for personal and educational use. Commercial use requires written permission. See LICENSE for details.