Docs/MCP Server Guide

🤖

MCP Server Guide

Model Context Protocol · Connect AI agents to your workspace

WORK-X exposes an MCP-compatible HTTP server that lets AI agents — like Claude Desktop, custom LLM pipelines, or any MCP client — securely read and act on your project data using your identity.

What is MCP?

The Model Context Protocol (MCP) is an open standard for connecting AI models to external data sources and tools. Instead of copy-pasting context into every prompt, MCP lets your AI agent query live data from WORK-X directly.

🔐

Scoped tokens

Each token is bound to your user identity and only accesses what you can see.

📋

Task-aware

Agents can read your assigned tasks, update statuses, and log commit notes.

📜

Audit-logged

Every MCP action is written to the org audit log under the MCP category.

Token Types

There are two kinds of MCP tokens, depending on the scope of access you need:

Personal TokenProfile → MCP Agent Tokens

Bound to your user identity. The agent acts as you — it can only read tasks assigned to you, update their status, and create commit entries. Scopes: read:tasks, write:tasks, write:commits.

Org TokenSettings → MCP Tokens · requires mcp.manage

Org-scoped — the agent can query all projects, requirements, and tasks within your org. Broader access, suitable for org-wide automation pipelines. Requires Owner role to create.

Create a Personal MCP Token

Open your Profile

Click your avatar in the bottom-left sidebar. The Profile modal opens.

Scroll to MCP Agent Tokens

Find the 🔒 MCP Agent Tokens section below your avatar. Click + New.

Name the token and select scopes

Enter a descriptive name (e.g. Claude Desktop). Select the scopes your agent needs:

read:tasks — list and read your assigned tasks
write:tasks — update task status
write:commits — create commit history entries on tasks

Copy the token immediately

The token is shown once only — copy it right away and store it securely. It will never be displayed again.

🔑

Personal tokens require the mcp.create permission. By default all Members, Admins, and Owners have this. If you don't see the MCP section, ask your org Owner to sync system roles in Settings → Roles & Permissions → Sync Roles.

Connect Claude Desktop

Claude Desktop supports MCP via mcp-remote, a local stdio bridge that forwards to any HTTP MCP endpoint.

Find your MCP JSON-RPC endpoint

The MCP endpoint for your WORK-X instance is:

https://<your-instance>/api/mcp/rpc

For a local dev setup: http://localhost:4000/mcp/rpc

Edit claude_desktop_config.json

Open the Claude Desktop config file:

# macOS
~/Library/Application Support/Claude/claude_desktop_config.json

# Windows
%APPDATA%\Claude\claude_desktop_config.json

Add your MCP server under mcpServers:

{
  "mcpServers": {
    "work-x": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://<your-instance>/api/mcp/rpc",
        "--header",
        "Authorization: Bearer <your-personal-token>"
      ]
    }
  }
}

Restart Claude Desktop

Fully quit and relaunch Claude Desktop. In a new conversation, type 🔌 or click the MCP tools icon — you should see the WORK-X tools available.

💡

Claude will show a permission approval dialog the first time it tries to call a WORK-X tool. Click Allow to grant access for this session.

Connect Antigravity (Google DeepMind)

Antigravity is Google DeepMind's agentic AI coding assistant. It connects to MCP servers via mcp-remote, which proxies HTTP MCP endpoints through a local stdio bridge.

Find your mcp_config.json

Antigravity reads MCP servers from its config file located at:

~/.gemini/antigravity/mcp_config.json

Open the file (create it if it doesn't exist yet).

Add the WORK-X MCP server

Add a new entry under mcpServers. Pass your token via the --header flag:

{
  "mcpServers": {
    "work-x": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://<your-instance>/api/mcp/rpc",
        "--header",
        "Authorization: Bearer <your-personal-token>"
      ]
    }
  }
}

For a local dev setup:

{
  "mcpServers": {
    "work-x": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "http://localhost:4000/mcp/rpc",
        "--header",
        "Authorization: Bearer <your-personal-token>"
      ]
    }
  }
}

If you already have other MCP servers configured (e.g. figma-dev-mode-mcp-server), simply add work-x as an additional key alongside them.

Reload Antigravity

Restart or reload Antigravity. It will automatically spawn the mcp-remote bridge process and connect to your WORK-X instance. You'll see the WORK-X tools available in the tool palette.

🔌

JSON-RPC 2.0 over HTTP: The WORK-X MCP endpoint uses POST /api/mcp/rpc with standard JSON-RPC 2.0. The Authorization: Bearer header is the recommended auth method. A ?token= query param is also supported as a fallback.

Connect Any Client — JSON-RPC 2.0

WORK-X uses JSON-RPC 2.0 over HTTP — one endpoint, any language, no SDK required.

Endpoint

POST https://<your-instance>/api/mcp/rpc
Authorization: Bearer <your-mcp-token>
Content-Type: application/json

Discover available tools

# Request
curl -X POST https://<your-instance>/api/mcp/rpc \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"tools/list","id":1}'

# Response
{
  "jsonrpc": "2.0",
  "id": 1,
  "result": {
    "tools": [
      { "name": "listMyTasks", "scope": "read:tasks", "tokenType": "user", ... },
      { "name": "updateTaskStatus", "scope": "write:tasks", ... }
    ]
  }
}

Call a tool

# tools/call — execute a tool
curl -X POST https://<your-instance>/api/mcp/rpc \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "method": "tools/call",
    "params": {
      "name": "listMyTasks",
      "arguments": {}
    },
    "id": 2
  }'

Batch requests (optional)

Send multiple calls in one HTTP round-trip by wrapping them in a JSON array:

[
  {"jsonrpc":"2.0","method":"tools/call","params":{"name":"listMyTasks","arguments":{}},"id":1},
  {"jsonrpc":"2.0","method":"tools/call","params":{"name":"updateTaskStatus","arguments":{"taskId":"abc","status":"DONE"}},"id":2}
]

ℹ️

Error format — errors follow the JSON-RPC 2.0 spec: {"jsonrpc":"2.0","error":{"code":-32601,"message":"Method not found"},"id":1}. Standard codes: -32000 Unauthorized, -32001 Forbidden, -32601 Method not found.

Available Tools

The following tools are available to Personal Tokens:

listMyTasksread:tasks

Returns all tasks currently assigned to you across your accessible projects. Includes task ID, title, status, priority, and project info.

listTasksByReqread:tasks

Returns tasks linked to a specific requirement ID. Useful for querying what work items belong to a given feature or spec.

updateTaskStatuswrite:tasks

Updates the status of a task (TODO → IN_PROGRESS → IN_REVIEW → DONE). Only works on tasks assigned to you.

createCommitEntrywrite:commits

Creates a commit history entry on a task — logs a message, optional commit hash, and reason. Useful for AI agents to record what code changes were made.

The following additional tools are available to Org Tokens:

listProjectsread:tasks

Lists all active projects in the organization.

listTasksread:tasks

Lists tasks in a project, optionally filtered by status or assignee.

getTaskread:tasks

Returns the full detail of a task including description, comments, assignees, and linked requirements.

updateTaskwrite:tasks

Updates a task field — status, priority, assignee, or title.

listRequirementsread:requirements

Lists requirements in a project.

getRequirementread:requirements

Returns the full text content and metadata of a requirement.

Security & Best Practices

🔒

Use personal tokens for individual agents

Personal tokens are scoped to your identity. If an agent is compromised, it can only access your tasks — not the whole org.

📅

Set expiry dates

When creating a token you can set an expiry date. For CI/CD pipelines prefer short-lived tokens (e.g. 30 days) and rotate them.

🎯

Request minimal scopes

If your agent only needs to read tasks, don't grant write:tasks or write:commits. The principle of least privilege applies here.

🗑️

Revoke unused tokens

Revoke tokens the moment they're no longer needed. Go to Profile → MCP Agent Tokens → Revoke next to any active token.

👁️

Monitor the audit log

All MCP tool calls are logged in Insights → Audit Log under the MCP category. Review regularly for unexpected activity.

Troubleshooting

I don't see the MCP Agent Tokens section in my Profile

Your org's system roles may have been seeded before mcp.create was added. Ask your org Owner to go to Settings → Roles & Permissions and run Sync Roles. Then log out and back in.

Getting 401 Unauthorized

Double-check the token is copied correctly and prefixed with 'Bearer '. The token string should be 64 hex characters. If you lost the token, revoke it and create a new one.

Getting 403 Forbidden

The token doesn't have the required scope for this tool. Revoke the token and create a new one with the necessary scopes checked.

Tool calls return empty arrays

Personal tokens only return tasks assigned to you. If you have no assigned tasks, the result will be empty. Check your task assignments in the project Tasks tab.

Claude Desktop doesn't show WORK-X tools

Ensure you fully quit Claude Desktop (not just close the window). The config file must be valid JSON with no trailing commas. Check the Claude Desktop logs for MCP connection errors.

Back to Documentation