Documentation Index
Fetch the complete documentation index at: https://docs.roe-ai.com/llms.txt
Use this file to discover all available pages before exploring further.
What is MCP?
The Model Context Protocol (MCP) is an open
standard that lets AI assistants connect to external tools and data sources in
a secure, structured way. Roe AI exposes your agents, policies, jobs, and table
utilities as MCP tools that ChatGPT, Claude, Cursor, Claude Code, and Codex can
call directly.
Once configured, you can ask your assistant to “list my Roe agents” or
“run the merchant-risk agent against this URL”, and it will invoke the live
Roe AI API on your behalf through Roe’s hosted MCP endpoint.
How it works
Roe AI hosts a streamable-HTTP MCP server. The MCP host determines which Roe
backend is used:
| Deployment | MCP URL | Roe API used by the MCP server |
|---|
| Roe cloud | https://mcp.roe-ai.com/mcp | https://api.roe-ai.com |
| Single tenant | https://mcp.<tenant>.roe-ai.com/mcp | https://api.<tenant>.roe-ai.com |
Authorization: Bearer <access_token> headers on MCP calls.
The MCP server verifies the token issuer, audience, expiry, and mcp.tools
scope before it calls Roe APIs.
Cloud clients such as ChatGPT apps and Claude custom connectors connect from
their provider’s infrastructure, not from your laptop. Use the public HTTPS MCP
URL for those clients; localhost and private/VPN-only hosts are only useful
for local development clients.
API-key headers are still supported for private deployments and debugging. In
that mode, org isolation is enforced by the Roe API key and
X-Roe-Organization-Id. X-Roe-API-Base-URL is optional when you connect to the
correct MCP host; use it only when an operator explicitly asks you to override
the backend for a test.
Connection values
OAuth clients usually need only the MCP URL:
| Value | Where to get it |
|---|
| MCP URL | https://mcp.roe-ai.com/mcp for Roe cloud, or https://mcp.<tenant>.roe-ai.com/mcp for a single-tenant deployment |
| Value | Header | Where to get it |
|---|
| API key | Authorization: Bearer <key> | app.roe-ai.com/settings/api-keys or the matching single-tenant app |
| Org ID | X-Roe-Organization-Id: <uuid> | Settings → Organization in the same Roe app that minted the key |
| Backend override | X-Roe-API-Base-URL: https://api.<tenant>.roe-ai.com | Optional. Use only for explicit test routing; the normal hosted/ST MCP URL already selects the right API. |
401 X-Roe-Organization-Id header required. if
the org id is missing in API-key mode. OAuth mode does not require this header
because the org is encoded into the access token during consent.
Setup
Every client connects to the same hosted MCP URL and authenticates with OAuth —
no API key required. Use https://mcp.roe-ai.com/mcp for Roe cloud, or
https://mcp.<tenant>.roe-ai.com/mcp for a single-tenant deployment. The first
time you connect, a browser window opens the Roe consent screen; approve it once
and the client stores the token.
ChatGPT (web)
ChatGPT (desktop app)
Claude (web)
Claude Desktop
Claude Code
Codex
Cursor
Connect Roe as a remote MCP connector in ChatGPT on the web (chatgpt.com).
- Open Settings → Connectors. On Plus/Pro, enable Developer mode
(Settings → Connectors → Advanced) to add custom connectors; on
Business/Enterprise, a workspace admin manages connectors.
- Click Create (or Add custom connector).
- Name it
Roe AI and set the MCP server URL to
https://mcp.roe-ai.com/mcp (or https://mcp.<tenant>.roe-ai.com/mcp).
- Keep authentication on OAuth. ChatGPT discovers Roe’s authorization
metadata and registers automatically (dynamic client registration + PKCE).
- Click Connect and complete the Roe consent flow in the browser.
- In a chat, open the + / tools menu, enable Roe AI, and ask it to
run a tool.
Connectors are tied to your ChatGPT account, so one added on the web is also
available in the desktop app. The ChatGPT desktop app (macOS/Windows) shares connectors with your account.
- Open the ChatGPT app → your profile → Settings → Connectors.
- If you already added Roe on the web, it appears here — confirm it’s
connected. Otherwise click Create / Add custom connector.
- Set the MCP server URL to
https://mcp.roe-ai.com/mcp (or
https://mcp.<tenant>.roe-ai.com/mcp), keep OAuth, and click Connect.
- Complete the Roe consent flow in the browser window that opens.
- Enable Roe AI from the tools menu in a chat to use the tools.
Use Claude’s custom connector flow on claude.ai.
- Open Settings → Connectors.
- Click Add custom connector.
- Enter the Roe MCP URL:
https://mcp.roe-ai.com/mcp (or
https://mcp.<tenant>.roe-ai.com/mcp).
- Click Add, then Connect, and complete the Roe OAuth flow.
On Team/Enterprise, an Owner first adds the connector under organization
connector settings; members then connect it individually from their own
Settings → Connectors. Claude Desktop uses the same remote-connector UI as claude.ai.
- Open Claude Desktop → Settings → Connectors.
- Click Add custom connector.
- Enter
https://mcp.roe-ai.com/mcp (or https://mcp.<tenant>.roe-ai.com/mcp).
- Click Add → Connect and complete the Roe OAuth flow.
Add Roe’s hosted MCP through the Connectors UI, not
claude_desktop_config.json. That config file is only for local (stdio) MCP
servers, not remote OAuth servers.
Add the server from your terminal:claude mcp add --transport http roe https://mcp.roe-ai.com/mcp
claude mcp add --transport http roe https://mcp.<tenant>.roe-ai.com/mcp
/mcp, pick the roe server, and complete the
browser OAuth flow. For richer guidance — sync vs async runs, job-status codes,
and destructive-tool handling — install the Claude Code skill
below. Register Roe as a streamable-HTTP MCP server and log in:codex mcp add roe --url https://mcp.roe-ai.com/mcp
codex mcp login roe --scopes mcp.tools
codex mcp add roe --url https://mcp.<tenant>.roe-ai.com/mcp
codex mcp login roe --scopes mcp.tools
~/.codex/config.toml directly:[mcp_servers.roe]
url = "https://mcp.roe-ai.com/mcp"
scopes = ["mcp.tools"]
oauth_resource = "https://mcp.roe-ai.com/mcp"
[mcp_servers.roe]
url = "https://mcp.<tenant>.roe-ai.com/mcp"
scopes = ["mcp.tools"]
oauth_resource = "https://mcp.<tenant>.roe-ai.com/mcp"
codex; check auth status with codex mcp list. Edit ~/.cursor/mcp.json (create it if missing):{
"mcpServers": {
"roe": {
"url": "https://mcp.roe-ai.com/mcp"
}
}
}
{
"mcpServers": {
"roe": {
"url": "https://mcp.<tenant>.roe-ai.com/mcp"
}
}
}
headers block with
Authorization and X-Roe-Organization-Id instead. Don’t use API-key headers
against an OAuth-enabled deployment unless your Roe operator tells you to. App and connector submission checklist
Before submitting Roe MCP as a ChatGPT app or Claude connector, test the public
hostname that users will actually enter:
| Check | Expected result |
|---|
GET https://mcp.roe-ai.com/healthz | 200 ok |
GET https://mcp.roe-ai.com/readyz | {"ready": true} |
GET https://mcp.roe-ai.com/.well-known/oauth-protected-resource | JSON with resource, authorization_servers, bearer_methods_supported: ["header"], and scopes_supported: ["mcp.tools"] |
GET https://app.roe-ai.com/.well-known/oauth-authorization-server | OAuth authorization-server metadata |
Unauthenticated POST https://mcp.roe-ai.com/mcp | 401 invalid_token plus a WWW-Authenticate challenge containing resource_metadata |
| OAuth connect | Browser redirects to Roe, consent succeeds, and the client receives an access token |
| Authenticated MCP smoke | initialize, tools/list, and whoami succeed |
mcp.roe-ai.com and app.roe-ai.com
with mcp.<tenant>.roe-ai.com and app.<tenant>.roe-ai.com.
Verifying the connection
After setup, ask your assistant:
“Use the Roe whoami tool to confirm the connection.”
A successful response returns your user_id, org_id, email, and source.
For OAuth connections, source is mcp-oauth. For API-key connections,
source is mcp-bearer. If you see an authentication error instead, see
troubleshooting below.
For a transport-level check, see the smoke test.
The MCP server wraps the public Agents API,
Policies API, and table utilities. Tool descriptions are tuned for natural
language discovery, so clients can choose tools from prompts like “list my
agents” or “cancel this Roe job.”
| Module | Tools |
|---|
| Identity | whoami |
| Discovery | list_agent_engine_types, list_supported_models |
| Tables | upload_table |
| Agents (CRUD) | list_agents, get_agent, create_agent, update_agent, delete_agent, duplicate_agent |
| Agent versions | list_agent_versions, get_agent_version, get_current_agent_version, create_agent_version, update_agent_version, delete_agent_version |
| Runs | run_agent (sync, ≤25s), trigger_agent_run (async, returns job_id) |
| Jobs | get_agent_job_status, get_agent_job_result, cancel_agent_job, download_job_reference, agents_jobs_delete_data_create |
| Policies | list_policies, get_policy, create_policy, update_policy, delete_policy, list_policy_versions, get_policy_version, create_policy_version, update_policy_version |
| Batch | run_agents_batch (use when N ≥ 3), get_agent_jobs_status_batch, get_agent_jobs_result_batch, cancel_all_agent_jobs |
get_agent_job_status returns the raw integer from roe.models.job.JobStatus:
0 PENDING, 1 STARTED, 2 RETRY, 3 SUCCESS, 4 FAILURE, 5 CANCELLED,
6 CACHED. Terminal set is {3, 4, 5, 6}.
Smoke test
The MCP streamable-HTTP transport is session-oriented, so tools/list alone
returns 400 Missing session ID. You need three POSTs: initialize to mint
a session, notifications/initialized to acknowledge, then tools/list.
OAuth clients handle the bearer token for you. To inspect the public OAuth
metadata manually:
curl https://mcp.roe-ai.com/.well-known/oauth-protected-resource
curl https://app.roe-ai.com/.well-known/oauth-authorization-server
mcp.<tenant>.roe-ai.com and app.<tenant>.roe-ai.com.
For API-key mode, use the smoke below:
KEY="your-org-api-key"
ORG_ID="your-org-uuid"
URL="https://mcp.roe-ai.com/mcp"
HDRS=(-H "Authorization: Bearer $KEY"
-H "X-Roe-Organization-Id: $ORG_ID"
-H 'Content-Type: application/json'
-H 'Accept: application/json, text/event-stream')
# 1. Initialize and capture the session id from the response header.
SID=$(curl -sS -D - -o /dev/null "${HDRS[@]}" -X POST "$URL" \
-d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"smoke","version":"0"}}}' \
| awk 'tolower($1)=="mcp-session-id:"{print $2}' | tr -d '\r')
# 2. Acknowledge initialization (no response body expected).
curl -sS "${HDRS[@]}" -H "Mcp-Session-Id: $SID" -X POST "$URL" \
-d '{"jsonrpc":"2.0","method":"notifications/initialized"}'
# 3. List tools.
curl -sS "${HDRS[@]}" -H "Mcp-Session-Id: $SID" -X POST "$URL" \
-d '{"jsonrpc":"2.0","id":2,"method":"tools/list"}'
event: message SSE frame whose data: line is a
JSON-RPC body listing the registered Roe tools.
Useful prompts
Once connected, try:
Use Roe whoami to confirm the connection.
List my Roe agents and show the first 10 with their ids.
Run the merchant-risk agent asynchronously and poll until it finishes.
List my Roe policies and show the current version for each.
Upload this CSV to Roe tables, then create a run input that references it.
Claude Code skill
A Claude Code skill is
a small SKILL.md Claude Code reads on startup. Installing the Roe skill
teaches the model the correct headers, when to use run_agent vs
trigger_agent_run vs run_agents_batch, and how to interpret job status
codes — so you don’t have to repeat that context in every chat.
Save the block below to ~/.claude/skills/roe-mcp/SKILL.md and restart
Claude Code:
---
name: roe-mcp
description: Call Roe AI agents, policies, and jobs via the hosted Roe MCP server. TRIGGER when the user wants to "run a roe agent", "list my roe agents", interact with Roe policies, or any roe.ai task that maps to the Roe public API. SKIP for non-Roe MCP servers.
---
# Roe MCP skill
The Roe MCP server is registered as `roe` in Claude Code's MCP config.
Preferred auth is OAuth through `/mcp`; do not ask the user for a Roe API key
unless the deployment explicitly uses legacy API-key mode.
Hosted Roe uses `https://mcp.roe-ai.com/mcp`. Single-tenant Roe uses
`https://mcp.<tenant>.roe-ai.com/mcp`; the matching API backend is selected by
the MCP deployment. Never invent an organization id or tenant slug — ask the
user if it isn't already in context.
## Tool surface
- **Identity:** `whoami` — connection check; returns `{user_id, org_id, email, source}`.
- **Agents (CRUD):** `list_agents`, `get_agent`, `create_agent`, `update_agent`, `delete_agent`, `duplicate_agent`.
- **Agent versions:** `list_agent_versions`, `get_agent_version`, `get_current_agent_version`, `create_agent_version`, `update_agent_version`, `delete_agent_version`.
- **Runs:** `run_agent` (synchronous, ≤25s wall clock) or `trigger_agent_run` (returns `job_id`) + `get_agent_job_status` + `get_agent_job_result`.
- **Jobs:** `get_agent_job_status`, `get_agent_job_result`, `cancel_agent_job`, `download_job_reference`.
- **Policies:** `list_policies`, `get_policy`, `create_policy`, `update_policy`, `delete_policy`, `list_policy_versions`, `get_policy_version`, `create_policy_version`.
- **Batch (use when N ≥ 3):** `run_agents_batch`, `get_agent_jobs_status_batch`, `get_agent_jobs_result_batch`, `cancel_all_agent_jobs`.
## Run-mode decision tree
1. One run, expected under 25s → `run_agent`.
2. One run, longer than 25s or you want a job id → `trigger_agent_run`, poll `get_agent_job_status` until terminal, then `get_agent_job_result`.
3. Three or more runs of the same agent → `run_agents_batch`, then batch status/result tools.
## Job status
`get_agent_job_status` returns a raw integer from `roe.models.job.JobStatus`:
| Code | Name | Terminal? |
| --- | --- | --- |
| 0 | PENDING | no |
| 1 | STARTED | no |
| 2 | RETRY | no |
| 3 | SUCCESS | yes |
| 4 | FAILURE | yes |
| 5 | CANCELLED | yes |
| 6 | CACHED | yes |
Stop polling on `{3, 4, 5, 6}`. Anything else means keep polling.
## Error semantics
- `401 X-Roe-Organization-Id header required.` → an API-key config is missing the org-id header; fix the MCP client config, not the prompt.
- `401` with `resource_metadata` in `WWW-Authenticate` → OAuth is required or the OAuth token is invalid; ask the user to reconnect the Roe MCP server through the client's auth UI.
- `401` with any other body in API-key mode → bearer is wrong or revoked. Ask the user to mint a fresh key in Roe settings.
- `503` with `Retry-After` → upstream Roe AI is throttling. Back off for the advertised duration, then retry; do not treat as auth failure.
- Token-bucket rate limits are per user/org/tool for OAuth and per bearer/tool for API-key mode. When one bucket drains, the same user can still call other tools.
## Don'ts
- Don't paste OAuth tokens or API keys into the chat transcript; reference them as placeholders in config snippets.
- Don't call `delete_agent`, `delete_agent_version`, `delete_policy`, or `cancel_all_agent_jobs` without explicit user confirmation — they're destructive.
- Don't add `X-Roe-API-Base-URL` for normal OAuth connections. Use the correct MCP host instead: `mcp.roe-ai.com` or `mcp.<tenant>.roe-ai.com`.
Rate limits and errors
- OAuth token buckets are keyed by user, org, and tool; API-key buckets are
keyed by bearer and tool. When a bucket drains, the server returns a
structured
rate_limited error with a Retry-After header.
- Upstream Roe AI
429 responses map to MCP-level 503 with Retry-After,
so well-behaved clients back off rather than treating the response as
token invalidation.
- A
401 in OAuth mode should include a WWW-Authenticate challenge with
resource_metadata; reconnect the server through the client auth UI.
- A
401 in API-key mode means either the bearer is wrong/revoked or the
X-Roe-Organization-Id header is missing. Mint a fresh key — or fix the
header — and retry.
Troubleshooting
| Symptom | Fix |
|---|
| Client shows no Roe tools after editing config | Restart the client. MCP config is loaded once at startup. |
401 with resource_metadata | Reconnect the Roe MCP server through the client’s OAuth UI. |
401 X-Roe-Organization-Id header required. | API-key mode only: add the X-Roe-Organization-Id header to your client config. Find the UUID under Settings → Organization in the matching Roe app. |
401 Unauthorized (other API-key body) | Verify the key in Roe settings; the key must not be revoked and must belong to the same backend as the org id. |
| Tool calls hit the wrong tenant | Use https://mcp.<tenant>.roe-ai.com/mcp for single-tenant OAuth. In API-key mode, the bearer, org id, and optional backend override must all come from the same tenant. |
503 Service Unavailable with Retry-After | Upstream Roe AI is throttling or briefly unreachable. Back off and retry. |
| Want to inspect raw tool calls | Run the MCP Inspector: npx @modelcontextprotocol/inspector and point it at https://mcp.roe-ai.com/mcp. Use the inspector’s OAuth flow for normal deployments, or API-key headers for private API-key mode. |
Need help?
Email support@roe-ai.com.
