MCP Server - Roe Documentation

What is MCP?

The Model Context Protocol (MCP) is an open standard that lets AI assistants connect to external tools and data sources in a secure, structured way. Roe exposes your agents, policies, jobs, and table utilities as MCP tools that ChatGPT, Claude, Cursor, Claude Code, and Codex can call directly. Once configured, you can ask your assistant to “list my Roe agents” or “run the merchant-risk agent against this URL”, and it will invoke the live Roe API on your behalf through Roe’s hosted MCP endpoint.

How it works

Roe hosts a streamable-HTTP MCP server. The MCP host determines which Roe backend is used:

Deployment	MCP URL	Roe API used by the MCP server
Roe cloud	`https://mcp.roe-ai.com/mcp`	`https://api.roe-ai.com`
Single tenant	`https://mcp.<tenant>.roe-ai.com/mcp`	`https://api.<tenant>.roe-ai.com`

OAuth is the preferred connection mode. OAuth clients discover Roe’s authorization metadata from the MCP server, open the Roe consent flow, and then send short-lived Authorization: Bearer <access_token> headers on MCP calls. The MCP server verifies the token issuer, audience, expiry, and mcp.tools scope before it calls Roe APIs. You can also connect without OAuth using a Roe API key. Any client that lets you set custom request headers — Cursor, Claude Code, and Codex — sends Authorization: Bearer <api-key> plus X-Roe-Organization-Id: <org-uuid> on every call instead of running the consent flow. It’s a great fit for scripts, automations, and CI, or any time you’d rather manage a key yourself. See Connect with an API key (no OAuth) for per-client setup. ChatGPT and Claude connect through their built-in connector UIs, which use OAuth, so those clients always use OAuth. The MCP URL already points each connection at the right backend, so you never need to set X-Roe-API-Base-URL.

Connection values

OAuth clients usually need only the MCP URL:

Value	Where to get it
MCP URL	`https://mcp.roe-ai.com/mcp` for Roe cloud, or `https://mcp.<tenant>.roe-ai.com/mcp` for a single-tenant deployment

API-key clients (Cursor, Claude Code, Codex) set these headers instead — see Connect with an API key (no OAuth):

Value	Header	Where to get it
API key	`Authorization: Bearer <key>`	app.roe-ai.com/settings/api-keys or the matching single-tenant app
Org ID	`X-Roe-Organization-Id: <uuid>`	Settings → Organization in the same Roe app that minted the key

In API-key mode both headers are required; OAuth mode needs neither, because the org is encoded into the access token when you sign in.

Setup

Every client connects to the same hosted MCP URL and signs in with OAuth — no API key required. Use https://mcp.roe-ai.com/mcp for Roe cloud, or https://mcp.<tenant>.roe-ai.com/mcp for a single-tenant deployment. The first time you connect, a browser window opens the Roe sign-in screen; approve it once and you’re ready to use the tools — the client remembers you from then on.

Connect Roe as a remote MCP connector in ChatGPT on the web (chatgpt.com).

Open Settings → Connectors. On Plus/Pro, enable Developer mode (Settings → Connectors → Advanced) to add custom connectors; on Business/Enterprise, a workspace admin manages connectors.
Click Create (or Add custom connector).
Name it Roe and set the MCP server URL to https://mcp.roe-ai.com/mcp (or https://mcp.<tenant>.roe-ai.com/mcp).
Keep authentication on OAuth. ChatGPT discovers Roe’s authorization metadata and registers automatically (dynamic client registration + PKCE).
Click Connect and complete the Roe consent flow in the browser.
In a chat, open the + / tools menu, enable Roe, and ask it to run a tool.

Connectors are tied to your ChatGPT account, so one added on the web is also available in the desktop app.

The ChatGPT desktop app (macOS/Windows) shares connectors with your account.

Open the ChatGPT app → your profile → Settings → Connectors.
If you already added Roe on the web, it appears here — confirm it’s connected. Otherwise click Create / Add custom connector.
Set the MCP server URL to https://mcp.roe-ai.com/mcp (or https://mcp.<tenant>.roe-ai.com/mcp), keep OAuth, and click Connect.
Complete the Roe consent flow in the browser window that opens.
Enable Roe from the tools menu in a chat to use the tools.

Use Claude’s custom connector flow on claude.ai.

Open Settings → Connectors.
Click Add custom connector.
Enter the Roe MCP URL: https://mcp.roe-ai.com/mcp (or https://mcp.<tenant>.roe-ai.com/mcp).
Click Add, then Connect, and complete the Roe OAuth flow.

On Team/Enterprise, an Owner first adds the connector under organization connector settings; members then connect it individually from their own Settings → Connectors.

Claude Desktop uses the same remote-connector UI as claude.ai.

Open Claude Desktop → Settings → Connectors.
Click Add custom connector.
Enter https://mcp.roe-ai.com/mcp (or https://mcp.<tenant>.roe-ai.com/mcp).
Click Add → Connect and complete the Roe OAuth flow.

Add Roe through the Connectors UI, not claude_desktop_config.json — the Connectors flow is what handles the OAuth sign-in.

Add the server from your terminal:

claude mcp add --transport http roe https://mcp.roe-ai.com/mcp

For a single-tenant deployment:

claude mcp add --transport http roe https://mcp.<tenant>.roe-ai.com/mcp

Confirm it registered:

claude mcp list

In a Claude Code session, run /mcp, pick the roe server, and complete the browser OAuth flow. For richer guidance — sync vs async runs, job-status codes, and destructive-tool handling — install the Claude Code skill below.

codex mcp add roe --url https://mcp.roe-ai.com/mcp
codex mcp login roe --scopes mcp.tools

For a single-tenant deployment, use the tenant MCP URL in both commands:

codex mcp add roe --url https://mcp.<tenant>.roe-ai.com/mcp
codex mcp login roe --scopes mcp.tools

You can also edit ~/.codex/config.toml directly:

[mcp_servers.roe]
url = "https://mcp.roe-ai.com/mcp"
scopes = ["mcp.tools"]
oauth_resource = "https://mcp.roe-ai.com/mcp"

For a single-tenant deployment, set both URLs to the tenant MCP URL:

[mcp_servers.roe]
url = "https://mcp.<tenant>.roe-ai.com/mcp"
scopes = ["mcp.tools"]
oauth_resource = "https://mcp.<tenant>.roe-ai.com/mcp"

Restart codex; check auth status with codex mcp list.

Edit ~/.cursor/mcp.json (create it if missing):

{
  "mcpServers": {
    "roe": {
      "url": "https://mcp.roe-ai.com/mcp"
    }
  }
}

For a single-tenant deployment, use the tenant URL:

{
  "mcpServers": {
    "roe": {
      "url": "https://mcp.<tenant>.roe-ai.com/mcp"
    }
  }
}

Restart Cursor. The Roe tools appear in any new Agent or Composer chat under the MCP servers list. When Cursor prompts you to authenticate, complete the Roe OAuth flow in the browser.Prefer not to use OAuth? Add a headers block with your Roe API key instead — see Connect with an API key (no OAuth).

Connect with an API key (no OAuth)

OAuth is the smoothest option for most people, but if you’d rather use a key, any client that lets you set custom request headers can skip the sign-in flow and authenticate with a Roe API key plus your organization id. It’s a natural fit for scripts, automations, and CI. Both headers are required in this mode:

Header	Value	Where to get it
`Authorization`	`Bearer <api-key>`	app.roe-ai.com/settings/api-keys (or the matching single-tenant app)
`X-Roe-Organization-Id`	`<org-uuid>`	Settings → Organization in the same Roe app that minted the key

The API key and org id must come from the same backend you’re connecting to. On Roe cloud use https://mcp.roe-ai.com/mcp; on a single-tenant deployment use https://mcp.<tenant>.roe-ai.com/mcp and keys from that tenant. You don’t need X-Roe-API-Base-URL — the MCP host already selects the right backend.

ChatGPT and Claude’s remote-connector UIs don’t expose custom headers, so they can’t send X-Roe-Organization-Id and must use OAuth. API-key mode works with Cursor, Claude Code, and Codex.

Cursor
Claude Code
Codex

Edit ~/.cursor/mcp.json (create it if missing) and add a headers block:

{
  "mcpServers": {
    "roe": {
      "url": "https://mcp.roe-ai.com/mcp",
      "headers": {
        "Authorization": "Bearer your-org-api-key",
        "X-Roe-Organization-Id": "your-org-uuid"
      }
    }
  }
}

For a single-tenant deployment, use the tenant MCP URL and keys from that tenant:

{
  "mcpServers": {
    "roe": {
      "url": "https://mcp.<tenant>.roe-ai.com/mcp",
      "headers": {
        "Authorization": "Bearer your-org-api-key",
        "X-Roe-Organization-Id": "your-org-uuid"
      }
    }
  }
}

Restart Cursor. The Roe tools appear in any new Agent or Composer chat under the MCP servers list — no browser consent step, because the API key authenticates every call.

Pass both headers when you register the server:

claude mcp add --transport http roe https://mcp.roe-ai.com/mcp \
  --header "Authorization: Bearer your-org-api-key" \
  --header "X-Roe-Organization-Id: your-org-uuid"

For a single-tenant deployment, swap in the tenant MCP URL:

claude mcp add --transport http roe https://mcp.<tenant>.roe-ai.com/mcp \
  --header "Authorization: Bearer your-org-api-key" \
  --header "X-Roe-Organization-Id: your-org-uuid"

Confirm it registered with claude mcp list. Because the headers carry the API key, you can skip the /mcp OAuth login step.

Codex’s native MCP config sends at most a single bearer header, so bridge the two required headers through mcp-remote in ~/.codex/config.toml:

[mcp_servers.roe]
command = "npx"
args = [
  "-y",
  "mcp-remote",
  "https://mcp.roe-ai.com/mcp",
  "--header",
  "Authorization: Bearer your-org-api-key",
  "--header",
  "X-Roe-Organization-Id: your-org-uuid",
]

For a single-tenant deployment, replace the URL with https://mcp.<tenant>.roe-ai.com/mcp. Restart codex; the Roe tools load from the roe server without an OAuth login.

Confirm the connection with the API-key smoke test, or ask your assistant to run the Roe whoami tool — source comes back as mcp-bearer for API-key connections.

Verifying the connection

After setup, ask your assistant:

“Use the Roe whoami tool to confirm the connection.”

A successful response returns your user_id, org_id, email, and source. For OAuth connections, source is mcp-oauth. For API-key connections, source is mcp-bearer. If you see an authentication error instead, see troubleshooting below. For a transport-level check, see the smoke test.

Available tools

The MCP server wraps the public Agents API, Policies API, and table utilities. Tool descriptions are tuned for natural language discovery, so clients can choose tools from prompts like “list my agents” or “cancel this Roe job.”

Module	Tools
Identity	`whoami`
Discovery	`list_agent_engine_types`, `list_supported_models`
Tables	`upload_table`
Agents (CRUD)	`list_agents`, `get_agent`, `create_agent`, `update_agent`, `delete_agent`, `duplicate_agent`
Agent versions	`list_agent_versions`, `get_agent_version`, `get_current_agent_version`, `create_agent_version`, `update_agent_version`, `delete_agent_version`
Runs	`run_agent` (sync, ≤25s), `trigger_agent_run` (async, returns `job_id`)
Jobs	`get_agent_job_status`, `get_agent_job_result`, `cancel_agent_job`, `download_job_reference`, `agents_jobs_delete_data_create`
Policies	`list_policies`, `get_policy`, `create_policy`, `update_policy`, `delete_policy`, `list_policy_versions`, `get_policy_version`, `create_policy_version`, `update_policy_version`
Batch	`run_agents_batch` (use when N ≥ 3), `get_agent_jobs_status_batch`, `get_agent_jobs_result_batch`, `cancel_all_agent_jobs`

get_agent_job_status returns the raw integer from roe.models.job.JobStatus: 0 PENDING, 1 STARTED, 2 RETRY, 3 SUCCESS, 4 FAILURE, 5 CANCELLED, 6 CACHED. Terminal set is {3, 4, 5, 6}.

Smoke test

The MCP streamable-HTTP transport is session-oriented, so tools/list alone returns 400 Missing session ID. You need three POSTs: initialize to mint a session, notifications/initialized to acknowledge, then tools/list. OAuth clients handle the bearer token for you. To inspect the public OAuth metadata manually:

curl https://mcp.roe-ai.com/.well-known/oauth-protected-resource
curl https://app.roe-ai.com/.well-known/oauth-authorization-server

For a single-tenant deployment, replace both hosts with mcp.<tenant>.roe-ai.com and app.<tenant>.roe-ai.com. For API-key mode, use the smoke below:

KEY="your-org-api-key"
ORG_ID="your-org-uuid"
URL="https://mcp.roe-ai.com/mcp"
HDRS=(-H "Authorization: Bearer $KEY"
      -H "X-Roe-Organization-Id: $ORG_ID"
      -H 'Content-Type: application/json'
      -H 'Accept: application/json, text/event-stream')

# 1. Initialize and capture the session id from the response header.
SID=$(curl -sS -D - -o /dev/null "${HDRS[@]}" -X POST "$URL" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"smoke","version":"0"}}}' \
  | awk 'tolower($1)=="mcp-session-id:"{print $2}' | tr -d '\r')

# 2. Acknowledge initialization (no response body expected).
curl -sS "${HDRS[@]}" -H "Mcp-Session-Id: $SID" -X POST "$URL" \
  -d '{"jsonrpc":"2.0","method":"notifications/initialized"}'

# 3. List tools.
curl -sS "${HDRS[@]}" -H "Mcp-Session-Id: $SID" -X POST "$URL" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list"}'

Step 3 streams an event: message SSE frame whose data: line is a JSON-RPC body listing the registered Roe tools.

Useful prompts

Once connected, try:

Use Roe whoami to confirm the connection.
List my Roe agents and show the first 10 with their ids.
Run the merchant-risk agent asynchronously and poll until it finishes.
List my Roe policies and show the current version for each.
Upload this CSV to Roe tables, then create a run input that references it.

Claude Code skill

A Claude Code skill is a small SKILL.md Claude Code reads on startup. Installing the Roe skill teaches the model the correct headers, when to use run_agent vs trigger_agent_run vs run_agents_batch, and how to interpret job status codes — so you don’t have to repeat that context in every chat. Save the block below to ~/.claude/skills/roe-mcp/SKILL.md and restart Claude Code:

---
name: roe-mcp
description: Call Roe agents, policies, and jobs via the hosted Roe MCP server. TRIGGER when the user wants to "run a roe agent", "list my roe agents", interact with Roe policies, or any roe.ai task that maps to the Roe public API. SKIP for non-Roe MCP servers.
---

# Roe MCP skill

The Roe MCP server is registered as `roe` in Claude Code's MCP config.
Preferred auth is OAuth through `/mcp`; do not ask the user for a Roe API key
unless the deployment uses API-key mode.

Hosted Roe uses `https://mcp.roe-ai.com/mcp`. Single-tenant Roe uses
`https://mcp.<tenant>.roe-ai.com/mcp`; the matching API backend is selected by
the MCP deployment. Never invent an organization id or tenant slug — ask the
user if it isn't already in context.

## Tool surface

- **Identity:** `whoami` — connection check; returns `{user_id, org_id, email, source}`.
- **Agents (CRUD):** `list_agents`, `get_agent`, `create_agent`, `update_agent`, `delete_agent`, `duplicate_agent`.
- **Agent versions:** `list_agent_versions`, `get_agent_version`, `get_current_agent_version`, `create_agent_version`, `update_agent_version`, `delete_agent_version`.
- **Runs:** `run_agent` (synchronous, ≤25s wall clock) or `trigger_agent_run` (returns `job_id`) + `get_agent_job_status` + `get_agent_job_result`.
- **Jobs:** `get_agent_job_status`, `get_agent_job_result`, `cancel_agent_job`, `download_job_reference`.
- **Policies:** `list_policies`, `get_policy`, `create_policy`, `update_policy`, `delete_policy`, `list_policy_versions`, `get_policy_version`, `create_policy_version`.
- **Batch (use when N ≥ 3):** `run_agents_batch`, `get_agent_jobs_status_batch`, `get_agent_jobs_result_batch`, `cancel_all_agent_jobs`.

## Run-mode decision tree

1. One run, expected under 25s → `run_agent`.
2. One run, longer than 25s or you want a job id → `trigger_agent_run`, poll `get_agent_job_status` until terminal, then `get_agent_job_result`.
3. Three or more runs of the same agent → `run_agents_batch`, then batch status/result tools.

## Job status

`get_agent_job_status` returns a raw integer from `roe.models.job.JobStatus`:

| Code | Name | Terminal? |
| --- | --- | --- |
| 0 | PENDING | no |
| 1 | STARTED | no |
| 2 | RETRY | no |
| 3 | SUCCESS | yes |
| 4 | FAILURE | yes |
| 5 | CANCELLED | yes |
| 6 | CACHED | yes |

Stop polling on `{3, 4, 5, 6}`. Anything else means keep polling.

## Error semantics

- `401 X-Roe-Organization-Id header required.` → an API-key config is missing the org-id header; fix the MCP client config, not the prompt.
- `401` with `resource_metadata` in `WWW-Authenticate` → OAuth is required or the OAuth token is invalid; ask the user to reconnect the Roe MCP server through the client's auth UI.
- `401` with any other body in API-key mode → bearer is wrong or revoked. Ask the user to mint a fresh key in Roe settings.
- `503` with `Retry-After` → upstream Roe is throttling. Back off for the advertised duration, then retry; do not treat as auth failure.
- Token-bucket rate limits are per user/org/tool for OAuth and per bearer/tool for API-key mode. When one bucket drains, the same user can still call other tools.

## Don'ts

- Don't paste OAuth tokens or API keys into the chat transcript; reference them as placeholders in config snippets.
- Don't call `delete_agent`, `delete_agent_version`, `delete_policy`, or `cancel_all_agent_jobs` without explicit user confirmation — they're destructive.
- Don't add `X-Roe-API-Base-URL` for normal OAuth connections. Use the correct MCP host instead: `mcp.roe-ai.com` or `mcp.<tenant>.roe-ai.com`.

Codex and Cursor don’t have an equivalent skill mechanism today — for those, keep the relevant rules in your prompt or workspace rules file.

Rate limits and errors

OAuth token buckets are keyed by user, org, and tool; API-key buckets are keyed by bearer and tool. When a bucket drains, the server returns a structured rate_limited error with a Retry-After header.
Upstream Roe 429 responses map to MCP-level 503 with Retry-After, so well-behaved clients back off rather than treating the response as token invalidation.
A 401 in OAuth mode should include a WWW-Authenticate challenge with resource_metadata; reconnect the server through the client auth UI.
A 401 in API-key mode means either the bearer is wrong/revoked or the X-Roe-Organization-Id header is missing. Mint a fresh key — or fix the header — and retry.

Troubleshooting

Symptom	Fix
Client shows no Roe tools after editing config	Restart the client. MCP config is loaded once at startup.
`401` with `resource_metadata`	Reconnect the Roe MCP server through the client’s OAuth UI.
`401 X-Roe-Organization-Id header required.`	API-key mode only: add the `X-Roe-Organization-Id` header to your client config. Find the UUID under Settings → Organization in the matching Roe app.
`401 Unauthorized` (other API-key body)	Verify the key in Roe settings; the key must not be revoked and must belong to the same backend as the org id.
Tool calls hit the wrong tenant	Use `https://mcp.<tenant>.roe-ai.com/mcp` for your single-tenant deployment, and make sure your API key and org id come from that same tenant.
`503 Service Unavailable` with `Retry-After`	Upstream Roe is throttling or briefly unreachable. Back off and retry.
Want to inspect raw tool calls	Run the MCP Inspector: `npx @modelcontextprotocol/inspector` and point it at https://mcp.roe-ai.com/mcp. Use the inspector’s OAuth flow for normal deployments, or API-key headers for private API-key mode.

Need help?

Email support@roe-ai.com.

​What is MCP?

​How it works

​Connection values

​Setup

​Connect with an API key (no OAuth)

​Verifying the connection

​Available tools

​Smoke test

​Useful prompts

​Claude Code skill

​Rate limits and errors

​Troubleshooting

​Need help?

What is MCP?

How it works

Connection values

Setup

Connect with an API key (no OAuth)

Verifying the connection

Available tools

Smoke test

Useful prompts

Claude Code skill

Rate limits and errors

Troubleshooting

Need help?