Hawkapi
FreeNot checkedAuto-exports HawkAPI routes as MCP tools, allowing any MCP-compatible client to call your API.
About
Auto-exports HawkAPI routes as MCP tools, allowing any MCP-compatible client to call your API.
README
MCP (Model Context Protocol) server for HawkAPI. Auto-exports every route as an agent tool — any MCP-compatible client can call your API.
Install
pip install hawkapi-mcp
Quickstart
from hawkapi import HawkAPI
from hawkapi.responses import JSONResponse
from hawkapi_mcp import mount_mcp
app = HawkAPI()
@app.get("/users/{user_id:int}")
async def get_user(user_id: int) -> JSONResponse:
return JSONResponse({"id": user_id, "name": "Alice"})
@app.post("/items")
async def create_item(body: dict) -> JSONResponse:
return JSONResponse({"created": body})
mount_mcp(app, allow_unauthenticated=True) # serves POST /mcp — dev only; see Auth
/mcpMUST be protected in production — passdependencies=[...]to require auth, orallow_unauthenticated=Trueto opt out explicitly. See Auth.
Point any MCP-compatible client at http://your-host/mcp. Every HawkAPI route becomes a tool — its operationId is the tool name, the OpenAPI schema becomes the input schema.
Tool naming
| Route definition | Generated tool name |
|---|---|
@app.get("/users/{id}", operation_id="get_user") |
get_user |
@app.get("/users/{id}") (no operation_id) |
get_users_id |
Tool input schema
The decorator combines path / query / header parameters and the JSON request body into a single object schema. Parameter names are namespaced so they cannot collide:
| Source | Schema key |
|---|---|
| Path parameter | path.<name> |
| Query parameter | query.<name> |
| Header parameter | header.<name> |
| JSON body | body |
Cookie parameters are deliberately not exposed as tool inputs — exposing session cookies as data trains agents to handle credentials as ordinary fields. Forward credentials via the request to /mcp instead (see Auth).
tools/call example:
{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "get_user",
"arguments": {"path.user_id": "42"}
}
}
The tool result has the response body in content[0].text and the raw HTTP status / headers in structuredContent. isError is true for any 4xx/5xx response.
Credential-bearing response headers are stripped from structuredContent before the agent sees them: set-cookie, authorization, and anything matching x-*-token / x-*-secret. Add more via strip_response_headers={...}.
Filtering tools
mount_mcp(app, include_only={"get_user", "create_item"})
mount_mcp(app, exclude={"internal_admin_route"})
Supported JSON-RPC methods
initialize— handshake. Returns the MCP protocol version, server info, and tool capability.ping— keepalive.tools/list— return the tool catalog.tools/call— invoke a tool. Returns response body + HTTP status.notifications/initialized— accepted, no response.
The endpoint accepts both single JSON-RPC objects and batches.
Auth
The /mcp endpoint exposes every route and MUST be protected. A single MCP
tool call can invoke any route, and the bridge synthesises an inner ASGI request
— so middleware that only guards inner routes can be bypassed. To make this
hard to get wrong, mount_mcp() raises RuntimeError at mount time unless you
either:
- pass
dependencies=[...]to attach auth (e.g.Depends) to the/mcproute, or - explicitly opt out with
allow_unauthenticated=True(local dev, or auth enforced upstream).
from hawkapi import Depends
from hawkapi_mcp import mount_mcp
mount_mcp(app, dependencies=[Depends(verify_token)]) # protected
mount_mcp(app, allow_unauthenticated=True) # explicit opt-out
hawkapi-mcp does not define its own auth layer — wire your HawkAPI dependencies
(HTTPBearer, OAuth2, API key) on the MCP route just like any other path. The
caller's Authorization and Cookie headers on the outer /mcp request are
forwarded into the synthetic inner request, so inner-route Depends(auth) sees
the real credentials (and the real client address is propagated where available).
Header arguments forwarded by the client land in the request before middleware runs.
Tool catalog freshness
The tool catalog is derived from app.openapi() and cached. By default it is
cached for the process lifetime, so routes added/removed/disabled at runtime are
not reflected — call server.invalidate_tools() to force a refresh, or pass
cache_ttl_seconds=... to mount_mcp() (or MCPServer) to auto-refresh after
the given interval:
mount_mcp(app, dependencies=[...], cache_ttl_seconds=60)
Development
git clone https://github.com/Hawk-API/hawkapi-mcp.git
cd hawkapi-mcp
uv sync --extra dev
uv run pytest -q
uv run ruff check . && uv run ruff format --check .
uv run pyright src/
Specification
Implements a subset of the Model Context Protocol sufficient to advertise and invoke tools. Streamable HTTP transport only — stdio is out of scope (deploy your app behind any ASGI server and the agent connects to the /mcp URL).
License
MIT.
Installing Hawkapi
This server has no published package — it is built from source. Open the repository and follow its README.
▸ github.com/Hawk-API/hawkapi-mcpFAQ
Is Hawkapi MCP free?
Yes, Hawkapi MCP is free — one-click install via Unyly at no cost.
Does Hawkapi need an API key?
No, Hawkapi runs without API keys or environment variables.
Is Hawkapi hosted or self-hosted?
A hosted option is available: Unyly runs the server in the cloud, no local setup required.
How do I install Hawkapi in Claude Desktop, Claude Code or Cursor?
Open Hawkapi on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
GitHub
PRs, issues, code search, CI status
by GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
by mcpdotdirectCompare Hawkapi with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All development MCPs
