Traditional MCP servers hand-pick a handful of endpoints and call it a day — locking you into whatever subset someone decided was "enough." Why settle for a fraction of an API when you can have all of it?
anyapi-mcp-server is a universal MCP server that connects any REST API to AI assistants like Claude, Cursor, and other LLM-powered tools — just point it at an OpenAPI spec or Postman collection. Every endpoint the API provides becomes available instantly, with GraphQL-style field selection and automatic schema inference. No custom server code, no artificial limits.
1. Install
npm install -g anyapi-mcp-server2. Add to your MCP client (Cursor, Claude Desktop, etc.)
{
"mcpServers": {
"your-api": {
"command": "npx",
"args": [
"-y",
"anyapi-mcp-server",
"--name", "your-api",
"--spec", "path/to/openapi.json",
"--base-url", "https://api.example.com",
"--header", "Authorization: Bearer ${API_KEY}"
],
"env": {
"API_KEY": "your-api-key"
}
}
}
}3. Use the tools — discover endpoints with list_api, inspect schemas with call_api, fetch data with query_api.
Ready-to-use configurations for popular APIs:
| Provider | Auth |
|---|---|
| Cloudflare | API Token or Key + Email |
| Datadog | API Key + App Key |
| GitHub | Personal Access Token |
| Google Workspace | OAuth 2.0 |
| Metabase | API Key |
| PostHog | Personal API Key |
| Slack | Bot/User Token |
These work with any API that has an OpenAPI or Postman spec — the above are just examples. Stripe, Twilio, Shopify, HubSpot, and anything else with a REST API will work the same way.
| Flag | Description |
|---|---|
--name |
Server name (e.g. cloudflare) |
--spec |
Path or HTTPS URL to an OpenAPI spec (JSON/YAML) or Postman Collection. Remote URLs are cached locally. Supports ${ENV_VAR}. |
--base-url |
API base URL (e.g. https://api.example.com). Supports ${ENV_VAR}. |
| Flag | Description |
|---|---|
--header |
HTTP header as "Key: Value" (repeatable). Supports ${ENV_VAR} in values. |
--log |
Path to NDJSON request/response log. Sensitive headers are masked automatically. |
For APIs that use OAuth 2.0 instead of static tokens. If any of the three required flags is provided, all three are required. All flags support ${ENV_VAR}.
| Flag | Required | Description |
|---|---|---|
--oauth-client-id |
Yes* | OAuth client ID |
--oauth-client-secret |
Yes* | OAuth client secret |
--oauth-token-url |
Yes* | Token endpoint URL |
--oauth-auth-url |
No | Authorization endpoint (auto-detected from spec if available) |
--oauth-scopes |
No | Comma-separated scopes |
--oauth-flow |
No | authorization_code (default) or client_credentials |
--oauth-param |
No | Extra token parameter as key=value (repeatable) |
See the Google Workspace guide for a complete OAuth example.
The server exposes five tools (plus auth when OAuth is configured):
Discover what the API offers. Call with no arguments to see all categories, provide category to list endpoints in a tag, or search to find endpoints by keyword.
Makes a real HTTP request and returns the inferred GraphQL schema (SDL) — not the data itself. Use this to discover the response shape and get suggestedQueries you can copy into query_api.
Fetches data and returns only the fields you select via a GraphQL query. Supports both reads and writes (mutations for POST/PUT/DELETE/PATCH).
# Read
{ items { id name status } _count }
# Write
mutation { post_endpoint(input: { name: "example" }) { id } }Returns spec documentation for an endpoint (parameters, request body schema, response codes) without making an HTTP request.
Fetches data from up to 10 endpoints concurrently in a single tool call. Each request follows the query_api flow.
Only available when --oauth-* flags are configured. Manages the OAuth flow:
action: "start"— returns an authorization URL (or exchanges credentials forclient_credentials)action: "exchange"— completes the authorization code flow (callback is captured automatically)action: "status"— shows current token status
Tokens are persisted and refreshed automatically.
list_api → discover what's available
↓
explain_api → read the docs for an endpoint
↓
call_api → inspect the response schema
↓
query_api → fetch exactly the fields you need
↓
batch_query → fetch from multiple endpoints at once
OpenAPI/Postman spec
│
▼
┌─────────┐ ┌─────────────┐ ┌──────────┐ ┌───────────┐ ┌─────────────┐
│list_api │ │ explain_api │ │ call_api │ │ query_api │ │ batch_query │
│(browse) │ │ (docs) │ │ (schema) │ │ (data) │ │ (parallel) │
└─────────┘ └─────────────┘ └──────────┘ └───────────┘ └─────────────┘
│ │ no HTTP │ │ │
▼ ▼ request ▼ ▼ ▼
Spec index Spec index REST API call REST API call N concurrent
(tags, (params, (with retry (cached if REST API calls
paths) responses, + caching) same as + GraphQL
body schema) │ call_api) execution
▼ │
Infer GraphQL ▼
schema from Execute GraphQL
JSON response query against
response data
- Any REST API — provide an OpenAPI (JSON/YAML) or Postman Collection v2.x spec as a file or URL
- Remote spec caching — HTTPS specs are fetched once and cached to
~/.cache/anyapi-mcp/ - GraphQL field selection — query only the fields you need from any response
- Schema inference — automatically builds GraphQL schemas from live API responses
- Multi-sample merging — samples up to 10 array elements for richer schemas
- Mutation support — write operations get typed GraphQL mutations from OpenAPI body schemas
- Smart suggestions —
call_apireturns ready-to-use queries based on the inferred schema - Response caching — 30s TTL prevents duplicate calls across
call_api→query_api - Retry with backoff — automatic retries for 429/5xx with exponential backoff and
Retry-Aftersupport - Multi-format — parses JSON, XML, CSV, and plain text responses
- Pagination — API-level via
params, client-side slicing vialimit/offset - Rich errors — structured error messages with status-specific suggestions and spec context for self-correction
- OAuth 2.0 — Authorization Code (with PKCE) and Client Credentials flows with automatic token refresh
- Env var interpolation —
${ENV_VAR}in base URLs, headers, and spec paths - Request logging — optional NDJSON log with sensitive header masking
- OpenAPI 3.x (JSON or YAML)
- OpenAPI 2.0 / Swagger (JSON or YAML)
- Postman Collection v2.x (JSON)
Proprietary Non-Commercial. Free for personal and educational use. Commercial use requires written permission. See LICENSE for details.
