From fdac60281c1a895c10027d7f48241180b7803630 Mon Sep 17 00:00:00 2001 From: Matei Date: Fri, 3 Jul 2026 15:52:05 -0400 Subject: [PATCH] MCP docs first draft --- docs/docs.json | 3 +- docs/sdk/api-mcp.mdx | 149 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 151 insertions(+), 1 deletion(-) create mode 100644 docs/sdk/api-mcp.mdx diff --git a/docs/docs.json b/docs/docs.json index 5d345be..610af36 100644 --- a/docs/docs.json +++ b/docs/docs.json @@ -34,7 +34,8 @@ "sdk/python", "sdk/go", "sdk/cli", - "sdk/mcp" + "sdk/mcp", + "sdk/api-mcp" ] }, { diff --git a/docs/sdk/api-mcp.mdx b/docs/sdk/api-mcp.mdx new file mode 100644 index 0000000..dff999c --- /dev/null +++ b/docs/sdk/api-mcp.mdx @@ -0,0 +1,149 @@ +--- +title: "API MCP (beta)" +--- + + + The Flare API MCP server is still in beta and is subject to change. + {/* TODO Specify beta quota adjustements */} + + +Flare provides a +[Model Context Protocol](https://modelcontextprotocol.io/) (MCP) server that +exposes Flare's search and platform APIs to any MCP-capable client. It lets +agents query Flare's threat-intel dataset, inspect a tenant's monitored +events, look up event-type schemas, and read the current user's profile — +without writing any code against the REST API directly. + +For a documentation-only companion server (search across the Flare API docs +themselves), see the +[Documentation MCP ](/sdk/mcp). + +## Available Tools + +| Tool | Description | +| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | +| `search_search` | Global Search — execute a Lucene query against the entire Flare threat-intel dataset. | +| `search_tenant` | Tenant Search — execute a Lucene query scoped to events matching the caller's monitored identifiers. | +| `validate_search_query` | Validate that a Lucene query complies with Flare's search rules before running it. Useful when composing or debugging a query. | +| `get_event_type` | Return the documentation and searchable field list for a given event type (e.g. `chat_message`, `forum_post`, `stealer_log`). | +| `profile_get` | Return the current user's profile, including tenants, permissions, feature flags, and default tenant id. | + +### Search Parameters + +The `search_search` (Global) and `search_tenant` (Tenant) tools accept the +same parameters: + + + Lucene query string. + + + + Time window to restrict results to. Either a preset (`last_24h`, `last_7d`, + `last_1m`, …) or a `{ begin_at, end_at }` object with ISO-8601 datetimes. + + + + List of event types to scope the search. + + + + Number of results to return. Between `1` and `10`. + + + + Opaque pagination cursor from a previous response. + + +### Prompt Examples + +- `What has Flare picked up on our monitored domain scatterholt.com in the last 24 hours?` +- `Search the whole Flare dataset for chat messages mentioning "acme-corp" in the last 7 days.` +- `Validate this query for me: author_name:/some_username_\d+/` +- `What fields can I search on the stealer_log event type?` +- `Which tenants do I currently have access to?` + +## MCP Server Configuration + +The MCP server is available at the following URL: + +- `https://api.flare.io/mcp` + +For a copy-pasteable example that wires everything below into a client, see +[Client Setup](#client-setup). + +#### Authentication + +Every MCP request must include a Flare API key in the `Authorization` +header. Follow the +[Authentication Guide ](/concepts/authentication) +to generate one. + +#### Targeting a specific tenant + +Requests default to your account's default tenant. To scope MCP tool calls +to a specific tenant, set the `X-Flare-Tenant-Id` header on the MCP +connection to the target tenant id. You can find your tenant ids on the +[Profile page](https://app.flare.io/#/profile) under the "Tenants" section +(also documented in the +[Authentication Guide ](/concepts/authentication#finding-tenant-ids)). + +## Client Setup + +### Claude Code + +[Claude Code](https://docs.claude.com/en/docs/claude-code/overview) reads +MCP servers from an `.mcp.json` file at the root of your project. Create the +file with the snippet below, replacing `` with a Flare API key +obtained from the +[Authentication Guide ](/concepts/authentication). + +```json .mcp.json +{ + "mcpServers": { + "flare": { + "type": "http", + "url": "https://api.flare.io/mcp", + "headers": { + "Authorization": "", + "X-Flare-Tenant-Id": "" + } + } + } +} +``` + +Restart Claude Code once the file is in place. The Flare tools will appear +under the `flare` server in the `/mcp` command output, and Claude will call +them automatically when your prompts match their descriptions. + + + Store the API key outside version control. Claude Code also supports + reading headers from environment variables — see the + [Claude Code MCP docs](https://code.claude.com/docs/en/mcp#environment-variable-expansion-in-mcp-json) + for details. + + +### Claude Desktop + +Claude Desktop can connect to the Flare MCP server as a remote **Custom +Connector**. Follow the official walkthrough: + +- [Getting started with custom connectors using remote MCP](https://support.claude.com/en/articles/11175166-get-started-with-custom-connectors-using-remote-mcp#h_3d1a65aded) + +When prompted for the server URL, use `https://api.flare.io/mcp`, and set +the `Authorization` header to your Flare API key. + +### Other Clients + +- **Cursor** — + [Using `mcp.json`](https://cursor.com/docs/mcp). + The same JSON shape shown above for Claude Code applies. + +## Quotas & Rate Limits + +- Calls to `search` (Global Search) consume the tenant's monthly Global + Search quota. See + [Rate Limits and Quotas ](/concepts/rate-limits-and-quotas). +- `tenant`, `validate_search_query`, `get_event_type`, and `get` (profile) do + not consume the Global Search quota. +- Standard API rate limits apply to all tools.