FruxonDocs
IntegrationsMCP

Rotate the MCP key for an integration.

Mints a fresh secret with the same `mcp:invoke` scope, binds the MCP config to it, and revokes the original. The raw secret is returned once on `apiKey` — the user must update their MCP client config (Claude Desktop, Cursor) with the new value. Rotating renders any previously-distributed copy of the key permanently unusable.

POST
/v1/tenants/{tenant}/integrations/{integration}/mcp:rotateKey

Authorization

Bearer
AuthorizationBearer <token>

JWT Authorization header using the Bearer scheme. Enter 'Bearer' [space] and then your token.

In: header

Path Parameters

integration*string

The integration ID.

tenant*string

The tenant identifier

Response Body

curl -X POST "https://api.fruxon.com/v1/tenants/string/integrations/string/mcp:rotateKey"
{
  "integrationId": "string",
  "enabled": false,
  "configId": "00000000-0000-0000-0000-000000000000",
  "exposedToolIds": [
    "string"
  ],
  "description": "string",
  "apiKeyId": "00000000-0000-0000-0000-000000000000",
  "callUrl": "string",
  "testUrl": "string",
  "createdAt": 0,
  "modifiedAt": 0,
  "keyPrefix": "string",
  "apiKey": "string"
}
{
  "type": "string",
  "title": "string",
  "status": 0,
  "detail": "string",
  "instance": "string",
  "property1": null,
  "property2": null
}
Empty
Empty
{
  "type": "string",
  "title": "string",
  "status": 0,
  "detail": "string",
  "instance": "string",
  "property1": null,
  "property2": null
}

Update MCP settings for an integration.

Patches `enabled`, `configId`, `exposedToolIds`, and `description` on the integration's MCP server settings; null fields are preserved. When `enabled` transitions to `true` for the first time, a dedicated MCP-scoped API key is auto-minted and bound to this MCP; the raw secret is returned exactly once on `apiKey` — surface it to the user immediately. Use `POST /integrations/{integration}/mcp:rotateKey` to mint a fresh secret later. Toggling `enabled` to false causes the JSON-RPC endpoints to reject calls for this integration but leaves the bound key in place so re-enabling doesn't break already-distributed configs.

MCP JSON-RPC endpoint (sandbox)

Mirrors the surface of `/integrations/{integration}/mcp:call` — same JSON-RPC methods, same API-key auth, same rate limiting — but `tools/call` requests are dispatched to the integration simulator instead of the real upstream. Use this from eval harnesses and CI to exercise an MCP client against deterministic, side-effect-free responses. The simulator still respects `exposedToolIds`, so changing what production clients can see also changes what sandbox clients can see.