MCP tools and resources reference
This page lists every tool, resource, and prompt exposed by the Keyban MCP server.
The authoritative source is the live OpenAPI document at https://api.prod.keyban.io/openapi.json — the bridge auto-registers every operation that carries an x-mcp-type annotation. This page mirrors that surface for offline reading. To configure a client, see Connect your AI assistant to the Keyban MCP server.
How to read this page
- Type —
Tool for actions (POST / PATCH / DELETE), Resource for read-only data (GET). Resources whose path contains a parameter (e.g. {provider}) are exposed as MCP resource templates.
- Method + Route — the underlying REST endpoint that the bridge proxies to. The bridge itself listens on
POST /mcp (port 3334 locally, https://mcp.prod.keyban.io/mcp in production).
- Auth —
org-user for endpoints that require an authenticated organization caller (API key or session); public for endpoints that accept anonymous access. The MCP bridge forwards Authorization, X-Api-Key, Cookie, and Mcp-Session-Id headers transparently — it never authenticates the caller itself.
For request and response schemas, follow the route to the Backend OpenAPI reference.
Where to start
The catalogue below is exhaustive. If you only want a sense of what the bridge can already do, here are the most useful entry points — each one is a real capability already wired up:
list_applications + lookup_application_id — navigate your Keyban applications by name. The second tool uses MCP elicitation when several apps match.create_dpp_passport + publish_dpp_passports — create a Digital Product Passport from natural language and anchor it on Starknet, end to end.mint_loyalty_points — mint on-chain loyalty points for a given account in one tool call.get_quota_usage — read the org's monthly consumption so an assistant can self-monitor.create_billing_portal_session — generate a Chargebee self-service URL on demand.
Applications
| Name | Type | Method + Route | Auth | Description |
|---|
list_applications | Resource | GET /v1/applications | org-user | List the applications owned by the current organization. |
get_application | Resource template | GET /v1/applications/{appId} | public | Fetch a specific application by ID. |
create_application | Tool | POST /v1/applications | org-user | Create a new application under the current organization. |
update_application | Tool | PATCH /v1/applications/{appId} | org-user | Update mutable application settings. |
delete_application | Tool | DELETE /v1/applications/{appId} | org-user | Remove an application and clean up associated resources. |
Agent wallets
| Name | Type | Method + Route | Auth | Description |
|---|
list_agent_wallets | Resource | GET /v1/agent-wallets | org-user | List agent wallets for the current organization. |
get_agent_wallet | Resource template | GET /v1/agent-wallets/{id} | org-user | Fetch a specific agent wallet by ID. |
create_agent_wallet | Tool | POST /v1/agent-wallets | org-user | Create a new agent wallet for an application. |
update_agent_wallet | Tool | PATCH /v1/agent-wallets/{id} | org-user | Update the label of an agent wallet. |
delete_agent_wallet | Tool | DELETE /v1/agent-wallets/{id} | org-user | Delete an agent wallet. |
Organization
| Name | Type | Method + Route | Auth | Description |
|---|
get_organization | Resource template | GET /v1/organizations/{id} | org-user | Return the organization identified by ID. |
update_organization | Tool | PATCH /v1/organizations/{id} | org-user | Update mutable fields and settings of the active organization. |
Accounts
| Name | Type | Method + Route | Auth | Description |
|---|
list_application_accounts | Resource | GET /v1/accounts | org-user | List accounts for the organization's selected application. |
get_account_details | Resource template | GET /v1/accounts/{id} | org-user | Fetch a specific account (blockchain address, loyalty config). |
update_account_details | Tool | PATCH /v1/accounts/{id} | org-user | Update mutable account properties (primarily loyalty settings). |
delete_account | Tool | DELETE /v1/accounts/{id} | org-user | Delete an account and clean up its signer keys and cached shares. |
list_application_account_assignments | Resource | GET /v1/account-assignments | org-user | List pending account assignments for the selected application. |
get_account_assignment | Resource template | GET /v1/account-assignments/{id} | org-user | Fetch a specific account assignment. |
create_account_assignment | Tool | POST /v1/account-assignments | org-user | Register a pending loyalty benefit for an identity. |
update_account_assignment | Tool | PATCH /v1/account-assignments/{id} | org-user | Adjust a pending account assignment (points, reward tier). |
delete_account_assignment | Tool | DELETE /v1/account-assignments/{id} | org-user | Remove a pending account assignment. |
Loyalty
| Name | Type | Method + Route | Auth | Description |
|---|
mint_loyalty_points | Tool | POST /v1/loyalty/account/{id}/mint | org-user | Mint on-chain loyalty points and update the optimistic balance. |
list_loyalty_orders | Resource | GET /v1/loyalty/orders | org-user | Retrieve order history for a loyalty account wallet. |
list_loyalty_reward_tiers | Resource | GET /v1/loyalty/reward-tiers | org-user | List loyalty reward tiers configured for the application. |
get_loyalty_reward_tier | Resource template | GET /v1/loyalty/reward-tiers/{id} | org-user | Fetch details of a specific loyalty reward tier. |
create_loyalty_reward_tier | Tool | POST /v1/loyalty/reward-tiers | org-user | Create a loyalty reward tier (unique visit threshold). |
update_loyalty_reward_tier | Tool | PATCH /v1/loyalty/reward-tiers/{id} | org-user | Update reward tier properties. |
delete_loyalty_reward_tier | Tool | DELETE /v1/loyalty/reward-tiers/{id} | org-user | Delete a loyalty reward tier. |
Loyalty / Zelty integration
| Name | Type | Method + Route | Auth | Description |
|---|
get_zelty_settings | Resource | GET /v1/loyalty/zelty/settings | org-user | Retrieve the Zelty integration settings for the organization. |
update_zelty_settings | Tool | PATCH /v1/loyalty/zelty/settings | org-user | Create or update Zelty integration settings and refresh webhooks. |
Digital Product Passport (DPP)
| Name | Type | Method + Route | Auth | Description |
|---|
list_dpp_passports | Resource | GET /v1/dpp/passports | org-user | Paginated list of DPP passports for the organization. |
get_dpp_passport | Resource template | GET /v1/dpp/passports/{id} | public | Retrieve a single DPP passport by ID. |
get_dpp_passport_magic_token | Resource template | GET /v1/dpp/passports/{id}/magic-token | org-user | Generate a magic token for claiming a DPP passport. |
create_dpp_passport | Tool | POST /v1/dpp/passports | org-user | Create a new DPP passport. |
update_dpp_passport | Tool | PATCH /v1/dpp/passports/{id} | org-user | Update an existing DPP passport. |
publish_dpp_passports | Tool | POST /v1/dpp/passports/publish | org-user | Publish DPP passports matching the filter. |
delete_dpp_passport | Tool | DELETE /v1/dpp/passports/{id} | org-user | Delete a DPP passport by ID. |
DPP / Shopify integration
| Name | Type | Method + Route | Auth | Description |
|---|
list_shopify_shops | Resource | GET /v1/dpp/shopify/shops | org-user | List Shopify shops linked to the organization. |
get_shopify_shop | Resource template | GET /v1/dpp/shopify/shops/{id} | org-user | Retrieve a specific Shopify shop by UUID. |
create_shopify_shop | Tool | POST /v1/dpp/shopify/shops | org-user | Register a Shopify shop for an application. |
delete_shopify_shop | Tool | DELETE /v1/dpp/shopify/shops/{id} | org-user | Remove a Shopify shop integration. |
Points of Sale
| Name | Type | Method + Route | Auth | Description |
|---|
list_points_of_sale | Resource | GET /v1/points-of-sale | org-user | Paginated list of points of sale for the organization. |
get_point_of_sale | Resource template | GET /v1/points-of-sale/{id} | org-user | Fetch details for a specific point of sale. |
create_point_of_sale | Tool | POST /v1/points-of-sale | org-user | Create a new point of sale. |
update_point_of_sale | Tool | PATCH /v1/points-of-sale/{id} | org-user | Update mutable properties of a point of sale. |
delete_point_of_sale | Tool | DELETE /v1/points-of-sale/{id} | org-user | Delete a point of sale. |
Quota
| Name | Type | Method + Route | Auth | Description |
|---|
get_quota_usage | Resource | GET /v1/quotas/usage | org-user | Retrieve monthly quota usage data for the current organization. |
Imports
| Name | Type | Method + Route | Auth | Description |
|---|
list_import_jobs | Resource | GET /v1/imports | public | List all import jobs for the organization. |
get_import_job | Resource template | GET /v1/imports/{jobId} | public | Get details of a specific import job by ID. |
stream_import_job_progress | Resource template | GET /v1/imports/{jobId}/progress (SSE) | public | Subscribe to real-time progress updates over Server-Sent Events. |
get_import_job_report | Resource template | GET /v1/imports/{jobId}/report | public | Get the detailed report for an import job. |
start_bulk_import | Tool | POST /v1/imports | public | Upload a JSON array of entities for bulk import. |
Events
| Name | Type | Method + Route | Auth | Description |
|---|
list_events | Resource | GET /v1/events | org-user | Paginated audit and quota events scoped to the caller organization. |
Metrics
| Name | Type | Method + Route | Auth | Description |
|---|
get_loyalty_metrics | Resource | GET /v1/admin/metrics/loyalty | org-user | Loyalty program metrics (points minted, accounts, visits, tier distribution). |
get_dpp_metrics | Resource | GET /v1/admin/metrics/dpp | org-user | DPP metrics (products, minted passports, retrieval rates). |
Billing (public)
| Name | Type | Method + Route | Auth | Description |
|---|
list_billing_plans | Resource | GET /v1/billing/plans | public | List the active subscription plans available for onboarding. |
create_billing_portal_session | Tool | POST /v1/billing/portal-session | org-user | Create a Chargebee self-service portal session. |
Invest
| Name | Type | Method + Route | Auth | Description |
|---|
list_invest_funds | Resource | GET /v1/invest/funds | org-user | List investment funds for the current organization. |
get_invest_fund | Resource template | GET /v1/invest/funds/{id} | org-user | Fetch a specific investment fund by ID. |
create_invest_fund | Tool | POST /v1/invest/funds | org-user | Create a new investment fund. |
update_invest_fund | Tool | PATCH /v1/invest/funds/{id} | org-user | Update fund properties (name, NAV, status). |
delete_invest_fund | Tool | DELETE /v1/invest/funds/{id} | org-user | Delete an investment fund by ID. |
list_invest_funds_investor | Resource | GET /v1/invest/investor/funds | org-user | List active investment funds for the current application. |
list_invest_holdings | Resource template | GET /v1/invest/funds/{fundId}/holdings | org-user | List all holdings for a specific fund. |
get_invest_holding | Resource template | GET /v1/invest/funds/{fundId}/holdings/{id} | org-user | Fetch a specific holding record by ID. |
distribute_shares | Tool | POST /v1/invest/funds/{fundId}/holdings/distribute | org-user | Distribute shares from the fund to an investor. |
redeem_shares | Tool | POST /v1/invest/funds/{fundId}/holdings/redeem | org-user | Buy back shares from an investor. |
list_invest_identities | Resource | GET /v1/invest/identities | org-user | List invest identities for the current organization. |
get_invest_identity | Resource template | GET /v1/invest/identities/{id} | org-user | Fetch a specific invest identity by ID. |
get_my_invest_identity | Resource | GET /v1/invest/identities/me | public | Retrieve the invest identity associated with the current SDK account. |
create_invest_identity | Tool | POST /v1/invest/identities | public | Create a new invest identity for the current SDK account. |
update_invest_identity | Tool | PATCH /v1/invest/identities/{id} | org-user | Update an invest identity. |
list_invest_lockups | Resource template | GET /v1/invest/funds/{fundId}/lockups | org-user | List custom lockup periods for a specific fund. |
get_invest_lockup | Resource template | GET /v1/invest/funds/{fundId}/lockups/{id} | org-user | Fetch a specific lockup record by ID. |
create_invest_lockup | Tool | POST /v1/invest/funds/{fundId}/lockups | org-user | Create a custom lockup period for an investor. |
update_invest_lockup | Tool | PATCH /v1/invest/funds/{fundId}/lockups/{id} | org-user | Update the end date of a custom lockup period. |
delete_invest_lockup | Tool | DELETE /v1/invest/funds/{fundId}/lockups/{id} | org-user | Delete a custom lockup period. |
list_invest_nav | Resource template | GET /v1/invest/funds/{fundId}/nav | org-user | List NAV records for a specific fund. |
get_invest_nav | Resource template | GET /v1/invest/funds/{fundId}/nav/{id} | org-user | Fetch a specific NAV record by ID. |
create_invest_nav | Tool | POST /v1/invest/funds/{fundId}/nav | org-user | Create a new NAV record for the fund. |
delete_invest_nav | Tool | DELETE /v1/invest/funds/{fundId}/nav/{id} | org-user | Delete a NAV record by ID. |
list_invest_offers | Resource | GET /v1/invest/offers | org-user | List secondary market offers. |
get_invest_offer | Resource template | GET /v1/invest/offers/{id} | org-user | Fetch a specific secondary market offer by ID. |
create_invest_offer | Tool | POST /v1/invest/offers | org-user | Create a buy or sell offer on the secondary market. |
update_invest_offer | Tool | PATCH /v1/invest/offers/{id} | org-user | Update the share count or unit price of an open offer. |
delete_invest_offer | Tool | DELETE /v1/invest/offers/{id} | org-user | Soft-delete a secondary market offer. |
Bridge-only features
These capabilities are implemented inside the MCP bridge itself, not as REST proxies.
| Name | Kind | Source | Description |
|---|
lookup_application_id | Tool | backend/mcp/src/lib/registrar/application-lookup-service.ts | Resolve an application's UUID from its human-readable name. Supports exact and partial matching, with MCP elicitation when several applications match. |
prepare_demo_environment | Prompt | backend/mcp/src/lib/registrar/prompt-registry.ts | Runbook prompt that walks the assistant through seeding a sandbox with sample applications, loyalty tiers, and DPP data. |
Argument completion
The bridge auto-completes applicationId and appId arguments by querying /v1/applications (max 20 suggestions, ranked by ID exact-match first, then name substring). Source: backend/mcp/src/lib/registrar/server-introspection.ts.
Capabilities advertised to clients
The bridge advertises these MCP capabilities at handshake time (source: backend/mcp/src/index.ts):
| Capability | Supported | Notes |
|---|
tools | Yes | Listed above. |
resources | Yes | subscribe: false, listChanged: false — no live updates. |
prompts | Yes | listChanged: false. |
completions | Yes | Application ID lookup only. |
elicitation | Yes | Used by lookup_application_id for ambiguous matches. |
logging | No | The bridge does not stream server-side logs to the client. |
HTTP endpoints recap
| Endpoint | Purpose |
|---|
POST https://mcp.prod.keyban.io/mcp | Production MCP entry point (StreamableHTTP transport). |
GET https://api.prod.keyban.io/openapi.json | Authoritative OpenAPI document the bridge consumes at boot. |
Out of scope
The bridge intentionally does not expose two families of endpoints — for two distinct reasons.
Super-admin endpoints
Endpoints decorated with @SuperAdminController() / @SuperAdminEndpoint() (backend/nestjs/src/auth/super-admin.decorator.ts) are excluded from the public OpenAPI document and therefore from the MCP surface. The exclusion is enforced by backend/nestjs/src/auth/super-admin-contract.spec.ts.
Out-of-scope super-admin domains include LLM usage analytics and pricing administration, Chargebee customer creation, plan synchronisation, overage synchronisation, pending-onboarding management, and platform-wide metrics. For platform administration, use the admin dashboard rather than the MCP bridge.
LLM endpoints (/v1/llm/*)
Chat completion and provider catalogue endpoints (POST /v1/llm/chat/completions, GET /v1/llm/providers, GET /v1/llm/providers/{provider}/models) are deliberately not exposed via MCP. An MCP client is already an LLM — proxying a chat completion through the bridge would be redundant and would double-bill the same call (once on the client side, once on the Keyban LLM quota).
LLM remains a Keyban-internal capability consumed by other controllers (e.g. content generation flows). The exclusion is enforced by backend/nestjs/src/auth/mcp-exposure-contract.spec.ts, which fails the build if any controller under backend/nestjs/src/llm/controllers/ regrows an x-mcp-* annotation.