GitDocAI ships a native MCP (Model Context Protocol) server so AI clients like Claude, Cursor, and any MCP-compatible IDE can read and write your documentation directly. The server speaks OAuth 2.1 with PKCE and Dynamic Client Registration, so connecting a new client is a one-time consent screen — no manual token juggling.
What you can do over MCP
The server exposes a curated toolset that maps to the dashboard's capabilities. From a connected client you can:
Browse your documentations, versions, sections, and entries.
Author content — create, update, move, reorder, and delete entries and sections.
Generate from scratch — create_documentation spins up a new doc and seeds the wizard flow.
Search — hybrid (full-text + semantic) search across published content via search_documentation.
Manage versions — create versions, set default/latest, mark deprecated.
Inspect assets and team — read-only listings for assets and team members.
Read syntax and capabilities — get_syntax_reference returns the MDX component catalogue; get_capabilities returns the structured list of supported actions.
All write operations honor the same role-based permissions as the dashboard. A token issued to a Viewer cannot create or modify content.
Mutations made over MCP follow the same review flow as in-editor AI edits when applicable — they're persisted as MDX, autosaved, and surfaced to other collaborators in real time via the doc-change SSE channel.
Connecting an MCP client
The MCP server is reachable at https://mcp.gitdoc.ai. Most clients only need that URL — they'll discover the OAuth endpoints, register themselves dynamically, and walk you through consent.
In your client's MCP configuration, add a server pointing at https://mcp.gitdoc.ai. The client will detect the OAuth-protected resource automatically.
A browser window opens to GitDocAI's consent screen. Sign in with your GitDocAI account, review the scopes the client is requesting, and click Authorize. The client receives tokens and stays signed in across sessions via refresh tokens.
The client now has access to the GitDocAI tool catalogue. Ask it to list your docs, draft a new page, or search your content — it picks the right tool automatically.
The first authenticated tool call against a blank documentation automatically converts it from pending to generated, so your AI assistant can start populating an empty doc without you needing to seed it from the dashboard first.
OAuth 2.1 with PKCE & Dynamic Client Registration
GitDocAI's MCP server is a fully conformant OAuth 2.1 authorization server. That means:
Dynamic Client Registration (RFC 7591) — a brand-new MCP client can register itself with no prior coordination. You don't need to pre-create a client ID in the dashboard.
PKCE — every authorization flow uses Proof Key for Code Exchange, so an authorization code intercepted mid-flow can't be redeemed for tokens.
Multi-audience tokens — the same token can authenticate against both the MCP server and the dashboard/control-plane APIs, scoped to what the user granted.
Refresh tokens — MCP clients stay signed in across restarts. Refresh is rotated per OAuth client to make revocation precise.
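The PKCE binding described above, as an added example that is not GitDocAI's code: the client derives an S256 challenge from a secret verifier, and the token endpoint refuses a code presented without that verifier. `ToyAuthServer`, the token string, and the choice of the S256 method are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data):
    """Base64url without '=' padding, the encoding RFC 7636 uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair():
    """Client side: fresh 43-character verifier and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, s256_challenge(verifier)


class ToyAuthServer:
    """Constructed in-memory stand-in for an authorization server."""
    def __init__(self):
        self._codes = {}  # authorization code -> code_challenge bound to it

    def authorize(self, code_challenge):
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code, code_verifier):
        # pop(): a code is single use, even when the verifier check fails
        challenge = self._codes.pop(code, None)
        ok = challenge is not None and hmac.compare_digest(
            s256_challenge(code_verifier), challenge)
        return "constructed-token-" + secrets.token_urlsafe(8) if ok else None


def demo():
    server = ToyAuthServer()
    verifier, challenge = new_pkce_pair()
    # Flow 1: a party that saw only the code presents its own verifier.
    stolen = server.token(server.authorize(challenge), new_pkce_pair()[0])
    # Flow 2: the real client redeems its code, then the code is replayed.
    code = server.authorize(challenge)
    issued = server.token(code, verifier)
    return stolen, issued, server.token(code, verifier)
```

`demo()` returns the three outcomes in order: the redemption without the verifier, the legitimate redemption, and the replay of an already used code.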
Reviewing & revoking connected clients
Every client you authorize shows up in the Connected Apps tab of your Account Settings. From there you can:
See which scopes each client holds.
See the last time it refreshed its token.
Revoke the client — the next API call from that client will fail and it must go through consent again to regain access.
See Managing Team, Billing, Support for where Connected Apps lives inside Account Settings, and Connected Apps & OAuth for the broader OAuth model.
Tool catalogue (high level)
The exact list of tools is also discoverable at runtime via get_capabilities. The current toolset covers:
Most write tools accept MDX in content — call get_syntax_reference from the client to see the available components before authoring.
Limits
Tool calls count toward your plan's AI request quota when they trigger AI generation (e.g., create_documentation with a prompt, or any flow that invokes the docgen pipeline). Read-only tools (list, get, search) do not.
Refresh tokens have a long lifetime but can be revoked at any time from Connected Apps.
Per-request payload size limits match the dashboard API.
