Skip to main content

Client integration

Coding Tools MCP can be launched by a client over stdio or reached over HTTP at /mcp. Choose stdio for local editor-style integrations and HTTP for long-running local or remote services.

Stdio client configuration

Use this pattern when the client starts the server process: 
{
  "mcpServers": {
    "coding-tools": {
      "command": "coding-tools-mcp",
      "args": ["--stdio", "--workspace", "/path/to/workspace"]
    }
  }
}
Stdio does not use Bearer auth because the client owns the subprocess. The workspace should be the project directory the model is allowed to inspect and modify.

HTTP client configuration

Start the server: 
coding-tools-mcp --workspace /path/to/workspace --host 127.0.0.1 --port 8000
Then point the client at: 
http://127.0.0.1:8000/mcp
For remote or non-loopback HTTP, add auth: 
export CODING_TOOLS_MCP_AUTH_TOKEN="replace-with-a-strong-token"
coding-tools-mcp --workspace /repo --host 0.0.0.0 --port 8000 --auth-token "$CODING_TOOLS_MCP_AUTH_TOKEN"
The client must send: 
Authorization: Bearer replace-with-a-strong-token

OAuth mode

For clients that support OAuth 2.1 Authorization Code + PKCE, enable: 
coding-tools-mcp --host 0.0.0.0 --port 8000 --oauth-mode
Useful environment variables include CODING_TOOLS_MCP_SERVER_URL, CODING_TOOLS_MCP_OAUTH_CLIENT_ID, CODING_TOOLS_MCP_OAUTH_CLIENT_SECRET, CODING_TOOLS_MCP_OAUTH_PASSWORD, and CODING_TOOLS_MCP_OAUTH_TOKEN_SECRET. The server exposes OAuth metadata through the standard well-known endpoints when OAuth is enabled.

Tool discovery

After initialize, clients should call tools/list. The active tool set depends on --tool-profile:
  • full exposes all implemented tools.
  • read-only hides mutating and permission-changing tools.
  • compat-readonly-all is for compatibility with clients that require readOnlyHint: true annotations.

Session behavior

HTTP responses include an Mcp-Session-Id header. If a later request sends an unknown Mcp-Session-Id, the server returns an unknown-session error. Stdio sessions are tied to the subprocess lifetime.
  • Prefer --stdio for single-workspace local usage.
  • Prefer HTTP plus Bearer token or OAuth for a persistent service.
  • Start with --tool-profile read-only for inspection-only clients.
  • Use --permission-mode trusted only when the client needs to run local development commands that safe mode blocks.
  • Avoid dangerous unless the whole server is already inside an external sandbox.