Transport (OpenAPI)
OpenAPI documents the HTTP transport, not each tool’s parameters:| Method | Role |
|---|---|
initialize | Session setup |
notifications/initialized | Client notification (HTTP 202, no body) |
tools/list | List readonly tools with inputSchema and outputSchema |
tools/call | Invoke a tool |
GET /api/mcp returns 405 — use POST with a JSON-RPC body.
Per-tool input and output JSON Schemas are returned only from tools/list (outputSchema uses JSON Schema draft 2020-12 for validating structuredContent from tools/call). Tool descriptors also include OAuth securitySchemes for ChatGPT linking. They are intentionally not duplicated in OpenAPI.
V1 tools (readonly)
| Tool | Purpose |
|---|---|
search_transactions | Transaction search |
get_cashflow_summary | Cashflow summary |
get_spending_by_category | Spending by category |
get_top_merchants | Top merchants |
detect_recurring_payments | Recurring payments |
get_budget_summary | Budget summary |
list_budget_categories | Budget categories |
get_connected_banks_status | Bank connection status |
get_portfolio_snapshot | Portfolio snapshot |
get_portfolio_history | Portfolio history |
get_preferences | User preferences |
Test locally
Frompackages/external, run the API (for example bun run dev), then use MCP Inspector:
http://localhost:<port>/api/mcp and set:
OAuth for ChatGPT and Claude
Discovery URLs:GET /.well-known/oauth-protected-resourceGET /api/.well-known/oauth-protected-resource/mcpGET /.well-known/oauth-authorization-server(includesoffline_accessfor refresh tokens)GET /.well-known/openid-configuration
/api):
GET /.well-known/openai-apps-challenge
GET /api/oauth/authorize on the external host, which forwards to Supabase after removing offline_access. Token exchange and refresh use Supabase’s token_endpoint directly.
After updating OAuth discovery, delete and recreate the ChatGPT connector so cached metadata is refreshed (OpenAI connector OAuth guidance).
Shared AI connectors use known_mcp OAuth clients provisioned from the Vings server package; register redirect URIs per the OpenAI Apps SDK auth guide.