Skip to main content
The Vings Model Context Protocol server is exposed at:
POST https://external.vin.gs/api/mcp
Send JSON-RPC 2.0 requests with the same bearer token as REST. See Authentication.

Transport (OpenAPI)

OpenAPI documents the HTTP transport, not each tool’s parameters:
MethodRole
initializeSession setup
notifications/initializedClient notification (HTTP 202, no body)
tools/listList readonly tools with inputSchema and outputSchema
tools/callInvoke a tool
GET /api/mcp returns 405 — use POST with a JSON-RPC body. Per-tool input and output JSON Schemas are returned only from tools/list (outputSchema uses JSON Schema draft 2020-12 for validating structuredContent from tools/call). Tool descriptors also include OAuth securitySchemes for ChatGPT linking. They are intentionally not duplicated in OpenAPI.

V1 tools (readonly)

ToolPurpose
search_transactionsTransaction search
get_cashflow_summaryCashflow summary
get_spending_by_categorySpending by category
get_top_merchantsTop merchants
detect_recurring_paymentsRecurring payments
get_budget_summaryBudget summary
list_budget_categoriesBudget categories
get_connected_banks_statusBank connection status
get_portfolio_snapshotPortfolio snapshot
get_portfolio_historyPortfolio history
get_preferencesUser preferences
Scopes on the bearer token must allow the data each tool reads.

Test locally

From packages/external, run the API (for example bun run dev), then use MCP Inspector:
bunx @modelcontextprotocol/inspector
Point the server URL at http://localhost:<port>/api/mcp and set:
Authorization: Bearer <access-token>
Production smoke check (expect 401 without a token):
curl -sS -o /dev/null -w "%{http_code}\n" -X POST https://external.vin.gs/api/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}'

OAuth for ChatGPT and Claude

Discovery URLs:
  • GET /.well-known/oauth-protected-resource
  • GET /api/.well-known/oauth-protected-resource/mcp
  • GET /.well-known/oauth-authorization-server (includes offline_access for refresh tokens)
  • GET /.well-known/openid-configuration
ChatGPT app domain verification (hostname root, not under /api):
  • GET /.well-known/openai-apps-challenge
Authorize requests go through GET /api/oauth/authorize on the external host, which forwards to Supabase after removing offline_access. Token exchange and refresh use Supabase’s token_endpoint directly. After updating OAuth discovery, delete and recreate the ChatGPT connector so cached metadata is refreshed (OpenAI connector OAuth guidance). Shared AI connectors use known_mcp OAuth clients provisioned from the Vings server package; register redirect URIs per the OpenAI Apps SDK auth guide.