AISARAISAR

MCP server

Connect an AI agent to your AISAR workspace over the Model Context Protocol.

AISAR exposes a Model Context Protocol server — this lets any MCP-capable AI client (Claude Code, claude.ai, Cursor, and others) work with your workspace through self-describing tools, without hand-writing an integration against every REST endpoint.

Endpoint and authentication

The server speaks Streamable HTTP:

text
POST https://mcp.aisar.app/mcp/company

Authentication uses the same company API token as the REST API (created in the cabinet: Settings → Systems → API, requires the Business plan), sent in the Authorization header:

text
Authorization: Bearer 123|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The server only accepts service-account tokens — the same tokens the REST API uses. Mobile session, embed-widget, and browser-session tokens are rejected. An active company subscription is also required.

Transport is Bearer-only — there is no cookie/session path and no OAuth flow. A request without a valid token gets 401; a token of the wrong class gets 401/403.

Connecting a client

Claude Code

bash
claude mcp add --transport http aisar https://mcp.aisar.app/mcp/company \
  --header "Authorization: Bearer YOUR_API_TOKEN"

claude.ai

Settings → Connectors → Add custom connector, URL https://mcp.aisar.app/mcp/company, header Authorization: Bearer YOUR_API_TOKEN.

Generic MCP client (e.g. Cursor)

json
{
  "mcpServers": {
    "aisar": {
      "url": "https://mcp.aisar.app/mcp/company",
      "headers": {
        "Authorization": "Bearer YOUR_API_TOKEN"
      }
    }
  }
}

After connecting, call the whoami tool first — it confirms which company the token maps to.

Server tools

Documentation

These read the platform's live documentation straight from the server — answers are always in sync with the latest deploy.

ToolPurpose
list_docsList available documents
list_doc_sectionsA document's section headings
get_docA whole document, or one section
search_docsFull-text search across the docs
list_webhook_eventsThe platform's webhook event catalogue
get_webhook_payload_specThe exact payload spec for one event
lookup_error_codeExplanation of a WhatsApp Cloud (Meta) error code, e.g. 131047

Reads

ToolArguments
whoami
list_channelsstatus?, type?, page, per_page
list_funnels
list_dealsfunnel_id?, stage_id?, status?, search?, page
get_dealdeal_id
search_contactsquery, page
get_contactcontact_id
list_conversationsstatus?, channel_id?, assigned_to_me?, search?, page
get_conversationconversation_id
search_messagesquery (rate-limited)
list_templateschannel_id?, language?, sendable_only?
list_broadcasts / get_broadcast—, broadcast_id
get_dashboard_summaryperiod? (today/7d/30d)

Every response uses an explicit field allow-list — channel credentials, provider keys, integration secrets, tokens and passwords are never returned.

Writes

Every write tool enforces the matching permission, is scoped to the token's company, and is audited.

ToolArguments
send_messageconversation_id, text
send_template_messagechannel_id, contact_id\|conversation_id, template_id, variables?
create_contact / update_contactcontact fields
add_internal_noteconversation_id, text
assign_conversationconversation_id, user_id\|team_id
close_conversationconversation_id
create_deal / update_dealdeal fields (stage_id must belong to the funnel)
move_deal_stagedeal_id, stage_id
create_deal_notedeal_id, text

Webhook self-service

ToolArguments
list_integrations
create_webhook_integrationurl, events[], signing_secret?
test_webhookintegration_id\|url
get_webhook_deliveriesintegration_id

The webhook URL passes the same SSRF guard as the REST integration-creation endpoint (private/loopback/link-local/metadata addresses are refused, including DNS-rebinding and encoded-IP forms); there is a per-company cap on the number of integrations; event names are validated against the platform's event catalogue.

Limits & behaviour

  • Rate limits (per token, per company): search_messages — 30/min, send_message and send_template_message — 60/min, create_webhook_integration — 10/min, documentation tools — 120/min.
  • Pagination: per_page is capped at 50.
  • No bulk send: messaging tools only reach an existing conversation or a single contact — there is no mass-broadcast surface here (use the Broadcasts feature in the cabinet for that).
  • Untrusted content: message bodies, contact names and notes returned by these tools are third-party data, not instructions for the model.

Troubleshooting

SymptomCause / fix
401 UnauthorizedThe token is missing or invalid.
403 ForbiddenThe token is not a service-account API token (e.g. a mobile/embed token), or the subscription is inactive / the api feature is off.
A tool returns "not found" for an id that existsThe id belongs to a different company — tenancy is enforced on every argument.
"Rate limit exceeded"A per-tool limit was exceeded (see "Limits & behaviour") — retry shortly.