Overview

The Model Context Protocol (MCP) server enables integration with the ChatGPT Apps SDK, allowing ChatGPT to search your product catalog and interact with your offerings.

Base URL

https://api.hibonsai.com/mcp

Protocol Version

The MCP server implements protocol version: 2025-03-26

Authentication

MCP requests require authentication via an API key in the X-API-Key header:
X-API-Key: YOUR_API_KEY_HERE
Keep API keys server-side only. Do not expose keys in browser client code.

Endpoints

Main MCP Endpoint

GET /mcp
Server-Sent Events (SSE) initialization.
POST /mcp
JSON-RPC message handling.

Messages Endpoint

GET /mcp/messages
Session initialization for message stream handling.
POST /mcp/messages
Session-based MCP JSON-RPC message handling.

Organization-Specific Endpoint

GET /mcp/org/{organization_id}/
Organization-specific MCP endpoint that uses the organization ID from the URL path.
POST /mcp/org/{organization_id}/

JSON-RPC Methods

The MCP server implements the following JSON-RPC 2.0 methods:

initialize

Initialize the MCP connection.

tools/list

List available tools.

tools/call

Execute a tool.

resources/list

List available resources.

resources/read

Read a resource by URI.

Available Tools

The MCP server provides the following tools:
Search for products and offerings using natural language queries.
Input:
  • question (string, required): The search query or question
Output:
  • Returns search results with products and structured content for widget rendering

List all available offerings without a search query.
Input: None
Output:
  • Returns all available products

Initiate express checkout for a single product.
Input:
  • product_id (string, required): The product ID
Output:
  • Returns checkout information

CORS Support

The MCP server supports CORS (Cross-Origin Resource Sharing) with the following headers:
  • Access-Control-Allow-Origin: *
  • Access-Control-Allow-Methods: GET, POST, OPTIONS
  • Access-Control-Allow-Headers: Content-Type, Accept, MCP-Protocol-Version, X-API-Key, Origin

Error Handling

MCP endpoints return JSON-RPC 2.0 error objects:
{
  "jsonrpc": "2.0",
  "id": 1,
  "error": {
    "code": -32603,
    "message": "Internal error",
    "data": {}
  }
}
Common JSON-RPC error codes:
  • -32700: Parse error
  • -32600: Invalid Request
  • -32601: Method not found
  • -32602: Invalid params
  • -32603: Internal error
  • -32000 to -32099: Server-defined errors

Rate Limiting

API requests are rate limited per organization. If you exceed your rate limit, you’ll receive a 429 Too Many Requests response. Rate limits are configured per customer account. Contact your Customer Success Manager (CSM) for information about your account’s rate limits.
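
A server-side caller that ties together the Authentication, Error Handling and Rate Limiting sections, as an added example that is not code from this API's vendor. It assumes the key is stored in an environment variable named MCP_API_KEY (a hypothetical name) and that POST /mcp replies with a plain JSON body.

```python
import json
import os
import urllib.error
import urllib.request

MCP_URL = "https://api.hibonsai.com/mcp"  # Base URL given on this page

class McpError(Exception):
    """A JSON-RPC 2.0 error object returned by the server."""
    def __init__(self, code, message, data=None):
        super().__init__(f"JSON-RPC error {code}: {message}")
        self.code, self.data = code, data

class RateLimited(Exception):
    """HTTP 429 Too Many Requests."""

def build_request(method, params=None, request_id=1, api_key=None):
    """Build POST /mcp. The key comes from the server's environment, never from client code."""
    api_key = api_key or os.environ["MCP_API_KEY"]  # assumed variable name
    body = {"jsonrpc": "2.0", "id": request_id, "method": method}
    if params is not None:
        body["params"] = params
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "X-API-Key": api_key}
    return urllib.request.Request(MCP_URL, data=json.dumps(body).encode(),
                                  headers=headers, method="POST")

def parse_response(status, raw, request_id=1):
    """Return the JSON-RPC result; raise on 429, on an error object, or on an id mismatch."""
    if status == 429:
        raise RateLimited("rate limit exceeded; back off before retrying")
    msg = json.loads(raw)
    if msg.get("jsonrpc") != "2.0":
        raise ValueError("not a JSON-RPC 2.0 message")
    if "error" in msg:  # checked before the id: JSON-RPC allows a null id on errors
        err = msg["error"]
        raise McpError(err["code"], err["message"], err.get("data"))
    if msg.get("id") != request_id:
        raise ValueError("response id does not match the request id")
    return msg["result"]

def call(method, params=None, request_id=1):
    """Send one request and parse the reply (needs network access and a valid key)."""
    req = build_request(method, params, request_id)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_response(resp.status, resp.read(), request_id)
    except urllib.error.HTTPError as exc:  # non-2xx, including 429
        return parse_response(exc.code, exc.read(), request_id)
```

With the key set in the environment, `call("tools/list")` returns the tool list or raises `McpError` or `RateLimited`.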

Support

For API support, integration assistance, or to request additional features, contact your Customer Success Manager.