sp00ky Logo
Github|...

MCP Server

The Sp00ky Cloud MCP server lets any Model Context Protocol client — Claude Code, Cursor, VS Code, and others — drive your Sp00ky Cloud account in natural language. Your AI assistant can list projects, deploy, tail logs, manage environment variables, trigger backups, and more — all through the same API the spky CLI uses.

It’s a remote server hosted at https://api.sp00ky.cloud/v1/mcp (Streamable HTTP), authenticated with a dedicated MCP token. Nothing to install or run locally.

Quick start

Get connected in under a minute.

Bash 
# 1. Log in (skip if you already have)
spky login

# 2. Create a token and add the server to your editor
spky mcp token

spky mcp token walks you through picking scopes (default: read-only), prints your token once, and offers to register the server with your editor automatically. Then just ask your assistant:

“List my Sp00ky projects.”

Auto-install

When the claude CLI is on your PATH, spky mcp token runs claude mcp add for you. For other editors it prints a ready-to-paste config.

Add to your editor

Already have a token? Use spky mcp install, or drop the config in by hand.

Bash 
# Auto-detects the editor and registers the server.
# Prompts for a token if you don't pass one.
spky mcp install
spky mcp install --token mcp_live_xxx --client cursor

Claude Code

Register the server at user scope (available in every project):

Bash 
claude mcp add --transport http spooky-cloud \
  https://api.sp00ky.cloud/v1/mcp \
  --header "Authorization: Bearer mcp_live_xxx" \
  --scope user

Verify it’s connected:

Bash 
claude mcp list

Cursor

Add to ~/.cursor/mcp.json (global) or .cursor/mcp.json (per project):

~/.cursor/mcp.json
JSON 
{
  "mcpServers": {
    "spooky-cloud": {
      "url": "https://api.sp00ky.cloud/v1/mcp",
      "headers": { "Authorization": "Bearer mcp_live_xxx" }
    }
  }
}

VS Code

Add to .vscode/mcp.json in your workspace:

.vscode/mcp.json
JSON 
{
  "servers": {
    "spooky-cloud": {
      "type": "http",
      "url": "https://api.sp00ky.cloud/v1/mcp",
      "headers": { "Authorization": "Bearer mcp_live_xxx" }
    }
  }
}

Any MCP client

The server speaks Streamable HTTP. Point any client at the endpoint and send the token as a bearer header:

Bash 
URL:     https://api.sp00ky.cloud/v1/mcp
Header:  Authorization: Bearer mcp_live_xxx
Transport: Streamable HTTP

Tokens

MCP access uses dedicated mcp_live_ tokens — separate from your CLI session and from spk_live_ API keys, so you can issue and revoke them independently. Create them with spky mcp token:

Bash 
# Read-only token (recommended default)
spky mcp token --read-only --name "claude-laptop"

# Pick exact scopes, skip the prompts, and auto-install
spky mcp token --scopes mcp:read,deployments:write --name "ci-bot" --install

# Full access including the ability to read secret values
spky mcp token --scopes mcp:full,secrets:reveal
Copy it now

The full token is shown only once, right after creation. Store it like a password — if you lose it, revoke it and create a new one.

List and revoke tokens at any time:

Bash 
# List your MCP tokens
spky mcp tokens

# Revoke one by ID
spky mcp revoke <token-id>
FlagDescription
--read-onlyShortcut for the mcp:read scope
--scopesComma-separated scopes, skips the interactive picker
--nameA label so you can tell tokens apart in spky mcp tokens
--installRegister the server with an editor right after creating the token
--clientWhich editor to register with: claude, cursor, or vscode
--yesNon-interactive (read-only unless --scopes is given)

Scopes & safety

Tokens are read-only by default — your assistant can look but not touch until you grant write scopes. Each tool requires a single scope, and the server only advertises the tools your token is allowed to use.

ScopeGrants
projects:read / projects:writeList/inspect projects · create, destroy
deployments:read / deployments:writeDeployment status · deploy, rollback, restart, scale, tear down
logs:readRead recent project logs
env:read / env:writeList variables · set, delete, bulk-load
vault:read / vault:writeVault status · init, CI access
backups:read / backups:writeList/inspect backups · create, restore, delete, configure
domains:read / domains:writeList custom domains · add, remove
links:read / links:writeRepo link status & runs · set up, trigger, unlink
tenants:read / tenants:writeList teams & members · create, invite, manage
billing:read / billing:writeUsage · checkout, change plan, billing portal
mcp:readConvenience: every *:read scope
mcp:fullConvenience: every read and write scope (excludes secrets:reveal)
secrets:revealUnmask secret values (env values, vault material)
Secrets are masked by default

Environment variable values and vault material are redacted in tool responses unless the token carries secrets:reveal. Grant it only when you intend the assistant to read raw secrets — and never to mcp:full alone, which deliberately does not include it.

What your assistant can do

Once connected, these capabilities are available (gated by the scopes above). Tools marked destructive delete or tear down resources.

  • Projects — list, get details, create, destroy
  • Deployments — status, deploy, finalize, rollback, restart, scale, tear down
  • Logs — fetch recent project logs (bounded, non-streaming)
  • Environment variables — list, set, delete, bulk-load
  • Vault — status, init, enable/disable CI access
  • Backups — list, create, restore, check restore status, delete, configure, reset
  • Custom domains — list, add, remove
  • Repo links — status, recent runs, set up, update, trigger a build, unlink
  • Teams — list teams & members, create, invite, remove members/invitations
  • Billing — usage, checkout, change plan, billing portal

By default tools act in your personal tenant. Most tools accept an optional tenant_id to act within a specific team/organization.

Example prompts

Things you can ask once the server is connected:

  • “Deploy the latest build of my api project.”
  • “Show me the last 200 log lines for web, filtered to the ssp service.”
  • “What environment variables are set on api? (values stay masked)”
  • “Restart web and then tell me its deployment status.”
  • “List the backups for api and create a fresh one.”

Troubleshooting

  • 401 Unauthorized — the token is missing, malformed, or expired. Mint a new one with spky mcp token and re-add it. The header must be exactly Authorization: Bearer mcp_live_….
  • No tools show up — your token’s scopes are too narrow. Create a token with mcp:read (or mcp:full for writes). The server only lists tools your scopes allow.
  • claude: command not found — install the Claude Code CLI, or paste the claude mcp add … command / editor config manually (see Add to your editor).
  • Secret values come back as ***REDACTED — that’s expected without secrets:reveal. Issue a token with that scope if the assistant genuinely needs raw secrets.

You can sanity-check connectivity from a terminal:

Bash 
curl -s https://api.sp00ky.cloud/v1/mcp \
  -H "Authorization: Bearer mcp_live_xxx" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'