Docs

MCP server reference

Hollahoop MCP server

A remote Model Context Protocol server that lets Claude, Cursor, ChatGPT, Codex, and anything else that speaks MCP read and write your Hollahoop workspace. No local install, no SDK, no bridge process — just a URL and a bearer token.

This page is the developer reference. For a guided overview, setup tabs and client-specific snippets, see hollahoop.app/mcp-server.

Endpoint

Field	Value
URL	`https://hollahoop.app/mcp`
Transport	HTTP + JSON-RPC 2.0
Protocol	MCP `2025-06-18`
Methods	`initialize`, `ping`, `tools/list`, `tools/call`
Auth	`Authorization: Bearer hh_live_<token>`
Alternate header	`x-hollahoop-key: hh_live_<token>` (same effect)

A plain GET https://hollahoop.app/mcp with Accept: application/json returns a self-describing manifest that lists every tool with its scope and description.

Authentication

Tokens are minted from any project under Settings → API keys. They look like hh_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (a hh_live_ prefix followed by 32 hex chars).

Every token:

Is scoped to a single Hollahoop organisation.
Carries one of two scopes: read or write. Read tokens can list and search; only write tokens may create posts, change statuses, comment, publish changelog entries, or upsert docs.
Acts as the user who created it for audit purposes — comments and changelog entries are attributed to that user.
Is hashed with SHA-256 at rest. The plaintext is shown once at creation, never again.

Revoke from the same settings page. Revocation takes effect on the next request — there is no caching layer in front of token validation.

Tools

Every tool is a JSON-RPC method named after the table below. Inputs are documented as JSON Schema in the tools/list response. Outputs are returned as structuredContent plus a pretty-printed text content block, per the MCP spec.

Read tools (require `read` scope)

Tool	What it does
`list_projects`	Every project the API key can see, scoped to the org.
`list_boards`	Boards on a project (e.g. `feature-requests`, `bugs`, `general`).
`list_statuses`	The full status workflow for a project, including custom ones.
`list_posts`	Posts on a project, optionally filtered by board and status. Sortable by votes, newest, or oldest.
`get_post`	A single post by id, with its full comment thread.
`list_changelog`	Changelog entries for a project, filterable by status (`draft` / `published`).
`list_docs`	Doc pages on a project, grouped by section, filterable by visibility.
`search`	Free-text search across posts, changelog and docs for a project.

Write tools (require `write` scope)

Tool	What it does
`create_post`	Create a new feedback / roadmap post. Defaults to `feature-requests` board and the project default status.
`update_post_status`	Move a post on the roadmap by changing its status (`open` → `planned` → `in_progress` → `shipped`).
`comment_on_post`	Reply on a post or to another comment. Author is the user who created the API key.
`publish_changelog`	Create a changelog entry. Pass `publish=false` to leave it as a draft.
`upsert_doc_page`	Create or update a docs page (project + slug). Body is Markdown; visibility is `public` or `internal`.

Examples

`initialize`

Sent automatically by every MCP client on connection. Returns the protocol version, server info and tool capabilities.

{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "initialize",
  "params": {}
}

`tools/list`

{
  "jsonrpc": "2.0",
  "id": 2,
  "method": "tools/list"
}

`tools/call`

{
  "jsonrpc": "2.0",
  "id": 3,
  "method": "tools/call",
  "params": {
    "name": "list_posts",
    "arguments": { "project": "hollahoop", "status": "planned", "limit": 10 }
  }
}

Errors

JSON-RPC error codes follow the spec for transport-level issues, plus two Hollahoop-specific codes for application-level failures.

Code	Meaning
`-32700`	Parse error — body was not valid JSON.
`-32600`	Invalid request — missing `jsonrpc` or `method`.
`-32601`	Method or tool not found.
`-32602`	Invalid params — Zod validation failed on a tool input.
`-32603`	Internal error.
`-32001`	Auth error — `data.code` is one of `missing_token`, `invalid_token`, `revoked_token`, `forbidden_scope`.
`-32002`	Tool error — `data.code` is `not_found`, `forbidden`, `db_error`, etc.

Setup

For copy-paste configs, see the setup tabs on the public page — they cover Cursor, Claude Code, Claude Desktop, ChatGPT, Codex and Windsurf.

The shape is the same everywhere:

{
  "mcpServers": {
    "hollahoop": {
      "url": "https://hollahoop.app/mcp",
      "headers": {
        "Authorization": "Bearer hh_live_<your_token>"
      }
    }
  }
}

Security notes

Treat MCP tokens like any other production secret. They live in agent config files on developer machines — rotate them when you rotate laptops, and revoke aggressively.
Prefer read scope for analyst / dashboard agents, and write scope only on agents you trust to draft and publish.
Every tool runs through the same Postgres tables as the dashboard, with the same row-level checks. There is no escape hatch around RLS.