Resources

OpenAPI to MCP

OpenAPI to MCP: how to turn REST APIs into agent-ready tools

A practical guide to converting Swagger/OpenAPI operations into MCP tools with gateway-side auth, curation, and observability.

7 min readUpdated 2026-06-26
OpenAPISwaggerMCP toolsAI agents

Written by RTT Intelligence Engineering

Technical notes from the team building governed MCP surfaces for OpenAPI APIs and database scopes.

Reviewed for practical implementation

Focused on usable architecture, security boundaries, and production tradeoffs rather than generic definitions.

What OpenAPI to MCP means

OpenAPI to MCP turns HTTP API operations into tools that MCP-compatible AI clients can discover and call.

The Gateway reads a Swagger/OpenAPI JSON or YAML document, creates operation-derived tool definitions, and exposes the approved tools through an MCP endpoint.

The important part is not only generation. A production MCP surface also needs tool curation, server-side credential handling, limits, logging, and clear descriptions that make tools agent-ready.

Recommended publish flow

Treat generated tools as a draft catalog, then publish only the operations an AI workflow should use.

  • Import the OpenAPI source URL and let the Gateway resolve operation metadata.
  • Review generated tools before exposing them to MCP clients.
  • Hide broad, destructive, or irrelevant operations.
  • Edit descriptions so each tool explains its purpose, inputs, and safe use case.
  • Connect Claude, Cursor, VS Code, Gateway Chat, or another MCP client to the published MCP URL.

Security model

MCP clients should not receive broad upstream API credentials.

In the recommended setup, clients authenticate to the Gateway. The Gateway applies integration state, account limits, tool publication state, upstream credential policy, and redacted logging before forwarding requests to the REST API.

This keeps the OpenAPI source useful for AI workflows without turning local client configuration or prompts into the security boundary.

When this approach fits

OpenAPI to MCP works best when an organization already has useful REST APIs and needs a governed AI-facing tool layer.

Use caseWhy OpenAPI to MCP helps
Internal operations APIsExpose selected support, order, ticketing, or workflow operations without distributing broad API keys.
Customer-facing SaaS APIsShip an MCP endpoint while keeping quota, plan, and tool-level governance in the Gateway.
Developer demosTurn public OpenAPI specs into working MCP surfaces for prototypes and agent evaluations.

Common questions

Does every OpenAPI endpoint become a public MCP tool?

No. The Gateway can generate operation-derived tools, but the published MCP surface should be curated. Unsafe or unnecessary operations can be hidden.

What makes a tool description agent-ready?

An agent-ready description states what the tool does, when to use it, which inputs matter, and what constraints apply. Clear descriptions help MCP clients choose the correct operation.

Do MCP clients need the upstream API key?

No. Clients authenticate to the Gateway. Upstream credentials are handled server-side by the Gateway in the recommended flow.