What OpenAPI to MCP means
OpenAPI to MCP turns HTTP API operations into tools that MCP-compatible AI clients can discover and call.
The Gateway reads a Swagger/OpenAPI JSON or YAML document, creates operation-derived tool definitions, and exposes the approved tools through an MCP endpoint.
The important part is not only generation. A production MCP surface also needs tool curation, server-side credential handling, limits, logging, and clear descriptions that make tools agent-ready.
Recommended publish flow
Treat generated tools as a draft catalog, then publish only the operations an AI workflow should use.
- Import the OpenAPI source URL and let the Gateway resolve operation metadata.
- Review generated tools before exposing them to MCP clients.
- Hide broad, destructive, or irrelevant operations.
- Edit descriptions so each tool explains its purpose, inputs, and safe use case.
- Connect Claude, Cursor, VS Code, Gateway Chat, or another MCP client to the published MCP URL.
Security model
MCP clients should not receive broad upstream API credentials.
In the recommended setup, clients authenticate to the Gateway. The Gateway applies integration state, account limits, tool publication state, upstream credential policy, and redacted logging before forwarding requests to the REST API.
This keeps the OpenAPI source useful for AI workflows without turning local client configuration or prompts into the security boundary.
When this approach fits
OpenAPI to MCP works best when an organization already has useful REST APIs and needs a governed AI-facing tool layer.
| Use case | Why OpenAPI to MCP helps |
|---|---|
| Internal operations APIs | Expose selected support, order, ticketing, or workflow operations without distributing broad API keys. |
| Customer-facing SaaS APIs | Ship an MCP endpoint while keeping quota, plan, and tool-level governance in the Gateway. |
| Developer demos | Turn public OpenAPI specs into working MCP surfaces for prototypes and agent evaluations. |
Common questions
Does every OpenAPI endpoint become a public MCP tool?
No. The Gateway can generate operation-derived tools, but the published MCP surface should be curated. Unsafe or unnecessary operations can be hidden.
What makes a tool description agent-ready?
An agent-ready description states what the tool does, when to use it, which inputs matter, and what constraints apply. Clear descriptions help MCP clients choose the correct operation.
Do MCP clients need the upstream API key?
No. Clients authenticate to the Gateway. Upstream credentials are handled server-side by the Gateway in the recommended flow.