These endpoints are only available when MCPJungle runs in enterprise mode. In development mode they return 403 Forbidden. Every endpoint on this page except GET /api/v0/users/whoami also requires the admin role.

MCPJungle distinguishes between two kinds of principals:
  • MCP clients — AI agents or automated systems that connect to the MCP proxy. Each client has a bearer token and an allow list of servers it may access.
  • Human users — people who authenticate with the REST API or CLI. Users have a role (admin or user) and their own bearer token.

MCP clients

GET /api/v0/clients

Lists all registered MCP clients. Access: admin only (enterprise mode)
cURL
curl http://localhost:8080/api/v0/clients \
  -H "Authorization: Bearer YOUR_ADMIN_TOKEN"
Response 200
[
  {
    "name": "coding-agent",
    "description": "VS Code Copilot integration",
    "access_token": "mcpj_abc123...",
    "is_custom_access_token": false,
    "allow_list": ["filesystem", "github"]
  }
]
  • name (string, required): Unique name of the MCP client.
  • description (string): Human-readable description.
  • access_token (string): Bearer token the client uses to authenticate. Treat this as a secret.
  • is_custom_access_token (boolean, required): true when the token was provided by the caller at creation time; false when MCPJungle generated it automatically.
  • allow_list (string[], required): Server names this client is permitted to access. Use ["*"] to allow all servers.
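Because this endpoint returns every client's token and allow list in clear text, its output is a natural input for a periodic access review. The following added example (not MCPJungle code) flags wildcard allow lists, short caller-supplied tokens and undocumented clients in a constructed sample response; the 32-character threshold and the wording of the findings are assumptions, and the report deliberately leaves token values out.

```python
import json

# Constructed sample shaped like a GET /api/v0/clients response (not real data).
SAMPLE_RESPONSE = """[
  {"name": "coding-agent", "description": "VS Code Copilot integration",
   "access_token": "mcpj_constructed_generated_token_0001",
   "is_custom_access_token": false, "allow_list": ["filesystem", "github"]},
  {"name": "ops-bot", "description": "",
   "access_token": "changeme", "is_custom_access_token": true,
   "allow_list": ["*"]}
]"""

MIN_CUSTOM_TOKEN_LEN = 32  # assumption: local policy, not an MCPJungle rule


def audit_clients(clients):
    """Return one report row per client; rows never contain the raw token."""
    report = []
    for client in clients:
        findings = []
        # "*" covers servers registered later as well, so it deserves a review.
        if "*" in client.get("allow_list", []):
            findings.append("wildcard allow_list (all current and future servers)")
        # Only caller-supplied tokens are checked; generated ones are left alone.
        token = client.get("access_token", "")
        if client.get("is_custom_access_token") and len(token) < MIN_CUSTOM_TOKEN_LEN:
            findings.append(f"custom token shorter than {MIN_CUSTOM_TOKEN_LEN} chars")
        if not client.get("description"):
            findings.append("no description, owner unclear")
        report.append({"name": client["name"], "findings": findings})
    return report


if __name__ == "__main__":
    for row in audit_clients(json.loads(SAMPLE_RESPONSE)):
        print(json.dumps(row))
```

Feed it the parsed body of a real response in place of the sample, and keep the raw response out of logs and tickets.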

POST /api/v0/clients

Creates a new MCP client and issues it a bearer token. Access: admin only (enterprise mode)
  • name (string, required): Unique name for the client.
  • description (string): Optional human-readable description.
  • allow_list (string[], required): List of server names the client may access. Pass ["*"] to grant access to all current and future servers.
  • access_token (string): Custom bearer token to assign. If omitted, MCPJungle generates a secure token automatically. Avoid hard-coding tokens in production; use a secret manager instead.
cURL
curl -X POST http://localhost:8080/api/v0/clients \
  -H "Authorization: Bearer YOUR_ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "coding-agent",
    "description": "VS Code Copilot integration",
    "allow_list": ["filesystem", "github"]
  }'
Response 201 — The created client object, same shape as an item from GET /api/v0/clients. The access_token field is populated and should be recorded now. It is not masked on subsequent reads: GET /api/v0/clients keeps returning it in clear text to admin callers.

PUT /api/v0/clients/:name

Replaces the configuration of an existing MCP client. All fields in the body overwrite the current values. Access: admin only (enterprise mode)
  • name (string, required, in path): Name of the client to update.
The request body accepts the same fields as POST /api/v0/clients. The name field in the body is ignored — the path parameter is authoritative.
cURL
curl -X PUT http://localhost:8080/api/v0/clients/coding-agent \
  -H "Authorization: Bearer YOUR_ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "allow_list": ["filesystem", "github", "jira"],
    "description": "VS Code Copilot integration — expanded access"
  }'
Response 200 — The updated client object.

DELETE /api/v0/clients/:name

Deletes an MCP client. Its bearer token is immediately invalidated; any in-flight requests using that token will fail. Access: admin only (enterprise mode)
  • name (string, required, in path): Name of the client to delete.
cURL
curl -X DELETE http://localhost:8080/api/v0/clients/coding-agent \
  -H "Authorization: Bearer YOUR_ADMIN_TOKEN"
Response 204 — No content.

Human users

POST /api/v0/users

Creates a new human user and issues a bearer token. Users are assigned the user role by default and have read-plus-invoke access. Access: admin only (enterprise mode)
  • username (string, required): Unique username for the new user.
  • role (string): Role to assign. Accepted values: admin, user. Defaults to user.
  • access_token (string): Custom bearer token. If omitted, MCPJungle generates one automatically.
cURL
curl -X POST http://localhost:8080/api/v0/users \
  -H "Authorization: Bearer YOUR_ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "alice",
    "role": "user"
  }'
Response 201
  • username (string, required): Username of the newly created user.
  • role (string, required): Assigned role, "admin" or "user".
  • access_token (string, required): Bearer token the user authenticates with. Record it now; there is no way to retrieve it again without rotating it.
{
  "username": "alice",
  "role": "user",
  "access_token": "mcpj_u_xyz789..."
}

GET /api/v0/users

Lists all users. Access tokens are not included in list responses. Access: admin only (enterprise mode)
cURL
curl http://localhost:8080/api/v0/users \
  -H "Authorization: Bearer YOUR_ADMIN_TOKEN"
Response 200
[
  { "username": "alice", "role": "user" },
  { "username": "bob",   "role": "admin" }
]
  • username (string, required): Username of the user.
  • role (string, required): Role assigned to the user.

PUT /api/v0/users/:username

Updates a user’s configuration. You can use this to rotate the access token or change the role. Access: admin only (enterprise mode)
Path parameter
  • username (string, required, in path): Username of the user to update.
Request body
  • username (string): New username. Omit to keep the existing username.
  • role (string): New role. admin or user.
  • access_token (string): New bearer token. If omitted, the existing token is kept.
cURL
# Change alice's role to admin. No access_token is sent, so her existing token is kept;
# add "access_token" to the body to rotate it.
curl -X PUT http://localhost:8080/api/v0/users/alice \
  -H "Authorization: Bearer YOUR_ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "alice",
    "role": "admin"
  }'
Response 200 — Same shape as the POST /api/v0/users response, including the (possibly new) access_token.
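The cURL request above does not send access_token, so a rotation looks like the following added example (not part of MCPJungle or its documentation): it generates a random token, sends it with PUT, and confirms it through whoami. The MCPJUNGLE_ADMIN_TOKEN variable name, the injectable send parameter and the assumption that MCPJungle accepts an arbitrary token string are assumptions of this example.

```python
import json
import os
import secrets
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:8080"  # host used by the page's cURL examples


def http_send(method, path, token, body=None):
    """Send one authenticated JSON request and return the decoded response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def rotate_user_token(username, role, admin_token, send=http_send):
    """Assign a fresh random token to `username` and confirm it authenticates."""
    # 32 random bytes from the OS CSPRNG; token format is assumed unconstrained.
    new_token = secrets.token_urlsafe(32)
    path = "/api/v0/users/" + urllib.parse.quote(username, safe="")
    # role is resent explicitly: the page does not say what omitting it does.
    send("PUT", path, admin_token,
         {"username": username, "role": role, "access_token": new_token})
    # whoami with the new token proves the rotation took effect.
    me = send("GET", "/api/v0/users/whoami", new_token)
    if me.get("username") != username or me.get("role") != role:
        raise RuntimeError(f"rotation of {username!r} not confirmed by whoami")
    return new_token


if __name__ == "__main__":
    # Admin token comes from the environment (hypothetical name), not from source.
    admin = os.environ.get("MCPJUNGLE_ADMIN_TOKEN")
    if admin:
        rotate_user_token("alice", "user", admin)  # hand the result to a secret manager
        print("rotated; new token returned to caller, not printed")
    else:
        print("set MCPJUNGLE_ADMIN_TOKEN to run against a live server")
```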

DELETE /api/v0/users/:username

Deletes a user. Their bearer token is immediately revoked. Access: admin only (enterprise mode)
  • username (string, required, in path): Username of the user to delete.
cURL
curl -X DELETE http://localhost:8080/api/v0/users/alice \
  -H "Authorization: Bearer YOUR_ADMIN_TOKEN"
Response 204 — No content.

GET /api/v0/users/whoami

Returns the identity of the currently authenticated user. Useful for verifying that a token is valid and checking the assigned role. Access: any authenticated user (enterprise mode)
cURL
curl http://localhost:8080/api/v0/users/whoami \
  -H "Authorization: Bearer YOUR_TOKEN"
Response 200
{
  "username": "alice",
  "role": "user"
}
  • username (string, required): Username associated with the provided token.
  • role (string, required): Role of the authenticated user.
/api/v0/users/whoami is the only user endpoint accessible to non-admin users. All other /api/v0/users endpoints require the admin role.