Business API
Business MCP
Where the partner GraphQL API authenticates a server-to-server integration with a scoped key, the business MCP server lets an AI assistant act as you — the signed-in staff member — running the same tools a staffer would over the Model Context Protocol.
Tools
The assistant runs staff tools against your business:
list_activitiesupcoming_sessionssession_attendancebusiness_statscreate_sessioncancel_sessionAuthentication
Access is over OAuth — there's no API key. The token resolves to your user with your real staff permissions, so the business schema still enforces your role; the token is an access path, never an escalation.
The OAuth handshake — discovery, registration, PKCE, consent — is shared across both MCP servers. OAuth reference
Consumer (end-user) access over MCP uses the mcp:account scope on the public server — see the public MCP guide. See the public MCP guide
# 1. An unauthenticated MCP request is challenged:
# HTTP/1.1 401 Unauthorized
# WWW-Authenticate: Bearer resource_metadata="https://business.sessions.website/.well-known/oauth-protected-resource"
# 2. After discovery, registration, and consent, call with the token:
curl https://business.sessions.website/@<handle>/api/mcp \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <mcp-access-token>' \
--data '{"jsonrpc":"2.0","id":1,"method":"tools/call",
"params":{"name":"upcoming_sessions","arguments":{}}}'