Skip to content

Business API

Business MCP

Where the partner GraphQL API authenticates a server-to-server integration with a scoped key, the business MCP server lets an AI assistant act as you — the signed-in staff member — running the same tools a staffer would over the Model Context Protocol.

Endpoint/@<handle>/api/mcpTransportStreamable HTTPScopemcp:business

Tools

The assistant runs staff tools against your business:

list_activities
List the business's activities.
upcoming_sessions
List upcoming scheduled sessions.
session_attendance
See a session's registrations and attendance.
business_stats
Summary stats across upcoming sessions.
create_session
Schedule a new session.
cancel_session
Cancel a scheduled session.

Authentication

Access is over OAuth — there's no API key. The token resolves to your user with your real staff permissions, so the business schema still enforces your role; the token is an access path, never an escalation.

mcp:business
resolves the token to your user with your real staff permissions on that business. This is separate from the partner API-key scopes, which only reach the restricted external surface.

The OAuth handshake — discovery, registration, PKCE, consent — is shared across both MCP servers. OAuth reference

Consumer (end-user) access over MCP uses the mcp:account scope on the public server — see the public MCP guide. See the public MCP guide

bash
# 1. An unauthenticated MCP request is challenged:
#    HTTP/1.1 401 Unauthorized
#    WWW-Authenticate: Bearer resource_metadata="https://business.sessions.website/.well-known/oauth-protected-resource"

# 2. After discovery, registration, and consent, call with the token:
curl https://business.sessions.website/@<handle>/api/mcp \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer <mcp-access-token>' \
  --data '{"jsonrpc":"2.0","id":1,"method":"tools/call",
           "params":{"name":"upcoming_sessions","arguments":{}}}'