功能对比
| Conversion step | What to decide | Why it matters |
|---|---|---|
| REST/OpenAPI input | Paste a Swagger/OpenAPI URL or spec file, then select only the operations the agent needs | Broad specs create too many tools and increase permission risk. |
| Schema pruning | Remove unused request fields, huge response objects, internal IDs, and write-heavy routes | Smaller schemas are easier for Claude Code, Cursor, and Codex to call correctly. |
| Auth headers | Keep bearer tokens, API keys, and tenant headers in environment variables | Secrets should never be committed into generated MCP config. |
| Hosted adapter | Run an HTTP MCP adapter when multiple users or remote tools need access | Better for team access, but requires auth, logging, rate limits, and ownership. |
| Local adapter | Run a stdio server beside the repo for private APIs and local development | Simpler for one developer and safer for private credentials. |
Generator Workflow
Start from a real OpenAPI or Swagger spec, then generate a narrow MCP server plan rather than a one-to-one mirror of every endpoint. Last updated July 1, 2026; verify MCP SDK and client config syntax against current official docs before production rollout.
- Input: OpenAPI 3.x JSON/YAML, Swagger 2.0 after conversion, or a documented REST endpoint list.
- Select endpoints by agent task: read tickets, fetch weather, search docs, create draft records, or inspect status.
- Prune schemas before code generation so the tool exposes stable, minimal inputs.
- Add safety notes for write operations, destructive endpoints, rate limits, and audit logs.
REST API To MCP Mapping
Each useful API operation becomes an MCP tool with a name, description, input schema, handler, and auth boundary. Prefer names that describe user intent, not raw HTTP verbs.
GET /v1/weather/current -> get_current_weather
POST /v1/issues/search -> search_issues
PATCH /v1/tickets/{id} -> update_ticket_draftSchema Pruning Rules
OpenAPI specs often contain fields an agent does not need. Prune aggressively before exposing tools to a coding agent.
- Keep required user-facing parameters and small enums.
- Remove internal-only fields, raw audit trails, huge nested responses, and write-only secrets.
- Prefer explicit string enums over broad free-text inputs when the API supports them.
- Split one large operation into multiple narrow MCP tools when the schema becomes hard to validate.
Auth Headers And Secrets
Generated examples should show placeholder environment variables, never real API tokens. Document which headers are required and who owns token rotation.
headers: {
Authorization: `Bearer ${process.env.API_TOKEN}`,
"X-Workspace-ID": process.env.API_WORKSPACE_ID
}Hosted Versus Local Adapter
Choose local stdio when the API is private, experimental, or used by one developer. Choose a hosted MCP adapter only when the team needs shared access and has reviewed authentication, logging, rate limits, and data retention.
- Local adapter: fastest for Claude Code and Cursor trials with private credentials.
- Hosted adapter: better for shared tools, but requires an owner and an access policy.
- Hybrid adapter: local dev server first, hosted read-only version later.
Claude Code And Cursor Config Examples
Keep config examples minimal and store secrets outside committed files. These snippets are starter shapes, not official config guarantees.
Claude Code / local stdio:
{
"mcpServers": {
"api-tools": {
"command": "node",
"args": ["dist/openapi-mcp-server.js"],
"env": { "API_TOKEN": "${API_TOKEN}" }
}
}
}
Cursor / local stdio:
{
"mcpServers": {
"api-tools": {
"command": "node",
"args": ["/absolute/path/dist/openapi-mcp-server.js"]
}
}
}Supporting Keywords
This page also supports convert openapi spec to mcp server, api to mcp converter, REST API to MCP, MCP schema example, and hosted MCP adapter searches.
常见问题
Can I convert any OpenAPI spec to an MCP server?
You can use most stable REST/OpenAPI specs as a starting point, but you should select operations and prune schemas before exposing tools to an agent.
Should the MCP server include every API endpoint?
No. Expose only the endpoints needed for the coding workflow. Broad API mirrors create confusing tools and larger permission risk.
Where should API keys go?
Keep API keys and auth headers in environment variables or a managed secret store. Do not paste real tokens into generated code or committed config.
Is a hosted MCP adapter safer than local stdio?
Not automatically. Hosted adapters need authentication, rate limits, logging, and ownership. Local adapters are often safer for early private API trials.