Model Context Protocol (MCP)
DaloyJS can host a dedicated Model Context Protocol server for AI clients that need tools, resources, and prompts. The core helper implements MCP Streamable HTTP with JSON-RPC 2.0, so a company that already runs a DaloyJS REST API can run a second DaloyJS service at /mcp with a different auth policy and a smaller, agent-safe surface area.
Keep the REST API and the MCP server separate when the callers, permissions, or rate limits differ. MCP tools are model-callable operations, so they deserve the same care as any production API route, plus tighter descriptions and schemas because the caller may be an AI client acting on a user's behalf.
- AI client: Claude, Cursor, VS Code
- DaloyJS MCP app: POST /mcp JSON-RPC
- Tools and context: tools, resources, prompts
- Existing systems: database, REST API, queues
Install
Create an MCP server
Use createMcpHandler() for the MCP protocol layer and mcpRoutes() to mount POST, GET, and OPTIONS on a DaloyJS app. The POST route is the actual MCP transport. GET returns a JSON hint instead of opening a server-initiated SSE stream, and OPTIONS supports browser-based clients when CORS middleware is installed.
Client config
Point an MCP-compatible client at the deployed endpoint. The exact config file differs by client, but remote Streamable HTTP servers use a URL and whatever headers your auth middleware requires.
What core supports
- initialize, ping, tools/list, tools/call, resources/list, resources/read, prompts/list, and prompts/get.
- Protocol-version negotiation, MCP-Protocol-Version rejection for unsupported versions, JSON-RPC parse errors, accepted notifications, and bounded request bodies.
- Dependency-free TypeScript types for tools, resources, prompts, JSON schemas, content blocks, structured tool output, and handler context.
What stays out of core
DaloyJS does not bundle the official MCP SDK, stdio process management, OAuth server metadata, persistent MCP sessions, server-initiated SSE, or experimental tasks. Those pieces either add dependency weight or need a product-specific security model. Keep them in your application or a separate integration package until your use case needs them.
Error handling
Throw McpToolError when the model can fix the call, for example missing arguments or a domain object that does not exist. The client receives an MCP tool result with isError: true. Unexpected errors become JSON-RPC internal errors and are redacted in production.
Security checklist
- Put auth in DaloyJS middleware before the MCP route. Bearer tokens, mTLS, IP restrictions, and per-client rate limits all work normally.
- Validate tool arguments inside handlers. The advertised JSON Schema helps clients, but it is not a substitute for server-side validation.
- Keep tool descriptions precise. A vague tool is easier for a model to misuse and harder for a human to approve.
- Route outbound calls through fetchGuard() when a tool fetches URLs influenced by users, prompts, or external content.
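
The Error handling and Security checklist sections above, shown together as an added example (not DaloyJS code): a tool handler that enforces its own argument rules instead of trusting the advertised schema, and a wrapper that separates fixable input errors from unexpected failures. `ToolInputError`, `lookup_order`, `runTool` and the order data are assumptions made for this example; `ToolInputError` stands in for `McpToolError`, whose constructor is not shown on this page.

```javascript
// Local stand-in for the page's McpToolError; its real constructor is not shown on the page.
class ToolInputError extends Error {}

// Schema a tools/list response would advertise. Advisory: a client can ignore it.
const lookupOrderTool = {
  name: "lookup_order", // hypothetical tool
  description: "Read the status of one order by id. Read-only.",
  inputSchema: {
    type: "object",
    properties: { orderId: { type: "string" } },
    required: ["orderId"], additionalProperties: false,
  },
};

// Server-side check that enforces what the schema only describes.
function validateLookupArgs(args) {
  if (args === null || typeof args !== "object" || Array.isArray(args)) {
    throw new ToolInputError("arguments must be a JSON object");
  }
  for (const key of Object.keys(args)) {
    if (key !== "orderId") throw new ToolInputError("unknown argument: " + key);
  }
  if (typeof args.orderId !== "string" || !/^ord_[0-9a-z]{8}$/.test(args.orderId)) {
    throw new ToolInputError("orderId must be ord_ plus 8 lowercase letters or digits");
  }
  return { orderId: args.orderId };
}

// Constructed in-memory data standing in for the real backend.
const ORDERS = new Map([["ord_a1b2c3d4", { status: "shipped" }]]);

function lookupOrder(rawArgs) {
  const { orderId } = validateLookupArgs(rawArgs);
  const order = ORDERS.get(orderId);
  if (!order) throw new ToolInputError("no order with id " + orderId);
  return { content: [{ type: "text", text: JSON.stringify(order) }] };
}

// Fixable input errors -> tool result with isError: true; anything else -> JSON-RPC internal error.
function runTool(handler, rawArgs, production = true) {
  try {
    return { result: handler(rawArgs) };
  } catch (err) {
    if (err instanceof ToolInputError) {
      return { result: { isError: true, content: [{ type: "text", text: err.message }] } };
    }
    return { error: { code: -32603, message: production ? "Internal error" : String(err.message) } };
  }
}
```

The unknown-key check also rejects a JSON body carrying a `__proto__` member, because `JSON.parse` creates it as an own property that `Object.keys` returns.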