Skode Remote MCP Server — Technical Reference
Skode operates a production Remote MCP server, hosted by Skode Technologies Private Limited
in Mumbai (ap-south-1), that exposes Skode CRM data to any MCP-compatible client
— most commonly Claude Desktop, Claude Web, and the Claude API. This page is the
technical reference used by developers and by AI-platform review teams. End-users should
instead follow the plain-English Claude connector guide, ChatGPT connector guide, or
Gemini connector guide.
Endpoints
- MCP endpoint (Streamable HTTP): https://api.skode.ai/mcp
- OAuth 2.1 Authorization Server Metadata (RFC 8414): https://api.skode.ai/.well-known/oauth-authorization-server
- OAuth 2.0 Protected Resource Metadata (RFC 9728): https://api.skode.ai/.well-known/oauth-protected-resource
- Dynamic Client Registration (RFC 7591): https://api.skode.ai/oauth/register
- Authorization endpoint: https://app.skode.ai/oauth/authorize
- Token endpoint: https://api.skode.ai/oauth/token
- OpenAPI 3.0 spec: https://api.skode.ai/openapi.json
Manifest
The public MCP manifest is served at https://skode.ai/.well-known/mcp.json.
It advertises manifest_version: "0.4", the Streamable HTTP
endpoint, the OAuth metadata URL, human-readable policy and contact URLs, the logo, and the
full list of tool annotations. SSE is deprecated; Streamable HTTP is the only supported
transport as of MCP spec 2026-03-15.
Authentication and authorisation
Access is gated by OAuth 2.1 Authorization Code + PKCE (S256). Per the 2026-03-15 MCP
revision, Resource Indicators (RFC 8707) are mandatory and the server rejects token
introspection requests whose aud claim does not match
https://api.skode.ai/mcp. Tokens are scoped per CRM module and are tenant-isolated.
Refresh tokens are rotated on every use. Idle tokens expire after 30 minutes,
hard tokens after 12 hours. All responses enforce row-level tenant scoping against the
authenticated user's workspace.
Tool catalogue
The server advertises read-only and mutating tools across twenty CRM modules: leads, contacts, deals, tasks, notes, calendar, invoices, estimates, payments, activities, reports, projects, products, email sequences, time-tracking, and five e-commerce modules (orders, customers, revenue, shipping, returns). Each tool is published with MCP annotations that review teams can read without calling the tool:
- readOnlyHint: true on all list_* / get_* / search_* tools
- destructiveHint: true on delete_* and void_invoice
- openWorldHint: false on every tool — the server never makes outbound calls beyond the authenticated CRM tenant
All non-read-only tools require an additional HumanInTheLoop confirmation step enforced server-side, independent of the host client.
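The annotation rules above can be checked mechanically against a tools/list result. The following is an added example, not Skode's own code; the sample tool names (other than void_invoice) are constructed, and the check that a destructive tool must not also claim readOnlyHint is an added assumption.

```javascript
// Added example: audit MCP tool annotations against the rules stated on this page.
const READ_PREFIXES = ["list_", "get_", "search_"];
const isReadTool = (name) => READ_PREFIXES.some((p) => name.startsWith(p));
const isDestructiveTool = (name) =>
  name.startsWith("delete_") || name === "void_invoice";

function auditToolAnnotations(tools) {
  const findings = [];
  for (const tool of tools) {
    const hints = tool.annotations || {};
    const flag = (rule) => findings.push({ tool: tool.name, rule });
    // Hints must be explicit: MCP treats an absent openWorldHint as true
    // and an absent readOnlyHint as false, so "missing" is a finding.
    if (hints.openWorldHint !== false) flag("openWorldHint must be false");
    if (isReadTool(tool.name) && hints.readOnlyHint !== true) {
      flag("readOnlyHint must be true");
    }
    if (isDestructiveTool(tool.name)) {
      if (hints.destructiveHint !== true) flag("destructiveHint must be true");
      // Assumption (not stated on the page): the two hints contradict each other.
      if (hints.readOnlyHint === true) flag("destructive tool claims readOnlyHint");
    }
  }
  return findings;
}

// Constructed sample of the "tools" array from a tools/list result.
const sampleTools = [
  { name: "list_leads", annotations: { readOnlyHint: true, openWorldHint: false } },
  { name: "get_invoice", annotations: { openWorldHint: false } },
  { name: "delete_contact", annotations: { destructiveHint: true, openWorldHint: false } },
  { name: "void_invoice", annotations: { readOnlyHint: true, openWorldHint: false } },
  { name: "create_deal", annotations: { readOnlyHint: false } },
];

for (const f of auditToolAnnotations(sampleTools)) {
  console.log(`${f.tool}: ${f.rule}`);
}
```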
Data handling
Sensitive fields are masked before they leave the server (full card numbers and CVVs are never returned; card brand and last-4 digits only). Personally identifiable information is passed through unmodified because it is the customer's own tenant data and is needed for the user's prompt — Skode does not apply any training, logging, or secondary use to it. No request payload or response payload is retained beyond the tenant's own CRM history tables. See the Privacy Policy, Sub-Processors page, and AI Connector Terms.
Rate limits and reliability
MCP requests are metered at 600 requests/minute per workspace. The server exposes
X-RateLimit-Remaining and X-RateLimit-Reset headers and returns
429 Too Many Requests with a Retry-After header once the budget
is exhausted. Uptime target is 99.5% per the published SLA.
Local / self-hosted option
The reference implementation is also available as a local Node package
@skode/mcp-server for developers who prefer local Claude Desktop
integrations. The local package targets the same API surface as the Remote MCP server
and uses the same OAuth token, so a user can switch between the two with no config
change.
{
  "mcpServers": {
    "skode-crm": {
      "command": "npx",
      "args": ["-y", "@skode/mcp-server"],
      "env": { "SKODE_API_KEY": "sk_live_xxx" }
    }
  }
}