API reference
REST + oRPC + MCP surfaces for programmatic access to KlyHub.
KlyHub exposes three programmatic surfaces:
| Surface | Where | Use for |
|---|---|---|
| REST / oRPC | https://api.klyhub.com | Server-to-server integrations, custom dashboards, anything that's not an AI client. |
| MCP | https://mcp.klyhub.com/v1/<tenant-slug> | AI clients (Claude Desktop, Cursor, ChatGPT, your own). |
| Webhooks | configured per workspace | Receive notifications when entities change. |
All three honor the same row-level security: a request authenticated for tenant A can never see tenant B's data.
REST / oRPC
The HTTP API is generated from oRPC procedure definitions in packages/orpc/procedures/. The OpenAPI spec lives at:
https://api.klyhub.com/openapi.json
You can load it into any OpenAPI client — Swagger UI, Postman, oRPC's TypeScript client, etc.
Namespaces (top-level procedures)
| Namespace | Purpose |
|---|---|
| auth | Sign up, sign in, session management, 2FA, passkeys. |
| tenant | Workspace CRUD, member list, audit log, settings. |
| member | Per-user membership operations — invite, role change, removal. |
| oauth-providers | Manage your registered MCP OAuth clients. |
| entity | Layer entries — Core, Market, Motion, Operations, Memory. |
| intake | Start / resume / branch / pause the 4-phase intake. |
| methodology | Inspect available methodology Packs + Prompts + Templates. |
| mcp | MCP-tool surface (also reachable via the MCP endpoint directly). |
| service-token | Issue and rotate non-user API keys (limited scopes). |
| audit | Query the tenant audit log (Owner-only UI in the workspace). |
| compliance | Data-export + deletion-request endpoints. |
| billing | Tier list + subscription + Stripe customer portal handoff. |
Every namespace returns typed responses; client errors carry an ORPCError with a stable code (e.g. QUOTA_EXCEEDED, NOT_FOUND, FORBIDDEN) so your integration can branch on it.
Authentication
For user-mode requests, include the session cookie KlyHub set on .klyhub.com (cross-subdomain). For service-mode requests, pass Authorization: Bearer <service_token> — service tokens are tenant-scoped and respect the same RLS boundaries as user sessions.
Rate limits
The public REST surface is rate-limited per tenant + per IP. Limits are documented in the OpenAPI spec's x-ratelimit extension and surfaced in X-RateLimit-* response headers.
MCP
The MCP endpoint speaks the Model Context Protocol and is the recommended surface for AI clients. Authentication is OAuth 2.1 with PKCE; see Custom integrations for the flow.
The MCP server is intentionally a thin adapter over the same packages/orpc procedures the REST API uses. That means an MCP tool and a REST endpoint never disagree about what your knowledge base says — they're literally calling the same function.
Webhooks
Configure webhooks under Settings → Webhooks in your workspace. Events fire on:
- Entity creation, update, deletion.
- Intake phase completion.
- Tenant billing-state transitions (active ↔ read-only ↔ scheduled-deletion).
- Member added / removed.
Each webhook delivery includes a signed X-KlyHub-Signature header (HMAC-SHA256 over the body) so you can verify authenticity.
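A receiver-side check for the X-KlyHub-Signature header, as an added Node.js example that is not KlyHub's own code. The page does not state how the digest is encoded or how the signing secret is provisioned, so hex encoding, the secret value, the sample event body and the function names are assumptions constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// Constructed sample values (not real KlyHub data or a documented event shape).
const SAMPLE_SECRET = "constructed-webhook-secret";
const SAMPLE_BODY = Buffer.from('{"type": "entity.updated", "id": "ent_constructed_1"}');

// Assumption: the header value is the hex-encoded HMAC-SHA256 of the raw request body.
function verifySignature(rawBody, signatureHeader, secret) {
  // Missing, duplicated (array) or malformed headers fail closed before any decoding.
  if (typeof signatureHeader !== "string") return false;
  if (!/^[0-9a-f]{64}$/i.test(signatureHeader)) return false;
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(signatureHeader, "hex");
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  return timingSafeEqual(expected, received);
}

// Verify the exact bytes received, and parse JSON only after the check passes.
function handleDelivery(rawBody, headers, secret) {
  if (!verifySignature(rawBody, headers["x-klyhub-signature"], secret)) {
    return { status: 401 };
  }
  try {
    return { status: 200, event: JSON.parse(rawBody.toString("utf8")) };
  } catch {
    return { status: 400 }; // authentic but not valid JSON
  }
}

// Signs a body the way the sender is assumed to; used here only to build demo input.
function signForDemo(rawBody, secret) {
  return createHmac("sha256", secret).update(rawBody).digest("hex");
}

const demoSig = signForDemo(SAMPLE_BODY, SAMPLE_SECRET);
console.log(handleDelivery(SAMPLE_BODY, { "x-klyhub-signature": demoSig }, SAMPLE_SECRET).status);

// A body re-serialized by JSON middleware has different bytes and no longer verifies.
const reserialized = Buffer.from(JSON.stringify(JSON.parse(SAMPLE_BODY.toString("utf8"))));
console.log(handleDelivery(reserialized, { "x-klyhub-signature": demoSig }, SAMPLE_SECRET).status);
```

Capture the raw request body before any JSON body parser runs, since the HMAC covers the bytes as sent.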
Versioning posture (v0.1)
We are pre-1.0. Breaking changes can happen on any minor release, and we surface them in the release notes. v1.0 will introduce semver-style versioning + deprecation windows.
For the MCP-specific protocol pin (2025-06-18 with negotiation up to 2025-11-25) see the Custom integrations guide.