> ## Documentation Index
> Fetch the complete documentation index at: https://api.docs.flare.io/llms.txt
> Use this file to discover all available pages before exploring further.

# API MCP (beta)

<Note>The Flare API MCP server is still in beta and is subject to change.</Note>

Flare provides a
[Model Context Protocol](https://modelcontextprotocol.io/) (MCP) server that
exposes Flare's search and platform APIs to any MCP-capable client. It lets
agents query Flare's threat-intel dataset, inspect a tenant's monitored
events, look up event-type schemas, and read the current user's profile —
without writing any code against the REST API.

For a documentation-only companion server (search across the Flare API docs
themselves), see the
[Documentation MCP <Icon icon="book" size={16} />](/sdk/docs-mcp).

## Available Tools

| Tool                           | Description                                                                                                                     |
| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------- |
| `search_global`                | Global Search — executes a Lucene query against the entire Flare threat-intel dataset.                                          |
| `search_tenant`                | Tenant Search — executes a Lucene query scoped to events matching the caller's monitored identifiers.                           |
| `search_validate_search_query` | Validates that a Lucene query complies with Flare's search rules before running it. Useful when composing or debugging a query. |
| `events_get_event`             | Returns the complete event payload (metadata + data) for a single uid.                                                          |
| `events_get_event_type`        | Returns the documentation and searchable field list for a given event type (e.g. `chat_message`, `forum_post`, `stealer_log`).  |
| `profile_get`                  | Returns the current user's profile, including tenants, permissions, feature flags, and default tenant id.                       |

<Note>
  `search_global` requires the Global Search permission on the target tenant.
</Note>

### Search Parameters

The `search_global` and `search_tenant` tools accept the
same parameters:

<ParamField body="query" type="string" required>
  Lucene query.
</ParamField>

<ParamField body="date_range" type="string | object">
  Time window to restrict results to. Either a preset (`last_24h`, `last_2d`, `last_7d`,
  `last_1m`, `last_3m`, `last_6m`, `all`) or a `{ begin_at, end_at }` object with ISO-8601 datetimes.
</ParamField>

<ParamField body="search_types" type="array of string">
  List of event types to scope the search. Defaults to all event types.
</ParamField>

<ParamField body="size" type="integer" default="10">
  Number of results to return. Between `1` and `10`.
</ParamField>

<ParamField body="cursor" type="string">
  Opaque pagination cursor from a previous response.
</ParamField>

### Prompt Examples

* `What has Flare picked up on our monitored domain scatterholt.com in the last 24 hours?`
* `Search the whole Flare dataset for chat messages mentioning "acme-corp" in the last 7 days.`
* `Validate this query for me: author_name:/some_username_\d+/`
* `What fields can I search on the stealer_log event type?`
* `Which tenants do I currently have access to?`

## MCP Server Configuration

The MCP server is available at the following URL:

* `https://api.flare.io/mcp`

To connect an MCP client to the server, see
[Client Setup](#client-setup).

### Authentication

Every MCP request must include a Flare API key in the `Authorization`
header. Follow the
[Authentication Guide <Icon icon="book" size={16} />](/concepts/authentication)
to generate one.

### Targeting a specific tenant

Requests default to your account's default tenant. To scope MCP tool calls
to a specific tenant, set the `X-Flare-Tenant-Id` header on the MCP
connection to the target tenant id. You can find your tenant ids via the `profile_get` MCP tool, or on the [Profile page](https://app.flare.io/#/profile) under the "Tenants" section
(also documented in the
[Authentication Guide <Icon icon="book" size={16} />](/concepts/authentication#finding-tenant-ids)).

## Client Setup

<Note>
  The `X-Flare-Tenant-Id` header is optional: omitting it uses your default
  tenant.
</Note>

### Claude Code

The quickest way to add the server to a project's config is through the
[Claude Code](https://docs.claude.com/en/docs/claude-code/overview) CLI:

```bash theme={null}
claude mcp add flare --transport http https://api.flare.io/mcp \
  --scope project \
  --header "Authorization: <api-key>" \
  --header "X-Flare-Tenant-Id: <tenant-id>"
```

The Flare API key is obtained from the
[Authentication Guide <Icon icon="book" size={16} />](/concepts/authentication).

Alternatively, you may create an
`.mcp.json` file at the root of your project and restart Claude Code once the file is in place:

```json .mcp.json theme={null}
{
  "mcpServers": {
    "flare": {
      "type": "http",
      "url": "https://api.flare.io/mcp",
      "headers": {
        "Authorization": "<api-key>",
        "X-Flare-Tenant-Id": "<tenant-id>"
      }
    }
  }
}
```

The Flare tools will appear
under the `flare` server in the `/mcp` command output, and Claude will call
them automatically when your prompts match their descriptions.

<Note>
  Store the API key outside version control. Claude Code also supports reading
  headers from environment variables — see the [Claude Code MCP
  docs](https://code.claude.com/docs/en/mcp#environment-variable-expansion-in-mcp-json)
  for details.
</Note>

### Claude Desktop

Claude Desktop's configuration file only supports local (stdio) servers, so the connection goes through the `mcp-remote` bridge via `npx` (requires Node.js).
The configuration file is located at:

* **macOS**: `~/Library/Application Support/Claude/claude_desktop_config.json`
* **Windows**: `%APPDATA%\Claude\claude_desktop_config.json`

The file is also reachable through **Settings → Developer → Edit Config**.

```json claude_desktop_config.json theme={null}
{
  "mcpServers": {
    "flare": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://api.flare.io/mcp",
        "--header",
        "Authorization:<api-key>",
        "--header",
        "X-Flare-Tenant-Id:<tenant-id>"
      ]
    }
  }
}
```

Once the change is in place, you should fully quit and relaunch Claude Desktop.

### Cursor

The server can be added to the `.cursor/mcp.json` in your project (or
`~/.cursor/mcp.json` to make it available in all projects).

```json .cursor/mcp.json theme={null}
{
  "mcpServers": {
    "flare": {
      "url": "https://api.flare.io/mcp",
      "headers": {
        "Authorization": "<api-key>",
        "X-Flare-Tenant-Id": "<tenant-id>"
      }
    }
  }
}
```

Cursor picks up the change automatically: check **Settings → MCP** to confirm the MCP server is connected.
See [Cursor's MCP docs](https://cursor.com/docs/mcp) for details.

## Quotas & Rate Limits

* Calls to `search_global` (Global Search) consume the tenant's monthly Global
  Search quota. See
  [Rate Limits and Quotas <Icon icon="book" size={16} />](/concepts/rate-limits-and-quotas).
* Calls to other tools do
  not consume the Global Search quota.
* Standard API rate limits apply to all tools.
