Builder MCP + CLI Overview
BuilderStudio currently exposes two MCP connection surfaces. Use workspace-scoped builder_ API keys from Security → Workspace API Keys for the main BuilderStudio MCP endpoint at /api/mcp. Published user MCP servers use separate /api/user-mcp/<workspaceId>/<slug> endpoints and, when bearer auth is enabled, a separate owner-managed published-server bearer path, often a umcp_ key when the server owner issues one. Workspace builder_ keys do not unlock those endpoints.
How the flow works
1. Create a workspace API key
   Create a builder_ key from Security → Workspace API Keys when you want to connect Claude Code, Cursor, or Codex to the main BuilderStudio MCP endpoint.
2. Register BuilderStudio in your client
   Use the snippets in Dashboard setup. Cursor uses .cursor/mcp.json, Claude Code uses an HTTP add command, and Codex can use either codex mcp add or the custom MCP form.
3. Call workspace tools
   Once connected, your agent can list canvases, inspect runs, trigger workflows, and use the BuilderStudio tool surface that your builder_ key scopes allow.
API key scopes
| Scope | Use case |
|---|---|
| read:canvases | List canvases, inspect nodes, read run state, and power non-destructive tools. |
| run:workflows | Trigger executions, poll run state, and use workflow-running MCP tools. |
| write:canvas | Create canvases and mutate nodes, edges, and other canvas structure. |
| manage:integrations | Create, edit, list, and revoke workspace integration credentials. |
| delete:canvas | Delete canvases through the workspace MCP after explicit confirmation. |
Endpoint split
| Endpoint | Key type | What it is for |
|---|---|---|
| /api/mcp | builder_ | Main BuilderStudio workspace tools and orchestration actions. |
| /api/user-mcp/<workspaceId>/<slug> | Separate published-server bearer auth, often umcp_ when bearer auth is enabled, otherwise none | Published user MCP servers exposed from BuilderStudio canvases. Public servers need no bearer token; protected servers use a separate published-server credential path. |
builder_ keys. Protected published endpoints use a separate owner-managed published-server bearer path, typically a umcp_ key when the server owner issues API keys. Workspace builder_ keys do not unlock direct external client access to those published endpoints. If you own the server, manage its published API keys from the canvas MCP Server panel's API Keys tab. If you do not own it, ask the server owner for the published-server bearer token or exact outbound Authorization header value that endpoint expects. BuilderStudio does not issue self-serve marketplace tokens for protected published servers yet.

Adding a marketplace server to a workspace registry is a BuilderStudio-internal install step. For bearer-protected published servers, use the marketplace install flow to save the server owner's bearer token as outbound headers during install, or add and rotate it later on Agent node > MCP Servers > Auth headers. BuilderStudio does not issue self-serve marketplace bearer tokens for protected published servers.
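The endpoint split above can be checked mechanically before a client config is committed or shared. The following is an added example, not BuilderStudio code: it lints an MCP client config and flags any entry whose credential type does not match its endpoint, in particular a workspace builder_ key attached to a published-server URL. The mcpServers/url/headers layout, the hostname builderstudio.example, the workspace id ws_123 and the key values are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample config (assumed mcpServers/url/headers layout);
# the hostname, workspace id and key values are placeholders.
SAMPLE_CONFIG = {"mcpServers": {
    "builderstudio": {"url": "https://builderstudio.example/api/mcp",
                      "headers": {"Authorization": "Bearer builder_EXAMPLE"}},
    "published-tools": {"url": "https://builderstudio.example/api/user-mcp/ws_123/tools",
                        "headers": {"Authorization": "Bearer builder_EXAMPLE"}},
    "public-server": {"url": "https://builderstudio.example/api/user-mcp/ws_123/public"},
}}

def classify_endpoint(url):
    """Return 'workspace', 'published' or 'other' from the URL path alone."""
    parts = urlparse(url).path.rstrip("/").split("/")
    if parts == ["", "api", "mcp"]:
        return "workspace"
    # /api/user-mcp/<workspaceId>/<slug> splits into exactly five parts.
    if len(parts) == 5 and parts[1:3] == ["api", "user-mcp"] and all(parts[3:]):
        return "published"
    return "other"

def bearer_token(headers):
    """Extract the bearer token from an Authorization header, if any."""
    for name, value in (headers or {}).items():
        if name.lower() == "authorization" and value.lower().startswith("bearer "):
            return value[7:].strip()
    return None

def lint(config):
    """Return (server name, finding) pairs for misrouted credentials."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        kind = classify_endpoint(server.get("url", ""))
        token = bearer_token(server.get("headers"))
        is_builder = bool(token) and token.startswith("builder_")
        if kind == "workspace" and not is_builder:
            # /api/mcp accepts workspace-scoped builder_ keys only.
            findings.append((name, "workspace endpoint needs a builder_ key"))
        elif kind == "published" and is_builder:
            # builder_ keys do not unlock published servers; keep them off that path.
            findings.append((name, "builder_ key sent to a published server"))
        elif kind == "other" and is_builder:
            findings.append((name, "builder_ key sent to an unrecognized endpoint"))
    return findings
```

A published endpoint with no bearer token is not flagged, since public published servers need none, and any non-builder_ bearer is accepted there because umcp_ is only the common case.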