Developer Interface
Connect AI agents to your Chalk deployment over the Model Context Protocol.
Chalk hosts a Model Context Protocol (MCP) server so that AI agents — Claude, Cursor, your own LangChain/agent code, or any MCP-compatible client — can interact with your Chalk deployment directly. Through the MCP server an agent can run online queries, execute ChalkSQL, read feature and resolver definitions, search logs and traces, and inspect query errors, all scoped to the permissions of the credentials it presents.
The MCP server is hosted alongside the Chalk API and requires no installation or self-hosting.
The server speaks the Streamable HTTP transport (MCP specification 2025-03-26). A single
URL handles both the JSON-RPC POST requests and the Server-Sent Events (SSE) streams that the
transport uses, so most clients only need this one URL. Despite the /sse suffix in the path,
this is the modern Streamable HTTP transport rather than the deprecated HTTP+SSE transport —
configure your client for a streamable-HTTP (or “HTTP”) remote server, not a legacy SSE server.
If you are on a dedicated or self-hosted Chalk deployment, replace api.chalk.ai with your own
API server host. You can find it in the apiServer field of chalk config --format json.
The MCP server authenticates with the same service credentials
used everywhere else in Chalk. Provide your client_id and client_secret as HTTP headers on
every request:
| Header | Value |
|---|---|
X-Chalk-Client-Id | Your service token’s client_id |
X-Chalk-Client-Secret | Your service token’s client_secret |
The server exchanges these for a short-lived access token internally, so you do not need to run the OAuth client-credentials flow yourself.
The credentials are sensitive — they can query and, depending on their permissions, modify your Chalk deployment. Treat them like any other secret and prefer a scoped service token over personal credentials.
Generate or look up a service token in the Settings → Service Tokens tab of the Chalk
dashboard, then retrieve the values from the CLI with chalk config:
chalk configName Value Description
client_id token-392c737aa1e467e42e85ae3e8417a003 default token
client_secret ts-6307f46a00a68436b0f955b82b7fb30075d default token
environment btfxgaqqxbt7z ...
api_server https://api.chalk.ai ...
To pull the values out programmatically, use a machine-readable format:
# JSON object with clientId / clientSecret / apiServer fields
chalk config --format json
# Shell export statements: CHALK_CLIENT_ID / CHALK_CLIENT_SECRET / ...
chalk config --format shellThe server also accepts a standard Authorization: Bearer <access_token> header. If a request
arrives without credentials, the server responds with 401 and a WWW-Authenticate challenge
pointing at Chalk’s OAuth discovery endpoints
(/.well-known/oauth-protected-resource), so MCP clients that implement the
MCP authorization spec
(including Dynamic Client Registration) can negotiate a token interactively. For headless and
server-to-server use, the X-Chalk-Client-Id / X-Chalk-Client-Secret headers are the simplest
option.
By default, requests run against the environment associated with your service token. To target a different environment, either:
X-Chalk-Env-Id: <environment_id> header, orenvironment_id argument to an individual tool call.Environment overrides are only honored for user (personal) credentials. Use the list_environments
tool to discover the environment IDs available to your team.
Most MCP clients accept a remote server URL plus a set of headers. Use the streamable-HTTP / remote-server configuration for your client and point it at the endpoint above.
This is the format used by Cursor, Windsurf, and many other clients (mcp.json /
mcpServers):
{
"mcpServers": {
"chalk": {
"url": "https://api.chalk.ai/v1/mcp/sse",
"headers": {
"X-Chalk-Client-Id": "token-392c737aa1e467e42e85ae3e8417a003",
"X-Chalk-Client-Secret": "ts-6307f46a00a68436b0f955b82b7fb30075d"
}
}
}
}Add the server from the command line with claude mcp add:
claude mcp add --transport http chalk https://api.chalk.ai/v1/mcp/sse \
--header "X-Chalk-Client-Id: $(chalk config --format json | jq -r .clientId)" \
--header "X-Chalk-Client-Secret: $(chalk config --format json | jq -r .clientSecret)"For a client that cannot connect to a remote server directly, bridge to it with
mcp-remote:
{
"mcpServers": {
"chalk": {
"command": "npx",
"args": [
"mcp-remote",
"https://api.chalk.ai/v1/mcp/sse",
"--header",
"X-Chalk-Client-Id: ${CHALK_CLIENT_ID}",
"--header",
"X-Chalk-Client-Secret: ${CHALK_CLIENT_SECRET}"
],
"env": {
"CHALK_CLIENT_ID": "token-392c737aa1e467e42e85ae3e8417a003",
"CHALK_CLIENT_SECRET": "ts-6307f46a00a68436b0f955b82b7fb30075d"
}
}
}
}You can confirm your credentials are accepted by issuing an initialize request directly:
curl -sS https://api.chalk.ai/v1/mcp/sse \
-H "X-Chalk-Client-Id: $(chalk config --format json | jq -r .clientId)" \
-H "X-Chalk-Client-Secret: $(chalk config --format json | jq -r .clientSecret)" \
-H "Content-Type: application/json" \
-H "Accept: application/json, text/event-stream" \
-d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"curl","version":"0"}}}'A 401 with a WWW-Authenticate header means the credentials were missing or rejected.
The server exposes a set of tools for querying and operating your Chalk deployment. The exact set
evolves over time, and the tools a given client can call depend on the permissions granted to its
credentials — for example, run_online_query requires the query.online permission, and the
observability tools require monitoring.read. Tools your token is not authorized for will return a
permission error.
| Tool | Description |
|---|---|
run_online_query | Run an online query for one or more features. |
execute_sql_query | Execute a ChalkSQL query, with preview support. |
get_offline_queries | List offline queries (batch jobs). |
get_offline_query | Fetch metadata for a single offline query. |
| Tool | Description |
|---|---|
list_features | List the features defined in the environment. |
get_feature_definition | Read a feature’s definition and metadata. |
list_resolvers | List resolvers. |
get_resolver_definition | Read a resolver’s definition and metadata. |
list_functions / get_function / call_function | List, inspect, and invoke external functions. |
list_branches | List the deployment’s branches. |
list_environments | List environments available to your team (with their IDs). |
search_deployment_source | Search the deployed source code. |
search_docs | Search the Chalk documentation. |
| Tool | Description |
|---|---|
get_query_errors | List recorded query errors, with filtering and pagination. |
get_query_plan_json | Retrieve a query plan as JSON. |
get_perf_summary_json | Retrieve a query performance summary as JSON. |
search_logs | Search application logs for the environment. |
search_traces | Search distributed traces and their spans. |
search_kube_events | Search Kubernetes cluster events (scheduling, OOM kills, crashes). |
Additional infrastructure and sandbox tools (Kubernetes deployment/node inspection, sandboxed Python execution, and similar) are available to credentials with the appropriate elevated permissions.
execute_sql_query.