> ## Documentation Index
> Fetch the complete documentation index at: https://docs.echozero.app/llms.txt
> Use this file to discover all available pages before exploring further.

# MCP JSON-RPC over Streamable HTTP

> Requires **Authorize** (`x-api-key`) and a JSON-RPC body. Use **Accept**: `application/json, text/event-stream` and **Content-Type**: `application/json`. First call is usually `initialize`; response includes `mcp-session-id` — send it on later requests as header `mcp-session-id`.



## OpenAPI

````yaml https://mcp.echozero.app/api/docs-json post /mcp
openapi: 3.0.0
info:
  title: EchoZero MCP API
  description: >-
    EchoZero MCP Server - Developer API for agent management, trading,
    marketplace, and AI chat.


    **Rate Limiting:** All endpoints enforce per-API-key rate limits. Tiers:
    free (60 req/min), standard (300 req/min), premium (1000 req/min). Every
    response includes `X-RateLimit-Limit`, `X-RateLimit-Remaining`,
    `X-RateLimit-Reset` headers. Exceeding the limit returns `429 Too Many
    Requests` with a `Retry-After` header.
  version: '1.0'
  contact: {}
servers:
  - url: https://mcp.echozero.app
    description: Production
security: []
tags:
  - name: MCP Protocol
    description: >-
      Model Context Protocol (Streamable HTTP): `/mcp`, `/mcp/sse` — not under
      `/api`; same API key as REST
  - name: Health
    description: Server health check
  - name: API Keys
    description: API key generation, listing, and revocation
  - name: User
    description: >-
      User profile, sessions, social, onboarding, internal agent subscriptions,
      and bot activations (v1: /v1/users/me)
  - name: Token
    description: Token data and trending
  - name: Trade
    description: Trade execution and history
  - name: Strategy
    description: Strategy (trading bot) configuration and control
  - name: Agent
    description: Agent registration and management
  - name: AI
    description: AI chat, intent, and insights
  - name: Wallet
    description: Wallet operations, deposits, and withdrawals
  - name: Notification
    description: Notification management and settings
  - name: Auth
    description: >-
      Public authentication: signup / login lookup, code verification, Google
      OAuth, refresh, and sign-out. Returns `accessToken` / `refreshToken` in
      the JSON body.
  - name: OAuth
    description: >-
      OAuth 2.1 authorization-code + PKCE for AI assistant clients:
      `/oauth/authorize`, `/oauth/token`, `/oauth/introspect`, `/status`.
  - name: Activity
    description: User trade activity list and search
  - name: Feed
    description: Social activity feed timeline
  - name: Earn
    description: Leaderboard, rewards, and referrals
  - name: Statics
    description: Countries, languages, and static data
  - name: Misc
    description: File uploads and utility endpoints
  - name: Developer
    description: Developer registration and profile
  - name: Developer dashboard
    description: >-
      Per-agent dashboard: subscribers (anonymized), performance detail, signal
      history (v1)
  - name: Developer Agent
    description: Developer agent listings and management
  - name: Developer Agents (Marketplace)
    description: Public browse, search, and subscribe to external developer-listed agents
  - name: Admin
    description: Admin-only endpoints for review, approval, and platform management
  - name: Webhooks
    description: >-
      Inbound provider webhooks (no API key). Telegram signal-bot uses
      `X-Telegram-Bot-Api-Secret-Token` when configured.
paths:
  /mcp:
    post:
      tags:
        - MCP Protocol
      summary: MCP JSON-RPC over Streamable HTTP
      description: >-
        Requires **Authorize** (`x-api-key`) and a JSON-RPC body. Use
        **Accept**: `application/json, text/event-stream` and **Content-Type**:
        `application/json`. First call is usually `initialize`; response
        includes `mcp-session-id` — send it on later requests as header
        `mcp-session-id`.
      operationId: McpProtocolController_postMcp
      parameters:
        - name: Accept
          in: header
          description: >-
            Must list both `application/json` and `text/event-stream` (MCP
            Streamable HTTP).
          required: true
          schema:
            type: string
            default: application/json, text/event-stream
        - name: x-signature
          in: header
          required: false
          description: >-
            HMAC-SHA256 signature: HMAC-SHA256(secretKey, timestamp + METHOD +
            path + body). Optional -- when omitted, HMAC verification is
            skipped.
          schema:
            type: string
        - name: x-timestamp
          in: header
          required: false
          description: >-
            Request timestamp in epoch milliseconds. Required when x-signature
            is provided. Rejected if drift exceeds 5 minutes.
          schema:
            type: string
      requestBody:
        required: true
        description: Single JSON-RPC request or batch array.
        content:
          application/json:
            schema:
              oneOf:
                - type: object
                  additionalProperties: true
                - type: array
                  items:
                    type: object
                    additionalProperties: true
            examples:
              initialize:
                summary: initialize
                value:
                  jsonrpc: '2.0'
                  id: 1
                  method: initialize
                  params:
                    protocolVersion: '2025-03-26'
                    capabilities: {}
                    clientInfo:
                      name: swagger
                      version: 1.0.0
              toolsList:
                summary: tools/list
                value:
                  jsonrpc: '2.0'
                  id: 2
                  method: tools/list
                  params: {}
      responses:
        '200':
          description: >-
            JSON or SSE per MCP transport. Response headers may include
            `mcp-session-id` (after initialize) and `X-Mcp-Instance-Id` (which
            replica served the request; use with load balancer sticky sessions).
            See `MCP_DEPLOYMENT_SCALING.md`.
        '401':
          description: Missing or invalid API key (JSON-RPC error body on this route).
      security:
        - bearer-jwt: []
        - api-key: []
components:
  securitySchemes:
    bearer-jwt:
      scheme: bearer
      bearerFormat: JWT
      type: http
      description: >-
        User JWT access token issued by `POST /api/auth/verify` or `POST
        /api/auth/social/verify`. Routes that accept both auth modes declare
        `api-key` *and* `bearer-jwt` security schemes.
    api-key:
      type: apiKey
      in: header
      name: x-api-key

````