# pabloMCP

> Secure MCP capability layer that pairs any agent (Claude, Codex, Cursor, ChatGPT, custom) to a user's encrypted workspace vault and tools. Anyone can sign up at https://pablomcp.com; auth is email + TOTP + per-agent revocable bearer keys.

## How an agent connects

1. POST https://pablomcp.com/tools/auth_pairing_start with the human's email and your agent name. The response includes `enrol_required: true` if this email has never paired before.
2. The human gets an email with a 6-digit login code. If `enrol_required` is true, that same email also contains a "Set up your authenticator" button — they tap it on their phone, scan the QR with any TOTP app (Google Authenticator / 1Password / Authy), confirm a code on the page, then come back.
3. POST https://pablomcp.com/tools/auth_pairing_complete with the email code + their current TOTP code — receive a named bearer key.
4. Use `Authorization: Bearer <key>` for all future calls. Sessions are 60 min sliding.

Future pairings on the same email skip step 2's setup link; the user just shares the email code + a fresh authenticator code.

## Bring your own credentials — the vault

Every workspace has a private, encrypted vault. Secrets are AES-256-GCM at rest in Neon, with a per-workspace data key. Other workspaces can never read your secrets.

Secrets are addressed by `(project, name)` where `project` is a free-form namespace you choose:

- `vault_set` (COMMIT) — store/update a credential, e.g. `{ project: "ecostore", name: "STRIPE_API_KEY", value: "sk_live_..." }`. Preview first; pass `confirm:true` to write.
- `vault_get` (READ) — fetch the decrypted value for one `(project, name)`. Every fetch is audit-logged.
- `vault_list` (READ) — list `{project, name, updated_at}` tuples; pass `project` to scope. Values are never returned here.
- `vault_delete` (DANGEROUS) — remove a secret. Irreversible; consumers calling `vault_get` start failing immediately.

Connectors like Stripe/GitHub/Cloudflare/etc. read their credentials from the vault automatically (via a vault-first / env-fallback resolver). To enable a connector, just `vault_set` the relevant key under whatever project name you like — no redeploy.

## Endpoints

- [Agent manifest](https://pablomcp.com/.well-known/pablomcp.json): machine-readable JSON with auth + capability summary.
- [MCP endpoint](https://pablomcp.com/mcp): official MCP Streamable HTTP transport. `tools/list` is readable without auth.
- [REST tool list](https://pablomcp.com/tools): same tool catalogue over plain JSON GET, no auth required.
- [Pairing walkthrough](https://pablomcp.com/agent): human-readable agent onboarding page.
- [Dashboard](https://pablomcp.com/admin): human web UI for keys, connectors, approvals, audit.

## Capabilities (server-wide)

203 tools across 4 risk classes: READ 113, DRAFT 3, COMMIT 80, DANGEROUS 7. These counts describe the server, not any one user — every workspace has access to the same tool registry. Whether a connector actually works for *you* depends on whether you've added its credentials to your vault.

Connectors include Stripe, GitHub, Vercel, Cloudflare, Resend, Neon, Notion, Google Workspace, Google Drive/Docs, Polymarket, Cloudbet, Twilio, Vapi, Telegram, ElevenLabs, plus the project-scoped encrypted vault itself. Full schema at `tools/list`.

## Safety model

- READ tools have no side effects. COMMIT/DANGEROUS tools require `confirm: true` and may pause for in-band human approval.
- Vault secrets are encrypted per workspace; raw values never leave the server unless explicitly fetched and audited.
- Every COMMIT/DRAFT/DANGEROUS call is written to the workspace audit log.

## See also

- [llms-full.txt](https://pablomcp.com/llms-full.txt): full tool index with names and descriptions.