Which agents support the Superkabe MCP server?

Any MCP-compatible client: Claude Desktop, Claude Code, Cursor, Zed, Continue, and the Anthropic MCP SDK. The server speaks standard MCP over stdio — no special client-side code required.

Can the agent modify sending state?

Yes. Tools are scoped by API key permissions — read-only keys expose only inspection tools; write-capable keys additionally expose pause, resume, and rotation controls.

npm install -g @superkabe/mcp-server, then add a server entry to your MCP client's config pointing at `superkabe-mcp` with SUPERKABE_API_KEY in env.

Claude (MCP Server)

Connect any Claude surface to Superkabe via the Model Context Protocol — run leads, campaigns, validation, and replies through natural language prompts

Two ways to connect

Pick the one that matches your Claude surface:

Claude.ai (browser): Remote MCP via OAuth. No install. Paste a URL into Settings → Integrations → Add Integration. Skip to § 1.
Claude Desktop / Claude Code / Cursor / Continue: Local stdio process via the @superkabe/mcp-server npm package + your API key. Skip to § 2.

Overview

Superkabe exposes 17 tools over the Model Context Protocol — Anthropic's open standard for letting AI agents discover and call backend APIs. Once Claude is connected, you can prompt naturally:

"Import these 200 leads, validate their emails, create a 3-step sequence targeting SaaS founders, and launch it through my Outlook mailboxes."

Claude chains the right tools (import_leads → validate_leads → get_validation_results → create_campaign → launch_campaign), reads the results between steps, and executes. No Superkabe UI required for the workflow itself.

1. Claude.ai (browser)

Claude.ai connects to remote MCP servers over HTTPS using OAuth 2.0 with Dynamic Client Registration (RFC 7591) and PKCE (RFC 7636). Superkabe runs an OAuth authorization server alongside the MCP endpoint at api.superkabe.com, so the entire connection is handled in-browser through a consent flow — no API key copy/paste, no install.

Add the integration

Open claude.ai → Settings → Integrations → Add Integration.
Grab your per-org MCP URL from Dashboard → API & MCP → MCP Server tab. It looks like:

https://api.superkabe.com/mcp/<your-org-slug>

The <your-org-slug> is unique per organization. The dashboard fills in the right value for you — copy directly from there. (The legacy https://api.superkabe.com/mcp URL still works for single-org accounts, but the per-org URL is recommended for everyone.)

Claude.ai opens a popup to Superkabe's consent screen showing the org name.
Sign in to your Superkabe account if you aren't already. Important: sign in with an account that belongs to the org named on the consent screen — if you sign into a different org, Superkabe will block the consent and ask you to sign in correctly.
Review the requested scopes and click Authorize. The 17 Superkabe tools become available in any Claude conversation, and the resulting OAuth grant is bound to that one org only.

Working with multiple orgs from one Claude.ai account?

Agencies and consultants often manage several Superkabe orgs from the same Claude.ai account. The per-org URL is what makes that clean:

Add a separate connector to Claude for each org — https://api.superkabe.com/mcp/acme, https://api.superkabe.com/mcp/beta, etc.
Name them in Claude ("Acme", "Beta") so you can pick the right one per conversation.
Each connector holds its own OAuth grant tied to that one org. Tokens never cross-talk.
Switching which org Claude is acting on is a Claude-side connector switch — no Superkabe re-authorization required.

You sign each org's connector by signing into that Superkabe account once and approving the consent screen. Once authorized, Claude refreshes the token silently for 90 days.

Heads-up

Custom integrations are gated to paid Claude.ai plans (Pro / Team / Enterprise). Free accounts can use the local-clients path in § 2 instead.

What happens behind the scenes

When Claude.ai first calls POST /mcp/<org-slug> without auth:

Superkabe returns 401 with WWW-Authenticate: Bearer resource_metadata="…/.well-known/oauth-protected-resource/mcp/<slug>".
Claude.ai fetches that metadata and discovers our authorization server.
Claude.ai fetches /.well-known/oauth-authorization-server for the auth endpoints.
Claude.ai POSTs to /register (Dynamic Client Registration) — no manual app registration required.
Claude.ai redirects you to /authorize with resource=https://api.superkabe.com/mcp/<slug>; we bounce to /oauth/consent on superkabe.com showing the org name.
You log in (with an account belonging to the named org) and click Authorize. Superkabe returns an authorization code to claude.ai with the grant pinned to that one org.
Claude.ai exchanges the code for an access token at /token (with PKCE verifier).
From here on, every /mcp/<slug> call carries Authorization: Bearer oat_…. The backend enforces that the slug in the URL matches the org the token was issued for — present an Acme token at /mcp/beta and you get 403.

Access tokens expire after 1 hour. Refresh tokens are valid for 90 days. Claude.ai refreshes silently — you only see the consent screen the first time you connect.

Verify the connection

Once authorized, the dashboard Integrations page shows the Claude card as Connected. The same status comes from GET /api/oauth/connections — see § 5.

Disconnect

Dashboard → Integrations → Claude card → Manage → Disconnect. Revokes all tokens for that client immediately. Claude.ai will prompt you to re-authorize on next use. See Disconnecting Integrations for details.

2. Local clients (Desktop, Code, Cursor)

Claude Desktop, Claude Code (CLI), Cursor, and Continue spawn the MCP server as a local stdio process on your machine. Authentication is a Superkabe API key in the env block of your client config — same key you'd use for the REST API.

Generate an API key

Open Dashboard → API & MCP.
Click Create new key. Give it a name (e.g. "Claude Desktop on laptop").
Tick the scopes you want Claude to have. Read-only set: account:read leads:read campaigns:read mailboxes:read domains:read replies:read validation:read reports:read.
Copy the key (sk_live_…). It's shown once — store it somewhere secure.

Configure your client

Same JSON shape across every client — only the file path differs:

{
  "mcpServers": {
    "superkabe": {
      "command": "npx",
      "args": ["-y", "@superkabe/mcp-server"],
      "env": {
        "SUPERKABE_API_KEY": "sk_live_your_key_here",
        "SUPERKABE_API_URL": "https://api.superkabe.com"
      }
    }
  }
}

Where to put it:

Client	Config path
Claude Desktop (macOS)	`~/Library/Application Support/Claude/claude_desktop_config.json`
Claude Desktop (Windows)	`%APPDATA%\Claude\claude_desktop_config.json`
Claude Desktop (Linux)	`~/.config/Claude/claude_desktop_config.json`
Claude Code	`~/.claude/settings.json` (under `mcpServers`) or per-project `.mcp.json`
Cursor	`~/.cursor/mcp.json` (global) or per-project
Continue	`<project>/.continue/config.json` under `mcpServers`

Restart your client. Look for a tools indicator (Claude Desktop shows a hammer icon, Cursor shows the connector count). 17 Superkabe tools should be available.

Never put the API key in args[]

It will leak into ps aux and OS process lists. Always use the env block.

First prompt

Try one of these to confirm the connection:

"List my campaigns and tell me which mailboxes are in healing."
"Show me all replies from the last 24 hours and flag anything that looks positive."
"If any campaign has a bounce rate above 2%, pause it."

3. The 17 tools

Every tool maps 1:1 to a v1 REST endpoint and is gated by a specific scope on your API key (or OAuth grant). Grant the minimum.

Tool	Risk	Scope	What it does
`get_account`	low	`account:read`	Plan, usage counts, tier limits.
`import_leads`	medium	`leads:write`	Bulk import (max 5,000).
`list_leads`	low	`leads:read`	Paginated list with filters.
`get_lead`	low	`leads:read`	Single lead with validation + engagement history.
`validate_leads`	medium	`validation:trigger`	Async validate by lead IDs or emails.
`get_validation_results`	low	`validation:read`	Org-wide breakdown by status.
`create_campaign`	high	`campaigns:write`	Sequencer campaign with steps + variants + schedule.
`list_campaigns`	low	`campaigns:read`	All campaigns with status, lead/step counts.
`get_campaign`	low	`campaigns:read`	Full campaign incl. steps, variants, first 100 leads.
`update_campaign`	high	`campaigns:write`	Edit name / schedule / daily limit. Paused or draft only.
`launch_campaign`	high	`campaigns:write`	Starts real sends.
`pause_campaign`	medium	`campaigns:write`	Stop sending on an active campaign.
`get_campaign_report`	low	`reports:read`	Sent / replies / reply-rate / status breakdown.
`get_campaign_replies`	low	`replies:read`	Inbound replies (last 100 threads).
`send_reply`	high	`replies:send`	Sends a real email from the original mailbox.
`list_mailboxes`	low	`mailboxes:read`	Health, send/bounce counts, warmup, recovery phase.
`list_domains`	low	`domains:read`	Health, bounce-rate trends, engagement, recovery phase.

4. Security model

Per-grant org scoping. Every OAuth access token and API key is tied to one organization. Cross-tenant access is structurally impossible — there's no "super-key" that crosses orgs.
Hashed at rest. Both sk_live_… API keys and oat_… OAuth tokens are stored only as SHA-256 hashes. The plaintext value is shown to the user once at creation and never again.
Scope-gated tools. The MCP server attempts every tool, but the backend rejects calls whose scope isn't on the bearer token. Read-only keys can't create campaigns even if Claude tries.
Short-lived OAuth tokens. Access tokens expire after 1 hour; refresh tokens after 90 days. Revocation via POST /revoke or the dashboard is immediate.
PKCE-only OAuth. All OAuth clients are public clients with PKCE — no client secrets shipped to claude.ai or any other browser-resident integration.
Stateless transport. The HTTP MCP endpoint (/mcp) holds no per-session state — every request is independently authenticated, no session hijack surface.
Stdio opens no ports. Local clients spawn the npm package as a subprocess that talks over stdin/stdout. Compromise requires local process access.

5. API reference (OAuth + connections)

Discovery

GET https://api.superkabe.com/.well-known/oauth-authorization-server
GET https://api.superkabe.com/.well-known/oauth-protected-resource/mcp
GET https://api.superkabe.com/.well-known/oauth-protected-resource/mcp/<your-org-slug>

The third endpoint is per-org and returns metadata pointing at resource: https://api.superkabe.com/mcp/<slug>. Claude.ai discovers it from the WWW-Authenticate header on the first /mcp/<slug> call. Returns 404 for unknown slugs.

OAuth endpoints

POST /register — Dynamic Client Registration (RFC 7591). Returns client_id; no secret (PKCE).
GET /authorize — kicks off the consent flow. Redirects to /oauth/consent on superkabe.com.
POST /token — exchanges authorization code for access + refresh tokens. Also handles refresh-token grant.
POST /revoke — revokes a single token (access or refresh).

List active connections

GET https://api.superkabe.com/api/oauth/connections
Authorization: Bearer sk_live_…  # or any auth — JWT cookie also works

Response:

[
  {
    "client_id": "mcp_client_a4cce2cca6baf67e084ef681",
    "client_name": "Claude",
    "client_uri": null,
    "logo_uri": null,
    "scopes": ["account:read", "leads:read", "leads:write", "campaigns:read", "campaigns:write", ...],
    "granted_at": "2026-04-29T10:43:24.000Z",
    "last_used_at": "2026-04-29T11:02:08.000Z",
    "access_token_expires_at": "2026-04-29T12:02:08.000Z",
    "refresh_expires_at": "2026-07-28T10:43:24.000Z"
  }
]

Powers the "Connected" status on the Integrations page. One row per distinct OAuth client tied to your org with at least one non-revoked, non-expired grant. Refresh-token rotation is deduped by client_id.

Revoke connections

POST https://api.superkabe.com/api/oauth/connections/revoke
Authorization: Bearer <jwt-or-api-key>
Content-Type: application/json

{ "client_id": "mcp_client_a4cce2cca6baf67e084ef681" }

Marks every access & refresh token for that (org, client) pair as revoked. Effective immediately — claude.ai will get 401 on next call. Omit client_id to revoke all OAuth grants for the org at once.

6. Troubleshooting

Symptom	Likely cause	Fix
claude.ai "Couldn't reach the MCP server"	Free Claude.ai plan or transient handshake failure	Verify you're on Pro/Team/Enterprise; remove and re-add the integration.
Consent screen says "You're signed in to a different organization"	Active Superkabe session is for a different org than the connector URL targets	Sign out of Superkabe, sign in with an account for the org named on the consent screen, then re-open the connection from Claude.ai.
Claude tools return `403` "different organization"	Token issued for a different org than the URL slug — usually a stale connector pointed at the wrong slug	Remove the connector in Claude, re-add using the URL from your dashboard, re-authorize.
Tools icon never appears (Desktop / Cursor)	Bad JSON or wrong config path	`jq . <config>` to validate; quit & relaunch the client.
Stdio: `FATAL: SUPERKABE_API_KEY required`	Env not passed to subprocess	Put key under `env`, not `args`.
All tool calls return 401	Key revoked / wrong env	Reissue key; check `SUPERKABE_API_URL`.
Some tools return "Missing required scope"	Key/token lacks that scope	Edit key in dashboard or re-authorize claude.ai with broader scopes.
`ECONNREFUSED 127.0.0.1:4000`	Default URL used; no local backend	Set `SUPERKABE_API_URL=https://api.superkabe.com`.

Verbose logs (stdio)

# Claude Desktop (macOS)
tail -f "$HOME/Library/Logs/Claude/mcp-server-superkabe.log"

# Claude Desktop (Windows)
Get-Content -Wait "$env:APPDATA\Claude\Logs\mcp-server-superkabe.log"

# Cursor
tail -f "$HOME/.cursor/logs/mcp-server-superkabe.log"

# Verbose Node HTTP tracing
NODE_DEBUG=http,https SUPERKABE_API_KEY=… npx @superkabe/mcp-server