172 changes: 172 additions & 0 deletions swagger.yml
@@ -56,6 +56,12 @@
**Note: Applies only to Tyk Gateway Community Edition** <br/>

name: Tyk OAS APIs
- description: |
Manage MCP (Model Context Protocol) Proxies on Tyk Gateway. MCP Proxies are
defined as Tyk OAS documents that include MCP-specific configuration in the
`x-tyk-api-gateway` extension. All create/update requests are validated against
the MCP JSON schema; a Gateway reload is required for changes to take effect.
name: MCP Proxies
- description: |
All keys that are used to access services via Tyk correspond to a session object that informs Tyk about the context of this particular token, like access rules and rate/quota allowance.
name: Keys
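Review bot: the new `MCP Proxies` tag description says create/update requests are "validated against the MCP JSON schema" but does not say where that schema can be fetched or how the required reload is triggered; the `createMCP` operation later in this file names both (`/tyk/schema?type=mcp` and `POST /tyk/reload`), so repeat those two references here so a reader of the tag summary can retrieve the schema they are being validated against without digging into the per-operation text.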
@@ -1559,7 +1565,173 @@
description: Internal server error.
summary: Import an API in Tyk OAS format.
tags:
- Tyk OAS APIs
/tyk/mcps:
get:
description: List all MCP Proxy definitions on this Tyk Gateway. Each entry
is a Tyk OAS document whose `x-tyk-api-gateway` extension marks it as an
MCP Proxy definition.
operationId: listMCPs
responses:
"200":
content:
application/json:
schema:
items:
allOf:

Check warning on line 1581 in swagger.yml (probelabs / Visor: security)
The API definition uses a remote schema from `raw.githubusercontent.com` referenced by a branch name (`refs/heads/master`) rather than a specific commit hash. This introduces an external dependency that can impact service availability if GitHub is unreachable. Furthermore, because the reference points to a mutable branch, the schema can change unexpectedly, leading to validation inconsistencies or potential security vulnerabilities if the source were ever compromised.
To improve reliability and security, bundle the schema file within the application and reference it locally (e.g., using `#/components/schemas/...`). If the schema must be referenced remotely, the URL should point to an immutable version by using a specific commit hash instead of a branch name.
- $ref: https://raw.githubusercontent.com/TykTechnologies/tyk/refs/heads/master/apidef/oas/schema/3.0.json
- $ref: '#/components/schemas/TykVendorExtension'
type: array

Check warning on line 1584 in swagger.yml (probelabs / Visor: security)
The `GET /tyk/mcps` endpoint, which lists all MCP Proxy definitions, does not appear to support pagination. If a large number of MCP definitions exist, this endpoint could be exploited to cause resource exhaustion (high memory and CPU usage) on the server, potentially leading to a denial-of-service condition.
Implement pagination for the `GET /tyk/mcps` endpoint to control the number of items returned in a single request. Common approaches include using query parameters like `limit` and `offset`, or cursor-based pagination. The OpenAPI specification should be updated to include these new parameters.
description: List of MCP Proxy definitions.

Check warning on line 1585 in swagger.yml (probelabs / Visor: performance)
The `GET /tyk/mcps` endpoint is designed to list all MCP Proxy definitions without pagination. If the number of MCP proxies becomes large, this endpoint could return a very large response payload, leading to high memory consumption on the server during serialization and increased network latency for the client.
Consider adding pagination support to the `GET /tyk/mcps` endpoint. Common approaches include using query parameters like `limit` and `offset`, or a cursor-based system, to allow consumers of the API to retrieve the list in smaller, more manageable chunks.
"403":
content:
application/json:
schema:
$ref: '#/components/schemas/ApiStatusMessage'
description: Forbidden
summary: List MCP Proxy definitions.
tags:
- MCP Proxies
post:
description: |
Create an MCP Proxy definition from a Tyk OAS document. The payload must
contain the `x-tyk-api-gateway` extension with MCP configuration and is
validated against the MCP JSON schema (`/tyk/schema?type=mcp`) before being
stored. The Gateway must be reloaded (`POST /tyk/reload`) for the new MCP
Proxy definition to take effect.
operationId: createMCP
requestBody:
content:
application/json:
schema:
allOf:
- $ref: https://raw.githubusercontent.com/TykTechnologies/tyk/refs/heads/master/apidef/oas/schema/3.0.json
- $ref: '#/components/schemas/TykVendorExtension'
responses:
"200":
content:
application/json:
example:
action: added
key: e30bee13ad4248c3b529a4c58bb7be4e
status: ok
schema:
$ref: '#/components/schemas/ApiModifyKeySuccess'
description: MCP Proxy definition created.
"400":
content:
application/json:
example:
message: the payload should contain x-tyk-api-gateway
status: error
schema:
$ref: '#/components/schemas/ApiStatusMessage'
description: Validation failed (invalid OAS, missing `x-tyk-api-gateway`, or schema violation).
"403":
content:
application/json:
schema:
$ref: '#/components/schemas/ApiStatusMessage'
description: Forbidden
summary: Create an MCP Proxy definition.
tags:

Check warning on line 1637 in swagger.yml (probelabs / Visor: security)
The `apiID` path parameter is defined as a generic string without a `pattern` or `format` to enforce a specific structure. This allows for a wide range of inputs, which could be used in attempts to probe for vulnerabilities like path traversal or other injection attacks if the backend implementation does not perform strict validation. Defining a pattern provides an important layer of defense-in-depth.
Add a `pattern` property to the `apiID` parameter's schema to enforce the expected format (e.g., a regular expression for a UUID). This ensures that only validly formatted IDs are processed by the backend.
- MCP Proxies
/tyk/mcps/{apiID}:
parameters:
- description: The MCP Proxy definition ID.
in: path
name: apiID
required: true
schema:
type: string
get:
description: Retrieve a single MCP Proxy definition by its ID.
operationId: getMCP
responses:
"200":
content:
application/json:
schema:
allOf:
- $ref: https://raw.githubusercontent.com/TykTechnologies/tyk/refs/heads/master/apidef/oas/schema/3.0.json
- $ref: '#/components/schemas/TykVendorExtension'
description: The MCP Proxy definition.
"404":
content:
application/json:
schema:
$ref: '#/components/schemas/ApiStatusMessage'
description: MCP Proxy definition not found.
summary: Get an MCP Proxy definition.
tags:
- MCP Proxies
put:
description: Update an existing MCP Proxy definition. Body is validated against
the MCP JSON schema. A Gateway reload is required for changes to take effect.
operationId: updateMCP
requestBody:
content:
application/json:
schema:
allOf:
- $ref: https://raw.githubusercontent.com/TykTechnologies/tyk/refs/heads/master/apidef/oas/schema/3.0.json
- $ref: '#/components/schemas/TykVendorExtension'
responses:
"200":
content:
application/json:
example:
action: modified
key: e30bee13ad4248c3b529a4c58bb7be4e
status: ok
schema:
$ref: '#/components/schemas/ApiModifyKeySuccess'
description: MCP Proxy definition updated.
"400":
content:
application/json:
schema:
$ref: '#/components/schemas/ApiStatusMessage'
description: Validation failed.
"404":
content:
application/json:
schema:
$ref: '#/components/schemas/ApiStatusMessage'
description: MCP Proxy definition not found.
summary: Update an MCP Proxy definition.
tags:
- MCP Proxies
delete:
description: Delete an MCP Proxy definition. A Gateway reload is required to
unload the proxy from the running Gateway.
operationId: deleteMCP
responses:
"200":
content:
application/json:
example:
action: deleted
key: e30bee13ad4248c3b529a4c58bb7be4e
status: ok
schema:
$ref: '#/components/schemas/ApiModifyKeySuccess'
description: MCP Proxy definition deleted.
"404":
content:
application/json:
schema:
$ref: '#/components/schemas/ApiStatusMessage'
description: MCP Proxy definition not found.
"500":
content:
application/json:
schema:
$ref: '#/components/schemas/ApiStatusMessage'
description: Delete failed.
summary: Delete an MCP Proxy definition.
tags:
- MCP Proxies
/tyk/cache/{apiID}:
delete:
description: Invalidate cache for the given API.
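Review bot: the response sets declared for the new MCP operations are inconsistent: `get /tyk/mcps` and `post /tyk/mcps` declare a `"403"` Forbidden response, but `get`, `put` and `delete` under `/tyk/mcps/{apiID}` do not, and only `delete` declares a `"500"` (`Delete failed.`) while `post` and `put` declare none. Either the admin-auth failure and storage-failure paths apply to every operation on this resource, in which case `"403"` belongs on all four `/tyk/mcps/{apiID}` operations and `"500"` on `post`/`put` as well, or the description should say why only `delete` can fail that way. Separately, the identical remote `$ref` `https://raw.githubusercontent.com/TykTechnologies/tyk/refs/heads/master/apidef/oas/schema/3.0.json` is repeated four times (list, create, get, update); hoisting it into `components/schemas` next to `TykVendorExtension` leaves a single place to pin it to a release tag or commit instead of the mutable `master` branch, which is the point Visor raises on line 1581. Minor: `description: Forbidden` (twice) lacks the trailing period every other response description in this hunk uses.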