MCP server

Connect Claude Code, Cursor, or any MCP client over OAuth and let your agent drive the /v1 API.

The Rank Prompt MCP server is a hosted remote Model Context Protocol server at https://mcp.rankprompt.com/mcp. It exposes your AI visibility data (brands, reports, citations) as tools any MCP client can call, plus generic read, write, and delete over the /v1 API. Same data and the same entitlement as the API; nothing to host or keep running.

For the product overview see the MCP landing page. This page is the technical reference.

| Property | Value |
|---|---|
| Endpoint | https://mcp.rankprompt.com/mcp |
| Transport | Streamable HTTP (remote), one JSON-RPC request per POST |
| Auth | OAuth 2.1 + PKCE in the browser, or a pass-through API key |
| Plan | Starter and up, or a standalone API plan (the same entitlement as the /v1 API) |
| Tools | 20, read-only by default; write tools are explicit |

Connect

Pick your client, add the server, then authenticate. In Claude Code you sign in over OAuth and never paste a key. Other clients point at the URL and approve in the browser, or fall back to an API key.

Claude Code:

    claude mcp add --transport http --scope user rankprompt https://mcp.rankprompt.com/mcp

Other clients (JSON config):

    {
      "mcpServers": {
        "rankprompt": {
          "url": "https://mcp.rankprompt.com/mcp"
        }
      }
    }

--scope user makes the server available in every project. Once connected, call rankprompt_prime first: it returns your entitlement status and the canonical workflow the agent should follow.

Authentication

Two ways to authenticate, both resolving to a scoped /v1 API key:

  • OAuth 2.1 (interactive clients). The client registers over dynamic client registration, then you approve access on a consent screen and sign in with Google. The flow uses PKCE (S256), so no secret ends up in your shell history. The access token the server issues carries your API key encrypted: the client can read the token but not the key, which is decrypted server-side only to call /v1.
  • Pass-through API key (headless / CI). Send a rp_live_... key as the bearer token. Mint one on the Developers page inside your workspace. Use this for clients without a built-in OAuth flow.

Either way, every call is bound to the key’s scopes and brand restriction, and revoking a key takes effect on its next call.

Scopes

The OAuth flow mints a key scoped to the MCP toolset: brands, reports, prompts, citations, jobs, page audit, scheduled reports, and region configs (read and write where a tool needs it). The generic rankprompt_read, rankprompt_write, and rankprompt_delete tools reach any /v1 path within those scopes. Endpoints outside the set (for example webhooks or shares) return insufficient_scope.

Implementing your own client

Discovery is standard, so any compliant MCP client connects with no manual config. All paths are on the server origin mcp.rankprompt.com:

| Document | Path |
|---|---|
| Protected resource metadata (RFC 9728) | /.well-known/oauth-protected-resource |
| Authorization server metadata (RFC 8414) | /.well-known/oauth-authorization-server |
| Dynamic client registration (RFC 7591) | POST /oauth/register |
| Authorize | GET /oauth/authorize |
| Token | POST /oauth/token |

Only public clients are supported (token_endpoint_auth_method: none); the authorization_code grant and PKCE S256 are required. A tools/call sent without a token returns 401 with a WWW-Authenticate header pointing at the protected-resource metadata, which is the pointer MCP clients follow to start OAuth.
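
An added example (not Rank Prompt's own code) of the client-side steps above: it reads the resource_metadata pointer from the 401 challenge, builds the RFC 7591 registration body for a public client, and starts an authorization request with PKCE S256. Pinning every URL to the server origin is this example's choice, based on the statement that all paths are on mcp.rankprompt.com; the client name, sample header, and sample metadata are constructed.

```python
import base64, hashlib, re, secrets
from urllib.parse import urlencode, urlsplit

ORIGIN = "https://mcp.rankprompt.com"  # server origin named on this page

def same_origin(url: str) -> bool:
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}" == ORIGIN

def metadata_pointer(www_authenticate: str) -> str:
    """Pull resource_metadata (RFC 9728) out of a 401 Bearer challenge, pinned to ORIGIN."""
    m = re.search(r'resource_metadata="([^"]+)"', www_authenticate)
    if not www_authenticate.strip().lower().startswith("bearer") or not m:
        raise ValueError("no Bearer resource_metadata challenge")
    if not same_origin(m.group(1)):
        raise ValueError("metadata pointer leaves the expected origin")
    return m.group(1)

def s256(verifier: str) -> str:
    """PKCE S256: BASE64URL(SHA256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def registration_body(redirect_uri: str) -> dict:
    """RFC 7591 request for a public client, matching the requirements above."""
    return {"client_name": "example-client",  # hypothetical name
            "redirect_uris": [redirect_uri],
            "grant_types": ["authorization_code"], "response_types": ["code"],
            "token_endpoint_auth_method": "none"}

def start_authorization(as_meta: dict, client_id: str, redirect_uri: str):
    """Check the AS metadata, then return (authorize URL, verifier, state)."""
    if "S256" not in as_meta.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise PKCE S256")
    endpoint = as_meta["authorization_endpoint"]
    if not same_origin(endpoint):
        raise ValueError("authorization endpoint is off-origin")
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 limit
    state = secrets.token_urlsafe(16)     # echoed back; compare on the redirect
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state,
                       "code_challenge": s256(verifier),
                       "code_challenge_method": "S256"})
    return f"{endpoint}?{query}", verifier, state

# Constructed samples; the real header and metadata come from the server.
SAMPLE_CHALLENGE = f'Bearer resource_metadata="{ORIGIN}/.well-known/oauth-protected-resource"'
SAMPLE_AS_META = {"authorization_endpoint": ORIGIN + "/oauth/authorize",
                  "code_challenge_methods_supported": ["S256"]}
```

Keep the verifier and state in memory until the redirect returns: the verifier goes to POST /oauth/token as code_verifier, and a state mismatch means the response is not the one this client started.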

Tools

Twenty tools, read-only by default. The write tools are explicit, and the generic read, write, and delete tools reach any /v1 endpoint within your scopes, so the agent grows with the API.

Discover

| Tool | What it does |
|---|---|
| rankprompt_prime | Start here: auth, the canonical loop, and your entitlement status. |
| rankprompt_schema | Find any /v1 endpoint by method, path, and summary. |
| rankprompt_skills_list | List the built-in playbooks (workflow, prompts, scheduling, seo-aeo). |
| rankprompt_skills_read | Read a playbook by name. |

Read

| Tool | What it does |
|---|---|
| rankprompt_list_brands | List your brands, newest first. |
| rankprompt_get_brand_facts | A brand’s researched facts (description, industry, value prop). |
| rankprompt_list_reports | A brand’s reports, newest first. |
| rankprompt_get_report | Full report: prompts, per-platform results, and citations inlined. |
| rankprompt_get_report_summary | Visibility score plus AI analysis for a report. |
| rankprompt_list_citations | A brand’s citations, with actionability filters. |
| rankprompt_get_job | Poll an async job until it completes. |
| rankprompt_read | Generic GET against any /v1 path. |

Build

These tools write.

| Tool | What it does |
|---|---|
| rankprompt_research_brand | Research a brand’s facts automatically (async, 1 credit). |
| rankprompt_create_report | Create a draft report and pick the engines. |
| rankprompt_add_prompts | Seed a report with prompts, or auto-generate them. |
| rankprompt_create_schedule | Re-measure a brand daily, weekly, or monthly. |

Act

These tools write.

| Tool | What it does |
|---|---|
| rankprompt_run_report | Trigger an analysis run and get a job to poll. |
| rankprompt_audit_pages | SEO/AEO audit of a URL, list, or sitemap (1 credit per page). |
| rankprompt_write | Generic POST or PATCH against any /v1 path. |
| rankprompt_delete | Generic DELETE against any /v1 path. |

The workflow

Run it end to end. The value is in shipping the fixes, not in “report done”. rankprompt_prime returns this loop in full.

  1. Pick or create a brand, and make sure it has facts. A report cannot run without them.
  2. Create a report and choose the engines.
  3. Seed prompts (the questions engines answer), or auto-generate them.
  4. Run the report and poll the job until it completes.
  5. Read the summary (score plus AI analysis) and the actionable citations: those are the to-do list.
  6. Audit your pages, implement the fixes in your repo, then track over time with a schedule.

Engines and credits

Reports measure mentions and citations across six answer engines: ChatGPT, Perplexity, Google AI Mode, Claude, Gemini, and Grok. Choose the platforms when you create a report:

  • Standard (chatgpt, perplexity, ai_overviews, claude): 1 credit per prompt, total.
  • Premium (chatgpt_search, claude_search, gemini, grok): 1 credit per platform, per prompt.

See Pricing for the full cost model.

Security

  • OAuth 2.1 with PKCE (S256): browser sign-in, no secret in your shell history.
  • Dynamic client registration plus an explicit consent screen with Google sign-in.
  • Your API key is never exposed to the client. It is carried encrypted inside the access token and decrypted server-side only to call /v1.
  • Scoped, brand-restricted access. Revocation is enforced on every call.
  • A hosted remote server; the OAuth endpoints are rate-limited per IP.