The Busymate MCP server is a JSON-RPC 2.0 tool surface at mcp.busymate.net that mirrors every read and write the dashboard can do — so you can point Claude, Cursor, or any agent at your captured traffic, devices, and settings and let it work for you.
What it is
MCP (the Model Context Protocol) is a standard way for AI clients to discover and call tools. The Busymate MCP server speaks it over JSON-RPC 2.0 at a single endpoint:
https://mcp.busymate.netBehind that hostname, nginx reverse-proxies to a Supabase Edge Function (functions/v1/mcp). The function exposes 188 tools that together cover the full dashboard surface: list and inspect captured requests, control paired devices in real time, drive a remote Chrome over CDP, author sandboxed scripts, manage service groups (and the BusyBro agents they link), tags, workspaces, settings, roles, push, Telegram links, and TestFlight beta admin.
The contract is full dashboard parity — anything you can click in the dashboard has a matching tool here, so an agent can do the same job programmatically.
Why connect an agent
Once a client is connected, you can drive Busymate with natural language instead of clicking around:
- Reverse-engineer an API. "Show me exactly how the DoorDash app authenticates" — the agent calls
inspect_requestsfor that host and reads back the real headers, payloads, and token flow it captured. - Control a device hands-free. "Turn on the VPN on my iPad, then route it through a German proxy" —
vpn_on_device+set_device_external_proxy. - Export evidence. "Give me a HAR of every request to
api.stripe.comtoday" —export_harscoped by host and date. - Operate a remote browser. "Open this URL in the bmc Chrome, take a screenshot, and read the page" —
browser_open+browser_screenshot+browser_snapshot.
The same brain is available over chat as BusyBro, and the in-dashboard consoles give you a click-to-run explorer for the same tools.
How auth works
Authentication is OAuth 2.1, single path. External clients register dynamically (DCR) and complete a PKCE authorization-code flow to obtain an access token; that token's jti is registered in the api_tokens table with label='oauth'. The exact same token type authenticates every Busymate service — MCP, the REST API, Realtime, and getUser-gated Edge Functions. There is no pasted "universal" token. The in-app dashboard consoles obtain the identical token type by exchanging the logged-in session at POST /first-party-token. See Connect & authenticate for the full flow.
Where to go next
- Connect & authenticate — sign in with OAuth 2.1 and wire up Claude Desktop, Cursor, or curl.
- Tool reference — all 188 tools, grouped by what they do, with their permission gating.
- Prompts & examples — ready-to-use prompts and raw JSON-RPC examples.
- REST API and Realtime — the lower-level sibling surfaces the same token unlocks.