webrenew · charlesrhoward · May 17, 2026 · May 17, 2026 · mogplex · May 17, 2026
diff --git a/content/docs/web/api/index.mdx b/content/docs/web/api/index.mdx
@@ -20,7 +20,8 @@ compatibility contract.
 - [Errors](/web/api/errors) for the typed error envelope, code table, and
   retry guidance
 - [Runs](/web/api/runs), [Repos](/web/api/repos), [Sandboxes](/web/api/sandboxes),
-  [MCP](/web/api/mcp) for the v1 public surface (`/api/v1/mogplex/*`)
+  [MCP servers](/web/api/mcp-servers), [MCP](/web/api/mcp) for the v1 public
+  surface (`/api/v1/mogplex/*`)
 - [Models](/web/api/models) for the standalone model catalog, CLI model export,
   and per-user enablement rules
 - [Working Requests](/web/api/working-requests) for concrete `curl` examples
@@ -36,7 +37,7 @@ If you only want the most useful first calls, start here:
 - `GET /api/settings` to inspect shared defaults like theme and default model
 - `GET /api/models` to inspect the visible catalog and enabled model set
 - `GET /api/github/installations` to confirm real GitHub App coverage
-- `GET /api/mcp-servers?format=cli` to export the CLI-ready MCP view
+- `GET /api/v1/mogplex/mcp/servers` to export the CLI-ready MCP view (PAT-only)
 - `GET /api/observability/stats` to inspect runtime health and cost summary
 
 See [Working Requests](/web/api/working-requests) for full examples.

diff --git a/content/docs/web/api/mcp-servers.mdx b/content/docs/web/api/mcp-servers.mdx
@@ -0,0 +1,129 @@
+---
+title: MCP servers
+description: GET /api/v1/mogplex/mcp/servers returns the caller's configured MCP servers — both custom user_mcp_servers and enabled mcp_server connections — with secrets already resolved server-side, ready to hand to a local MCP client.
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+`GET /api/v1/mogplex/mcp/servers`
+
+Returns the merged list of MCP servers the authenticated user has configured
+in Mogplex Cloud: custom servers stored in `user_mcp_servers` plus enabled
+`mcp_server` connections. Secret values (env vars, headers, OAuth tokens) are
+resolved server-side from Supabase Vault before the response is sent, so the
+returned `config` block is ready to hand straight to a local MCP client.
+
+<Callout type="info">
+  Don't confuse this with [`POST /api/v1/mogplex/mcp`](/web/api/mcp). That
+  endpoint is the JSON-RPC tool-call surface for the **v1 REST API itself**.
+  This one lists the **user's external MCP servers** so a CLI or agent host
+  can connect to them locally.
+</Callout>
+
+## Scope
+
+`read` — see [Authentication → Scopes](/web/api/authentication#scopes). The
+listing is gated on `read` explicitly because the response surfaces
+authorization headers and vault-decrypted env vars.
+
+## Merge rules
+
+When a `user_mcp_servers` entry and an enabled `mcp_server` connection share
+a name, the custom row wins — same precedence the CLI uses today via the
+internal `/api/mcp-servers?format=cli` endpoint.
+
+## Example
+
+```bash
+export MOGPLEX_BASE_URL="https://www.mogplex.com"
+export MOGPLEX_TOKEN="mog_..."
+
+curl -sS \
+  -H "Authorization: Bearer $MOGPLEX_TOKEN" \
+  "$MOGPLEX_BASE_URL/api/v1/mogplex/mcp/servers"
+```
+
+Representative response:
+
+```json
+{
+  "ok": true,
+  "data": {
+    "servers": [
+      {
+        "name": "supabase",
+        "enabled": true,
+        "config": {
+          "command": "npx",
+          "args": ["@supabase/mcp-server"],
+          "env": {
+            "SUPABASE_ACCESS_TOKEN": "sbp_••••••••"
+          }
+        }
+      },
+      {
+        "name": "linear",
+        "enabled": true,
+        "config": {
+          "url": "https://mcp.linear.app/sse",
+          "http_headers": {
+            "Authorization": "Bearer lin_••••••••"
+          }
+        }
+      }
+    ]
+  }
+}
+```
+
+## Response shape
+
+```typescript
+type MogplexApiMcpServer = {
+  name: string;                          // unique per user
+  enabled: boolean;                      // disabled servers are still returned
+  config: Record<string, unknown>;       // stdio: command/args/env
+                                         // http:  url/http_headers
+};
+```
+
+`config` is intentionally a loose record so the server can add transport
+options without bumping the CLI. The two shapes in use today:
+
+```typescript
+// stdio
+{ command: string; args?: string[]; env?: Record<string, string> }
+
+// http
+{ url: string; http_headers?: Record<string, string> }
+```
+
+## Errors
+
+| Code              | HTTP | Cause                              |
+| ----------------- | ---- | ---------------------------------- |
+| `UNAUTHORIZED`    | 401  | Missing/invalid/expired PAT        |
+| `FORBIDDEN`       | 403  | PAT lacks the `read` scope         |
+| `RATE_LIMITED`    | 429  | 60 req/min per PAT exceeded        |
+| `INTERNAL_ERROR`  | 500  | Unexpected server error            |
+
+See [Errors](/web/api/errors) for retry guidance.
+
+## CLI equivalent
+
+The Mogplex CLI calls this endpoint automatically on startup to refresh
+`~/.mogplex/mcp-servers.remote.json`. There's no dedicated subcommand — see
+[Headless runs](/cli/automation/headless-runs) for how the CLI uses these
+servers during agent runs.
+
+## Security notes
+
+- Responses include decrypted secrets. Treat them like a `.env` file: don't
+  log them, don't commit them, don't echo them in CI output.
+- The endpoint requires the `read` scope and never falls back to session
+  cookies — a PAT is the only way in.
+
+## Read next
+
+- [MCP server (JSON-RPC)](/web/api/mcp) — the v1-as-MCP-tools surface
+- [Authentication](/web/api/authentication) — PAT lifecycle and scopes
diff --git a/content/docs/web/api/mcp.mdx b/content/docs/web/api/mcp.mdx
@@ -11,6 +11,12 @@ The Mogplex Cloud API is also reachable as an [MCP](https://modelcontextprotocol
 server over JSON-RPC 2.0. Each tool mirrors a v1 REST endpoint, so a host that
 understands MCP gets the full surface without writing a REST client.
 
+<Callout type="info">
+  Looking for the list of MCP servers you've configured in Mogplex (Linear,
+  Supabase, etc.)? That's a different endpoint — see
+  [GET /api/v1/mogplex/mcp/servers](/web/api/mcp-servers).
+</Callout>
+
 ## Connecting
 
 | Header              | Value                                |

diff --git a/content/docs/web/api/meta.json b/content/docs/web/api/meta.json
@@ -8,6 +8,7 @@
     "runs",
     "repos",
     "sandboxes",
+    "mcp-servers",
     "mcp",
     "working-requests",
     "route-families"

diff --git a/content/docs/web/api/route-families.mdx b/content/docs/web/api/route-families.mdx
@@ -21,6 +21,7 @@ Representative routes:
 - `/api/v1/mogplex/runs/{runId}` (GET)
 - `/api/v1/mogplex/runs/{runId}/events` (GET)
 - `/api/v1/mogplex/runs/{runId}/cancel` (POST)
+- `/api/v1/mogplex/mcp/servers` (GET)
 - `/api/v1/mogplex/mcp` (POST, JSON-RPC)
 
 This is the stable, **PAT-only** surface for headless callers — the CLI's