Developers

Connect anything to your
DeepHarness assistant.

One AI assistant, two open doors: a documented REST API and an OAuth-protected MCP server. Bring your own client — Claude, Cursor, Copilot Studio, a cron job, a backend — and talk to the same orchestrator the product uses. No private allow-list. Self-register in one request.

View the OpenAPI spec Connect via MCP

01REST API

One request. One answer.

POST a message, get JSON back. The assistant analyzes your connected data, answers questions about your dashboards and agents, and routes to specialists server-side — then returns a single, complete answer. Non-streaming, so it drops into Copilot Studio actions, webhooks, and backends without SSE plumbing.

Pass back the returned conversationId to continue a thread. Every call is scoped to your user and organization, rate-limited per day, and governed by the same budget and guardrails as the app.

POST /api/external/v1/chat cURL

# ACCESS_TOKEN is issued by the OAuth flow below.
curl -X POST https://app.deepharness.co/api/external/v1/chat \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "message": "Summarize yesterday'"'"'s dashboard activity" }'

# → 200 OK
# { "answer": "...", "conversationId": "...", "toolsUsed": [...] }

01 02

claude_desktop_config.json JSON

{
  "mcpServers": {
    "deepharness": {
      "type": "streamable-http",
      "url": "https://app.deepharness.co/api/mcp"
    }
  }
}

Works with any MCP client over Streamable HTTP — Claude, Cursor, Copilot Studio. The client auto-discovers OAuth and registers itself; you just approve the connection.

02MCP Server

The assistant, as tools.

An OAuth-protected Model Context Protocol server at /api/mcp. Point any MCP client at it and the assistant shows up as callable tools — starting with chat_with_assistant and get_identity.

Authorization follows the MCP spec end to end: a challenge points the client at the discovery metadata, the client registers itself dynamically, and the user signs in and picks an organization. The same identity, scoping, and limits as the REST surface — no shared keys to leak.

02 03

03Authentication

Self-register. Sign in once. Scoped forever.

DeepHarness is its own OAuth 2.0 / OpenID Connect authorization server. There's no pre-shared client list — register dynamically (RFC 7591), then run the standard authorization-code flow. “Anyone can connect” never means an open relay: a connection always acts as a real, consenting DeepHarness user, scoped to one organization, under that org's budget and guardrails.

Step 1 — Register a client

curl -X POST https://app.deepharness.co/api/auth/oauth2/register \
  -H "Content-Type: application/json" \
  -d '{
    "client_name": "My Integration",
    "redirect_uris": ["https://my.app/oauth/callback"]
  }'

# → 201 Created
# { "client_id": "...", "client_secret": "...", ... }

Step 2 — Exchange the code for a token

# After the user approves at /api/auth/oauth2/authorize and you
# receive ?code=..., exchange it for an access token:
curl -X POST https://app.deepharness.co/api/auth/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=THE_AUTH_CODE" \
  -d "redirect_uri=https://my.app/oauth/callback" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"

Scopes

openid OpenID Connect identity.

profile Basic profile information (name).

email Email address — maps requests to your DeepHarness user.

offline_access Issue a refresh token so the connection survives token expiry.

Request offline_access to receive a refresh token, or the connection ends when the access token expires. A DeepHarness account is required — there's no anonymous access.

Reference