> ## Documentation Index
> Fetch the complete documentation index at: https://docs.acrity.io/llms.txt
> Use this file to discover all available pages before exploring further.

# MCP server

> How to use the Acrity MCP server with the public API.

The Acrity MCP server exposes tools for clients compatible with Model Context Protocol using an existing public API key. It does not create provider credentials and does not need to receive VCS or PM tokens. Two tools are write-capable: `start_security_scan` queues a dependency security scan, and `request_review` requests a review. Both require the API key to hold the matching write scope. Every other tool is read-only.

## When to use

Use the MCP server to let an assistant query Acrity information, such as repositories, PRs, reviews, findings, and security scans, within the scopes authorized by the API key.

Recommended scopes for read-only use:

```text theme={null}
Repositories.Read
Reviews.Read
SecurityScans.Read
```

Add:

* `SecurityScans.Write` when the assistant can start on-demand scans.
* `Reviews.Write` when the assistant can request reviews.

## Configuration

Example MCP client configuration when the npm package is available:

```json theme={null}
{
  "mcpServers": {
    "acrity": {
      "command": "npx",
      "args": ["-y", "@acrity/mcp-server"],
      "env": {
        "ACRITY_API_BASE_URL": "https://acrity.io",
        "ACRITY_API_KEY": "acr_live_..."
      }
    }
  }
}
```

Use the Acrity base URL without adding `/api`. The MCP server builds public paths automatically.

To change how long the server waits for each public API call, set the optional `ACRITY_MCP_TIMEOUT_MS` environment variable to the timeout in milliseconds. If you omit it, the server uses a default of `20000` ms (20 seconds).

<Note>
  If Acrity provides a different MCP server distribution for your installation, keep the same variable set and replace only `command` and `args` with the installation method provided by Acrity.
</Note>

<Warning>
  Store the API key in the MCP client's secrets vault. Do not put the key in repositories, shared messages, or screenshots.
</Warning>

## Available tools

| Tool                          | Scope                 |
| ----------------------------- | --------------------- |
| `get_acr_context`             | valid API key         |
| `list_repositories`           | `Repositories.Read`   |
| `get_repository`              | `Repositories.Read`   |
| `list_pull_requests`          | `Reviews.Read`        |
| `get_pull_request`            | `Reviews.Read`        |
| `list_reviews`                | `Reviews.Read`        |
| `get_review_findings`         | `Reviews.Read`        |
| `request_review`              | `Reviews.Write`       |
| `check_bootstrap_eligibility` | `Repositories.Read`   |
| `get_bootstrap_status`        | `Repositories.Read`   |
| `get_bootstrap_artifact`      | `Repositories.Read`   |
| `list_security_scans`         | `SecurityScans.Read`  |
| `get_security_scan`           | `SecurityScans.Read`  |
| `start_security_scan`         | `SecurityScans.Write` |

The `list_` tools follow the public API pagination limit and return a maximum of 50 items per page. Request the next page to retrieve more results.

## Validation

After configuring it, call `get_acr_context`. The tool confirms workspace, scopes, and API availability from that key's view.

If a tool returns missing permission, create or edit the API key in the Console with the minimum required scope.
