Skip to main content
WorldMonitor exposes its intelligence stack as a Model Context Protocol server so any MCP-compatible client (Claude Desktop, Claude web, Cursor, MCP Inspector, custom agents) can pull live conflict, market, aviation, maritime, economic, and forecasting data directly into a model’s context.
New here? The MCP Quickstart is a five-minute path from zero to a real tool call in Claude Desktop. Come back to this page for auth modes, plans, OAuth setup, and the full tool catalog.
Pro and API tiers can both connect via OAuth — no API key required. Pro subscribers click “Sign in with WorldMonitor Pro” on the consent page; API Starter / Business / Enterprise users may sign in the same way OR paste a wm_… key. Free-tier users see a 401 at the OAuth step.
All paid tiers share the same MCP server and the same 39 tools. The current hard MCP daily reservation is enforced only for OAuth contexts at the Pro counter: 50 quota-consuming tools/call / resources/read calls per UTC day. API-key (wm_…) MCP clients are protected by the 60 requests/minute/key limiter in this handler; broader API Starter / Business REST allowances are enforced outside the MCP daily reservation path. (describe_tool, the v1.5.0 metadata-lookup helper, is exempt from the Pro daily quota.) Pro subscribers can connect Claude Desktop / Cursor / claude.ai without ever pasting an API key — see Pro sign-in flow below. API Starter+ holders may continue to paste a wm_… key on the consent page (the original flow), or use the same OAuth path as Pro.

Endpoints

EndpointPurpose
https://worldmonitor.app/mcpJSON-RPC server (Streamable HTTP transport; JSON responses by default, SSE responses when clients advertise text/event-stream; initialize defaults to protocol 2025-03-26)
https://api.worldmonitor.app/api/oauth/registerDynamic Client Registration (RFC 7591)
https://api.worldmonitor.app/api/oauth/authorizeOAuth 2.1 authorization endpoint (PKCE required)
https://api.worldmonitor.app/api/oauth/tokenToken endpoint (authorization_code + refresh_token)
https://api.worldmonitor.app/.well-known/oauth-authorization-serverAS metadata (RFC 8414)
https://worldmonitor.app/.well-known/oauth-protected-resourceResource server metadata (RFC 9728)
Server identifier: worldmonitor v1.10.0.

Protocol negotiation

WorldMonitor’s static server card at /.well-known/mcp/server-card.json advertises protocol version 2025-06-18, matching the current published capability card. The live initialize handshake is intentionally more conservative during the rollout:
  • By default, initialize negotiates 2025-03-26.
  • When MCP_PROTOCOL_FLOOR_2025_06_18=on is enabled for the deploy, the server supports both 2025-03-26 and 2025-06-18.
  • With that flag on, clients requesting 2025-06-18 receive 2025-06-18; clients pinned to 2025-03-26 continue receiving 2025-03-26.
  • With that flag off, a client that requests 2025-06-18 receives the safe default 2025-03-26.
Tool outputSchema metadata is emitted on tools/list regardless of the negotiated protocol version. Older 2025-03-26 clients should ignore unknown fields, while newer clients can use the schema immediately.

Streamable HTTP responses

WorldMonitor supports the Streamable HTTP POST flow with either JSON or SSE responses:
  • Clients that omit text/event-stream from Accept receive the standard JSON-RPC JSON response body.
  • Clients that send Accept: application/json, text/event-stream can receive a text/event-stream response for successful JSON-RPC POSTs.
  • initialize SSE responses include Mcp-Session-Id; follow-up POSTs should send that same Mcp-Session-Id header.
  • Each SSE response starts with an empty priming event that has an event id, followed by the JSON-RPC response event. If the client disconnects after an event, it can resume by sending GET /mcp with Accept: text/event-stream, the same Mcp-Session-Id, and Last-Event-ID.
The replay buffer is in-memory and bounded per edge instance. Treat Last-Event-ID resume as loss-tolerant transport recovery, not durable message storage.

Authentication

The MCP handler accepts two auth modes, in priority order:
  1. OAuth 2.1 bearerAuthorization: Bearer <token> where <token> was issued by /api/oauth/token. This is what Claude Desktop, claude.ai, Cursor, and MCP Inspector use automatically. Required for any client that hits MCP from a browser origin.
  2. Direct API keyX-WorldMonitor-Key: wm_0123456789abcdef0123456789abcdef01234567 for user-issued keys, or an opaque operator-issued enterprise key. Intended for server-side scripts, curl, and custom integrations. Do not send an API key as a Bearer token — it will fail OAuth resolution and return 401 invalid_token.
OAuth bearer requests re-check the resolved MCP token, user binding, and active entitlement before dispatch, so a subscription downgrade revokes OAuth MCP access on the next request. Direct X-WorldMonitor-Key requests validate the configured API key and then use the per-key limiter; their REST/API plan allowances are enforced outside the Pro/OAuth MCP daily reservation path.

Redirect URI allowlist

Dynamic Client Registration is not open to arbitrary HTTPS redirects. Only these prefixes are accepted:
  • https://claude.ai/api/mcp/auth_callback
  • https://claude.com/api/mcp/auth_callback
  • http://localhost:<port> / http://127.0.0.1:<port> (any port) — for Claude Code, MCP Inspector, local development
Other clients must proxy via one of these redirects or run locally.

Token lifetimes

ArtifactTTL
Authorization code10 min
Access token1 hour
Refresh token7 days
Registered client record90 days (sliding)

Pro sign-in flow

Pro subscribers (and API Starter+ users who’d rather not paste a key) can authorize MCP clients via their existing WorldMonitor account — no API key needed.
  1. Add the server URL in your MCP client. The canonical entrypoint is: 
    https://api.worldmonitor.app/mcp
    (https://worldmonitor.app/mcp works too — it proxies the same handler.)
  2. Click “Sign in with WorldMonitor Pro” on the consent page. This is the default CTA. You’ll bounce through worldmonitor.app/mcp-grant (Clerk-protected — sign in if needed), then back to api.worldmonitor.app/oauth/authorize-pro, then to your client’s redirect.
  3. Done. No wm_… key is created or stored on your machine. The client receives a standard OAuth 2.1 access token (1 h TTL, 7 d refresh).
If you’d rather paste an API key (Starter+ / scripted clients), expand “Use API key instead” on the consent page and submit your wm_ user key or operator-issued enterprise key — that path is unchanged.

Daily limit (Pro tier)

  • 50 quota-consuming calls per UTC day, reset at 00:00 UTC.
  • tools/call and resources/read consume the Pro daily quota, except the metadata helper describe_tool.
  • initialize, tools/list, prompts/list, prompts/get, resources/list, logging/setLevel, notifications/initialized, ping, and describe_tool do not count against the daily cap.
  • Hitting the cap returns JSON-RPC error -32029 plus HTTP 429 with a Retry-After header pointing at the next UTC midnight.
  • The cap is hard: concurrent tools/call or resources/read requests near the boundary use an atomic Redis reservation, so exactly the call that crosses 50 rejects.
Need higher-volume scripted access? API Starter and API Business add a wm_… key option plus REST/API plan allowances, but wm_… MCP calls are not metered by the MCP daily reservation counter; they still have the 60/minute/key MCP throttle. For batch or high-volume workflows, prefer the REST/API endpoints or contact Enterprise — see Plans & limits.

Connected MCP clients

Each authorization mints a separate row, so revoking Claude Desktop does not affect Cursor.
  • Manage connected clients in Settings → Connected MCP clients.
  • See the live clientName (e.g. “Claude”, “Cursor”), lastUsedAt, and createdAt per token.
  • A revoke takes effect on the next MCP request (no positive cache).
  • Up to 5 active tokens per user. The 6th authorization silently revokes the least-recently-used existing one.

Plans & limits

PlanMCP accessAuth modesMCP daily reservationNotes
Free❌ NoOAuth flow returns 401 INSUFFICIENT_TIER. Upgrade at worldmonitor.app/pro.
Pro✅ YesOAuth only50 quota-consuming calls / UTC dayBounce-via-apex Clerk sign-in. No wm_… key needed or stored.
API Starter✅ YesOAuth or wm_… keyOAuth contexts use the Pro counter; wm_… MCP calls have no MCP daily reservationStandard developer-tier REST/API access.
API Business✅ YesOAuth or wm_… keyOAuth contexts use the Pro counter; wm_… MCP calls have no MCP daily reservationHigher REST/API throughput.
Enterprise✅ YesOAuth or wm_… keyCustom; wm_… MCP calls have no default MCP daily reservationCustom SLA available.
Per-minute throttling of 60 calls/minute/key (API-key clients) or 60/minute/user (OAuth contexts) protects against burst storms across all paid tiers. The per-minute limiter runs before method dispatch, so every method (including initialize, tools/list, prompts/list, resources/list, describe_tool, etc.) counts toward 60/min. Only the Pro/OAuth daily-quota cap is selective — that one is consumed exclusively by tools/call and resources/read reservations (see Daily limit (Pro tier) above, and the Error Catalog for the full method-exemption tables for both limits). OAuth 60/min is per-USER (a user with 3 Claude installations shares one 60/min pool); API-key 60/min is per-KEY (multiple keys = higher throughput). Hitting the Pro/OAuth daily quota returns JSON-RPC error -32029 plus HTTP 429 with a Retry-After header pointing at the next UTC midnight. Hitting the per-minute limit returns the same error code with a short Retry-After.

Other rate limits

  • OAuth authorize: 10 requests / minute / IP
  • OAuth token: 10 requests / minute / IP
  • Dynamic registration: 5 registrations / minute / IP
Exceeding any limit returns HTTP 429 with a Retry-After header.

Client setup

Claude Desktop

~/Library/Application Support/Claude/claude_desktop_config.json (macOS) — use the remote MCP entry: 
{
  "mcpServers": {
    "worldmonitor": {
      "url": "https://worldmonitor.app/mcp"
    }
  }
}
Claude Desktop handles the OAuth flow automatically on first connection.

Claude web (claude.ai)

Add via Settings → Connectors → Add custom connector:
  • Name: WorldMonitor
  • URL: https://worldmonitor.app/mcp

Cursor

~/.cursor/mcp.json: 
{
  "mcpServers": {
    "worldmonitor": {
      "url": "https://worldmonitor.app/mcp"
    }
  }
}

MCP Inspector (debugging)

npx @modelcontextprotocol/inspector https://worldmonitor.app/mcp

Tool catalog

The server exposes 39 tools. Most are cache-reads over pre-seeded Redis keys (sub-second). The slower, non-cache paths are the six live LLM/external-API tools (get_world_brief, get_country_brief, analyze_situation, generate_forecasts, search_flights, search_flight_prices_by_date) plus the live geo RPC tools (get_airspace, get_maritime_activity), which proxy fresh aviation/maritime API calls with edge timeouts. One (describe_tool, added v1.5.0) returns the full uncompressed definition of any other tool — useful when the compressed tools/list description is ambiguous; exempt from the Pro daily quota.
For per-tool parameters, freshness budgets, timeouts, and concrete curl examples, see the MCP Tools Reference. For payload projection — every tool accepts an optional jmespath argument that typically cuts response size by 80-95% — see the JMESPath guide.

Markets & economy

ToolDescription
get_market_dataEquity quotes, commodity prices (incl. gold GC=F), crypto, FX, sector performance, ETF flows, Gulf markets.
get_economic_dataFed Funds, economic calendar, fuel prices, ECB FX, EU yield curve, earnings, COT, energy storage, BIS DSR + property prices.
get_country_macroIMF WEO bundle per country: inflation, current account, GDP/capita, unemployment, savings-investment gap (~210 countries).
get_eu_housing_cycleEurostat annual house price index (prc_hpi_a), 10-yr sparkline per EU member + EA20/EU27.
get_eu_quarterly_gov_debtEurostat quarterly gross government debt (%GDP), 8-quarter sparkline.
get_eu_industrial_productionEurostat monthly industrial production index, 12-month sparkline.
get_prediction_marketsActive Polymarket event contracts with live probabilities.
get_supply_chain_dataDry bulk shipping stress index, customs flows, COMTRADE bilateral trade.
get_tariff_trendsGlobal trade and pricing indicators: US tariff trends (HTS-coded), BigMac index, FAO Food Price Index, and per-country national debt levels.
get_chokepoint_statusLive maritime chokepoint status: per-chokepoint vessel transit counts (10-min cadence), rolling transit summaries, per-port activity, plus static reference data and flow aggregates. Covers Suez, Hormuz, Malacca, Bab-el-Mandeb, Panama, etc.
get_consumer_pricesPer-country consumer-prices intelligence: 30-day overview, category-level inflation, retailer spread (essentials basket), top movers, and source freshness. Requires country_code (currently only ae is seeded).
get_commodity_geo71 major mining sites worldwide (gold, silver, copper, lithium, uranium, coal).

Energy

ToolDescription
get_energy_intelligenceEnergy supply, prices, storage, disruptions, and policy: EIA petroleum stocks, electricity prices (Ember), gas storage (GIE), fuel shortages, fossil & renewable shares, active energy disruptions, government crisis policies.

Geopolitical & security

ToolDescription
get_conflict_eventsActive UCDP/Iran conflicts, unrest w/ geo-coords, country risk scores.
get_country_riskCII score 0-100, component breakdown, travel advisory, OFAC exposure per country. Fast, no LLM.
get_military_postureTheater posture + military risk scores.
get_cyber_threatsURLhaus/Feodotracker malware IOCs, CISA KEV catalog, active C2 infra.
get_sanctions_dataOFAC SDN entities + sanctions pressure scores by country.
get_news_intelligenceAI-classified threat news, GDELT signals, cross-source intel.
get_positive_eventsDiplomatic agreements, humanitarian aid, peace initiatives.
get_social_velocityReddit r/worldnews + r/geopolitics top posts, engagement scores.

Movement & infrastructure

ToolDescription
get_airspaceLive ADS-B over a country. Params: country_code (2-letter code), type (all/civilian/military).
get_maritime_activityAIS density zones, dark-ship events, chokepoint congestion per country. Params: country_code.
get_aviation_statusFAA airport delays, NOTAM closures, tracked military aircraft.
get_infrastructure_statusCloudflare Radar outages, major cloud/internet service status.
search_flightsGoogle Flights real-time search between IATA airport codes on a specific date.
search_flight_prices_by_dateDate-grid cheapest-day pricing across a range.

Environment & science

ToolDescription
get_natural_disastersUSGS earthquakes, NASA FIRMS wildfires, hazard events.
get_climate_dataTemp/precip anomalies vs WMO normals, GDACS/FIRMS alerts, Mauna Loa CO2, OpenAQ PM2.5, sea ice, ocean heat.
get_radiation_dataGlobal radiation monitoring station readings + anomaly flags.
get_research_signalsEmerging technology events from curated research feeds.

Health

ToolDescription
get_health_signalsActive disease outbreaks (WHO/ECDC etc.) and global air-quality station readings (OpenAQ/WAQI PM2.5). For health-risk screening.

Humanitarian & displacement

ToolDescription
get_displacement_dataRefugee and IDP counts by country (UNHCR annual data).

AI intelligence (live LLM)

ToolDescriptionCost
get_world_briefAI-summarized world intel brief with structured source links. Optional geo_context param.LLM
get_country_briefPer-country geopolitical + economic assessment with structured source links. Supports analytical frameworks.LLM
analyze_situationAd-hoc geopolitical deduction from a query + context. Returns confidence + supporting signals.LLM
generate_forecastsFresh probability estimates (bypasses cache).LLM
get_forecast_predictionsPre-computed cached forecasts. Fast.Cache

API coverage

Most MCP tools wrap one or more REST/RPC endpoints from the API Reference. The table below maps each covered tool to the API paths it serves — useful when you know the API endpoint you want and need to find the corresponding MCP tool, or vice versa. A handful of tools don’t appear in this table because they don’t expose a 1:1 public OpenAPI operation — see the trailing note below the table for the categories, and the MCP Tools Reference for the complete 39-tool set.
MCP toolAPI endpoints served
get_market_dataGET /api/market/v1/get-fear-greed-index
GET /api/market/v1/get-sector-summary
GET /api/market/v1/list-commodity-quotes
GET /api/market/v1/list-crypto-quotes
GET /api/market/v1/list-etf-flows
GET /api/market/v1/list-gulf-quotes
GET /api/market/v1/list-market-quotes
get_economic_dataGET /api/economic/v1/get-ecb-fx-rates
GET /api/economic/v1/get-economic-calendar
GET /api/economic/v1/get-eu-yield-curve
GET /api/economic/v1/list-fuel-prices
GET /api/market/v1/get-cot-positioning
GET /api/market/v1/list-earnings-calendar
get_tariff_trendsGET /api/economic/v1/get-fao-food-price-index
GET /api/economic/v1/get-national-debt
GET /api/economic/v1/list-bigmac-prices
get_energy_intelligenceGET /api/economic/v1/get-energy-crisis-policies
GET /api/supply-chain/v1/get-fuel-shortage-detail
GET /api/supply-chain/v1/list-energy-disruptions
GET /api/supply-chain/v1/list-fuel-shortages
get_consumer_pricesGET /api/consumer-prices/v1/get-consumer-price-freshness
GET /api/consumer-prices/v1/get-consumer-price-overview
GET /api/consumer-prices/v1/list-consumer-price-categories
GET /api/consumer-prices/v1/list-consumer-price-movers
GET /api/consumer-prices/v1/list-retailer-price-spreads
get_supply_chain_dataGET /api/supply-chain/v1/get-shipping-stress
GET /api/trade/v1/get-customs-revenue
get_chokepoint_statusGET /api/intelligence/v1/get-country-port-activity
GET /api/supply-chain/v1/get-chokepoint-status
get_climate_dataGET /api/climate/v1/get-co2-monitoring
GET /api/climate/v1/get-ocean-ice-data
GET /api/climate/v1/list-air-quality-data
GET /api/climate/v1/list-climate-anomalies
GET /api/climate/v1/list-climate-disasters
GET /api/climate/v1/list-climate-news
get_health_signalsGET /api/health/v1/list-air-quality-alerts
GET /api/health/v1/list-disease-outbreaks
get_conflict_eventsGET /api/conflict/v1/list-iran-events
GET /api/conflict/v1/list-ucdp-events
GET /api/unrest/v1/list-unrest-events
get_news_intelligenceGET /api/intelligence/v1/list-cross-source-signals
GET /api/intelligence/v1/search-gdelt-documents
get_country_riskGET /api/intelligence/v1/get-country-risk
get_country_briefGET /api/intelligence/v1/get-country-intel-brief
get_social_velocityGET /api/intelligence/v1/get-social-velocity
get_natural_disastersGET /api/natural/v1/list-natural-events
GET /api/seismology/v1/list-earthquakes
GET /api/wildfire/v1/list-fire-detections
get_radiation_dataGET /api/radiation/v1/list-radiation-observations
get_infrastructure_statusGET /api/infrastructure/v1/list-internet-outages
get_airspaceGET /api/aviation/v1/track-aircraft
GET /api/military/v1/list-military-flights
get_maritime_activityGET /api/maritime/v1/get-vessel-snapshot
get_military_postureGET /api/military/v1/get-theater-posture
get_displacement_dataGET /api/displacement/v1/get-displacement-summary
get_positive_eventsGET /api/positive-events/v1/list-positive-geo-events
get_sanctions_dataGET /api/sanctions/v1/list-sanctions-pressure
GET /api/sanctions/v1/lookup-sanction-entity
get_research_signalsGET /api/research/v1/list-tech-events
get_prediction_marketsGET /api/prediction/v1/list-prediction-markets
get_forecast_predictionsGET /api/forecast/v1/get-forecasts
get_world_briefGET /api/news/v1/list-feed-digest
POST /api/news/v1/summarize-article
analyze_situationPOST /api/intelligence/v1/deduct-situation
search_flightsGET /api/aviation/v1/search-google-flights
search_flight_prices_by_dateGET /api/aviation/v1/search-google-dates
A handful of tools have no entry above because they don’t map 1:1 to a public OpenAPI operation. They still return live data via tools/call; they fall into three categories:
  • Cache-backed bootstrap aggregates — read Redis keys seeded directly by Railway crons (e.g. get_aviation_status, get_cyber_threats, get_country_macro, the three EU Eurostat tools).
  • Static in-memory registries — filter a constant bundled with the MCP server’s edge binary, no upstream call at all (e.g. get_commodity_geo).
  • Live tools without a public OpenAPI row — runtime proxies an HTTP call whose method drifts from the public spec, where a sibling tool already covers the spec-declared method (e.g. generate_forecasts POSTs /api/forecast/v1/get-forecasts while get_forecast_predictions owns the GET).
See the Tool catalog above for the complete list of 39 tools, or the MCP Tools Reference for per-tool details.
Reverse lookup — if you know the API path you want, search this table with Cmd/Ctrl+F. The same data is also queryable via the running server’s tools/list response, where each tool description names its domain.

Prompts and resources

In addition to the 39 tools, WorldMonitor exposes MCP prompts and resources so clients can discover common workflows and address stable data slices without inventing tool plans from scratch.

Prompts

prompts/list returns six workflow templates. prompts/get renders the selected template into a user message with the right tools/call sequence and pre-baked JMESPath projections.
PromptPurpose
country-briefingCountry risk, AI intelligence brief, and macro indicators for one ISO 3166-1 alpha-2 country.
energy-shock-watchActive energy disruptions, fuel shortages, and government crisis policies; optional country focus.
market-open-prepLightweight equity, commodity, and crypto mover briefing for a market-open scan.
conflict-pulseActive UCDP conflict events plus alert-flagged top news, globally or for one country.
route-risk-checkMaritime chokepoint transit summary and risk posture for one chokepoint.
freshness-auditCache freshness check across market, energy, and chokepoint bootstrap envelopes.
prompts/list and prompts/get are metadata/workflow discovery methods: they are exempt from the Pro daily quota, though they still count toward the 60/minute per-minute limiter.

Resources

resources/list returns four read-only URI shapes:
Resource URI shapeBacking data
worldmonitor://countries/{iso2}/riskCountry risk score, component breakdown, travel advisory, and sanctions exposure. {iso2} is lowercase alpha-2, for example de or us.
worldmonitor://chokepoints/{slug}/statusChokepoint transit summary and risk narrative. {slug} is one of the published kebab-case chokepoint slugs, such as suez, strait-of-hormuz, or bab-el-mandeb.
worldmonitor://seed-meta/freshnessMarket-data bootstrap freshness envelope only: cached_at and stale.
worldmonitor://markets/{symbol}/quoteSingle-symbol market quote slice. {symbol} is uppercase, for example AAPL, GC=F, or BTC-USD.
resources/list is metadata and does not consume the Pro daily quota. resources/read intentionally does consume the same daily quota slot as the equivalent tools/call; it routes through the same dispatcher so resources cannot bypass the Pro cap. As with every MCP method, both resources/list and resources/read still count toward the 60/minute limiter. For the exact -32029 status/header differences between per-minute throttling and daily quota exhaustion, see the MCP Error Catalog.

JSON-RPC example

Server-side with a direct API key — send it as X-WorldMonitor-Key, not as a bearer token. 
WM_KEY="wm_0123456789abcdef0123456789abcdef01234567"

# 1. List tools
curl -s https://worldmonitor.app/mcp \
  -H "X-WorldMonitor-Key: $WM_KEY" \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

# 2. Call a cache tool
curl -s https://worldmonitor.app/mcp \
  -H "X-WorldMonitor-Key: $WM_KEY" \
  -H 'Content-Type: application/json' \
  -d '{
    "jsonrpc":"2.0","id":2,
    "method":"tools/call",
    "params":{"name":"get_country_risk","arguments":{"country_code":"IR"}}
  }'
If instead you’ve completed the OAuth flow and hold an access token from /api/oauth/token, pass it as Authorization: Bearer $TOKEN.

Response shape

Tool responses use the standard MCP content block format: 
{
  "jsonrpc": "2.0",
  "id": 2,
  "result": {
    "content": [
      { "type": "text", "text": "{...json payload...}" }
    ],
    "isError": false
  }
}
For cache tools, the JSON payload includes cached_at (ISO timestamp of the oldest contributing data point) and stale (boolean — true when any contributing seed exceeded its per-key freshness budget) so the model can reason about freshness.

Data freshness

All cache tools read from Redis keys written by Railway cron seeders. Typical freshness:
DomainTypical freshness
Markets (intraday)1–5 min
Flights (ADS-B)1–3 min
Maritime (AIS)5–15 min
Conflicts / unrest15–60 min
Macro / BIS / Eurostatdaily–weekly
IMF WEOmonthly
Seed-level health per key: status.worldmonitor.app.

Errors

The MCP handler signals failure on three independent layers — HTTP status, JSON-RPC error.code, and soft-behavior envelopes inside result.content[0].text — and a single failure can touch any combination.
LayerCommon shapesWhere to look
HTTP status200 (default for JSON-RPC), 401, 429, 503WWW-Authenticate / Retry-After headers
JSON-RPC-32001 auth · -32029 rate-limited · -32602 bad params · -32603 internalerror.code + error.message
Soft envelope_budget_exceeded (response too big), _jmespath_error (projection failed)result.content[0].text parsed as JSON
Triage from the outside in: HTTP status → JSON-RPC code → soft envelope. The full per-shape reference (trigger, paired status, recovery, example payload) lives in the MCP Error Catalog. A few high-frequency callouts:
  • 401 + -32001 carries a WWW-Authenticate header with resource_metadata pointing at /.well-known/oauth-protected-resource. RFC 9728-aware clients re-run the OAuth flow on this header automatically.
  • 429 + -32029 is the Pro daily cap (Retry-After: <seconds-until-UTC-midnight>). The per-minute rate limit returns -32029 inside HTTP 200, not 429 — see the catalog for the distinction.
  • Soft envelopes return HTTP 200 with no JSON-RPC error field — clients that inspect only the JSON-RPC layer will silently treat them as successes. Always parse result.content[0].text and check for a leading-underscore discriminator key (_budget_exceeded, _jmespath_error) before consuming the payload as data.