API & agent discovery

Discovery endpoints

• API catalog
• OpenAPI description
• Health status
• OpenID Connect discovery
• OAuth protected resource metadata
• MCP server card
• Board Agent MCP server card
• Agent skills index

Published endpoints

• GET /api/health for health and discovery links
• POST /mcp for read-only MCP discovery tools
• POST /api/agent-sessions for short-lived board agent sessions
• POST /mcp/board for authenticated board agent MCP tools

The public discovery surface intentionally excludes payment and cost-bearing application endpoints. Board agent tools require a short-lived token created from an editable board.

MCP

The MCP endpoint is a read-only public transport. It exposes destination guides, inspiration listings, and site capability metadata. Private board edit and board view URLs are intentionally excluded.

Board Agent MCP

The Board Agent MCP endpoint exposes tools for existing board sessions: get_board, propose_board_changes, and apply_board_changes. It is designed for ChatGPT Apps or MCP-compatible clients that have connected the Holihopper Board Agent server.

A board session is created from the board settings menu. The session id is short-lived and must be passed as board_session when calling board tools. Mentioning the MCP URL in a normal chat prompt is not enough; the ChatGPT environment must expose the Holihopper Board Agent tools.

The endpoint does not create boards, delete boards, publish boards, book travel, send messages, or make purchases. Board responses intentionally exclude the board edit URL, internal board id, board session id, and proposal change payloads. Card ids are included because they are required for precise update and move operations.

App review

Recommended ChatGPT App review tests for the Holihopper Board Agent:

• Read an existing board and summarize the itinerary without applying changes.
• Propose one new card for an existing day, then apply it through the platform tool confirmation.
• Move one existing card to another day using its card id, then apply it through the platform tool confirmation.
• Reject requests to create boards, delete boards, publish boards, book travel, send messages, or make purchases.

Tool annotations declare get_board and propose_board_changes as read-only. apply_board_changes is not read-only, is non-destructive, and operates only inside the connected private Holihopper board.

Authentication

Holihopper uses Supabase Auth for user authentication. Discovery metadata is published under the well-known OAuth and OpenID endpoints so automated clients can discover the issuer, token endpoint, and resource metadata.