| Server | What it does | URL |
|---|---|---|
| X MCP | Call X API endpoints (search posts, look up users, bookmarks, trends, news, Articles, and more) | https://api.x.com/mcp (hosted; connect via xurl mcp) |
| Docs MCP | Search and read X API documentation | https://docs.x.com/mcp (hosted) |
X MCP — X API
Connect any MCP-compatible AI tool (Grok Build, Cursor, Claude, VS Code, and others) directly to the X API. The model can then search the full archive, look up users, manage bookmarks, fetch trends and news, and draft Articles — all with your own X account’s permissions. The X API exposes a hosted Streamable HTTP MCP server athttps://api.x.com/mcp (protocol 2025-06-18, serverInfo: xmcp). You reach it through the open-source xurl mcp bridge, which handles OAuth for you and injects a fresh Bearer token on every call.
Capabilities at a glance
| Category | What the model can do |
|---|---|
| Posts | Fetch posts, see likers / reposters / quoters, recent counts |
| Search | Full-archive post search, user search, news search |
| Users | Resolve the current user, look up by id / handle, read a user’s posts, timeline, and mentions |
| Bookmarks | List / add / remove bookmarks and manage bookmark folders |
| News & Trends | Get news stories, get trends for a location (WOEID) |
| Articles | Create draft Articles and publish them |
How it works
X’s OAuth requires your own developer app. There is no dynamic client registration, andapi.x.com/mcp does not advertise native MCP OAuth discovery. Instead of pointing your client at the URL directly, you run a tiny local bridge. The bridge owns the app identity, performs the one-time login, and keeps the token fresh.
- The bridge runs via the npm launcher (
npx), so there is no separate install step. - On first run with no cached token, it opens your browser for a one-time OAuth2 login, then caches and auto-refreshes the token forever after.
- All diagnostics go to stderr; stdout stays a clean JSON-RPC channel.
Getting started
Pick one of two routes:- Simple — App-only Bearer. Paste your app’s Bearer token into an
Authorizationheader on the MCP client. No bridge, no browser login. Read-only endpoints; no user context (can’t act as you). Works with clients that support remote MCP with custom headers. - Full —
xurl mcpbridge (OAuth 2.0 user context). A local bridge handles the OAuth 2.0 PKCE login and auto-refreshes tokens, so the model acts with your account’s scopes. Required for writes (bookmarks, Articles) and any user-context tool.
Simple route (app-only Bearer)
- Create an X app in the X Developer Portal.
- Copy your App-only Bearer token from the app’s “Keys and tokens” page.
- Point your client at
https://api.x.com/mcpwith the token as anAuthorizationheader — see App-only (direct URL, no bridge) below for the snippet.
Full route (xurl bridge)
- Create an X app with OAuth 2.0 enabled.
-
Register the redirect URI
http://localhost:8080/callbackon the app (required for the first-run browser login). To use a different one, setREDIRECT_URIand register that instead. -
Copy your
CLIENT_IDandCLIENT_SECRET— you’ll put them in the client config. -
Have Node.js installed (for
npx). -
We recommend you install xurl:
First login needs a browser. On a headless/remote box, authenticate out-of-band first with
xurl auth oauth2 --headless (paste-a-code flow), then the bridge just reuses the cached token. See Headless.Connect your client
1. Grok Build
-e flags become the server’s environment, args after -- go to npx):
doctor), your browser opens for the X login — complete it once and you’re set.
2. Cursor
Create~/.cursor/mcp.json (global, all projects) or .cursor/mcp.json (this project only):
3. Claude Desktop
Editclaude_desktop_config.json (macOS: ~/Library/Application Support/Claude/, Windows: %APPDATA%\Claude\):
4. VS Code (GitHub Copilot / Agent mode)
Add to.vscode/mcp.json:
5. Any MCP client
xurl bridge (stdio):| Field | Value |
|---|---|
command | npx |
args | ["-y", "@xdevplatform/xurl", "mcp", "https://api.x.com/mcp"] |
env | CLIENT_ID, CLIENT_SECRET |
| startup timeout | ≥ 300s (so the first-run login can finish) |
xurl natively, replace command/args with "command": "xurl", "args": ["mcp", "https://api.x.com/mcp"].
App-only Bearer (remote HTTP):
| Field | Value |
|---|---|
url | https://api.x.com/mcp |
headers.Authorization | Bearer YOUR_APP_ONLY_BEARER_TOKEN |
Authentication
OAuth 2.0 user context (default)
The bridge authenticates as you (PKCE flow), so tools act with your account’s scopes. Resolution order for credentials:CLIENT_ID/CLIENT_SECRET env vars → the active app in ~/.xurl. The bridge caches tokens in ~/.xurl and refreshes them automatically (including a forced refresh after a 401).
First-run browser login
With no cached token, the bridge prints to stderr and opens your browser:startup_timeout_sec.
Headless / remote machines
No reachable browser? Authenticate once out-of-band, then start the client:App-only (direct URL, no bridge)
For read endpoints, you can skip the bridge and point a client straight at the URL with a static App-only Bearer token. This is useful for clients that support remote MCP with custom headers:Multiple apps & accounts
"--app", "my-app" or "-u", "alice" to args.
Configuration reference
| Setting | Where | Notes |
|---|---|---|
CLIENT_ID / CLIENT_SECRET | env | Your X app credentials (or rely on a registered app in ~/.xurl) |
REDIRECT_URI | env | Overrides the callback; must be registered on the app. Default http://localhost:8080/callback |
startup_timeout_sec | client config | Set ≥ 300 so first-run login can complete |
[URL] positional | args | Defaults to https://api.x.com/mcp |
--app NAME | args | Use a specific registered app |
-u, --username | args | Act as a specific OAuth2 user |
AUTH_URL, TOKEN_URL, API_BASE_URL, INFO_URL.
Verify & troubleshoot
| Symptom | Cause / Fix |
|---|---|
| Client times out on startup | Raise startup_timeout_sec to 300+; the bridge is waiting on your browser login |
| Browser never opens | No display (headless) → run xurl auth oauth2 --headless first; ensure npx resolves |
401 / token refresh failed | App credentials wrong, or refresh token revoked → re-run the login (xurl auth oauth2 [--app NAME]) |
| Redirect/callback error in browser | http://localhost:8080/callback not registered on the app (or REDIRECT_URI mismatch) |
client-not-enrolled after login | App isn’t in the right X package/environment → in the portal move it to Pay-per-use + Production |
npx pulls a stale version | A private registry mirror is default → pin --registry=https://registry.npmjs.org/ in args |
| Empty/garbled tool output | Don’t run the client with --verbose; stdout must stay a clean JSON-RPC channel |
Security & best practices
- Treat
~/.xurland access tokens as secrets — don’t paste them into chats, logs, or shared configs. Prefer per-project.mcp.json/.grok/config.tomlthat reference env vars over committing raw secrets. - Use a dedicated app for MCP with only the scopes you need.
- Writes count against rate limits (bookmarks,
article_publish) and are stricter than reads; expect occasional429s and back off. - The bridge is local — your credentials never leave your machine except as a Bearer token sent over TLS to
api.x.com.
Docs MCP — documentation search
X hosts an MCP server for the X API documentation athttps://docs.x.com/mcp. Connect it to your AI tool to search and read documentation pages without leaving your workflow.
Available tools
| Tool | Description |
|---|---|
search_x | Search across the X documentation for relevant information, code examples, API references, and guides |
get_page_x | Retrieve the full content of a specific documentation page by its path |
Configuration
Add the docs MCP server to your MCP client configuration:Using both servers together
You can connect both MCP servers simultaneously. This gives your AI assistant the ability to both look up documentation and call the API. Grok Build (~/.grok/config.toml):
mcp.json):
OpenAPI specification
The machine-readable API specification for all X API v2 endpoints.| Resource | URL |
|---|---|
| OpenAPI Spec (JSON) | https://api.x.com/2/openapi.json |