X MCP — X API
Connect any MCP-compatible AI tool (Grok Build, Cursor, Claude, VS Code, and others) directly to the X API. The model can then search the full archive, look up users, manage bookmarks, fetch trends and news, and draft Articles — all with your own X account’s permissions. The X API exposes a hosted Streamable HTTP MCP server athttps://api.x.com/mcp (protocol 2025-06-18, serverInfo: xmcp). You reach it through the open-source xurl mcp bridge, which handles OAuth for you and injects a fresh Bearer token on every call.
Capabilities at a glance
How it works
X’s OAuth requires your own developer app. There is no dynamic client registration, andapi.x.com/mcp does not advertise native MCP OAuth discovery. Instead of pointing your client at the URL directly, you run a tiny local bridge. The bridge owns the app identity, performs the one-time login, and keeps the token fresh.
- The bridge runs via the npm launcher (
npx), so there is no separate install step. - On first run with no cached token, it opens your browser for a one-time OAuth2 login, then caches and auto-refreshes the token forever after.
- All diagnostics go to stderr; stdout stays a clean JSON-RPC channel.
Getting started
Pick one of two routes:- Simple — App-only Bearer. Paste your app’s Bearer token into an
Authorizationheader on the MCP client. No bridge, no browser login. Read-only endpoints; no user context (can’t act as you). Works with clients that support remote MCP with custom headers. - Full —
xurl mcpbridge (OAuth 2.0 user context). A local bridge handles the OAuth 2.0 PKCE login and auto-refreshes tokens, so the model acts with your account’s scopes. Required for writes (bookmarks, Articles) and any user-context tool.
Simple route (app-only Bearer)
- Create an X app in the X Developer Portal.
- Copy your App-only Bearer token from the app’s “Keys and tokens” page.
- Point your client at
https://api.x.com/mcpwith the token as anAuthorizationheader — see App-only (direct URL, no bridge) below for the snippet.
Full route (xurl bridge)
- Create an X app with OAuth 2.0 enabled.
-
Register the redirect URI
http://localhost:8080/callbackon the app (required for the first-run browser login). To use a different one, setREDIRECT_URIand register that instead. -
Copy your
CLIENT_IDandCLIENT_SECRET— you’ll put them in the client config. If you ever runxurl auth oauth2manually (e.g., the headless flow below), export them as environment variables in that shell first — the login fails in the browser without them. -
Have Node.js installed (for
npx). -
We recommend you install xurl:
First login needs a browser. On a headless/remote box, authenticate out-of-band first with
xurl auth oauth2 --headless (paste-a-code flow), then the bridge just reuses the cached token. See Headless.Connect your client
1. Grok Build
-e flags become the server’s environment, args after -- go to npx):
doctor), your browser opens for the X login — complete it once and you’re set.
2. Cursor
Create~/.cursor/mcp.json (global, all projects) or .cursor/mcp.json (this project only):
3. Claude Desktop
Editclaude_desktop_config.json (macOS: ~/Library/Application Support/Claude/, Windows: %APPDATA%\Claude\):
4. VS Code (GitHub Copilot / Agent mode)
Add to.vscode/mcp.json:
5. Any MCP client
xurl bridge (stdio):
If you installed
xurl natively, replace command/args with "command": "xurl", "args": ["mcp", "https://api.x.com/mcp"].
App-only Bearer (remote HTTP):
Authentication
OAuth 2.0 user context (default)
The bridge authenticates as you (PKCE flow), so tools act with your account’s scopes. Resolution order for credentials:CLIENT_ID/CLIENT_SECRET env vars → the active app in ~/.xurl. The bridge caches tokens in ~/.xurl and refreshes them automatically (including a forced refresh after a 401).
First-run browser login
With no cached token, the bridge prints to stderr and opens your browser:startup_timeout_sec.
Headless / remote machines
No reachable browser? Authenticate once out-of-band, then start the client:App-only (direct URL, no bridge)
For read endpoints, you can skip the bridge and point a client straight at the URL with a static App-only Bearer token. This is useful for clients that support remote MCP with custom headers:Multiple apps & accounts
The OAuth login authorizes whichever X account is logged in when the browser opens — not necessarily the account that owns the app. If you’re posting on behalf of a secondary/bot account, switch to that account in your browser before completing the login (or use
-u to pick a previously authorized user)."--app", "my-app" or "-u", "alice" to args.
Configuration reference
Advanced env overrides (rarely needed):
AUTH_URL, TOKEN_URL, API_BASE_URL, INFO_URL.
Verify & troubleshoot
Security & best practices
- Treat
~/.xurland access tokens as secrets — don’t paste them into chats, logs, or shared configs. Prefer per-project.mcp.json/.grok/config.tomlthat reference env vars over committing raw secrets. - Use a dedicated app for MCP with only the scopes you need.
- Writes count against rate limits (bookmarks,
article_publish) and are stricter than reads; expect occasional429s and back off. - The bridge is local — your credentials never leave your machine except as a Bearer token sent over TLS to
api.x.com.
Docs MCP — documentation search
X hosts an MCP server for the X API documentation athttps://docs.x.com/mcp. Connect it to your AI tool to search and read documentation pages without leaving your workflow.
Available tools
Configuration
Add the docs MCP server to your MCP client configuration:Using both servers together
You can connect both MCP servers simultaneously. This gives your AI assistant the ability to both look up documentation and call the API. Grok Build (~/.grok/config.toml):
mcp.json):