
AI Agents

Apiway can expose any API as an AI-discoverable tool using the Model Context Protocol (MCP). Enable a feature flag, and every operation in your API becomes callable by AI agents — with the same authentication, rate limiting, and metering as human consumers.

When Feature_Mcp is enabled on an API deployment, Apiway:

  1. Generates an MCP tool definition for every OAS operation
  2. Exposes an MCP endpoint at /{tenant}/{api}/mcp
  3. Handles the JSON-RPC 2.0 protocol (initialize, tools/list, tools/call)
  4. Routes tool calls through the full gateway pipeline

No code changes needed — the tool definitions are generated from your OpenAPI specification.

The MCP endpoint supports standard JSON-RPC 2.0:

| Method | Purpose |
|---|---|
| initialize | Handshake — returns server capabilities |
| tools/list | Returns all available tools (one per OAS operation) |
| tools/call | Executes an operation |

The quality of AI tool definitions depends directly on your OAS quality:

| OAS Field | MCP Tool Field | Impact |
|---|---|---|
| summary | Tool name/description | How the AI decides which tool to use |
| description | Extended description | Context for complex operations |
| parameters | Input schema | What arguments the AI provides |
| requestBody | Input schema | Request body structure |
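
A pre-flight check for the OAS fields listed above, as an added example (not Apiway's code): it reports operations whose summary, description, parameter schemas or request body schema are missing, so gaps can be fixed before Feature_Mcp is enabled. The finding rules, the function name `audit_operations` and the sample spec are assumptions constructed for illustration.

```python
# Added example (not Apiway code): audit an OpenAPI document before exposing it via MCP.
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def audit_operations(spec):
    """Return (operation, problem) pairs for OAS fields that feed MCP tool definitions."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-level parameters apply to every method
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            name = f"{method.upper()} {path}"
            for field in ("summary", "description"):
                if not str(op.get(field, "")).strip():
                    findings.append((name, f"missing {field}"))
            for param in shared + op.get("parameters", []):
                if "$ref" in param:
                    continue  # assumption: referenced components are audited separately
                if "schema" not in param and "content" not in param:
                    findings.append((name, f"parameter '{param.get('name')}' has no schema"))
            body = op.get("requestBody")
            if body is not None and "$ref" not in body:
                media = body.get("content", {})
                if not media or any("schema" not in m for m in media.values()):
                    findings.append((name, "requestBody has no schema"))
    return findings


# Constructed sample spec: GET is fully described, POST is sparse.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/orders/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "string"}}],
            "get": {"summary": "Get an order",
                    "description": "Returns one order by its identifier."},
            "post": {"parameters": [{"name": "force", "in": "query"}],
                     "requestBody": {"content": {"application/json": {}}}},
        }
    },
}

if __name__ == "__main__":
    for operation, problem in audit_operations(SAMPLE_SPEC):
        print(f"{operation}: {problem}")
```

An input without a schema leaves the agent's arguments unconstrained at the tool-definition level, so those findings are worth resolving first.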

MCP endpoints go through the same gateway pipeline as regular API calls:

  • Authentication — AI agents need valid credentials (OAuth or API key)
  • Scopes — Tool access is governed by the agent’s subscription entitlements
  • Rate limiting — Same per-subscription limits apply
  • RU metering — AI consumption is metered and billed like any other consumer
  • WAF — Request validation protects against malicious inputs

AI agents are just API consumers with a different interaction pattern. They don’t get special access or bypass governance.

Internal automation — AI agents manage data, trigger workflows, or generate reports through your APIs.

Customer-facing AI — Build AI assistants that can look up orders, manage accounts, or process requests — all through governed, metered API calls.

Developer tooling — AI coding assistants use your APIs during development, with the same access controls as production.

Agentic workflows — Chain multiple API calls together. The AI agent discovers available tools, plans a sequence, and executes — with each call authenticated, rate-limited, and metered.