MCP Server — Model Context Protocol
Connect Claude and other AI tools directly to DecodeThis via the Model Context Protocol (MCP) server at /mcp.
On This Page
Overview
DecodeThis exposes its decoding, lookup, image-management, and admin functions to AI tools
through a Model Context Protocol server mounted at /mcp.
Connect any MCP-capable client (Claude Code, Claude Desktop) using one of your API keys.
The MCP server uses Server-Sent Events (SSE) for streaming and standard HTTP POST for JSON-RPC messages:
- SSE stream:
GET /mcp/sse - JSON-RPC messages:
POST /mcp/messages
Connecting
Point your MCP client at https://gamma.decodethis.com/mcp/sse (SSE transport)
and include your API key in the Authorization header.
Use the --transport http flag with the messages endpoint URL and pass your API key as a custom header:
claude mcp add vindecoder \
https://gamma.decodethis.com/mcp/messages \
--transport http \
--header "Authorization: Bearer ak_your_api_key"
The server uses the Streamable-HTTP transport: responses are returned on the request itself.
(Legacy SSE at /mcp/sse with --transport sse is only used if the
server has Streamable HTTP disabled.) Pass the same Authorization: Bearer ak_... header either way.
Add an HTTP/SSE MCP server entry in your Claude Desktop configuration pointing at https://gamma.decodethis.com/mcp/sse with the Authorization header.
Any client that supports the SSE-based streamable-HTTP MCP transport can connect. Configure it with:
- Base URL / SSE endpoint:
https://gamma.decodethis.com/mcp/sse - Messages endpoint:
https://gamma.decodethis.com/mcp/messages - Header:
Authorization: Bearer ak_your_api_key
Some harnesses — such as the Claude.ai and ChatGPT web connectors — won’t let you paste a header; they require OAuth. The server supports OAuth 2.1 out of the box, so you only need the base URL:
- Server URL:
https://gamma.decodethis.com/mcp - OAuth Client ID / Client Secret: leave both blank — the server issues a client automatically. (Those fields are only for servers without dynamic registration.)
Add that URL as a custom/remote MCP connector and click Connect. The client discovers the
authorization server automatically (via /.well-known/oauth-protected-resource), registers itself,
and opens a browser window. Sign in to your VinDecoder account and approve — the client
then receives a token and stays connected. The token carries your account’s permissions, exactly like an
API key (admin tools still require an admin account).
No manual client ID or secret is needed — dynamic registration (RFC 7591), discovery (RFC 9728 / 8414), and the PKCE authorization-code flow are all handled for you. API-key access continues to work unchanged.
Authentication & Permissions
Two ways to authenticate, both resolving to your VinDecoder account:
- API key — the same
ak_key used for the REST API, sent as anAuthorization: Bearer ak_...header on every request. Best for CLI/desktop clients. - OAuth 2.1 — for connectors that require it (see above). You sign in and approve once; the client holds a short-lived token (auto-refreshed) instead of a static key.
Permissions are identical either way: any valid account can call decode and lookup tools, while image-management and admin tools require an administrator account — non-admin principals cannot see or call them.
Available Tools
decode_vin(vin)— decode a modern or classic VIN.batch_decode_vins(vins[])— decode many VINs at once.
list_years(),list_makes(),list_models(year, make),list_engines(year, make, series)browse_archive(year, make?, model?, page?)
generate_vehicle_image(vin? | description?)find_vehicle_image(vin? | pattern?)list_vehicle_images(prefix?, limit?)delete_vehicle_image(key)
search_users(email),get_user(id)disable_user(id),enable_user(id)extend_rate_limit(id, extension),extend_subscription(id, days)refresh_data_cache(),clear_cache()usage_stats(user_id?),performance_metrics()list_subscriptions(status?, plan?, limit?)