// AI agents
MCP for coding agents
Give Claude Code, Cursor or any MCP client the full captured context over five tools — locally, over stdio.
@rebasedotdev/mcp plugs Rebase into Claude Code, Cursor, VS Code, Windsurf or any MCP-capable agent. The agent pulls the real captured context — console errors, failed requests, user steps, suspected source — instead of a one-line description, and its replies land in the same in-page thread your team is watching.
The server runs locally over stdio on the developer's machine. It opens no network listener; the only network traffic is HTTPS to the Rebase API. Requires Node 18+.
1. Mint a token
In the widget: Settings → Project → API tokens. Tokens are prefixed rbk_, shown once, stored only as a hash, and expire after 365 days by default. Each token carries explicit scopes:
| Scope | Allows |
|---|---|
tickets:read | List, search and read tickets |
tickets:write | Update ticket status |
comments:write | Post comments |
2. Connect your editor
Claude Code — one command:
claude mcp add rebase -e REBASE_API_TOKEN=rbk_your_token -- npx -y @rebasedotdev/mcpCursor and VS Code — the widget's MCP settings offer a one-click install link, or add the JSON yourself.
Windsurf, or any MCP client — the same JSON config everywhere:
{
"mcpServers": {
"rebase": {
"command": "npx",
"args": ["-y", "@rebasedotdev/mcp"],
"env": { "REBASE_API_TOKEN": "rbk_your_token" }
}
}
}Environment variables:
| Variable | Required | Default | Purpose |
|---|---|---|---|
REBASE_API_TOKEN | yes | — | The project-scoped rbk_ token. Treat it like a password — keep it in the client's env config, never in source control. |
REBASE_API_URL | no | https://api.rebase.dev | Override the API origin. |
The five tools
| Tool | What it does |
|---|---|
list_tickets | List tickets, newest first — id, title, status, pathname, AI severity, duplicate links. |
search_tickets | Semantic search by meaning — "checkout is broken" finds the 500 on /orders. |
get_ticket | Everything captured for one ticket, optionally with the screenshot as an image. |
add_comment | Post to the ticket's thread — visible to the reporter and team in the widget. |
update_ticket_status | Move a ticket between open, in-progress and resolved. |
list_tickets
Parameters: status (optional: open, in-progress, resolved), limit (1–50, default 25), cursor (from a previous page's nextCursor).
search_tickets
Parameters: q (required, 2–500 characters, natural language), status (optional), limit (1–25, default 10). Returns scored results; costs zero AI credits, searches the last 90 days. Rate-limited — batch questions rather than looping.
get_ticket
Parameters: ticket_id (required), include_screenshot (optional boolean). Returns the full ticket — AI triage, pinned element, suspected source, console, network failures, session events, comments, tracker links. With include_screenshot: true the screenshot arrives as an image block (PNG, up to 10 MB; the fetch times out at 20 seconds and fails gracefully rather than hanging the agent).
add_comment
Parameters: ticket_id, body (1–5,000 characters, plain text). Posted as the person who minted the token; @Full Name mentions notify that member.
update_ticket_status
Parameters: ticket_id, status (open, in-progress, resolved). Resolving removes the ticket's pin from the page and notifies watchers — do it only once a fix has actually landed.
A typical loop
list_ticketswithstatus: "open"— find what needs attention.get_ticketwithinclude_screenshot: true— read the capture, look at the screenshot, start from the suspected file.- Fix the code with the agent's own tools — Rebase never touches your code.
add_comment— tell the reporter what changed.update_ticket_statustoresolved— the pin disappears for everyone.
Limits and errors
Per-token rate limits: 120 reads / 30 writes / 30 searches per minute. Every API call has a 20-second timeout.
| Error | Meaning |
|---|---|
| 401 | Token missing, mistyped, revoked or expired — deliberately indistinguishable. |
| 402 | The project's subscription is inactive; writes pause until billing is restored. |
| 403 | The token lacks the required scope — e.g. a read-only token trying to resolve. |
| 404 | The ticket belongs to a different project than the token — one token, one project. |
Security posture
- Runs as a child process of your agent; stdio in, HTTPS out — nothing listens on the network.
- No code execution, no file access, no secrets in logs; error messages carry only the HTTP status and the API's own text, never the token.
- Rotate or revoke tokens any time from the widget — revocation takes effect immediately.