Get started

// AI agents

MCP for coding agents

Give Claude Code, Cursor or any MCP client the full captured context over five tools — locally, over stdio.

@rebasedotdev/mcp plugs Rebase into Claude Code, Cursor, VS Code, Windsurf or any MCP-capable agent. The agent pulls the real captured context — console errors, failed requests, user steps, suspected source — instead of a one-line description, and its replies land in the same in-page thread your team is watching.

The server runs locally over stdio on the developer's machine. It opens no network listener; the only network traffic is HTTPS to the Rebase API. Requires Node 18+.

1. Mint a token

In the widget: Settings → Project → API tokens. Tokens are prefixed rbk_, shown once, stored only as a hash, and expire after 365 days by default. Each token carries explicit scopes:

ScopeAllows
tickets:readList, search and read tickets
tickets:writeUpdate ticket status
comments:writePost comments

2. Connect your editor

Claude Code — one command:

Claude Code
claude mcp add rebase -e REBASE_API_TOKEN=rbk_your_token -- npx -y @rebasedotdev/mcp

Cursor and VS Code — the widget's MCP settings offer a one-click install link, or add the JSON yourself.

Windsurf, or any MCP client — the same JSON config everywhere:

.mcp.json
{
  "mcpServers": {
    "rebase": {
      "command": "npx",
      "args": ["-y", "@rebasedotdev/mcp"],
      "env": { "REBASE_API_TOKEN": "rbk_your_token" }
    }
  }
}

Environment variables:

VariableRequiredDefaultPurpose
REBASE_API_TOKENyesThe project-scoped rbk_ token. Treat it like a password — keep it in the client's env config, never in source control.
REBASE_API_URLnohttps://api.rebase.devOverride the API origin.

The five tools

ToolWhat it does
list_ticketsList tickets, newest first — id, title, status, pathname, AI severity, duplicate links.
search_ticketsSemantic search by meaning — "checkout is broken" finds the 500 on /orders.
get_ticketEverything captured for one ticket, optionally with the screenshot as an image.
add_commentPost to the ticket's thread — visible to the reporter and team in the widget.
update_ticket_statusMove a ticket between open, in-progress and resolved.

list_tickets

Parameters: status (optional: open, in-progress, resolved), limit (1–50, default 25), cursor (from a previous page's nextCursor).

search_tickets

Parameters: q (required, 2–500 characters, natural language), status (optional), limit (1–25, default 10). Returns scored results; costs zero AI credits, searches the last 90 days. Rate-limited — batch questions rather than looping.

get_ticket

Parameters: ticket_id (required), include_screenshot (optional boolean). Returns the full ticket — AI triage, pinned element, suspected source, console, network failures, session events, comments, tracker links. With include_screenshot: true the screenshot arrives as an image block (PNG, up to 10 MB; the fetch times out at 20 seconds and fails gracefully rather than hanging the agent).

add_comment

Parameters: ticket_id, body (1–5,000 characters, plain text). Posted as the person who minted the token; @Full Name mentions notify that member.

update_ticket_status

Parameters: ticket_id, status (open, in-progress, resolved). Resolving removes the ticket's pin from the page and notifies watchers — do it only once a fix has actually landed.

A typical loop

  1. list_tickets with status: "open" — find what needs attention.
  2. get_ticket with include_screenshot: true — read the capture, look at the screenshot, start from the suspected file.
  3. Fix the code with the agent's own tools — Rebase never touches your code.
  4. add_comment — tell the reporter what changed.
  5. update_ticket_status to resolved — the pin disappears for everyone.

Limits and errors

Per-token rate limits: 120 reads / 30 writes / 30 searches per minute. Every API call has a 20-second timeout.

ErrorMeaning
401Token missing, mistyped, revoked or expired — deliberately indistinguishable.
402The project's subscription is inactive; writes pause until billing is restored.
403The token lacks the required scope — e.g. a read-only token trying to resolve.
404The ticket belongs to a different project than the token — one token, one project.

Security posture

  • Runs as a child process of your agent; stdio in, HTTPS out — nothing listens on the network.
  • No code execution, no file access, no secrets in logs; error messages carry only the HTTP status and the API's own text, never the token.
  • Rotate or revoke tokens any time from the widget — revocation takes effect immediately.