Connect any MCP-compatible AI tool (Grok Build, Cursor, Claude, VS Code, and others) directly to the X API. The model can then search the full archive, look up users, manage bookmarks, fetch trends and news, and draft Articles — all with your own X account’s permissions.The X API exposes a hosted Streamable HTTP MCP server at https://api.x.com/mcp (protocol 2025-06-18, serverInfo: xmcp). You reach it through the open-source xurl mcp bridge, which handles OAuth for you and injects a fresh Bearer token on every call.
X’s OAuth requires your own developer app. There is no dynamic client registration, and api.x.com/mcp does not advertise native MCP OAuth discovery. Instead of pointing your client at the URL directly, you run a tiny local bridge. The bridge owns the app identity, performs the one-time login, and keeps the token fresh.
The bridge runs via the npm launcher (npx), so there is no separate install step.
On first run with no cached token, it opens your browser for a one-time OAuth2 login, then caches and auto-refreshes the token forever after.
All diagnostics go to stderr; stdout stays a clean JSON-RPC channel.
Simple — App-only Bearer. Paste your app’s Bearer token into an Authorization header on the MCP client. No bridge, no browser login. Read-only endpoints; no user context (can’t act as you). Works with clients that support remote MCP with custom headers.
Full — xurl mcp bridge (OAuth 2.0 user context). A local bridge handles the OAuth 2.0 PKCE login and auto-refreshes tokens, so the model acts with your account’s scopes. Required for writes (bookmarks, Articles) and any user-context tool.
Register the redirect URIhttp://localhost:8080/callback on the app (required for the first-run browser login). To use a different one, set REDIRECT_URI and register that instead.
Copy your CLIENT_ID and CLIENT_SECRET — you’ll put them in the client config. If you ever run xurl auth oauth2 manually (e.g., the headless flow below), export them as environment variables in that shell first — the login fails in the browser without them.
First login needs a browser. On a headless/remote box, authenticate out-of-band first with xurl auth oauth2 --headless (paste-a-code flow), then the bridge just reuses the cached token. See Headless.
Then open Cursor → Settings → MCP, confirm xapi shows a green dot and its tools. On first use Cursor spawns the bridge and your browser opens for login; the tool list populates once the handshake completes.
The bridge authenticates as you (PKCE flow), so tools act with your account’s scopes. Resolution order for credentials: CLIENT_ID/CLIENT_SECRET env vars → the active app in ~/.xurl. The bridge caches tokens in ~/.xurl and refreshes them automatically (including a forced refresh after a 401).
With no cached token, the bridge prints to stderr and opens your browser:
[xurl mcp] no valid OAuth2 token; opening the browser to sign in -- complete the login to start the bridge...[xurl mcp] authentication complete; starting bridge
The MCP handshake is held until you finish — that’s why clients need a generous startup_timeout_sec.
No reachable browser? Authenticate once out-of-band, then start the client:
# Required: the env block in your client config only applies to the bridge,# not to manual xurl runs — export the credentials in this shell first.export CLIENT_ID="YOUR_X_APP_CLIENT_ID"export CLIENT_SECRET="YOUR_X_APP_CLIENT_SECRET"xurl auth oauth2 --headless # prints an auth URL; you paste back the redirect URL/codexurl auth oauth2 --app my-app --headless # for a specific app
For read endpoints, you can skip the bridge and point a client straight at the URL with a static App-only Bearer token. This is useful for clients that support remote MCP with custom headers:
The OAuth login authorizes whichever X account is logged in when the browser opens — not necessarily the account that owns the app. If you’re posting on behalf of a secondary/bot account, switch to that account in your browser before completing the login (or use -u to pick a previously authorized user).
xurl --app my-app mcp # bridge using a specific registered appxurl mcp -u alice https://api.x.com/mcp # act as a specific OAuth2 user
In a client config, add "--app", "my-app" or "-u", "alice" to args.
grok mcp doctor xapi # Grok Build: end-to-end check# or test the bridge by hand (Ctrl-C to exit):npx -y @xdevplatform/xurl mcp https://api.x.com/mcp
Symptom
Cause / Fix
Client times out on startup
Raise startup_timeout_sec to 300+; the bridge is waiting on your browser login
Browser never opens
No display (headless) → run xurl auth oauth2 --headless first; ensure npx resolves
401 / token refresh failed
App credentials wrong, or refresh token revoked → re-run the login (xurl auth oauth2 [--app NAME])
Browser shows “Something went wrong — You weren’t able to give access to the App”
CLIENT_ID/CLIENT_SECRET not set where xurl runs → put them in the client’s env block, or export them in your shell before running xurl auth oauth2 manually
Redirect/callback error in browser
http://localhost:8080/callback not registered on the app (or REDIRECT_URI mismatch)
client-not-enrolled after login
App isn’t in the right X package/environment → in the portal move it to Pay-per-use + Production
npx pulls a stale version
A private registry mirror is default → pin --registry=https://registry.npmjs.org/ in args
Empty/garbled tool output
Don’t run the client with --verbose; stdout must stay a clean JSON-RPC channel
Treat ~/.xurl and access tokens as secrets — don’t paste them into chats, logs, or shared configs. Prefer per-project .mcp.json/.grok/config.toml that reference env vars over committing raw secrets.
Use a dedicated app for MCP with only the scopes you need.
Writes count against rate limits (bookmarks, article_publish) and are stricter than reads; expect occasional 429s and back off.
The bridge is local — your credentials never leave your machine except as a Bearer token sent over TLS to api.x.com.
X hosts an MCP server for the X API documentation at https://docs.x.com/mcp. Connect it to your AI tool to search and read documentation pages without leaving your workflow.
This is useful when you’re building with the X API and want your AI assistant to look up endpoint details, authentication guides, or code examples on the fly.
You can connect both MCP servers simultaneously. This gives your AI assistant the ability to both look up documentation and call the API.Grok Build (~/.grok/config.toml):