33 changes: 28 additions & 5 deletions README.md
Expand Up @@ -34,6 +34,8 @@ FastMCP. Streaming and webhook endpoints are excluded.
- `X_API_DEBUG` (default `1`)
- Tool filtering (optional, comma-separated):
- `X_API_TOOL_ALLOWLIST`
- `X_API_TOOL_TAGS`
- `X_API_TOOL_DENYLIST`
- Optional Grok test client:
- `XAI_API_KEY`
- `XAI_MODEL` (default `grok-4-1-fast`)
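Review bot: The two new entries under "Tool filtering", `X_API_TOOL_TAGS` and `X_API_TOOL_DENYLIST`, are listed by name only, so a reader of this configuration list cannot tell that one takes OpenAPI tags while the others take operation IDs, or what gets loaded when all three are left unset. Suggest a short parenthetical per entry, in the style of the `(default ...)` notes on the neighbouring lines, plus a pointer to the "Filtering tools" section.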
Expand Down Expand Up @@ -70,17 +72,38 @@ The MCP endpoint is `http://127.0.0.1:8000/mcp` by default.
- Local client: point it to `http://127.0.0.1:8000/mcp`.
- Remote client: tunnel your local server (e.g., ngrok) and use the public URL.

## Whitelisting tools
## Filtering tools

Use `X_API_TOOL_ALLOWLIST` to load a small, explicit set of tools:
Three environment variables control which tools are loaded from the OpenAPI
spec. All are optional and comma-separated. Filtering is applied at startup,
so restart the server after changes.

- `X_API_TOOL_ALLOWLIST` - only load these operation IDs (explicit inclusion)
- `X_API_TOOL_TAGS` - only load operations tagged with these OpenAPI tags
(case-insensitive)
- `X_API_TOOL_DENYLIST` - exclude these operation IDs

When multiple filters are set, an operation must pass all of them. Tags are
checked first, then the allowlist, then the denylist.

Examples:

```
# Only load tools for posts and users
X_API_TOOL_TAGS=Posts,Users

# Load a small explicit set
X_API_TOOL_ALLOWLIST=getUsersByUsername,createPosts,searchPostsRecent

# Load everything except community notes
X_API_TOOL_DENYLIST=createCommunityNotes,deleteCommunityNotes,evaluateCommunityNotes

# Combine: only post tools, but exclude reposts
X_API_TOOL_TAGS=Posts
X_API_TOOL_DENYLIST=repostPost,unrepostPost
```

Whitelisting is applied at startup when the OpenAPI spec is loaded, so restart
the server after changes. See the full tool list below before building your
allowlist.
See the full tool list below before building your filters.

## OAuth1 flow (startup behavior)

Expand Down
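Review bot: In the new "Filtering tools" text, tag matching is documented as case-insensitive, but nothing is said about how operation IDs in `X_API_TOOL_ALLOWLIST` and `X_API_TOOL_DENYLIST` are matched or what happens to an entry that matches no operation. That matters most for the denylist, where a misspelled or wrongly cased ID would presumably leave the tool loaded with nothing to indicate it. Suggest stating the matching rule for IDs and whether unknown entries are reported at startup. The sentence "Tags are checked first, then the allowlist, then the denylist" could also be reworded: since an operation must pass all filters, the order does not change the outcome, and what readers need to know is that a denylisted ID is excluded even when it is also allowlisted.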
2 changes: 2 additions & 0 deletions env.example
Expand Up @@ -20,6 +20,8 @@ MCP_PORT=8000

# Tool filtering (optional, comma-separated)
X_API_TOOL_ALLOWLIST=
X_API_TOOL_TAGS=
X_API_TOOL_DENYLIST=

# Optional Grok test client
XAI_API_KEY=
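Review bot: The new `X_API_TOOL_TAGS=` and `X_API_TOOL_DENYLIST=` lines ship with empty values, and the comment above them does not say how an empty value is treated. This is worth spelling out because the README describes the allowlist and tags as "only load these", so an empty string read as an empty list rather than as unset would load no tools at all. Suggest extending the comment to say that an empty value disables the filter, if that is the behaviour, and to note which variables take operation IDs and which take tags.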