MCP Server
The Secberus compliance service exposes a Model Context Protocol (MCP) interface, letting AI clients such as Claude Desktop, Cursor, and custom agents call the Secberus agents directly — including expert_chat and the document-corpus tools — without writing REST code.
This page covers the agent-facing MCP tools. The same MCP server also exposes the Pipeline mapping tools; see the Pipeline MCP reference for map_document and list_frameworks and for the full protocol handshake, client setup, and error handling.
| Property | Value |
|---|---|
| Endpoint | POST https://compliance.secberus.ai/mcp |
| Transport | MCP Streamable HTTP (spec 2025-03-26) |
| Protocol | JSON-RPC 2.0 |
| Auth | authorization: YOUR_API_KEY |
Agent tools overview
| Tool | Description |
|---|---|
expert_chat |
Ask the GRC expert. Multi-turn, cross-framework synthesis, and validation of uploaded documents. |
upload_document |
Upload a document (policy, evidence, questionnaire, or custom framework) for use by expert_chat. |
list_documents |
List documents previously uploaded by the current user. |
delete_document |
Delete a previously uploaded document. |
All tools are invoked via tools/call:
{
"jsonrpc": "2.0",
"id": <number>,
"method": "tools/call",
"params": { "name": "<tool_name>", "arguments": { ... } }
}
Results come back in the standard envelope; on failure isError is true and the text holds the error detail.
expert_chat
Ask a GRC compliance question. Supports multi-turn conversation, cross-framework synthesis, and validating uploaded documents against framework controls. This is the MCP equivalent of the Expert Chat API.
Parameters
| Field | Type | Required | Description |
|---|---|---|---|
messages |
array[Message] | Yes | Conversation history. The last message should have role user. |
frameworks |
array[string] | No | Framework IDs to include in context. Detected automatically if omitted. |
document_ids |
array[string] | No | Uploaded document IDs to include in context. |
Message Object
| Field | Type | Required | Description |
|---|---|---|---|
role |
string | Yes | user or assistant |
content |
string | Yes | Message text |
Example
curl -X POST https://compliance.secberus.ai/mcp \
-H "authorization: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"id": 3,
"method": "tools/call",
"params": {
"name": "expert_chat",
"arguments": {
"messages": [
{ "role": "user", "content": "Does my uploaded policy meet PCI DSS password requirements?" }
],
"frameworks": ["pci_dss_v4"],
"document_ids": ["doc_01h9z…"]
}
}
}'
The agent's answer is returned as text in the result envelope.
Slash-command workflows like
/policy-coverageand/policy-generatorwork over MCP too — pass the command as thecontentof the lastusermessage.
upload_document
Upload a user document for use by expert_chat. Over MCP the content is passed inline as plain text (use the REST Documents API for binary files such as PDFs or screenshots).
Parameters
| Field | Type | Required | Description |
|---|---|---|---|
filename |
string | Yes | Name to store the document under. |
type |
string | Yes | One of questionnaire, evidence, policy, custom_framework. |
content |
string | Yes | Plain-text content of the document. |
Example
curl -X POST https://compliance.secberus.ai/mcp \
-H "authorization: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"id": 4,
"method": "tools/call",
"params": {
"name": "upload_document",
"arguments": {
"filename": "access-control-policy.txt",
"type": "policy",
"content": "All user passwords must be at least 14 characters and rotated every 90 days…"
}
}
}'
The result includes the new document_id.
list_documents
List documents previously uploaded by the current user.
Parameters: None
curl -X POST https://compliance.secberus.ai/mcp \
-H "authorization: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"id": 5,
"method": "tools/call",
"params": { "name": "list_documents", "arguments": {} }
}'
Returns the array of Document objects.
delete_document
Delete a previously uploaded document.
Parameters
| Field | Type | Required | Description |
|---|---|---|---|
document_id |
string | Yes | ID of the document to delete. |
curl -X POST https://compliance.secberus.ai/mcp \
-H "authorization: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"id": 6,
"method": "tools/call",
"params": {
"name": "delete_document",
"arguments": { "document_id": "doc_01h9z…" }
}
}'
Connecting AI Clients
Point any MCP Streamable HTTP (2025-03-26) client at https://compliance.secberus.ai/mcp with your API key in the authorization header. For Claude Desktop and Cursor configuration snippets and the full initialize handshake, see the Pipeline MCP reference.
{
"mcpServers": {
"secberus-compliance": {
"url": "https://compliance.secberus.ai/mcp",
"headers": { "authorization": "YOUR_API_KEY" }
}
}
}