Install
Connect Claude Code, Cursor, Windsurf, or Claude.ai web to the Amba MCP server.
The fastest way to connect any MCP-aware AI coding agent to Amba is to let the CLI do it:
When invoked from a coding agent's bash tool (non-TTY), amba init runs headlessly — no browser, no prompts. It signs you up over HTTPS, provisions a sandbox-tier project, writes .env.local + AMBA.md into your current directory, installs the /amba skill into every detected agent skill directory, and merges an amba entry into every MCP client config it finds on disk.
The install is complete the moment the CLI exits. The MCP entry has been persisted; it activates automatically on the next launch of your MCP client (Claude Code, Cursor, Windsurf). For tool calls in the current session — useful when the agent that just ran the CLI wants to keep working without you closing it — pass pat as an inline argument on every amba_* tool call (the PAT lives in ~/.amba/credentials.json and was emitted in the CLI output).
When you're ready to bind the sandbox account to a real email and lift the caps to the Free tier (1,000 MAU, 500 MB DB), run:
You'll get a one-click magic link in your inbox; clicking it promotes the project and lets you sign in from a browser if you ever need to.
What the CLI configures
The amba init flow probes these locations and merges into the ones that exist (or scaffolds the global ones if missing):
| Client | Config path |
|---|---|
| Claude Code (global) | ~/.claude.json |
| Claude Code (project-local) | <cwd>/.mcp.json (only if it already exists) |
| Cursor (global) | ~/.cursor/mcp.json |
| Cursor (project-local) | <cwd>/.cursor/mcp.json (only if it already exists) |
| Windsurf | ~/.codeium/windsurf/mcp_config.json |
The merged entry is:
Existing mcpServers.* entries are preserved — only mcpServers.amba is overwritten.
Useful flags
amba init auto-detects non-TTY invocations (the bash-tool case) and routes through the sandbox-signup path. Explicit --sandbox and --json flags also force it. There is no separate "sandbox vs full" mode on the wire — the only thing the headless path adds is generating an email + password.
In-agent signup (via MCP)
If an agent is already pointed at the Amba MCP server but no developer account exists yet, it can provision one inline by calling the public amba_developer_signup tool. The response includes ready-to-paste config snippets — one per MCP client — so the agent can write the right snippet to disk without inventing JSON shapes:
The agent uses the PAT inline on every subsequent amba_* tool call in the same session (no restart, no client config change needed mid-session) and writes the matching snippet to the customer's MCP config so future sessions pick the PAT up as the inbound Bearer automatically.
amba_developer_login returns the same mcp_config shape for returning customers.
Lifting the sandbox cap
Two paths, depending on whether the developer wants to bind a real email address.
Recommended (binds a real email): run npx @layers/amba claim me@example.com from the terminal. Agents without shell access can POST { "email": "<target>" } to /v1/auth/developer/claim with Authorization: Bearer <pat> directly. The backend emails a one-click magic link to that address; clicking it promotes the developer from agent_sandbox to verified_free AND updates developers.email so they can sign in from a browser later.
Headless (keeps the auto-generated sandbox email): call amba_developer_verify with the verify_token from the signup response. This lifts the MAU cap immediately but keeps the developer's email as the sandbox-generated sandbox-<epoch>-<nonce>@layers.com. Useful for fully-autonomous CI flows that never have a real inbox to claim against.
The tool returns the developer record with the upgraded tier:
Tokens are single-use and expire after 7 days. A re-call with the same token after the developer is verified returns 200 with already_verified: true — safe to retry on a flaky network. The browser-clickable verify_url carries the same token; either path consumes it. The response does not echo the developer email — agents that need it should call amba_developer_me with the inbound PAT.
When to use the in-agent path
For most flows the CLI (amba init) is the canonical path because it also writes .env.local, AMBA.md, the /amba skill bundle, and (where applicable) updates project-local MCP configs. Use the in-agent path (amba_developer_signup + inline pat on subsequent calls) when no shell is available, or when iterating against an MCP client that doesn't expose terminal access to the agent.
Call the MCP server directly via HTTP
https://mcp.amba.dev/mcp is a plain Streamable-HTTP endpoint, not a stdio process — any agent with curl or fetch can call the full tool surface without configuring mcpServers in a host client at all. This is the path to use when:
- You ran
amba initand the MCP entry persisted, but the typedmcp__amba__*tools haven't loaded into your agent's tool list yet (e.g., Claude Code, Codex, Windsurf — they readmcpServersonce at session startup). - You're driving Amba from a non-MCP-aware agent or a CI script.
- You want the full 500+ tool surface without picking which subcommand the
ambaCLI exposes.
Wire shape — standard JSON-RPC 2.0 tools/call:
The response wraps the tool's actual payload at result.content[0].text as a JSON string:
Pre-auth tools (amba_developer_signup, amba_developer_login, amba_developer_refresh) work without the Authorization header — the rest require a Bearer (PAT or OAuth access token). Standard MCP methods (initialize, tools/list, ping) also work without a Bearer if you want to enumerate the catalog.
Manual setup
If your MCP client isn't in the list above (or you skipped the auto-write with --no-mcp-config), drop the snippet below into its config file.
Mint a Bearer token at app.amba.dev/settings/api-keys, or run npx @layers/amba login to write one to ~/.amba/credentials.json.
Claude Code
Edit ~/.claude.json:
Cursor
Edit ~/.cursor/mcp.json (global) or .cursor/mcp.json (project):
Windsurf
Edit ~/.codeium/windsurf/mcp_config.json:
Claude Desktop
Edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
The new config takes effect the next time you launch the MCP client. (Claude Code, Codex, and Windsurf load mcpServers at startup; Cursor watches the file and picks up changes on the next message.)
Browser-only clients (Claude.ai web)
Claude.ai connectors use OAuth 2.1 + PKCE — there is no static Bearer to paste. When you add Amba as a connector, Claude.ai's MCP client:
- Discovers the authorization server at
https://mcp.amba.dev/.well-known/oauth-authorization-server. - Sends you to
https://mcp.amba.dev/authorizeto sign in with your Amba developer credentials (the same email + password you use forapp.amba.dev). - Exchanges the resulting one-time code for an access token at
https://mcp.amba.dev/token, with PKCE (S256) enforced. - Refreshes the access token automatically before it expires (1h access token, 30-day refresh).
To connect:
- In Claude.ai, open Settings → Connectors → Add custom connector.
- Server URL:
https://mcp.amba.dev/mcp. - Click Authorize. You'll be redirected to the Amba sign-in page; complete it and you'll return to Claude.ai with the connector active.
What the server publishes
The MCP server exposes the standard OAuth 2.1 surface for inspection:
GET /.well-known/oauth-authorization-server— RFC 8414 authorization-server metadata.GET /.well-known/oauth-protected-resource— RFC 9728 protected-resource metadata.GET /authorize— interactive consent (HTML form).POST /token— code → access + refresh token; supportsgrant_type=refresh_tokenrotation.GET /jwks— public RSA key (kid: amba-mcp-1) for verifying issued access tokens.
PKCE is mandatory — only code_challenge_method=S256 is accepted. The implicit, password, and client-credentials grants are not supported.
Authentication
The MCP middleware accepts either:
- A Bearer token from
amba_developer_signup/amba_developer_login/ any PAT minted in the dashboard (used by Claude Code, Cursor, Windsurf, and the CLI). - An OAuth-issued access token from the flow above (used by Claude.ai web).
Both resolve to the same developer identity for downstream tool calls.
Verifying
After connecting, ask your agent:
List all my Amba projects.
If the agent calls amba_projects_list and returns your projects, you're connected. A 401 means the token is wrong, expired, or (for OAuth) failed signature verification; a MISSING_AUTHORIZATION means the header isn't being sent.