← Back to Docs

Agent Tools

Scoped API keys for AI agents and a shared MCP server registry for team discovery. Built for the agentic era.

On this page

Overview

In the agentic era, AI agents need infrastructure that's designed for them — not repurposed from human workflows. Stunl's Agent Tools provide two team-scoped features:

Agent API Keys

Scoped, temporal, usage-limited keys purpose-built for AI agents. Not full user keys — limited-scope keys for specific tasks.

MCP Server Registry

Register, discover, and monitor shared MCP servers within your team. Know what's online, what tools are available, and how they're being used.

Both features are available on Team and Business tiers and are managed through the Agent Tools tab in your team dashboard.

Agent Keys

Key Format

Agent keys use the prefix st_agent_ followed by 64 hex characters. The key is shown exactly once at creation time — after that, only the prefix is visible.

st_agent_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2

Scopes

Each key can be assigned one or more scopes to limit what the agent can do:

Scope Permissions
tunnel:read List and view tunnel details
tunnel:write Create and manage tunnels
mcp:read List and view MCP servers
mcp:write Register and manage MCP servers
secrets:read Read team secrets (injected at runtime)

Expiry & Usage Limits

Keys can optionally be configured with:

Revocation

Team admins can revoke any agent key immediately. Revoked keys cannot be re-activated. The revocation is recorded in the team activity feed with the revoking user's identity.

MCP Server Registry

Registration

Team admins can register MCP servers in the team registry. Each server entry includes:

Protocols

Protocol Use Case
sse Server-Sent Events — most common for remote MCP servers
stdio Standard I/O — for locally-run MCP servers
streamable-http Streamable HTTP — the newer MCP transport protocol

Heartbeat

MCP servers can send heartbeat signals to update their status. The registry tracks:

Connecting Your Agent

Claude Desktop

Add your MCP server to Claude Desktop's configuration:

{
  "mcpServers": {
    "my-server": {
      "url": "https://my-server.stunl.io/mcp",
      "headers": {
        "Authorization": "Bearer st_agent_..."
      }
    }
  }
}

Cursor

Add to your .cursor/mcp.json:

{
  "mcpServers": {
    "my-server": {
      "url": "https://my-server.stunl.io/mcp",
      "headers": {
        "Authorization": "Bearer st_agent_..."
      }
    }
  }
}

Custom Agent

Use the agent key as a Bearer token in your HTTP requests:

curl -H "Authorization: Bearer st_agent_..." \
  https://my-server.stunl.io/mcp

Integration Events

Agent tools fire events that appear in your team activity feed and can trigger integrations (webhooks, Slack, Discord):

Event Description
agent_key_created A new agent key was created
agent_key_revoked An agent key was revoked
mcp_server_registered A new MCP server was registered
mcp_server_deregistered An MCP server was removed
mcp_server_online An MCP server came online
mcp_server_offline An MCP server went offline
mcp_tool_called A tool was invoked on an MCP server

Agent API

Agent keys (st_agent_) can authenticate directly to the portal REST API at /api/agent/*. This lets agents discover MCP servers, register tunnels, and read team secrets without a user JWT. 

# Discover MCP servers
curl -H "Authorization: Bearer st_agent_..." \
     https://portal.stunl.com/api/agent/mcp/discover

# List team tunnels (requires tunnel:read scope)
curl -H "Authorization: Bearer st_agent_..." \
     https://portal.stunl.com/api/agent/tunnels

# Register an MCP server (requires mcp:write scope)
curl -X POST -H "Authorization: Bearer st_agent_..." \
     -d '{"name":"my-tools","protocol":"streamable-http"}' \
     https://portal.stunl.com/api/agent/mcp-servers

Available Endpoints

Endpoint Scope Description
GET /api/agent/mcp/discover (none) Discover online MCP servers in your team
GET /api/agent/mcp-servers mcp:read List all MCP servers (including offline)
POST /api/agent/mcp-servers mcp:write Register a new MCP server
GET /api/agent/tunnels tunnel:read List active team tunnels
GET /api/agent/secrets secrets:read List team secrets (masked values)

stunl mcp CLI

The stunl mcp commands let you expose local MCP servers, list team servers, and connect to remote ones.

Expose a Local MCP Server

# Expose a local MCP server and auto-register it
stunl mcp expose --port 3000 --name my-tools

# With custom subdomain and public visibility
stunl mcp expose --port 3000 --name db-tools \
     --subdomain db-tools --visibility public

This probes the local MCP server for tools/resources/prompts, creates a tunnel, and registers it in your team's MCP server registry.

List Team Servers

stunl mcp list

NAME                STATUS   TOOLS  PROTOCOL           URL
database-tools      online   3      streamable-http    https://db-tools.stunl.io/mcp
file-browser        offline  5      sse                https://file-browser.stunl.io/mcp

Connect (stdio Bridge)

# Add to Claude Desktop config:
{
  "mcpServers": {
    "my-tools": {
      "command": "stunl",
      "args": ["mcp", "connect", "my-tools"]
    }
  }
}

MCP Gateway

When an MCP server is linked to a tunnel (via stunl mcp expose), the tunnel proxy validates agent keys on incoming requests. Unauthorized requests get a 401.

Tool calls (tools/call JSON-RPC method) are automatically logged and visible in the portal's Agent Tools tab. You can see per-tool call counts, recent invocations, and error rates.

Public MCP Directory

MCP servers with public visibility are listed in the MCP Server Directory. Anyone can browse and connect to public servers. Set visibility to public when registering a server to share your tools with the community.

Ready to connect your agents?

Agent tools are available on Team and Business plans.

Get Started