> ## Documentation Index
> Fetch the complete documentation index at: https://docs.lerian.studio/llms.txt
> Use this file to discover all available pages before exploring further.

# Matcher MCP server

> Connect AI assistants to Matcher through the Model Context Protocol — a secure, token-relayed tool surface over the reconciliation engine.

The **Matcher MCP server** exposes Matcher's reconciliation surface as [Model Context Protocol](https://modelcontextprotocol.io) tools, so an AI assistant — or any MCP client — can operate Matcher on your behalf: inspect contexts, start reconciliation runs, work exceptions, and pull reports, all with the same permissions you already have.

<Warning>
  Matcher is only available if you've acquired the Matcher product. Want access? [Get in touch with our team](https://lerian.studio/contact) to learn more.
</Warning>

## How it connects

***

The server speaks **Streamable HTTP**. It runs as its own service alongside the Matcher API and exposes a single MCP endpoint (`POST /mcp`) plus a plain liveness probe (`GET /healthz`). There is no stdio transport: every client connects to it as a *remote* server over the network.

Point any Streamable-HTTP MCP client at the endpoint your platform team provides and send your Matcher bearer token on the connection. For example, with Claude Code:

```bash theme={null}
claude mcp add --transport http matcher https://your-matcher-mcp.example.com/mcp \
  --header "Authorization: Bearer <matcher-jwt>"
```

For local development, the relay is also published as a public npm package — start it pointed at your Matcher API and connect to `http://localhost:4019/mcp`:

```bash theme={null}
MATCHER_API_URL=https://your-matcher-api npx @lerianstudio/matcher-mcp
```

Any MCP client that supports Streamable HTTP works the same way: give it the URL and the `Authorization: Bearer <matcher-jwt>` header.

## Auth posture

***

The server is a **stateless credential relay** — it adds no identity of its own:

* **Your token, relayed verbatim.** The client sends the same Matcher JWT you'd use against the API directly (issued by your Access Manager). The server forwards it to the Matcher API on every tool call and never logs, stores, or echoes it.
* **Fail-closed.** A tool call arriving without a bearer token is rejected before any request reaches Matcher. There is no anonymous or default-tenant fallback.
* **Tenant follows the token.** No tool accepts a tenant parameter; Matcher resolves your tenant entirely from the relayed JWT, so the MCP surface can never cross tenant boundaries.
* **No session state.** Each request builds a fresh in-memory server, so the relay can be scaled and restarted freely.

To verify your client is wired correctly, call the `mcp_whoami` tool after connecting — it reports only whether the credential arrived, never its value.

## What you can do with it

***

The server exposes curated tool families covering configuration, reconciliation runs, exceptions and disputes, ingestion, and reporting, plus a generic escape hatch over the full Matcher API. See [Matcher MCP tools](/en/matcher/mcp/matcher-mcp-tools) for the catalog.
