A comprehensive API server providing Model Context Protocol (MCP) support, RESTful endpoints for file operations, command execution, project management, and AI integration.
- MCP Server: Model Context Protocol compatible server for AI assistants
- REST API: RESTful endpoints for remote development control
- Real-time Communication: Server-Sent Events (SSE) for MCP
- Security: API key authentication, rate limiting, input validation
- Monitoring: Request logging and statistics dashboard
- Documentation: Interactive Swagger/OpenAPI documentation
The API key is stored in Replit Secrets as API_KEY. All authenticated endpoints require this key.
Visit the root URL (/) to access the API dashboard with:
- Real-time statistics
- Request logs
- Endpoint documentation
- Security information
Visit /docs for interactive Swagger documentation.
All API endpoints (except /, /docs, /api/stats, /api/logs) require authentication via either:
- HTTP Header (recommended for REST API):
```bash
curl -X GET \
  -H "X-API-KEY: your-api-key" \
  https://your-repl.repl.co/api/project
```
- Query Parameter (for SSE connections):
```http
GET /mcp?api_key=your-api-key
```
```http
POST /api/files
Content-Type: application/json
X-API-KEY: your-api-key

{
  "path": "src/hello.ts",
  "content": "console.log('Hello World');"
}
```
```http
GET /api/files/src/hello.ts
X-API-KEY: your-api-key
```
```http
DELETE /api/files/src/hello.ts
X-API-KEY: your-api-key
```
Execute safe shell commands (whitelisted commands only):
```http
POST /api/execute
Content-Type: application/json
X-API-KEY: your-api-key

{
  "command": "ls -la",
  "timeout": 10000
}
```
Allowed Commands: ls, cat, head, tail, wc, grep, find, echo, pwd, date, whoami, env, node, npm, npx, pnpm, yarn, git, which, mkdir, touch, cp, mv, rm
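One way to enforce this allowlist before anything runs, as an added example that is not taken from the project's code. `validateCommand`, `SHELL_META` and `MAX_TIMEOUT_MS` are hypothetical names, the metacharacter set and the timeout ceiling are assumptions, and the allowlist is the one given above.

```javascript
// Added example, not the project's code. Names other than the allowlist
// entries are hypothetical.
const ALLOWED = new Set(('ls cat head tail wc grep find echo pwd date whoami env ' +
  'node npm npx pnpm yarn git which mkdir touch cp mv rm').split(' '));

// Characters a shell would interpret (pipes, separators, substitution,
// redirection, escapes). Assumed set: the README names |, ; and && "etc.".
const SHELL_META = /[|;&`$<>(){}\\\n\r]/;
const MAX_TIMEOUT_MS = 30000; // assumed ceiling for the "timeout" field

function validateCommand(command, timeout = 10000) {
  if (typeof command !== 'string' || command.trim() === '') {
    return { ok: false, reason: 'empty command' };
  }
  if (SHELL_META.test(command)) {
    return { ok: false, reason: 'shell operator' };
  }
  // No quote parsing here: arguments are split on whitespace only, so quoted
  // input is refused instead of being split in a surprising way.
  if (/['"]/.test(command)) {
    return { ok: false, reason: 'quoting not supported' };
  }
  const argv = command.trim().split(/\s+/);
  const program = argv[0];
  // Only bare allowlisted names: "./ls" or "/tmp/ls" must not match "ls".
  if (program.includes('/') || !ALLOWED.has(program)) {
    return { ok: false, reason: 'command not allowed' };
  }
  if (!Number.isInteger(timeout) || timeout <= 0 || timeout > MAX_TIMEOUT_MS) {
    return { ok: false, reason: 'bad timeout' };
  }
  // Intended to be passed to child_process.execFile(program, args, { timeout }),
  // which starts the program directly without a shell.
  return { ok: true, program, args: argv.slice(1), timeout };
}
```

A name-based allowlist does not limit what the interpreters and package runners on the list (node, npm, npx and similar) do with their arguments, so the API key should be treated as granting code execution inside the Repl.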
```http
GET /api/project?depth=3
X-API-KEY: your-api-key
```
```http
POST /api/ai
Content-Type: application/json
X-API-KEY: your-api-key

{
  "prompt": "Explain this code",
  "context": "function add(a, b) { return a + b; }",
  "maxTokens": 1000
}
```
The MCP (Model Context Protocol) server is available at /mcp and supports:
Connect via Server-Sent Events for real-time MCP communication:
```javascript
// Use query parameter for authentication (EventSource doesn't support custom headers)
const eventSource = new EventSource('/mcp?api_key=your-api-key');

eventSource.addEventListener('message', (event) => {
  const data = JSON.parse(event.data);
  console.log('Received:', data);
});

// Handle connection open
eventSource.onopen = () => {
  console.log('MCP connection established');
};

// Handle errors
eventSource.onerror = (error) => {
  console.error('MCP connection error:', error);
};
```
Note: The SSE endpoint supports the api_key query parameter because the EventSource API doesn't support custom headers.
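A key sent in the query string is part of the URL, so anything that records full URLs (request logs, proxies, browser history) would capture it. The following added example, which is not the project's code, accepts the query parameter only on GET /mcp, returns the 401/403 split this README documents, and redacts the key before a URL is logged. `authenticate`, `redactUrl` and `safeEqual` are hypothetical names, and limiting the query parameter to /mcp is an assumption of the example.

```javascript
// Added example, not the project's code; function names are hypothetical.
const { createHash, timingSafeEqual } = require('node:crypto');

// Paths the README lists as exempt from authentication.
const PUBLIC_PATHS = new Set(['/', '/docs', '/api/stats', '/api/logs']);
const sha256 = (s) => createHash('sha256').update(String(s)).digest();

// Hash both sides so the buffers have equal length, then compare in
// constant time to avoid leaking how much of the key matched.
function safeEqual(a, b) {
  return timingSafeEqual(sha256(a), sha256(b));
}

// Returns 200 to continue, 401 for a missing key, 403 for an invalid key.
function authenticate(method, rawUrl, headers, expectedKey) {
  const url = new URL(rawUrl, 'http://localhost'); // base is only for parsing
  if (PUBLIC_PATHS.has(url.pathname)) return 200;
  let key = headers['x-api-key']; // Node lowercases incoming header names
  // Query-string keys are accepted only where EventSource forces them.
  if (!key && method === 'GET' && url.pathname === '/mcp') {
    key = url.searchParams.get('api_key');
  }
  if (!key) return 401;
  return safeEqual(key, expectedKey) ? 200 : 403;
}

// Replace the key before a URL reaches any log line or statistics store.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl, 'http://localhost');
  if (url.searchParams.has('api_key')) {
    url.searchParams.set('api_key', 'REDACTED');
  }
  return url.pathname + url.search;
}
```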
Send MCP tool calls via HTTP:
```http
POST /mcp
Content-Type: application/json
X-API-KEY: your-api-key

{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "read_file",
    "arguments": {
      "path": "package.json"
    }
  }
}
```
| Tool | Description |
|---|---|
| `read_file` | Read file contents |
| `write_file` | Create or update files |
| `list_files` | List directory contents |
| `delete_file` | Delete files or directories |
| `execute_command` | Run safe shell commands |
| `get_project_structure` | Get file tree |
| `create_directory` | Create new directories |
Replit supports SSH access for remote development with VSCode, Cursor, or any SSH client.
If you don't have SSH keys, generate them:
```bash
ssh-keygen -t ed25519 -C "your_email@example.com"
```
- Go to Replit Account Settings
- Navigate to "SSH Keys" section
- Click "Add SSH Key"
- Paste your public key (`~/.ssh/id_ed25519.pub`)
- Save the key
- Open your Repl
- Click on the three dots menu
- Select "Connect via SSH"
- Copy the SSH address (format: `ssh <repl-id>@ssh.replit.com`)

Add to your ~/.ssh/config:
```
Host replit
    HostName ssh.replit.com
    User YOUR_REPL_ID
    IdentityFile ~/.ssh/id_ed25519
    # ForwardAgent lets processes on the Repl use the keys in your local
    # SSH agent; remove it unless you need to authenticate onward from there.
    ForwardAgent yes
    ServerAliveInterval 60
    ServerAliveCountMax 3
```
Replace YOUR_REPL_ID with your actual Repl ID.
```bash
ssh replit
```
- Install "Remote - SSH" extension
- Press `Ctrl+Shift+P` → "Remote-SSH: Connect to Host"
- Select "replit" from the list
- VSCode will open a new window connected to your Repl
- 100 requests per 15 minutes per IP
- Returns `429 Too Many Requests` when exceeded
- All inputs validated with Zod schemas
- File paths sanitized to prevent directory traversal
- Commands whitelisted for safe execution
- Paths normalized and validated
- `..` patterns rejected
- All file operations confined to project directory
- Only whitelisted commands allowed
- Shell operators (`|`, `;`, `&&`, etc.) blocked
- Timeout enforcement on all commands
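The path rules in this list (normalize, reject `..`, stay inside the project directory) written out as an added example; it is not the project's code, and `safeRelativePath` is a hypothetical name. The check is purely lexical and works on path segments, so a file name such as `file..ts` passes while a `..` segment does not.

```javascript
// Added example, not the project's code; safeRelativePath is hypothetical.
// Returns a normalized project-relative path or throws.
function safeRelativePath(input) {
  if (typeof input !== 'string' || input.length === 0) {
    throw new Error('path required');
  }
  if (input.includes('\0')) throw new Error('NUL byte in path');
  // Percent-encoded dots or separators that survive URL decoding point to
  // double encoding; refuse them instead of decoding a second time.
  if (/%2e|%2f|%5c/i.test(input)) throw new Error('encoded dot or separator');
  // Treat backslash as a separator so "..\" is caught on every platform.
  const unified = input.replace(/\\/g, '/');
  if (unified.startsWith('/') || /^[A-Za-z]:/.test(unified)) {
    throw new Error('absolute path');
  }
  const out = [];
  for (const seg of unified.split('/')) {
    if (seg === '' || seg === '.') continue; // collapse "//" and "./"
    if (seg === '..') throw new Error('".." segment rejected');
    out.push(seg);
  }
  if (out.length === 0) throw new Error('path resolves to project root');
  return out.join('/');
}
```

The returned value is meant to be joined to the project root; because the check does not touch the filesystem, a server would also resolve symlinks (for example with `fs.realpath`) and confirm the result is still under the root before opening the file.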
```http
GET /api/stats
```
Returns:
- Total requests
- Success/failure counts
- Average response time
- Server uptime
```http
GET /api/logs?limit=100
```
Returns recent API requests with:
- Timestamp
- Method and path
- Status code
- Response time
All errors return JSON responses:
```json
{
  "error": "Error Type",
  "message": "Detailed error message"
}
```
Common status codes:
- `400` - Bad Request (invalid input)
- `401` - Unauthorized (missing API key)
- `403` - Forbidden (invalid API key)
- `404` - Not Found (resource doesn't exist)
- `429` - Too Many Requests (rate limited)
- `500` - Internal Server Error
```bash
npm run dev
```
```
├── client/              # React frontend
│   └── src/
│       ├── pages/       # Page components
│       └── components/
├── server/              # Express backend
│   ├── middleware/      # Auth, logging, security
│   ├── services/        # File, command, MCP services
│   ├── routes.ts        # API routes
│   └── swagger.ts       # OpenAPI spec
├── shared/              # Shared types/schemas
│   └── schema.ts
└── README.md
```
MIT License