Our setup
This application runs on Laravel with the official laravel/mcp package.
The MCP HTTP endpoint is:
https://mcp.richbot9000.com/mcp
Use HTTPS POST with JSON-RPC 2.0 messages (see the MCP spec). Authenticate with a Sanctum personal access token sent as a Bearer token, not your browser session cookie. Session cookies are for the Blade admin only.
There is one registered MCP server class and one URL. It is “dynamic” in that each request rebuilds the tool list from the database according to the token’s tool group; there is not one URL per user or per account.
What validates the token?
Laravel auth:sanctum resolves the user from the PAT. Our middleware then reads the ability mcp:tool-group:{id}, loads that tool group, and checks tool_group_user (unless your user has an elevated role). That same group filters tools/list and tools/call.
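The check described above, modeled as plain PHP 8 without Laravel so it runs on its own; this is an added example, not this application's middleware. The table contents, tool names, user ids, function names, the error code, and the rule that a token naming zero or several tool groups is denied are assumptions.

```php
<?php
declare(strict_types=1);
// Constructed data standing in for the tool_groups/tools and tool_group_user tables.
const GROUP_TOOLS = [7 => ['search_docs', 'get_weather'], 9 => ['run_import']];
const GROUP_USERS = [7 => [101], 9 => [202]];

/** Tool group id named by the token's abilities, or null to deny. */
function toolGroupFromAbilities(array $abilities): ?int
{
    $ids = [];
    foreach ($abilities as $ability) {
        // Anchored match: "mcp:tool-group:7" passes; "mcp:tool-group:7x" and "*" do not.
        if (preg_match('/\Amcp:tool-group:([1-9][0-9]*)\z/', (string) $ability, $m) === 1) {
            $ids[(int) $m[1]] = true;
        }
    }
    // Assumed policy: fail closed unless exactly one group is named.
    return count($ids) === 1 ? array_key_first($ids) : null;
}

/** Tools the caller may list and call; an empty array means no access. */
function allowedTools(array $abilities, int $userId, bool $elevated): array
{
    $groupId = toolGroupFromAbilities($abilities);
    if ($groupId === null || !array_key_exists($groupId, GROUP_TOOLS)) {
        return [];
    }
    $isMember = in_array($userId, GROUP_USERS[$groupId] ?? [], true);
    return ($isMember || $elevated) ? GROUP_TOOLS[$groupId] : [];
}

/** Answers a JSON-RPC 2.0 tools/list or tools/call message through one shared filter. */
function handle(array $msg, array $abilities, int $userId, bool $elevated = false): array
{
    $tools = allowedTools($abilities, $userId, $elevated);
    $reply = ['jsonrpc' => '2.0', 'id' => $msg['id'] ?? null];
    $method = $msg['method'] ?? '';
    if ($method === 'tools/list') {
        return $reply + ['result' => ['tools' => $tools]];
    }
    if ($method === 'tools/call' && in_array($msg['params']['name'] ?? '', $tools, true)) {
        return $reply + ['result' => ['called' => $msg['params']['name']]];
    }
    // Tool outside the caller's group, or another method: refuse instead of dispatching.
    return $reply + ['error' => ['code' => -32602, 'message' => 'Unknown tool or method']];
}
$call = ['jsonrpc' => '2.0', 'id' => 1, 'method' => 'tools/call', 'params' => ['name' => 'run_import']];
echo json_encode(handle($call, ['mcp:tool-group:7'], 101)), "\n"; // tool belongs to group 9
echo json_encode(handle($call, ['mcp:tool-group:9'], 101)), "\n"; // user 101 is not in group 9
echo json_encode(handle($call, ['mcp:tool-group:9'], 202)), "\n"; // member of group 9
```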
Stack in one place
- Transport: laravel/mcp Mcp::web('/mcp', …)
- Auth: Sanctum PAT + custom middleware resolving tool group
- Data: MySQL — tools, parameters, tool_groups, pivots
- Execution: ToolSchemaFactory + ToolDispatcher → copied RichBot executors
- Web UI RBAC: Spatie roles for who can mint tokens / run imports
Step-by-step for IDEs: Client configuration →