Documentation menu
mcpaiclaudeintegration

MCP Server — Connect AI Models to Your Logs

Connect Claude, Cursor, Windsurf, or any MCP-compatible AI tool directly to your ScryWatch logs for natural-language queries and debugging.

MCP Server

ScryWatch exposes a built-in Model Context Protocol (MCP) server that lets AI assistants — Claude Code, Claude Desktop, Cursor, Windsurf, and any MCP-compatible client — query your logs, patterns, alerts, and sessions using natural language.

Instead of switching to the dashboard, ask your AI assistant: “Show me the errors from the last hour” or “What patterns are firing in production?” and it queries ScryWatch directly.

What you’ll need

  • A ScryWatch project API key (create one in Settings > API Keys)
  • An MCP-compatible client (Claude Code, Claude Desktop, Cursor, Windsurf, etc.)

Step 1: Get your API key

  1. Open the ScryWatch dashboard and go to Settings > API Keys.
  2. Click Create API Key.
  3. Copy the key — you’ll only see it once.

The key is scoped to a specific project. All MCP queries will return data from that project only.

Step 2: Configure your MCP client

Claude Code (CLI)

Create or edit .mcp.json in your project root:

{
  "mcpServers": {
    "scrywatch": {
      "type": "http",
      "url": "https://api.scrywatch.com/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_SCRYWATCH_API_KEY"
      }
    }
  }
}

Restart Claude Code. The ScryWatch tools will appear in your tool list.

Claude Desktop

Open Settings > Developer > MCP Servers and add:

{
  "scrywatch": {
    "type": "http",
    "url": "https://api.scrywatch.com/mcp",
    "headers": {
      "Authorization": "Bearer YOUR_SCRYWATCH_API_KEY"
    }
  }
}

Cursor

Open Settings > MCP and click Add MCP Server. Use:

  • Name: ScryWatch
  • Type: HTTP
  • URL: https://api.scrywatch.com/mcp
  • Headers: Authorization: Bearer YOUR_SCRYWATCH_API_KEY

Windsurf

Add to your MCP configuration file:

{
  "mcpServers": {
    "scrywatch": {
      "type": "http",
      "url": "https://api.scrywatch.com/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_SCRYWATCH_API_KEY"
      }
    }
  }
}

Any MCP Client

ScryWatch implements the MCP 2025-03-26 specification. It supports two transports:

  • Streamable HTTP (POST /mcp) — the current standard. Send JSON-RPC in the request body; include Accept: text/event-stream to receive SSE-streamed responses.
  • Legacy SSE (GET /mcp) — for older clients. Open a persistent SSE stream; the server sends an endpoint event with the POST URL, then keepalive comments every 15 seconds.

Any MCP-compatible client can connect to https://api.scrywatch.com/mcp with a Bearer token.

Step 3: Try it out

Once connected, try asking your AI assistant:

  • “Search my logs for errors in the last hour”
  • “What are the most frequent log patterns?”
  • “Show me recent alert firings”
  • “List all sessions with errors”
  • “What does the error distribution look like?”

The assistant will call the appropriate ScryWatch tools to answer your question.

Available tools

Your AI assistant gets access to 14 read-only tools:

ToolWhat it does
search_logsSearch and filter log events with full-text search, level/service/environment filters, and pagination
get_logFetch a single log event by ID with full metadata
get_log_statsAggregate event counts grouped by level, type, and hour
get_log_facetsValue counts for level, type, service, environment, and device_type
list_alertsList all alert rules configured for the project
get_alert_historyRecent alert firings with timestamps and matched event counts
list_sessionsUser sessions with event counts and severity breakdowns
get_log_patternsLog patterns ranked by frequency — identifies recurring issues
list_issuesList grouped error/crash issues — deduplicated root-cause groups with occurrence and affected-user counts
get_issueFetch one issue by ID with its stats, deploy correlation, and recent occurrences
list_deploysList recent deploy markers for the project, most recent first
diff_deployShow what changed after a deploy — new/increased/decreased error patterns and the most-impacted services
list_checksList synthetic uptime / response-time checks with their current status (up/down/degraded)
get_checkFetch one check’s 24h uptime % and latency (avg/p50/p95/p99), plus deploy/issue correlation

All tools are read-only. The MCP server cannot modify, delete, or create any data in your project.

How it works

ScryWatch implements the MCP 2025-03-26 specification over two transports.

Streamable HTTP (current standard)

Send JSON-RPC 2.0 requests to POST /mcp. The server follows the standard MCP lifecycle:

  1. initialize — client connects; server returns capabilities and an Mcp-Session-Id header
  2. notifications/initialized — client confirms ready (server returns 204 No Content)
  3. tools/list — client requests available tools
  4. tools/call — client invokes a tool; server queries your project data and returns results

Include Accept: text/event-stream to receive responses in SSE format (required for streaming-capable clients).

Legacy SSE (for older clients)

Open a persistent GET /mcp connection. The server immediately sends an endpoint event containing the absolute POST URL, then sends keepalive comments every 15 seconds. Submit JSON-RPC requests to that URL as usual.

Every request is authenticated with your API key. All queries are automatically scoped to your project — there is no way to access data from other projects or organizations.

Example: debugging a production issue

Imagine you’re investigating a spike in errors. Instead of switching to the dashboard:

You: “Search for error logs from the last 30 minutes in the payment service”

Assistant: (calls search_logs with level: "error", service: "payment", from: <30 min ago>)

Found 47 errors (showing 47)

[2026-03-16T14:32:01Z] [ERROR] [api_call] Connection refused to db-primary:5432 (service: payment) …

You: “What pattern is that? Is it new?”

Assistant: (calls get_log_patterns)

The pattern “Connection refused to {host}:{port}” has 47 occurrences. First seen 28 minutes ago.

You: “Are there any alerts configured for this?”

Assistant: (calls list_alerts)

You have 2 alert rules. “Error spike” triggers when error count > 10 in 5 minutes. It fired 25 minutes ago.

All of this happens without leaving your editor.

Security

  • Read-only access — the MCP server only exposes SELECT queries. No writes, deletes, or mutations.
  • Project-scoped — your API key is tied to a single project. Cross-project access is impossible.
  • Standard auth — uses the same requireApiKey middleware as the ingest endpoint. Keys are stored hashed with timing-safe comparison.
  • No data leaves Cloudflare — queries run on Cloudflare Workers against your D1 database. Log data is sent only to the MCP client that requested it.

Tip: Create a dedicated API key for MCP use. You can revoke it independently if needed without affecting your ingest pipeline.

Troubleshooting

“Tool not found” or empty tool list

  • Make sure the URL is exactly https://api.scrywatch.com/mcp (no trailing slash)
  • Restart your MCP client after adding the configuration

401 Unauthorized

  • Check that your API key is valid and hasn’t been revoked
  • Ensure the Authorization header format is Bearer <key> (with a space after Bearer)

Empty results

  • The API key must be associated with a project that has ingested logs
  • Check the time range — by default most tools query the last 24 hours

You’re done

You now have AI-powered access to your production logs from inside your editor. No context switching, no dashboard tabs, no manual queries.