Express has no built-in OpenAPI. What are my options?

Three solid paths today: (1) swagger-jsdoc — annotate route handlers with JSDoc @openapi blocks; the build assembles them into a spec. (2) @asteasolutions/zod-to-openapi — define Zod schemas for inputs and outputs, then convert them; recommended if your codebase is TypeScript-first. (3) express-openapi-validator — write the OpenAPI spec by hand, then attach it as request-validation middleware so the spec and runtime stay in sync. wmcp.sh ingests any of them.

Node 22 LTS is the recommended target — it ships native fetch, ESM by default in many configs, and the most stable AbortController behavior. Node 20 LTS works identically. Express 4.x and 5.x both work; the example uses Express 4 because it's still the more common production version, but Express 5 (released GA in 2024) has identical route handler shape.

How does authentication flow through?

Declare your auth scheme in the OpenAPI spec under securitySchemes — bearerAuth, apiKey, oauth2 are all standard. wmcp.sh reads it and forwards credentials. For OAuth 2.1 with Dynamic Client Registration upstreams, the /mcp/ proxy handles the full flow on behalf of MCP clients that can't drive it themselves. Common Express middleware (passport-jwt, express-jwt, helmet) is unaffected.

What about Fastify, Koa, Hapi, or Hono?

All work the same way — wmcp.sh consumes OpenAPI, not framework-specific shapes. Fastify ships an official OpenAPI plugin (@fastify/swagger). Hono has @hono/zod-openapi. Koa works with koa-swagger. The integration model is identical: emit a spec, point wmcp.sh at it. Pick whichever Node framework you prefer; the MCP exposure path doesn't change.

Can I gate which Express routes become MCP tools?

Yes. In your OpenAPI spec, tag each operation; the agent-callable ones get a 'agent' tag. Pass &tag=agent to wmcp.sh's ingest URL. Internal admin routes that aren't in the spec stay invisible to MCP clients.

integration · Express

Express MCP integration.

Your Express app already handles JSON traffic across app.get / app.post / router.use; here's how to expose those routes as MCP tools an agent can call — without trading Express for a "modern" framework.

wmcp.sh is not affiliated with the OpenJS Foundation or Anthropic. Express, swagger-jsdoc, and zod-to-openapi are open-source projects.

The gap

Express has no built-in OpenAPI. Pick a generator; we handle the rest.

What you have today

Express 4 or 5 with route handlers, middleware (helmet, cors, express-jwt), and either JSDoc or Zod schemas inside the handlers. Running on Node 20 or 22 LTS.

What agents need

A Model Context Protocol server with typed tool schemas. wmcp.sh consumes OpenAPI 3 from swagger-jsdoc, @asteasolutions/zod-to-openapi, or a hand-written spec — and emits MCP at https://wmcp.sh/mcp/<your-id>.

The wiring

An Express route, exposed as a tool.

TypeScript Express + Zod + @asteasolutions/zod-to-openapi. Node 22.

// server.ts — Express 4 + Zod, Node 22 LTS
import express, { Request, Response } from 'express';
import { z } from 'zod';
import { OpenAPIRegistry, OpenApiGeneratorV3 } from '@asteasolutions/zod-to-openapi';

const app = express();
app.use(express.json());
const registry = new OpenAPIRegistry();

const CreateOrder = z.object({
  sku: z.string().min(1),
  qty: z.number().int().positive(),
});

registry.registerPath({
  method: 'post', path: '/orders', tags: ['agent'],
  request: { body: { content: { 'application/json': { schema: CreateOrder } } } },
  responses: { 201: { description: 'created' } },
});

app.post('/orders', async (req: Request, res: Response) => {
  const body = CreateOrder.parse(req.body);
  const order = await createOrder(body);
  res.status(201).json(order);
});

const spec = new OpenApiGeneratorV3(registry.definitions).generateDocument({
  openapi: '3.0.0', info: { title: 'Acme Inventory', version: '1.0.0' },
});
app.get('/openapi.json', (_req, res) => res.json(spec));
app.listen(3000);

// curl 'https://wmcp.sh/api/v1/tools?url=https://acme.example.com/openapi.json&tag=agent'

Side-by-side

Hand-rolled MCP server vs wmcp.sh on Express.

Capability	Hand-rolled	wmcp.sh + OpenAPI
Spec generator choice	⚠️ N/A; you redo schemas	✅ swagger-jsdoc, zod-to-openapi, or hand-written — all ingestible
Existing middleware preserved	⚠️ Re-implement at MCP layer	✅ helmet, cors, express-jwt, passport — all still run on the origin
MCP transport (Streamable HTTP, SSE)	⚠️ You build it	✅ Served at `https://wmcp.sh/mcp/<your-id>`
Auth forwarding	⚠️ Per-route adapter	✅ Bearer / API-key / OAuth 2.1 declared in spec
Per-route gating	⚠️ Manual allowlist	✅ Tag operations; `&tag=agent` at ingest
Spec drift detection	❌ Silent	✅ Re-ingest in CI; mismatches surface immediately

FAQ

Common questions from Node / Express teams.

Express has no built-in OpenAPI — what should I use?

Three solid paths: (1) swagger-jsdoc for JSDoc-annotated routes. (2) @asteasolutions/zod-to-openapi for TypeScript-first codebases — recommended. (3) express-openapi-validator if you'd rather hand-write the spec and validate at runtime. wmcp.sh ingests all three.

Node and Express versions?

Node 22 LTS recommended; Node 20 LTS works. Express 4.x and 5.x both work — same route-handler shape.

How does auth flow through?

Declare securitySchemes in the spec — bearerAuth, apiKey, or oauth2. wmcp.sh forwards credentials. Common middleware (passport-jwt, express-jwt, helmet) is unaffected because it runs on your origin.

Fastify, Koa, Hono, Hapi?

All work the same way. @fastify/swagger, koa-swagger, @hono/zod-openapi — emit a spec, point wmcp.sh at it. Pick the framework you prefer; MCP exposure is identical.

Can I gate routes?

Yes. Tag agent-callable operations in the spec and pass &tag=agent at ingest. Untagged or undescribed routes stay invisible.

What about CommonJS vs ESM?

Either works on the origin — wmcp.sh only talks HTTP. The example is ESM-style imports but CJS Express apps emit identical OpenAPI specs.

Need this done for you?

Skip the wiring — we ship the OpenAPI + MCP for your Express app.

Audit your routes, wire up swagger-jsdoc or zod-to-openapi, deploy MCP at mcp.yourbrand.com. Starter $499 one-time setup; Managed Retainer $999/mo for ongoing maintenance; Enterprise $4,999+/mo for SLA + private deploy.

See /managed → Submit (free)

Express has no built-in OpenAPI. Pick a generator; we handle the rest.

What you have today

What agents need

An Express route, exposed as a tool.

Hand-rolled MCP server vs wmcp.sh on Express.

Common questions from Node / Express teams.

Other frameworks.

Skip the wiring — we ship the OpenAPI + MCP for your Express app.