Does this work with Rails-as-API or full-stack Rails?

Both. The MCP exposure layer only needs controller actions that respond with JSON and a routes.rb that maps them to stable URLs. Full-stack Rails apps with HTML views and turbo work fine; the agent-callable subset lives under app/controllers/api/ (or wherever your JSON namespace is) and the rest of your views stay untouched.

Why rswag specifically?

Rails has no first-party OpenAPI generator. rswag is the most-used Ruby gem for emitting OpenAPI 3 specs because it derives them from RSpec request specs — meaning your tests double as the schema source. Alternatives include grape-swagger (if you use Grape), rspec-openapi, and hand-writing a static spec. wmcp.sh ingests any of them; rswag is the recommendation because the schema stays accurate as your test suite evolves.

How is authentication handled?

Declare your auth scheme in rswag's swagger_helper (bearerAuth, apiKey, oauth2) and it lands in the OpenAPI spec. wmcp.sh reads securitySchemes and forwards credentials accordingly. Common Rails patterns — Devise's API tokens, JWT via devise-jwt, OAuth via Doorkeeper — all map onto standard OpenAPI securitySchemes.

What about Rails strong parameters and Active Model validations?

Strong parameters and validations stay inside the controller; nothing changes. The OpenAPI spec describes the request body shape that the controller will accept, and the controller is still responsible for permitting + validating before persisting. The spec is a contract, not a replacement.

Can I expose only a subset of controller actions?

Yes. rswag operations are explicit — you describe each endpoint you want in the spec. Anything you don't describe is invisible to MCP clients. For finer control, tag operations and pass &tag=agent to the wmcp.sh ingest URL.

integration · Rails

Rails MCP integration.

Your Rails 7+ app already routes JSON traffic through controller actions backed by strong parameters and Active Model validations. Here's how to expose those actions as MCP tools an agent can call — without abandoning Rails conventions.

wmcp.sh is not affiliated with 37signals, the Rails Foundation, or Anthropic. Rails and rswag are open-source projects.

The gap

Rails has no first-party OpenAPI. rswag closes the gap.

What you have today

Controllers under app/controllers/api/, routes mapped in config/routes.rb, request specs in spec/requests/ exercising every endpoint. Devise + Doorkeeper or a JWT scheme on top.

What agents need

A Model Context Protocol server with typed tool schemas. rswag generates OpenAPI 3 from your request specs; wmcp.sh ingests it and emits MCP at https://wmcp.sh/mcp/<your-id>. Controllers untouched.

The wiring

A controller action, exposed as a tool.

Standard Rails 7 JSON API controller plus an rswag spec emitting OpenAPI.

# app/controllers/api/v1/orders_controller.rb
module Api::V1
  class OrdersController < ApplicationController
    before_action :authenticate_user!

    def update
      order = Order.find(params[:id])
      if order.update(order_params)
        render json: order, status: :ok
      else
        render json: { errors: order.errors }, status: :unprocessable_entity
      end
    end

    private
    def order_params
      params.require(:order).permit(:status, :tracking_number)
    end
  end
end

# spec/requests/api/v1/orders_spec.rb — rswag emits OpenAPI from this
require 'swagger_helper'
RSpec.describe 'Orders API', type: :request do
  path '/api/v1/orders/{id}' do
    patch 'Update order status' do
      tags 'Orders', 'agent'
      consumes 'application/json'
      parameter name: :id, in: :path, type: :string
      parameter name: :order, in: :body, schema: { type: :object, properties: { status: { type: :string } } }
      response '200', 'updated' do run_test! end
    end
  end
end

# rake rswag:specs:swaggerize publishes swagger/v1/swagger.yaml at /api-docs/v1/swagger.yaml
# curl 'https://wmcp.sh/api/v1/tools?url=https://acme.example.com/api-docs/v1/swagger.yaml&tag=agent'

Side-by-side

Hand-rolled MCP server vs wmcp.sh on Rails.

Capability	Hand-rolled	wmcp.sh + rswag
Tool schemas tied to tests	⚠️ Schema and tests drift independently	✅ rswag derives spec from request specs — tests are the schema
Strong params + validations	✅ Untouched (server-side concern)	✅ Untouched; spec documents the wire shape, controller enforces
Authentication	⚠️ Re-implement Devise/Doorkeeper at the MCP layer	✅ securitySchemes declared in swagger_helper flow through
MCP transport (Streamable HTTP, SSE)	⚠️ You build it	✅ Served at `https://wmcp.sh/mcp/<your-id>`
Per-action gating	⚠️ Manual	✅ Tag rswag operations + `&tag=agent` ingest filter
CI integration	⚠️ Separate sync step	✅ `rake rswag:specs:swaggerize` + re-ingest in CI

FAQ

Common questions from Rails teams.

Rails-as-API or full-stack Rails?

Both work. wmcp.sh only needs JSON controller actions with stable routes. The HTML view side of your app is irrelevant to MCP exposure.

Why rswag?

Rails has no first-party OpenAPI generator. rswag derives OpenAPI 3 from RSpec request specs so the spec stays accurate as your tests evolve. Alternatives: grape-swagger, rspec-openapi, or hand-writing a static spec. wmcp.sh ingests any of them.

How does Devise / Doorkeeper / JWT plug in?

Declare your auth scheme as securitySchemes in swagger_helper.rb. wmcp.sh reads the spec and forwards credentials. Devise API tokens map to apiKey, Doorkeeper to oauth2, JWT to bearerAuth.

Will strong params or validations be affected?

No. The spec describes what the controller accepts; the controller still permits and validates before persisting. Spec is a contract, not a replacement.

Can I expose only some actions?

Yes. rswag operations are explicit. Anything not described in spec/requests/ is invisible to MCP clients. Tag and filter for finer control.

Ruby and Rails versions?

Rails 7.0+ recommended; Rails 6 LTS works. Ruby 3.1+. rswag 2.13+ supports OpenAPI 3.0; for OpenAPI 3.1 features stick with hand-written specs or rspec-openapi.

Need this done for you?

Skip the wiring — we ship the OpenAPI + MCP for your Rails app.

Audit your controllers, wire up rswag, deploy MCP at mcp.yourbrand.com. Starter $499 one-time setup; Managed Retainer $999/mo for ongoing maintenance; Enterprise $4,999+/mo for SLA + private deploy.

See /managed → Submit (free)

Rails has no first-party OpenAPI. rswag closes the gap.

What you have today

What agents need

A controller action, exposed as a tool.

Hand-rolled MCP server vs wmcp.sh on Rails.

Common questions from Rails teams.

Other frameworks.

Skip the wiring — we ship the OpenAPI + MCP for your Rails app.