@bolti/mcp
v2.0.1
Published
Bolti MCP server: drive Bolti voice agents, calls, tools, and telephony from any MCP client.
Maintainers
Readme
Bolti MCP server
Drive Bolti from Claude Desktop, Cursor, Claude Code, or any standards-compliant MCP (Model Context Protocol) client: manage voice agents, review calls and transcripts, manage approved HTTP tools, handle phone numbers and SIP trunks, and place outbound calls - all scoped to your workspace.
Full docs: https://docs.bolti.co.in/mcp/overview
Prerequisites
- Node.js 18+
- A Bolti Personal Access Token. Create one in the dashboard: profile
(bottom-left) -> Access Tokens. It starts with
mcp_and is shown once.
The token carries your workspace permissions; the server never has more access than you do. A token can be scoped to a single workspace.
Install
Claude Code
claude mcp add bolti --env BOLTI_API_TOKEN=mcp_YOUR_TOKEN -- npx -y @bolti/mcpCursor
One-click: use the "Add to Cursor" button in the docs, then paste your token.
Or add to ~/.cursor/mcp.json (or a project .cursor/mcp.json):
{
"mcpServers": {
"bolti": {
"command": "npx",
"args": ["-y", "@bolti/mcp"],
"env": { "BOLTI_API_TOKEN": "mcp_YOUR_TOKEN" }
}
}
}Claude Desktop
Add the same JSON block as above to your claude_desktop_config.json under
mcpServers.
Any MCP client (generic)
Run npx -y @bolti/mcp over stdio with BOLTI_API_TOKEN set in the environment.
Configuration
| Variable | Required | Default | Purpose |
|---|---|---|---|
| BOLTI_API_TOKEN | yes | - | Personal Access Token (mcp_...). |
| BOLTI_API_BASE_URL | no | https://api.bolti.co.in | Override for self-hosted/staging. |
| BOLTI_TOOL_TIMEOUT_MS | no | 15000 | Per-request timeout. |
| BOLTI_MAX_PAGE_SIZE | no | 100 | Upper bound on page size. |
| BOLTI_DEFAULT_PAGE_SIZE | no | 20 | Default page size for list tools. |
If no token is set, authenticate at runtime with the login_with_token tool.
Remote (HTTP) mode
By default the server runs over stdio (one local user). It can also run as a hosted, multi-tenant HTTP service using the MCP Streamable HTTP transport:
BOLTI_MCP_TRANSPORT=http BOLTI_MCP_HTTP_PORT=3000 npx -y @bolti/mcp| Variable | Default | Purpose |
|---|---|---|
| BOLTI_MCP_TRANSPORT | stdio | Set to http for hosted mode. |
| BOLTI_MCP_HTTP_PORT | 3000 | Port to listen on (PORT also accepted). |
| BOLTI_MCP_HTTP_PATH | /mcp | Endpoint path. |
| BOLTI_MCP_ALLOWED_HOSTS | (off) | Comma-separated Host allowlist; enables DNS-rebinding protection. |
| BOLTI_MCP_ALLOWED_ORIGINS | (off) | Comma-separated browser Origin allowlist. Requests without an Origin remain valid for non-browser clients. |
| BOLTI_INTERNAL_API_TOKEN | (none) | Shared credential used only by the hosted server to exchange caller credentials for short-lived backend delegation tokens. Required for readiness. |
| BOLTI_MCP_PUBLIC_URL | (none) | Public protected-resource URL. Required when hosted OAuth is enabled. |
| BOLTI_MCP_OAUTH_ENABLED | false | Enables OAuth discovery endpoints only when set exactly to true. |
| BOLTI_MCP_HTTP_MAX_BODY_BYTES | 1048576 | Maximum JSON request body size. |
| BOLTI_MCP_HTTP_MAX_SESSIONS | 1000 | Maximum active sessions per server process. |
| BOLTI_MCP_HTTP_MAX_SESSIONS_PER_TOKEN | 10 | Maximum active sessions per authenticated principal. |
| BOLTI_MCP_HTTP_SESSION_IDLE_TIMEOUT_MS | 1800000 | Idle session expiration in milliseconds. |
In HTTP mode each request authenticates with the caller's token. The hosted server exchanges that credential through the backend's authenticated internal API and stores only a one-way binding hash plus a short-lived, workspace-scoped delegation token in the MCP session. Tenants are isolated, and established sessions are re-authenticated on every request. OAuth 2.1 discovery is available when explicitly enabled and configured with a public resource URL.
Safety
- Read and write tools are separate. Destructive or billed actions
(deleting resources, placing outbound calls, revoking tokens) require an
explicit
confirm: trueargument, so the client can confirm with you first. - Secrets (tool auth, SIP passwords) are write-only and never returned.
- All access is enforced by the Bolti backend against your token's workspace.
Development
npm install
npm run build # tsc -> dist/
npm test # vitest
npm run dev # run from source with tsx
npm run bundle # build + pack a .mcpb bundle (needs network for the mcpb CLI)