fetchsandbox-mcp
v0.3.14
Published
Turn any OpenAPI spec into a working sandbox your AI agent can use. MCP server for Claude Code, Cursor, and any other MCP-compatible LLM IDE.
Maintainers
Readme
fetchsandbox-mcp
Turn any OpenAPI spec into a working sandbox your AI agent can use, right from your IDE.
This is the Model Context Protocol (MCP) server for FetchSandbox. It exposes three tools that let any MCP-compatible agent ingest an OpenAPI spec, list its workflows, and run them — with realistic, schema-validated responses for every endpoint.
Why
Agents read raw OpenAPI specs and hallucinate. They guess field names, invent IDs that won't exist, and produce broken curl commands. FetchSandbox turns the spec into a stateful, AJV-validated sandbox so the agent can actually call the API and see real-shaped responses.
Plug it into your IDE once, and any time you ask your agent "let me try the Stripe API" or "show me the GitHub issue lifecycle," it can do that — for real, end-to-end.
Install — by agent
The MCP runs as a stdio process spawned by your IDE. There's nothing to install globally — npx runs the latest published version on demand. Pick your tool below, paste the snippet, restart.
Claude Desktop
File: ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows)
{
"mcpServers": {
"fetchsandbox": {
"command": "npx",
"args": ["-y", "fetchsandbox-mcp@latest"]
}
}
}Quit and reopen Claude Desktop (Cmd+Q, then reopen — not just close window).
Claude Code
User-level (all projects): ~/.claude/settings.json. Or project-level: .mcp.json in the repo root.
{
"mcpServers": {
"fetchsandbox": {
"command": "npx",
"args": ["-y", "fetchsandbox-mcp@latest"]
}
}
}Restart the Claude Code session.
Cursor
File: ~/.cursor/mcp.json (global) or .cursor/mcp.json (project)
{
"mcpServers": {
"fetchsandbox": {
"command": "npx",
"args": ["-y", "fetchsandbox-mcp@latest"]
}
}
}Restart Cursor.
Cline (VS Code extension)
Open the Cline panel → settings cog → MCP Servers → add a new server with:
- Command:
npx - Args:
-y fetchsandbox-mcp@latest
Reload the VS Code window.
Continue.dev
File: ~/.continue/config.yaml
mcpServers:
- name: fetchsandbox
command: npx
args:
- -y
- fetchsandbox-mcp@latestRestart your IDE.
Codex CLI (OpenAI)
File: ~/.codex/config.toml
[mcp_servers.fetchsandbox]
command = "npx"
args = ["-y", "fetchsandbox-mcp@latest"]Restart Codex.
Zed
File: ~/.config/zed/settings.json
{
"context_servers": {
"fetchsandbox": {
"command": {
"path": "npx",
"args": ["-y", "fetchsandbox-mcp@latest"]
}
}
}
}GitHub Copilot
GitHub Copilot doesn't currently support the Model Context Protocol. Track github/copilot#feedback for updates. In the meantime, run any MCP-compatible chat (Claude Code, Cursor, Cline) alongside Copilot.
Anything else (Roo, Goose, etc.)
If your agent speaks MCP, it accepts a stdio command. Use:
- Command:
npx - Args:
["-y", "fetchsandbox-mcp@latest"]
Try it now
After restarting your agent, paste any of these prompts. Every prompt
starts with the ./fetchsandbox dispatch prefix — that's the routing
signal. The brain matches your symptom to a workflow + scenario,
reproduces it deterministically, and returns a public receipt URL as
proof. Variant prefixes also accepted: /fetchsandbox,
@fetchsandbox, fs:.
Stripe — investigate a webhook bug
./fetchsandbox stripe webhook bug in prod — payments getting marked paid 2-3 times. fix it with proof.
The brain matches the webhook_duplicate_side_effect pattern. The
agent reproduces the bug via accept_payment + webhook_retries
scenario, applies the fix from the brain's fix_pattern, re-runs to
confirm, and surfaces the brain's check_for items as the audit list.
Receipt URL is the proof artifact.
Stripe — silent card decline
./fetchsandbox stripe checkout fails silently when cards are declined — investigate and fix.
Brain matches card_decline_not_handled → reproduces via
payment_declined scenario → recommends the wrap-in-try/except fix
pattern with decline_code surfacing.
Stripe — webhook signature security
./fetchsandbox stripe webhook security audit failed — anyone can post to the endpoint. fix it.
Brain matches webhook_signature_unverified → reproduces via
auth_failure scenario → recommends the stripe.Webhook.construct_event
fix with STRIPE_WEBHOOK_SECRET env sourcing.
Build a new integration
./fetchsandbox help me integrate resend for transactional email
Brain surfaces Resend's discovery questions (SPF/DKIM, bounce handling, etc.), routes to the right send-email workflow, and walks the implementation against a curated Resend sandbox.
Any other API
./fetchsandbox <your question or bug report about any API>
For Stripe, Resend, Clerk, Privy, Surge, AgentMail, Twilio, PayPal,
Paddle, GitHub, OpenAI, Pinecone, Datadog, and 19 others, the brain
routes via curated knowledge. For specs we don't have curated configs
for, the engine auto-enumerates create + verify workflows for every
detected resource. Honest about what it shows: UUIDs instead of
vendor-style IDs, generic enum values instead of API-specific ones —
but the request/response shape and template substitution between steps
still work.
Tools
import_spec
Ingest an OpenAPI 3.x spec and get a sandbox you can call. Pass either a public URL or pasted content.
url: "https://raw.githubusercontent.com/stripe/openapi/master/openapi/spec3.json"
content: "<paste OpenAPI JSON or YAML here>"
name: "Optional friendly name"Returns spec_id, sandbox_id, base_url (proxy that serves real-shaped responses), workflows_preview (first 10), matched_bundled (true if we matched a curated config), and a dashboard_url to view everything in the browser.
list_workflows
List the named, runnable workflows the engine inferred or curated for an imported spec.
spec_id: "<id from import_spec>"run_workflow
Execute one workflow and return the step-by-step request/response trace. Template variables ({{step1.id}}) are resolved automatically between steps.
sandbox_id: "<id from import_spec>"
workflow_name: "<id or name from list_workflows>"Configuration
| Env var | Default | Purpose |
|---|---|---|
| FETCHSANDBOX_BASE_URL | https://fetchsandbox.com | Override for stage testing or self-hosted backends. |
| FETCHSANDBOX_TELEMETRY | (on) | Set to 0 to disable anonymous usage telemetry. |
What we record
When telemetry is on, each tool call records: an opaque per-machine session id (random UUID stored at ~/.fetchsandbox/session.json), the tool name, latency, success/failure, and the spec URL or "pasted". We do not record spec content, request bodies, or credentials. We use this to count daily-active sessions and learn which APIs people are bringing to the platform.
To opt out:
export FETCHSANDBOX_TELEMETRY=0License
MIT — see LICENSE.
