Home Help Agents MCP

Model Context Protocol

Connect an MCP client to pastebin.ca
Endpoint

Server URL

Point your MCP client at:

https://pastebin.ca/mcp

Discovery documents (no client config needed):

  • /.well-known/oauth-protected-resource/mcp — RFC 9728 Protected Resource Metadata
  • /.well-known/oauth-authorization-server — RFC 8414 Authorization Server Metadata
Authentication

Two ways to authenticate

pastebin.ca's MCP server accepts either OAuth 2.1 (recommended for desktop clients) or a long-lived bearer API key (recommended for server-side automation).

  1. OAuth 2.1 + PKCE — Most modern MCP clients (Claude Desktop, Cursor, the Inspector) discover this automatically. They register themselves dynamically (RFC 7591), open a passkey sign-in + consent page, and receive an audience-bound token. No manual configuration.
  2. Static API key — Mint a key under Account → Automation tokens.

Note: this is a stateless streamable-HTTP MCP server. GET requests for SSE are intentionally not supported — all traffic is JSON-RPC over POST /mcp.

Clients

Claude Desktop

Edit ~/Library/Application Support/Claude/claude_desktop_config.json (or on Linux ~/.config/Claude/claude_desktop_config.json):

{
  "mcpServers": {
    "pastebin": {
      "url": "https://pastebin.ca/mcp"
    }
  }
}

On first use Claude opens a browser tab where you sign in with a passkey and approve the requested scopes. The token is stored locally; the server only sees the bearer on each MCP call.

Cursor / Windsurf

Edit ~/.cursor/mcp.json:

{
  "mcpServers": {
    "pastebin": { "url": "https://pastebin.ca/mcp" }
  }
}

MCP Inspector

Launch the official inspector against the live URL:

npx @modelcontextprotocol/inspector

Enter https://pastebin.ca/mcp as the server URL and choose OAuth when prompted.

Manual API-key configuration

If your client doesn't speak OAuth, hand it a bearer header directly:

{
  "mcpServers": {
    "pastebin": {
      "url": "https://pastebin.ca/mcp",
      "headers": { "Authorization": "Bearer pbca_live_…" }
    }
  }
}
Tools

What MCP clients can do

Use tools/list to discover the full surface — every tool ships with an inputSchema, an outputSchema, and a human-readable description. The current inventory:

  • create_paste — create a plaintext paste. Body can be sent as UTF-8 text (body) or base64-encoded UTF-8 bytes (body_b64).
  • get_paste — fetch a paste you own or any public paste. body_format=base64 returns raw bytes as body_b64 for safe transport.
  • get_encrypted_paste — fetch ciphertext + cipher metadata for an encrypted paste; decrypt out-of-band.
  • list_my_pastes — page through your own pastes, with an opaque next_cursor.
  • amend_paste — add a new version to a paste lineage, with optional title and change_note.
  • update_visibility — flip a plaintext paste between public and unlisted (encrypted and read-limited pastes are immutable).
  • delete_paste — soft-delete a paste you own.
  • list_paste_versions — return the full amendment chain for any paste in a lineage in one call (oldest first), with deleted versions tombstoned in place.
  • diff_pastes — return a standard unified diff between two pastes in the same lineage. Plaintext only.
  • search_my_pastes — full-text search across your own public pastes; returns highlighted snippets and paste:// URIs. Private, unlisted, and encrypted pastes are never indexed.
  • whoami — confirm the authenticated account, scopes, and (for OAuth) the bound audience. No scope required.

Recipient flows (sending and reading inbox pastes) are intentionally not exposed over MCP because the server would briefly hold plaintext during sealing — use the REST API for those.

Resources

paste:// resource URIs

The MCP resources capability lets clients address any paste by URI. The template is:

paste://{id}

resources/read returns the body as a text part (when valid UTF-8) or a base64 blob part (binary). Authorization mirrors get_paste: owners may read any of their own pastes; anyone may read public pastes.

Plain pastebin.ca view links following the canonical id pattern (10 chars, first char 2-9) are accepted too — clients may pass https://pastebin.ca/{id} URLs anywhere the protocol expects paste://{id} URIs, and tools that take an id (get_paste, amend_paste, update_visibility, delete_paste) accept all three forms.

resources/list returns empty by design — pastes are not enumerated as resources. Use list_my_pastes for discovery.

Scopes

OAuth tokens may request a subset of these scopes; the consent page shows which ones the client asked for.

  • paste:create — create new pastes
  • paste:read — read pastes you own or have a link to
  • paste:list — list your own pastes
  • paste:edit — amend pastes you own and toggle their visibility between public and unlisted
  • paste:revoke — delete pastes you own

Revoking access

All tokens issued to MCP clients show up under Connected apps on your account page. Hit Revoke to invalidate the token immediately — the client will need to re-run the OAuth flow on its next call.