New Version 1.0.13 is now available with automatic secret redaction and enhanced security
HAL Logo

HAL HTTP API Layer

A Model Context Protocol server that provides HTTP API capabilities to Large Language Models. Make secure HTTP requests and optionally integrate with OpenAPI/Swagger specifications.

Add to your Claude Desktop config:

{
  "mcpServers": {
    "hal": {
      "command": "npx",
      "args": ["hal-mcp"]
    }
  }
}

Core Features

Everything you need for HTTP API integration with AI

Complete HTTP Support

All HTTP methods supported

GET, POST, PUT, PATCH, DELETE, OPTIONS, and HEAD requests to interact with any HTTP endpoint.

Secure Secret Management

Environment-based secret handling

Use template substitution with {secrets.key} syntax to keep sensitive information secure.

OpenAPI Integration

Automatic tool generation

Automatically generate tools from OpenAPI/Swagger specifications for seamless API integration.

Built-in Documentation

Self-documenting API reference

Access comprehensive usage examples through the built-in documentation resource.

Security First

Multiple layers of protection

URL filtering, namespace restrictions, and isolated execution environment for maximum security.

Fast & Modern

TypeScript and performance optimized

Built with TypeScript and optimized for performance with the latest MCP standards.

Quick Setup

Get HAL running with Claude Desktop in minutes

1. Configure Claude Desktop

Add this to your Claude Desktop configuration (npx will automatically install and run HAL):

{
  "mcpServers": {
    "hal": {
      "command": "npx",
      "args": ["hal-mcp"]
    }
  }
}

2. Start Making HTTP Requests

Ask Claude to make HTTP requests using HAL's tools:

"Can you fetch the latest commits from the GitHub API for the microsoft/vscode repository?"

Advanced Capabilities

Professional features for production use

Namespace Management

Organize secrets by service with URL restrictions for enhanced security

Use multi-level namespaces to organize secrets and restrict access to specific URLs:

Environment Setup

# Azure Storage secrets
HAL_SECRET_AZURE-STORAGE_ACCESS_KEY="azure_storage_key_xxxxx"
HAL_ALLOW_AZURE-STORAGE="https://*.blob.core.windows.net/*"

# GitHub API secrets  
HAL_SECRET_GITHUB_API_KEY="github_pat_xxxxx"
HAL_ALLOW_GITHUB="https://api.github.com/*,https://*.github.com/*"

# Google Cloud secrets
HAL_SECRET_GOOGLE-CLOUD_SERVICE_ACCOUNT="google_service_account_json"
HAL_ALLOW_GOOGLE-CLOUD="https://*.googleapis.com/*"

Usage in Requests

{
  "url": "https://mystorageaccount.blob.core.windows.net/container/file.txt",
  "headers": {
    "Authorization": "SharedKey mystorageaccount:{secrets.azure.storage.access_key}"
  }
}

✓ Secure: This secret can only be used with Azure Storage URLs

URL Filtering

Control which URLs can be accessed with whitelist or blacklist patterns

Whitelist Mode

Only allow specific APIs (maximum security)

# Only allow trusted APIs
HAL_WHITELIST_URLS="https://api.github.com/*,https://*.googleapis.com/*,https://api.stripe.com/*"

# Optional: Add secrets for allowed APIs
HAL_SECRET_GITHUB_TOKEN="your-github-token"
HAL_SECRET_GOOGLE_API_KEY="your-google-key"

Blacklist Mode

Block internal networks and sensitive endpoints

# Block internal networks
HAL_BLACKLIST_URLS="http://localhost:*,https://192.168.*,https://10.*,https://172.16.*,https://admin.internal.com/*"

# Allow all external APIs
HAL_SECRET_API_KEY="your-external-api-key"

💡 Tip: Combine namespace restrictions with URL filtering for maximum security in production environments.

OpenAPI/Swagger Integration

Automatically generate tools from API specifications

Configuration

# Point to your OpenAPI spec
HAL_SWAGGER_FILE="/path/to/your/openapi.json"
HAL_API_BASE_URL="https://api.example.com"

# Add API credentials
HAL_SECRET_API_KEY="your-api-key"

Auto-generated Tools

swagger_getUserById

→ GET /users/{id}

swagger_createPayment

→ POST /payments

swagger_updateOrder

→ PUT /orders/{id}

Latest Release

Version 1.0.13

Automatic secret redaction and enhanced security

Automatic redaction of secret values from all AI responses, preventing credential exposure in error messages and API responses.