
HAL HTTP API Layer
A Model Context Protocol server that provides HTTP API capabilities to Large Language Models. Make secure HTTP requests and optionally integrate with OpenAPI/Swagger specifications.
Core Features
Everything you need for HTTP API integration with AI
Complete HTTP Support
All HTTP methods supported
GET, POST, PUT, PATCH, DELETE, OPTIONS, and HEAD requests to interact with any HTTP endpoint.
Secure Secret Management
Environment-based secret handling
Use template substitution with {secrets.key} syntax to keep sensitive information secure.
OpenAPI Integration
Automatic tool generation
Automatically generate tools from OpenAPI/Swagger specifications for seamless API integration.
Built-in Documentation
Self-documenting API reference
Access comprehensive usage examples through the built-in documentation resource.
Security First
Multiple layers of protection
URL filtering, namespace restrictions, and an isolated execution environment for maximum security.
Fast & Modern
TypeScript and performance optimized
Built with TypeScript and optimized for performance with the latest MCP standards.
Quick Setup
Get HAL running with Claude Desktop in minutes
1. Configure Claude Desktop
Add this to your Claude Desktop configuration (npx will automatically install and run HAL):
{
  "mcpServers": {
    "hal": {
      "command": "npx",
      "args": ["hal-mcp"]
    }
  }
}
2. Start Making HTTP Requests
Ask Claude to make HTTP requests using HAL's tools:
"Can you fetch the latest commits from the GitHub API for the microsoft/vscode repository?"
Advanced Capabilities
Professional features for production use
Namespace Management
Organize secrets by service with URL restrictions for enhanced security
Use multi-level namespaces to organize secrets and restrict access to specific URLs:
Environment Setup
# Azure Storage secrets
HAL_SECRET_AZURE-STORAGE_ACCESS_KEY="azure_storage_key_xxxxx"
HAL_ALLOW_AZURE-STORAGE="https://*.blob.core.windows.net/*"
# GitHub API secrets
HAL_SECRET_GITHUB_API_KEY="github_pat_xxxxx"
HAL_ALLOW_GITHUB="https://api.github.com/*,https://*.github.com/*"
# Google Cloud secrets
HAL_SECRET_GOOGLE-CLOUD_SERVICE_ACCOUNT="google_service_account_json"
HAL_ALLOW_GOOGLE-CLOUD="https://*.googleapis.com/*"
Usage in Requests
{
  "url": "https://mystorageaccount.blob.core.windows.net/container/file.txt",
  "headers": {
    "Authorization": "SharedKey mystorageaccount:{secrets.azure.storage.access_key}"
  }
}
✓ Secure: This secret can only be used with Azure Storage URLs
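The namespace restriction described above, sketched as an added example (this is not HAL's own code): a secret is substituted into a request only when the destination URL matches its namespace's HAL_ALLOW_ patterns. The function names, the glob semantics and the way a secret is bound to its namespace are assumptions inferred from the examples on this page.

```typescript
type Env = { [name: string]: string };
type Secrets = { [ref: string]: { value: string; allow: RegExp[] | null } };

// Glob -> anchored RegExp. A "*" in the host part matches hostname characters
// only, so it cannot extend past the hostname into the path, query or userinfo.
function globToRegExp(glob: string): RegExp {
  const m = /^([a-z]+:\/\/)([^/]*)(.*)$/i.exec(glob);
  if (!m) throw new Error("unsupported pattern: " + glob);
  const esc = (s: string) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const host = esc(m[2]).replace(/\*/g, "[a-z0-9.-]*");
  const path = esc(m[3]).replace(/\*/g, ".*");
  return new RegExp("^" + esc(m[1]) + host + path + "$", "i");
}

// Assumed convention, inferred from the page's examples: HAL_SECRET_<NS>_<KEY>
// is bound to HAL_ALLOW_<NS>; "-" in <NS> becomes "." in the template name.
// A secret with no matching HAL_ALLOW_ entry is treated as unrestricted here.
function loadSecrets(env: Env): Secrets {
  const out: Secrets = {};
  const names = Object.keys(env);
  for (const name of names) {
    if (name.indexOf("HAL_SECRET_") !== 0) continue;
    const rest = name.slice("HAL_SECRET_".length);
    let ref = rest.toLowerCase();
    let allow: RegExp[] | null = null;
    for (const a of names) {
      const ns = a.indexOf("HAL_ALLOW_") === 0 ? a.slice("HAL_ALLOW_".length) : "";
      if (!ns || rest.indexOf(ns + "_") !== 0) continue;
      ref = (ns.replace(/-/g, ".") + "." + rest.slice(ns.length + 1)).toLowerCase();
      allow = env[a].split(",").map((g) => globToRegExp(g.trim()));
    }
    out[ref] = { value: env[name], allow };
  }
  return out;
}
// Substitute {secrets.x} only after the destination URL passes the namespace check.
function resolveTemplate(text: string, url: string, secrets: Secrets): string {
  return text.replace(/\{secrets\.([a-z0-9_.]+)\}/gi, (_all: string, ref: string) => {
    const s = secrets[ref.toLowerCase()];
    if (!s) throw new Error("unknown secret: " + ref);
    if (s.allow && !s.allow.some((re) => re.test(url)))
      throw new Error("secret " + ref + " is not allowed for " + url);
    return s.value;
  });
}
// Constructed sample environment using the placeholder values shown on the page.
const ENV: Env = {
  "HAL_SECRET_AZURE-STORAGE_ACCESS_KEY": "azure_storage_key_xxxxx",
  "HAL_ALLOW_AZURE-STORAGE": "https://*.blob.core.windows.net/*",
  "HAL_SECRET_GITHUB_API_KEY": "github_pat_xxxxx",
  "HAL_ALLOW_GITHUB": "https://api.github.com/*,https://*.github.com/*",
};
```

The check runs inside the substitution callback, so a request to a URL outside the namespace fails before the secret value is ever placed in a header.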
URL Filtering
Control which URLs can be accessed with whitelist or blacklist patterns
Whitelist Mode
Only allow specific APIs (maximum security)
# Only allow trusted APIs
HAL_WHITELIST_URLS="https://api.github.com/*,https://*.googleapis.com/*,https://api.stripe.com/*"
# Optional: Add secrets for allowed APIs
HAL_SECRET_GITHUB_TOKEN="your-github-token"
HAL_SECRET_GOOGLE_API_KEY="your-google-key"
Blacklist Mode
Block internal networks and sensitive endpoints
# Block internal networks
HAL_BLACKLIST_URLS="http://localhost:*,https://192.168.*,https://10.*,https://172.16.*,https://admin.internal.com/*"
# Allow all external APIs
HAL_SECRET_API_KEY="your-external-api-key"
💡 Tip: Combine namespace restrictions with URL filtering for maximum security in production environments.
OpenAPI/Swagger Integration
Automatically generate tools from API specifications
Configuration
# Point to your OpenAPI spec
HAL_SWAGGER_FILE="/path/to/your/openapi.json"
HAL_API_BASE_URL="https://api.example.com"
# Add API credentials
HAL_SECRET_API_KEY="your-api-key"
Auto-generated Tools
swagger_getUserById → GET /users/{id}
swagger_createPayment → POST /payments
swagger_updateOrder → PUT /orders/{id}
Latest Release
Version 1.0.13
Automatic secret redaction and enhanced security
Automatic redaction of secret values from all AI responses, preventing credential exposure in error messages and API responses.