MCP server for market & security intelligence

The Velocity MCP server

Connect Claude, ChatGPT, Codex, OpenClaw, or any agent to 14 read-only tools for trend search, intel briefs, real-time CVE alerts, and threat-actor lookups — over Streamable HTTP.

Tools: 14 (all read-only)
Transport: HTTP (Streamable, JSON-RPC 2.0)
Protocol: 2025-11-25 (negotiates older too)
API key: vel_* (SHA-256 stored, never plaintext)

Endpoint

One URL, Streamable HTTP, JSON-RPC 2.0

Implemented directly against the MCP spec for the Next.js App Router runtime.

Endpoint

https://velocity.andiamo.tech/api/agents/mcp

Transport

Streamable HTTP — a single endpoint, one JSON-RPC request per POST. Lifecycle: initialize → notifications/initialized → tools/list / tools/call.

Protocol version

Negotiates 2025-11-25, also 2025-06-18 and 2025-03-26.

Auth

X-MCP-Key: vel_… (Claude Code / OpenClaw) or Authorization: Bearer vel_… (Codex, OpenAI Responses, ChatGPT).

Tools

14 read-only tools

search and fetch use the canonical retrieval shape the OpenAI / ChatGPT remote-MCP ecosystem probes for.

The 14 Velocity MCP tools, their descriptions, and minimum tiers

| Tool | Description | Min tier |
| --- | --- | --- |
| search | Canonical retrieval: search active trends, return { results: [{ id, title, url, text, metadata }] } | Free |
| fetch | Canonical retrieval: fetch one trend by id, return { id, title, text, url, metadata } | Free |
| velocity_search_trends | Search trends by keyword, category, or velocity score | Free |
| velocity_trend_details | Full detail plus recent velocity history for one trend | Free |
| velocity_intel_brief | Top / emerging trends and a category breakdown for a window | Free |
| velocity_watchlist_alerts | List threshold breaches on the caller’s own watchlists | Free |
| velocity_momentum_check | Whether a trend is accelerating, plateauing, or fading | Pro |
| velocity_correlation_lookup | Pearson correlation of a trend’s velocity history vs. others | Pro |
| security_vuln_lookup | Look up a CVE / GHSA advisory and its details | Free |
| security_build_stack_from_file | Parse a dependency / lockfile into a watched tech stack | Free |
| security_list_stack_watch | List the tech stack the caller is watching | Free |
| security_subscribe_stack_hits | Subscribe so the agent is alerted when a new CVE matches the watched stack | Pro |
| threat_actor_lookup | Look up an APT / threat-actor group, aliases, origin, motivation, TTPs | Free |
| threat_actor_search | Search 200+ threat actors from MITRE ATT&CK, MISP, and CISA | Free |

Each tool ships a strict JSON Schema (additionalProperties: false, bounded strings / numbers / enums), validated server-side on every call.
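
How strict server-side argument validation of this kind can work, as an added example that is not Velocity's code. The schema for velocity_search_trends is an assumed shape (only query and limit appear on this page; the bounds and the category enum are invented for illustration), and TOOL_SCHEMAS, validateArgs and checkToolCall are hypothetical names. Unknown tools and invalid arguments map to -32602, the Invalid params code this page documents.

```javascript
// Added example, not Velocity's code. Bounds and the category enum are assumed;
// only "query" and "limit" appear in the page's smoke test.
const TOOL_SCHEMAS = {
  velocity_search_trends: {
    type: 'object',
    additionalProperties: false,
    required: ['query'],
    properties: {
      query: { type: 'string', minLength: 1, maxLength: 200 },
      limit: { type: 'integer', minimum: 1, maximum: 50 },
      category: { type: 'string', enum: ['security', 'ai', 'markets'] },
    },
  },
};
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns a list of violations; an empty list means the arguments are accepted.
function validateArgs(schema, args) {
  if (args === null || typeof args !== 'object' || Array.isArray(args)) return ['arguments must be an object'];
  const errors = [];
  // additionalProperties: false -> every key not declared in the schema is rejected,
  // including "__proto__", which JSON.parse creates as an ordinary own property.
  errors.push(...Object.keys(args).filter((k) => !own(schema.properties, k)).map((k) => `unknown property: ${k}`));
  errors.push(...schema.required.filter((k) => !own(args, k)).map((k) => `missing property: ${k}`));
  for (const [key, rule] of Object.entries(schema.properties)) {
    if (!own(args, key)) continue;
    const v = args[key];
    if (rule.type === 'string') {
      if (typeof v !== 'string') errors.push(`${key}: expected string`);
      else if (v.length < (rule.minLength ?? 0) || v.length > (rule.maxLength ?? Infinity)) errors.push(`${key}: length out of bounds`);
      else if (rule.enum && !rule.enum.includes(v)) errors.push(`${key}: value not in enum`);
    } else if (rule.type === 'integer') {
      if (!Number.isInteger(v)) errors.push(`${key}: expected integer`);
      else if (v < rule.minimum || v > rule.maximum) errors.push(`${key}: out of range`);
    }
  }
  return errors;
}

// Gate for tools/call: unknown tool or invalid arguments -> JSON-RPC -32602.
// The detailed violations stay in `errors` for server-side logging (an assumption
// of this example); the response itself carries only the generic message.
function checkToolCall(req) {
  const { name, arguments: args = {} } = req.params ?? {};
  const schema = own(TOOL_SCHEMAS, String(name)) ? TOOL_SCHEMAS[name] : null;
  const errors = schema ? validateArgs(schema, args) : [`unknown tool: ${name}`];
  if (errors.length === 0) return { ok: true };
  const error = { code: -32602, message: 'Invalid params' };
  return { ok: false, errors, response: { jsonrpc: '2.0', id: req.id ?? null, error } };
}
```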

Get a key

Mint an X-MCP-Key

Keys are scoped to the issuing user; every tool call is authorized as that user.

  1. Sign in to Velocity and open the Agent Hub at /agents.
  2. In the API Keys tab, enter a label and click Generate key.
  3. Copy the vel_* key immediately — it is shown only once. Velocity stores only a SHA-256 hash, never the plaintext.

Treat the key like a password: never commit it, log it, or put it in a URL. If a key is exposed, revoke it from the API Keys tab — revoking takes effect immediately.

Setup

Connect your client

Exact snippets for Claude Code, the OpenAI Responses API, and ChatGPT Developer Mode.

Claude Code

claude mcp add (bash)
# Options come BEFORE the positional name + url
claude mcp add --transport http \
  --header "X-MCP-Key: vel_your_api_key" \
  velocity https://velocity.andiamo.tech/api/agents/mcp

OpenAI Responses API (remote MCP)

responses.create (ts)
import OpenAI from 'openai';

const client = new OpenAI();

const response = await client.responses.create({
  model: 'gpt-5',
  tools: [
    {
      type: 'mcp',
      server_label: 'velocity',
      server_url: 'https://velocity.andiamo.tech/api/agents/mcp',
      require_approval: 'never',
      authorization: process.env.VELOCITY_MCP_KEY,
    },
  ],
  input: 'Search Velocity for the biggest trending security stories and brief me.',
});

ChatGPT Developer Mode

Connector settings (text)
# ChatGPT Developer Mode → add a Streamable HTTP connector
Server URL:  https://velocity.andiamo.tech/api/agents/mcp
Header:      Authorization: Bearer vel_your_api_key

Pasting a long-lived key into a hosted ChatGPT connector is appropriate for internal testing. Publishing a connector to other accounts requires OAuth 2.1 with PKCE and dynamic client registration — a separate follow-up. The X-MCP-Key / Bearer flow works for Claude Code, OpenClaw, Codex, and the Responses API regardless.

Verify

Smoke test the connection

Raw JSON-RPC against the live endpoint — initialize, list, and a safe read-only call.

smoke-test.sh (bash)
KEY="vel_your_api_key"
URL="https://velocity.andiamo.tech/api/agents/mcp"

# 1. initialize
curl -s -X POST "$URL" \
  -H "Content-Type: application/json" -H "X-MCP-Key: $KEY" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-11-25"}}'

# 2. tools/list
curl -s -X POST "$URL" \
  -H "Content-Type: application/json" -H "X-MCP-Key: $KEY" \
  -H "MCP-Protocol-Version: 2025-11-25" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list"}'

# 3. tools/call (safe, read-only)
curl -s -X POST "$URL" \
  -H "Content-Type: application/json" -H "X-MCP-Key: $KEY" \
  -H "MCP-Protocol-Version: 2025-11-25" \
  -d '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"velocity_search_trends","arguments":{"query":"ai","limit":3}}}'

Errors

JSON-RPC error codes

Protocol-level problems return a JSON-RPC error; tool-domain failures return isError: true with a generic message.

JSON-RPC error codes returned by the MCP server

| Code | Meaning |
| --- | --- |
| -32700 | Parse error (invalid JSON) |
| -32600 | Invalid request (bad JSON-RPC / unsupported protocol version) |
| -32601 | Method not found |
| -32602 | Invalid params (unknown tool, invalid arguments) |
| -32603 | Internal error |
| -32000 | Rate limit exceeded |
| -32001 | Unauthorized |

FAQ

MCP server questions

  • What is the Velocity MCP server endpoint?

    The Model Context Protocol server is at https://velocity.andiamo.tech/api/agents/mcp. It uses the Streamable HTTP transport — a single endpoint that takes a POST per JSON-RPC request — and negotiates protocol version 2025-11-25 (falling back to 2025-06-18 or 2025-03-26).
  • How do I authenticate?

    With a vel_* API key. Send it as X-MCP-Key (Claude Code / OpenClaw native) or as Authorization: Bearer (Codex, OpenAI Responses API, ChatGPT Developer Mode). If both headers are sent and disagree, the request is rejected. Velocity stores only a SHA-256 hash of the key, never the plaintext, and every tool call is authorized as the issuing user.
  • Where do I get an X-MCP-Key?

    Sign in to Velocity, open the Agent Hub at /agents, go to the API Keys tab, label a key, and generate it. Copy the vel_* key immediately — it is shown only once. Treat it like a password; revoking a key from the API Keys tab takes effect immediately.
  • Which MCP clients are supported?

    Claude Code and OpenClaw connect natively with X-MCP-Key. Codex, the OpenAI Responses API, and ChatGPT Developer Mode connect with Authorization: Bearer. Because the server exposes the canonical search and fetch tools the OpenAI / ChatGPT ecosystem probes for, it also slots into Responses-API remote MCP and deep-research workflows.
  • Are the tools safe to expose to an autonomous agent?

    Yes — all 14 tools are read-only (readOnlyHint: true). Each ships a strict JSON Schema with additionalProperties:false and bounded inputs, validated on every call; unknown or out-of-range fields are rejected with a JSON-RPC -32602 error. search and fetch only ever return active, public trend fields and never echo user-supplied URLs.
  • What are the rate limits?

    tools/call is rate-limited per user by subscription tier. Exceeding the limit returns HTTP 429 with a Retry-After header (or a -32000 rate-limit error). GET and DELETE on the endpoint return HTTP 405 — there is no SSE stream or session termination on the MCP transport itself.
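
The key-handling rules stated on this page (hash-only storage, rejection when X-MCP-Key and Authorization: Bearer disagree, immediate revocation, -32001 for unauthorized calls), shown as an added example that is not Velocity's code. KEY_STORE, authenticate, fingerprint, the sample key and the user id are hypothetical, and a Map stands in for the database.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto');

// Added example, not Velocity's code. KEY_STORE stands in for a database table
// indexed by SHA-256 digest; the key and user id are constructed samples.
const digest = (key) => createHash('sha256').update(key, 'utf8').digest();
const KEY_STORE = new Map([
  [digest('vel_constructed_sample_key').toString('hex'), { userId: 'user_123', revoked: false }],
]);
const UNAUTHORIZED = Object.freeze({ ok: false, error: { code: -32001, message: 'Unauthorized' } });

// Safe to log: a short digest prefix identifies the key without revealing it.
const fingerprint = (key) => digest(key).toString('hex').slice(0, 12);

// headers: object with lower-cased names, as Node's http module delivers them.
function authenticate(headers) {
  const auth = headers['authorization'];
  const bearer = typeof auth === 'string' && /^Bearer /i.test(auth) ? auth.slice(7).trim() : undefined;
  const presented = [headers['x-mcp-key'], bearer].filter((v) => typeof v === 'string');
  if (presented.length === 0) return UNAUTHORIZED;

  // Both headers present: they must carry the same key. Comparing fixed-length
  // digests keeps timingSafeEqual from throwing on inputs of different length.
  const digests = presented.map(digest);
  if (digests.length === 2 && !timingSafeEqual(digests[0], digests[1])) return UNAUTHORIZED;
  if (!presented[0].startsWith('vel_')) return UNAUTHORIZED;

  // Lookup is by digest, so the plaintext never needs to be stored. Unsalted
  // SHA-256 suits long random API keys; it is not a password hash.
  const record = KEY_STORE.get(digests[0].toString('hex'));
  // Checking the revoked flag on every request makes revocation immediate.
  if (!record || record.revoked) return UNAUTHORIZED;
  return { ok: true, userId: record.userId, keyFingerprint: fingerprint(presented[0]) };
}
```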

Connect an agent to Velocity in minutes

Mint a vel_* key, add the Streamable HTTP server to your client, and run the smoke test above.