# Policy Doctor MCP: Agent Guide

Use this guide to connect an MCP-compatible agent to this server.

## Endpoint

- MCP endpoint: `/mcp`

## Authentication

Send bearer token on every request:

```http
Authorization: Bearer <token>
```

## Required HTTP Headers

### On `POST /mcp`

- `Authorization: Bearer <token>`
- `Accept: application/json, text/event-stream`
- `Content-Type: application/json`
- `MCP-Protocol-Version: <negotiated-version>` on requests after initialize
- `Mcp-Session-Id: <session-id>` on requests after initialize

### On `GET /mcp`

- `Authorization: Bearer <token>`
- `Accept: text/event-stream`
- `MCP-Protocol-Version: <negotiated-version>` after initialize
- `Mcp-Session-Id: <session-id>` when reusing an existing session

### On `DELETE /mcp`

- `Authorization: Bearer <token>`
- `MCP-Protocol-Version: <negotiated-version>`
- `Mcp-Session-Id: <session-id>`

## Session Flow (required)

1. `POST /mcp` with MCP `initialize` payload.
2. Read `mcp-session-id` from response headers.
3. Send MCP `notifications/initialized` via `POST /mcp` with the same session id.
4. Start normal operation (for example `tools/list`, then tool calls) with the same session id.
5. Close with `DELETE /mcp` and the same session id.

This server also supports optional session bootstrap with `GET /mcp` (SSE), but the initialization lifecycle above is still required before normal operations.

If a session is missing or expired, create a new session and retry.

## Retry Guidance

- Retry with backoff on transient failures.
- Re-initialize and retry once if session context is no longer valid.
- Do not repeatedly retry authentication failures.

## Correlation

- You can send `x-request-id`; server echoes it back.

## Security

- Keep API credentials secret and never include them in logs.
- If credentials are exposed, rotate them immediately.