Connect to Hue

Wire any MCP-capable LLM client to this Hue deployment in under a minute. Every URL below is tuned to this host — copy and paste.

What Hue is

Hue is the layer underneath your tabs. One space per client (plus a space for your agency itself), every service that client uses tied into a single live graph your team and your LLM can query over MCP. Nothing is copied; source services keep their data. The graph holds the relationships.

Point your LLM at this deployment, authenticate once, and every skill — Gmail, iCloud, Congress, Census, GA, GSC, Asana, DDC, threads, workflows, agents — becomes discoverable via registry.list and callable by name. See What is Hue for the week-in-the-life tour.

MCP server

Single JSON-RPC endpoint. Two meta-tools (discover + invoke) route every skill call.

MCP server URL

Point your MCP client here. Authorization header: Bearer <token>. First call the LLM should make after connecting: spaces.orient.

Claude Code one-liner

Paste into a terminal with Claude Code installed. Replaces ~/.claude.json's hue entry (or creates it).

MCP URL with access_token transport (RFC 6750 §2.3)

Use this shape when your MCP client cannot attach an Authorization header (Claude Code's type:url transport, for example). Same verifier; same permission grid.

Microsoft Copilot Studio

Paste-and-go path for Power Platform / Copilot Studio tenants. Swagger 2.0 custom-connector descriptor; Copilot Studio imports it as two tools (Discover + Invoke) that route to every skill behind one deterministic HTTP surface.

Copilot Studio connector URL

In Copilot Studio: Settings → Tools → + New tool → Custom connector → From URL. Paste this. Copilot Studio handles the OAuth2 authorize/token handshake automatically — same credentials as Claude.ai.

OAuth — automatic discovery

MCP clients that implement OAuth 2.0 Dynamic Client Registration (RFC 7591) need only this one URL. Every other endpoint is learned from the metadata document.

OAuth authorization server metadata

RFC 8414 metadata document. Returns issuer + authorization_endpoint + token_endpoint + registration_endpoint + supported scopes ('mcp').
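
A client-side check of the metadata document described above, as an added example (not Hue's own code): it applies the RFC 8414 §3.3 issuer match and confirms that each listed endpoint is HTTPS on the issuer's host and that the 'mcp' scope is advertised. The host hue.example, the endpoint paths and the same-host policy are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Fields the page says the metadata document returns (RFC 8414 field names).
ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "registration_endpoint")


def validate_metadata(expected_issuer, doc):
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    # RFC 8414 section 3.3: the returned issuer must be identical to the
    # issuer the client used to build the metadata URL (plain string compare).
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    want = urlsplit(expected_issuer)
    if want.scheme != "https" or want.query or want.fragment:
        problems.append("issuer must be https with no query or fragment")
    for field in ENDPOINT_FIELDS:
        value = doc.get(field)
        if not isinstance(value, str):
            problems.append(f"{field} missing")
            continue
        got = urlsplit(value)
        if got.scheme != "https":
            problems.append(f"{field} is not https")
        # Assumption (local policy, not an RFC rule): a single-host deployment
        # should not send the client to another host for any OAuth endpoint.
        if got.netloc.lower() != want.netloc.lower():
            problems.append(f"{field} is on a different host: {got.netloc}")
    scopes = doc.get("scopes_supported")
    if not isinstance(scopes, list) or "mcp" not in scopes:
        problems.append("scope 'mcp' not advertised")
    return problems


# Constructed sample documents; hue.example and the paths are placeholders.
ISSUER = "https://hue.example"
GOOD = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth/authorize",
    "token_endpoint": ISSUER + "/oauth/token",
    "registration_endpoint": ISSUER + "/oauth/register",
    "scopes_supported": ["mcp"],
}
# Same document with a trailing-slash issuer and an off-host, plain-HTTP token endpoint.
BAD = dict(GOOD, issuer=ISSUER + "/", token_endpoint="http://idp.other.example/token")

if __name__ == "__main__":
    print("good:", validate_metadata(ISSUER, GOOD))
    print("bad: ", validate_metadata(ISSUER, BAD))
```

Run the check before registering a client or starting the authorization flow, and refuse to proceed if the returned list is not empty.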

OAuth — manual endpoints

For clients that don't auto-discover. Authorization Code + PKCE flow; also accepts refresh_token grants.

Authorization endpoint

Consent page. Redirects to /login when the operator hasn't signed in yet; comes back on success.

Token endpoint

Exchange authorization_code for access_token + refresh_token. Also exchanges refresh_token for a fresh access_token.

Dynamic client registration endpoint

POST a client_name + redirect_uris array; returns a client_id. No client_secret — public OAuth clients only.

Revocation endpoint

POST token=<token> to invalidate an access or refresh token.

First call after you connect

The canonical session seed is spaces.orient({ workspaceId }). One call returns:

  • Caller identity — which user this LLM is acting as + access tier.
  • Every enabled service, whether it has a live credential, and the reference types it exposes.
  • Cortex pins (soft defaults) and scope locks (!important boundaries) per reference type.
  • Available agent personalities — load one via agents.get to graduate from a blank LLM into a researcher, auditor, or compliance reviewer.
  • A stylesheet string — paste-into-context rendering of the full orient view.

From there: discover → invoke → when a connection surfaces, threads.create with [label](ref://type/id) inline links to author the edge → graph.discover from any ref to walk three layers of what the team has connected.

Security posture

  • No self-serve signup. Humans are provisioned by a superadmin via admin.createUser.
  • Every skill call is audited with a hash-chained log. Per-space + per-skill access grid enforced in executeSkill.
  • Classification-tiered rate limits; idempotency is user-scoped (no cross-tenant collisions).
  • OAuth scopes: mcp (single scope; per-skill access is enforced server-side by the permission grid, not by scope strings).