Docs/Developer

MCP server (for Claude, ChatGPT, Cursor)

Connect Claude Desktop, ChatGPT, Cursor, or any MCP-compatible agent directly to your Trcker brand. Ask questions and run operations in natural language.

What it is

Trcker ships a remote Model Context Protocol server at https://trcker.io/api/mcp. Any MCP-compatible AI client can connect to it, scope itself to your brand via an API key, and read your affiliate performance data or run operational tasks (create offers, pause partners, adjust payouts, approve conversions, set caps) — all in natural language.

No SDK. No separate login. Just paste a config snippet and go.

What agents can do

Read: - get_partner_stats — performance by partner - get_offer_stats — performance by offer with pending/approved/paid breakdowns - get_offer_config — full config of one offer AND the offer's inbound postback URL (the https://trcker.io/api/postback/<brand>/<offer>?... URL that the brand hands to their advertiser/store backend — Trcker generates it deterministically). Also returns destination, payout, caps, outbound postbackUrlTemplate, whether a postback secret is set (boolean — value stays dashboard-only), allowed postback IPs, geo + device targeting - get_conversions — recent conversions, filter by status - get_fraud_summary — scored/flagged counts + top-risk partners - get_fraud_settings — current brand fraud mode / threshold / BotD toggle - list_pending_conversions — queue of pending / pending_review conversions awaiting approval - list_coupons — coupon codes by partner / status (used count, max uses) - get_top_publishers — rank partners by revenue, conversions, EPC, CVR, or profit

Write (audit-logged): - create_offer — spin up a new offer with payout rules - update_offer — edit name, destination URL, payout amounts, or postback URL template (the URL Trcker fires at the advertiser on conversion; supports {CLICK_ID} / {CONVERSION_ID} / {AMOUNT} / {TXN_ID} / {EVENT_TYPE} placeholders; pass null to clear) - pause_offer — pause an offer brand-wide; click handler refuses new clicks - rotate_offer_postback_secret — generate a new HMAC secret and return it ONCE; invalidates the advertiser's current integration until they copy the new value into their postback URL - pause_partner — pause a partner brand-wide - approve_partner_application — accept a self-applied partner (status pending → active); sends welcome + tracking-setup emails when address is on file - adjust_payout — set per-partner payout overrides on an offer - set_event_payout — set per-event payout overrides on an offer (signup vs trial vs purchase under one offer) - set_fraud_settings — adjust brand fraud mode / threshold / BotD toggle - approve_conversion — manually approve a conversion (also clears its fraud signal) - reject_conversion — manually reject a conversion (optional reason in audit trail) - set_cap — adjust daily/weekly/monthly caps on an offer - create_coupon — issue a per-partner coupon code (overrides click attribution when postback includes couponCode) - mark_payout_paid — flip a payout to paid (with method, optional reference/notes); cascades the covered approved conversions to paid so partner statements match money out

Every write emits a WorkOS audit event tagged to a synthetic mcp:<brand> actor so your audit log cleanly separates agent-driven writes from dashboard writes. Your IP and user-agent are forwarded into the audit context.

Setup — Claude Desktop

Generate a brand API key at Settings > API Keys.
Open ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows).
Add:

``json { "mcpServers": { "trcker": { "transport": { "type": "streamable-http", "url": "https://trcker.io/api/mcp", "headers": { "Authorization": "Bearer trk_..." } } } } }``

Restart Claude Desktop. The Trcker tools appear in the tool picker automatically.

Connecting with OAuth

Agent clients that support remote MCP OAuth (the "Add MCP server by URL" flow) can connect to https://trcker.io/api/mcp without an API key. Point the client at the URL and it discovers the rest automatically:

It reads /.well-known/oauth-protected-resource, which names WorkOS AuthKit (https://auth.trcker.io) as the authorization server.
It runs the OAuth sign-in, you authorize the connection for your brand's organization, and the client receives an access token scoped to Trcker's MCP endpoint.
Every subsequent request carries that token; Trcker resolves your brand from it. No key to copy, paste, or rotate.

API keys still work and are the simpler option for scripts and headless agents. OAuth is the better fit for interactive desktop clients.

Example prompts

``Which partners have the highest fraud scores this month?``

``Show me top 5 publishers by revenue in the last 14 days.``

``Pause partner abc-123 and lower their payout on offer xyz to 15%.``

``Approve conversion conv_9f2a if its fraud score is under 20.``

Claude will call the right tool, pass the right arguments, and summarize the result in context.

Safety

Every write tool is scoped to your brand — a key for Brand A can't touch Brand B.
Caps are soft by default — pause_partner doesn't cancel pending conversions, it just stops new click-throughs.
Rate-limited — 120 requests per minute per API key. Agents that spam get 429'd, not data-exfiltrated.
Confirmation hints — write tools carry destructiveHint / idempotentHint annotations so MCP clients can surface a harder confirm dialog before invoking.

Protocol details

Streamable HTTP transport (no SSE, stateless).
Protocol versions: 2025-06-18, 2025-03-26, 2024-11-05.
JSON-RPC 2.0 at the wire — single or batched.

Agent discovery

Trcker advertises the MCP server on the standard .well-known paths so AI agents resolve it without guessing:

GET /.well-known/mcp/server-card.json — MCP Server Card (SEP-1649): server
info, transport endpoint, auth, and the live tool list.
GET /.well-known/mcp-manifest — original Trcker manifest (same data; kept
for back-compat).
GET /.well-known/api-catalog — RFC 9727 API catalog (application/linkset+json)
anchoring on the MCP endpoint, with links to the server card, these docs, and
the health endpoint.
The homepage also sends an RFC 8288 Link header pointing to the catalog and
server card.
GET /.well-known/oauth-protected-resource (RFC 9728) and
GET /.well-known/oauth-authorization-server (RFC 8414) advertise the OAuth
flow so agent clients can connect without a pre-shared API key.

Full protocol + tool reference: docs/mcp.md on GitHub.

Example — raw JSON-RPC

``bash curl -s https://trcker.io/api/mcp \ -H "Authorization: Bearer $TRCKER_API_KEY" \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"get_top_publishers","arguments":{"metric":"revenue","limit":5}}}'``

API — REST interface for integrations that don't speak MCP
Fraud detection — what get_fraud_summary actually surfaces
Integrations — connect to ad platforms + CRMs alongside MCP

← Previous

Postback Macros Reference

Payouts