Agent Keys & MCP Server

Connect an AI agent (Claude Desktop, Cursor, or your own) to theStacc to plan, generate, edit, and publish blogs. Learn how agent keys work, how they differ from the Public Blog API key, and the full tool catalog with its limits.

The theStacc MCP server lets an AI agent drive your blog workflow for you. Instead of clicking through the dashboard, you can ask an agent like Claude Desktop or Cursor to *"review my content plan, generate the next post, and show me the draft."* The agent does the work; you stay in control of what gets published.

This page explains what the MCP server is, how the agent key that connects it works, and every tool the agent can use (with its limits). It's written for the person setting this up, technical or not.

What the MCP server is#

MCP (Model Context Protocol) is an open standard that lets AI agents use external tools. The theStacc MCP server is a small program that gives your agent a set of tools for your blog project: see your plan, generate and edit drafts, swap in your own images, and publish posts you've approved.

A few things make it easy to use:

Nothing to install. Your agent client launches the server on demand with npx. You don't install anything globally.
Runs locally. It runs on your own machine as a Node.js process and talks to theStacc over a secure connection. It needs Node.js 18 or newer (npx ships with it).
Works with any MCP-capable client — Claude Desktop, Cursor, or your own agent runtime.

The server is published as @thestacc/mcp-server. It's configured with two environment variables:

THESTACC_AGENT_KEY (required) — your project agent key, starting with sk_agent_. This is how the server proves it's allowed to act on your project.
THESTACC_API_URL (optional) — the theStacc blog service address. You almost never need to set this; it defaults to https://api.thestacc.com/blog.

Connecting it to your agent#

In Claude Desktop, open Settings > Developer > Edit Config and add a thestacc server. In Cursor, add the same block to ~/.cursor/mcp.json (global) or .cursor/mcp.json (per-project). The shape is identical:

JSON

{
  "mcpServers": {
    "thestacc": {
      "command": "npx",
      "args": ["-y", "@thestacc/mcp-server"],
      "env": {
        "THESTACC_AGENT_KEY": "sk_agent_your-key-here"
      }
    }
  }
}

Restart the client and ask your agent: *"Use thestacc to review my content plan."* If the key is missing, wrong, or revoked, you'll get an authentication error.

When you generate a key in theStacc (see below), the app gives you this exact snippet, pre-filled with your key, ready to paste.

Agent keys#

An agent key is a secret that connects one agent to one project. Think of it like a password for your AI assistant — it lets the agent act on your project on your behalf, with editor-level permissions.

How to create one#

Agent keys are managed in the dashboard under Content SEO > Settings > Publishing > Agent access (currently labelled Beta). Only a project owner or admin can create or manage them.

Go to Settings > Publishing and find the Agent access section.
Optionally type a label (e.g. "My laptop" or "Cursor") so you can tell your keys apart later. Labels can be up to 120 characters.
Click Generate agent key.
A dialog shows the full key (it starts with sk_agent_) and a ready-to-paste config snippet. Copy it now.
Click I've saved it to close the dialog.

Important things to know#

Shown once. The full secret is displayed exactly one time, at creation. theStacc never stores the secret itself — only a one-way hash — so it can't show it to you again. If you lose it, revoke it and create a new one.
Project-scoped. A key works on the one project it was created for, and nothing else. If you have several projects, each needs its own key.
Prefix for identification. In the dashboard, each key is shown by its first 16 characters (the prefix) followed by dots, e.g. sk_agent_AbC123••••. That prefix is just for you to recognize the key in the list — the rest stays secret.
Revocable any time. Click Revoke next to a key. Any agent using it stops working immediately. Revoking can't be undone — create a new key if you need access again.
Usage tracking. The list shows each key's label and when it was last used, so you can spot keys you no longer need.
theStacc shows up to 100 keys per project in the Agent access list. In practice you'll only need one or two.

Agent key vs. the Public Blog API key#

theStacc has two different kinds of project keys. They are not interchangeable:

	Agent key (`sk_agent_...`)	Public Blog API key (`pk_live_...`)
Purpose	Let an AI agent plan, generate, edit, and publish	Read your published posts to show on a website
Access	Read and write (editor-level, approval-gated publish)	Read-only
Where it goes	In your private agent client config	Embedded in a website or static-site build
Created by	Project owner/admin, under Agent access	Project owner/admin, under API Access
Shown	Once, at creation	Retrievable in settings (it's meant to be embedded)

In short: the Public Blog API key is safe to put in a website because it can only read published content. The agent key is a powerful secret — it can change and publish your content — so it must stay private. Never swap one for the other.

For the read-only key and the public read API, see Public Blog API.

Tool catalog#

Once connected, your agent has 12 tools. You don't call these directly — you ask in plain language and the agent picks the right tool. Here's what each one does so you know what's possible.

See your project and plan#

get_project_context — Returns which project this key is scoped to (id, account, name). A good sanity check that the key is wired up correctly.
review_content_plan — Shows your current content plan: the list of planned and draft blogs (id, title, status, scheduled date) plus plan metadata. This is the natural place to start a session.

Create content#

generate_blog — Starts generating a blog that's already in your plan. It returns immediately with a generating status; the agent polls until it's done. You can pass optional extra steering of up to 2,000 characters.
generate_more — Adds new planned blogs to your project. The agent adds them in small batches (1 to 10 at a time); they land in an *awaiting date* state, and a human picks publish dates in the dashboard before they can be generated. (The underlying service won't accept more than 200 new blogs in a single request.)
draft_from_abstract — Originates a brand-new blog from your own pointers instead of the auto-plan. You give it a short brief — between 10 and 4,000 characters — and it starts generating. You can optionally pass a blog type (e.g. how_to).
generation_status — Polls progress for a blog that's generating: status, word count, and how many images are done.

Refine a draft#

get_blog — Fetches one draft in full: content, title, meta, and status.
edit_blog — Edits a draft's text or metadata (title, content, excerpt, meta title, meta description). Note: editing the content of an already-reviewed blog moves it back to a *pending review* state, so a human re-checks the change.
regenerate_section — Rewrites one section of a draft. Tone and length are 0–100 sliders (0 = more formal/shorter, 100 = more casual/longer). The section can be up to 100,000 characters of HTML, and you can add a custom prompt of up to 1,000 characters.
regenerate_image — Regenerates one image in a draft. Style is a 0–100 slider (0 = modern, 50 = abstract, 100 = realistic), with an optional custom prompt up to 1,000 characters.
upload_image — Drops *your own* image (e.g. a product screenshot) into a blog as real media instead of an AI image. It reads a local file and, by default, replaces the first image in the post. Other placements: append adds it at the end, and none only stores it and returns an image snippet to place yourself with edit_blog. Uploaded images can be up to 15 MB.

Publish#

publish_blog — Publishes a blog to your connected site. This only works on a blog you've approved (see below).

Publishing is human-gated#

This is the most important rule, and it's enforced by the server itself:

publish_blog only works on a blog that a human has set to *Approved* in the dashboard. The agent can draft, edit, and prepare a post, but it cannot approve its own work — only you can click Approve. This keeps a person in the loop before anything goes live.

If you ask the agent to publish a blog that isn't approved, the publish fails with a not_approved error (HTTP 409), telling you to approve it first.
If a post is held back by a compliance check, publishing comes back as unsuccessful and the agent surfaces the reason. The agent cannot override a compliance hold.

A natural workflow: ask the agent to *"review the plan, generate the next post, and show me the draft."* Edit with the agent until you're happy. Then you click Approve in the dashboard, and ask it to *"publish the approved post."*

To understand the stages a blog moves through — generated, pending review, approved, published — see the blog statuses in the Content SEO overview and the approval modes in Publishing.

Status & error codes#

When something goes wrong, the agent receives a clear code. The common ones:

401 — invalid or revoked key. The agent key is wrong, missing, or has been revoked. Check THESTACC_AGENT_KEY, or generate a new key.
403 — wrong project or not allowed. The key isn't authorized for the project or action you asked for.
404 — not found. The blog id doesn't exist (or isn't in this project).
409 — not approved. You tried to publish a blog that hasn't been approved by a human yet. Approve it in the dashboard first.
413 — too large. An upload exceeded a size limit (e.g. an image over 15 MB).
422 — validation error. An input was out of range or malformed (for example, an abstract shorter than 10 characters).
5xx — temporary server error. A transient hiccup on our side. These are safe to retry after a moment.

Security#

Agent keys are powerful, so handle them like passwords:

Stored safely. theStacc never keeps the plaintext key. Only a SHA-256 hash is stored, so even we can't read your key back to you — which is why it's shown only once.
Keep it private. Never embed an agent key in a website, a public repo, a shared document, or client-side code. It belongs in your private agent client config. If a key leaks, revoke it immediately and create a new one.
Scoped and revocable. A key only ever touches its one project, and you can shut it off instantly from Agent access.
Safe publishing targets. When the agent publishes to a connected site, theStacc's standard safeguards still apply — including protections that block publishing to internal or private network addresses (SSRF guards). The agent can't reach anything it shouldn't.

Public Blog API — the read-only key for displaying published posts on any site
Webhook Reference — the payload theStacc sends when a post is published
Content SEO overview — the blog status lifecycle from draft to published
Publishing — approval modes and connecting your site

Previous Webhook Reference

Next MCP Tools Reference