Quickstart
Get Devici MCP running in your AI client in under ten minutes. You'll issue client credentials in Devici, paste them into your AI client config, and run your first tool call.
Before you start
You'll need:
- A Devici account, signed in to your workspace.
- An MCP-compatible AI client. The smoothest experience today is Cursor or Claude Desktop. Others are covered in Client setup.
- About ten minutes.
You don't need a local install or any developer environment.
Step 1 · Create an API token in Devici
In your Devici workspace, create an API token — it gives you a clientId and secret pair. The token's scopes are exactly what you grant it at creation, so pick the minimum the agent will need.
Copy both values now. The secret won't be shown again — Devici doesn't store it.
See Authentication for the detailed flow, the role-conditional UI path, rotation, and revocation.
Treat the secret like any API credential
Store it in a secret manager. Never paste it into chat, email, or source control. Rotate on a defined cadence.
Step 2 · Add Devici MCP to your AI client
Drop one of the two blocks below into your client's MCP server config — pick whichever auth form your client supports.
Option 1 — X-Devici-* custom headers (paste-friendly):
{
  "mcpServers": {
    "devici-mcp": {
      "url": "https://mcp.devici.com/mcp",
      "headers": {
        "X-Devici-Client-Id": "your client id",
        "X-Devici-Client-Secret": "your client secret"
      }
    }
  }
}
Option 2 — HTTP Basic auth (for clients that only accept Authorization):
{
  "mcpServers": {
    "devici-mcp": {
      "url": "https://mcp.devici.com/mcp",
      "headers": {
        "Authorization": "Basic <base64(clientId:secret)>"
      }
    }
  }
}
For the base64 encoding command, see Authentication → Encoding the Basic auth header.
Any AI client that speaks remote MCP over Streamable HTTP works. Some clients use a JSON config file; others have a UI form for the same fields. Either way, the URL and the credentials are all you need.
For per-client placement (where each client expects this block, file paths, settings UI), see Client setup.
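One way to produce either config block without typing the secret into a file by hand. This is an added example, not Devici's own tooling: it reads the credentials from environment variables, builds the Option 1 or Option 2 headers, and writes the file with owner-only permissions. The variable names `DEVICI_CLIENT_ID` and `DEVICI_CLIENT_SECRET` and the output path `devici-mcp.json` are assumptions.

```python
import base64
import json
import os

MCP_URL = "https://mcp.devici.com/mcp"  # server URL given on this page


def basic_header(client_id: str, secret: str) -> str:
    """Build the Option 2 value: 'Basic ' + base64(clientId:secret)."""
    # Basic auth splits on the first colon, so a colon in the id is ambiguous.
    if ":" in client_id:
        raise ValueError("client id must not contain ':'")
    pair = f"{client_id}:{secret}".encode("utf-8")
    # base64 is an encoding, not encryption: the header is as sensitive as the secret.
    return "Basic " + base64.b64encode(pair).decode("ascii")


def build_config(client_id: str, secret: str, use_basic: bool = False) -> dict:
    """Return the mcpServers block for Option 1 (default) or Option 2."""
    if not client_id or not secret:
        raise ValueError("client id and secret are both required")
    if use_basic:
        headers = {"Authorization": basic_header(client_id, secret)}
    else:
        headers = {
            "X-Devici-Client-Id": client_id,
            "X-Devici-Client-Secret": secret,
        }
    return {"mcpServers": {"devici-mcp": {"url": MCP_URL, "headers": headers}}}


def write_private(path: str, config: dict) -> None:
    """Write the config readable by the owner only (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.chmod(path, 0o600)  # tighten a pre-existing file before writing to it
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)


if __name__ == "__main__":
    # Assumed variable names; populate them from your secret manager.
    cfg = build_config(
        os.environ["DEVICI_CLIENT_ID"],
        os.environ["DEVICI_CLIENT_SECRET"],
        use_basic=True,
    )
    write_private("devici-mcp.json", cfg)  # assumed output path
```

Keep the generated file out of source control, since it contains the secret in recoverable form under either option.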
Step 3 · Verify the connection
Reload your AI client so it picks up the new server. Open a new chat and ask:
"List my Devici collections."
The agent will call the collection_search tool. If you see your real Devici collections come back, you're connected.
If you see an error instead, check Troubleshooting for the common ones.
Step 4 · Try your first real workflow
Now ask the agent to build a threat model from a description:
"Build a threat model in Devici for a small e-commerce site with a customer browser, a React frontend, a Node API, a Postgres database, and Stripe. Put it in the Online Store collection. Leverage the STRIDE threat framework and assign content from the codex."
In a couple of minutes the agent will create the collection if needed, build a complete diagram, identify threats using STRIDE, attach threats and mitigations from the codex, and return a link you can open in Devici.
For more end-to-end flows including the design-doc-to-threat-model playbook, see Playbooks.
What's next
| If you want to… | Go to |
|---|---|
| Use a different AI client | Client setup |
| Understand how credentials are issued, rotated, and revoked | Authentication |
| See every tool the MCP exposes | Tool reference |
| Run a real workflow | Playbooks |
| Diagnose an error | Troubleshooting |