Deploy via OpenAPI Import
Thousands of APIs already publish an OpenAPI or Swagger specification — payment processors, CRMs, project management tools, cloud infrastructure, monitoring platforms, communication services. Every major SaaS product has one.
Vinkius Cloud turns any of them into a fully functional MCP server in under 30 seconds. Paste the spec URL, and the platform auto-discovers every endpoint, generates typed MCP tools with semantic annotations, configures authentication, and deploys to the global edge. No code to write, no SDK to install, no infrastructure to manage.
That means every API that already has a spec is one click away from being callable by AI models.
Why this changes everything
Before Vinkius Cloud, connecting an AI model to a REST API required writing a custom MCP server — defining tools by hand, mapping parameters, handling authentication, implementing error handling, and deploying infrastructure. For a 20-endpoint API, that could mean days of work.
With OpenAPI Import, the entire surface area of an existing API becomes available to AI in seconds. The spec already describes every endpoint, every parameter type, every response shape. Vinkius Cloud reads that machine-readable contract and transforms it into MCP tools automatically — complete with:
- Typed input schemas derived from your spec's parameter definitions
- Semantic annotations (read-only, destructive, idempotent) inferred from HTTP verbs
- Authentication injection configured once, applied to every upstream request
- DLP and FinOps governance active from the first tool call
The result: any API that publishes a spec is instantly AI-ready. No glue code. No custom server. No deployment pipeline.
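The conversion described above can be sketched roughly as follows. The shapes and naming scheme here are hypothetical, simplified for illustration, not Vinkius Cloud's actual data model:

```typescript
// Hypothetical sketch: mapping one OpenAPI operation to an MCP tool
// definition with a typed input schema. Simplified for illustration.

interface OpenApiOperation {
  method: string;                                   // HTTP verb, e.g. "GET"
  path: string;                                     // e.g. "/orders/{id}"
  summary?: string;
  parameters?: { name: string; required?: boolean; schema: { type: string } }[];
}

interface McpTool {
  name: string;
  description: string;
  inputSchema: { type: "object"; properties: Record<string, object>; required: string[] };
}

function toMcpTool(op: OpenApiOperation): McpTool {
  const properties: Record<string, object> = {};
  const required: string[] = [];
  for (const p of op.parameters ?? []) {
    properties[p.name] = { type: p.schema.type };   // typed schema from the spec
    if (p.required) required.push(p.name);
  }
  return {
    // "GET /orders/{id}" -> "get_orders_id"
    name: `${op.method.toLowerCase()}_${op.path.replace(/[/{}]+/g, "_")}`
      .replace(/_+$/, "")
      .replace(/_+/g, "_"),
    description: op.summary ?? `${op.method.toUpperCase()} ${op.path}`,
    inputSchema: { type: "object", properties, required },
  };
}
```

Applied to a spec's `GET /orders/{id}` operation, this would yield a tool named `get_orders_id` whose input schema requires a string `id` parameter.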
The deployment wizard is a split-screen experience. On the left, a contextual sidebar explains what's happening at each step. On the right, a minimal form collects only what's needed. Three steps — or two, if your API is public.
Step 1 — Connection
Paste your OpenAPI / Swagger spec URL. The platform fetches it live and detects:
- Endpoint count — displayed instantly as "24 endpoints ready for AI"
- Server name — auto-filled from info.title
- Base URL — auto-filled from servers[0].url, override if needed
- Auth type — detected from the security block and suggested in the next step
Supported formats
OpenAPI 2.0, 3.0, 3.1. JSON or YAML. External $ref references are resolved recursively.
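The recursive resolution of $ref pointers can be illustrated with a minimal sketch. This version handles only in-document "#/..." pointers; real resolvers (including the external-URL resolution mentioned above) also fetch remote documents and guard against cyclic references:

```typescript
// Illustrative sketch of recursive $ref resolution for in-document
// JSON pointers. Omits remote fetching and cycle detection for brevity.

type Json = null | boolean | number | string | Json[] | { [k: string]: Json };

function resolvePointer(root: Json, pointer: string): Json {
  // "#/components/schemas/Order" -> walk ["components", "schemas", "Order"]
  let node: Json = root;
  for (const part of pointer.replace(/^#\//, "").split("/")) {
    node = (node as { [k: string]: Json })[part];
  }
  return node;
}

function resolveRefs(node: Json, root: Json): Json {
  if (Array.isArray(node)) return node.map((n) => resolveRefs(n, root));
  if (node !== null && typeof node === "object") {
    const obj = node as { [k: string]: Json };
    const ref = obj["$ref"];
    if (typeof ref === "string" && ref.startsWith("#/")) {
      // Inline the target, then resolve any $refs it contains itself.
      return resolveRefs(resolvePointer(root, ref), root);
    }
    const out: { [k: string]: Json } = {};
    for (const [k, v] of Object.entries(obj)) out[k] = resolveRefs(v, root);
    return out;
  }
  return node;
}
```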
Step 2 — Security
If the spec declares a security block, the wizard detects and suggests the right authentication type. You choose:
| Auth type | What to provide |
|---|---|
| None — Public API | Nothing. Step is skipped entirely. |
| Bearer Token | Your API token or access key |
| Basic Auth | Username and password |
| Custom Header | Header name (e.g., X-API-Key) and value |
Credentials are AES-256 encrypted at rest, decrypted in-memory only when an AI model invokes a tool, and immediately discarded after the upstream call. They never appear in logs, dashboards, or API responses — not even to team admins.
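The credential lifecycle described above can be sketched with Node's built-in crypto module and AES-256-GCM. This is an illustration of the encrypt-at-rest, decrypt-in-memory, discard-after-use pattern, not the platform's actual key management:

```typescript
// Illustrative sketch of the credential lifecycle: encrypted at rest,
// decrypted in-memory only for the upstream call, then discarded.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

function encryptCredential(plaintext: string, key: Buffer) {
  const iv = randomBytes(12);                        // unique nonce per credential
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() }; // this is what is persisted
}

function withDecryptedCredential<T>(
  sealed: { iv: Buffer; ciphertext: Buffer; tag: Buffer },
  key: Buffer,
  use: (secret: string) => T,
): T {
  const decipher = createDecipheriv("aes-256-gcm", key, sealed.iv);
  decipher.setAuthTag(sealed.tag);
  const secret = Buffer.concat([decipher.update(sealed.ciphertext), decipher.final()]).toString("utf8");
  // Plaintext exists only inside this call, e.g. to build an auth header;
  // it is never logged or returned alongside the sealed record.
  return use(secret);
}
```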
Public APIs
If no security block is present in the spec and you leave auth as "None", this entire step is auto-skipped. The wizard jumps directly to Governance.
Step 3 — Governance
Both controls are enabled by default and toggle on/off with a single switch:
- Zero-Trust PII Redaction — Scans every API response for emails, SSNs, credit cards, and personal identifiers. Masks them in-memory before the data reaches any AI model. GDPR-compliant by default.
- Smart Array Truncation — When an API returns arrays with hundreds or thousands of items, the truncation engine shrinks them automatically. The AI gets the same intelligence with fewer tokens. Cost control without losing context.
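Conceptually, the two controls act as filters on every API response before it reaches the model. The regex patterns and default threshold in this sketch are illustrative only, not the platform's actual detection rules:

```typescript
// Rough sketch of the two governance controls as response filters.
// Patterns and the 50-item default are illustrative, not the real rules.

const EMAIL = /[\w.+-]+@[\w-]+\.[\w.]+/g;
const SSN = /\b\d{3}-\d{2}-\d{4}\b/g;

function redactPii(text: string): string {
  return text.replace(EMAIL, "[REDACTED_EMAIL]").replace(SSN, "[REDACTED_SSN]");
}

function applyGovernance(value: unknown, maxItems = 50): unknown {
  if (Array.isArray(value)) {
    // Smart Array Truncation: cap oversized arrays before the AI sees them.
    return value.slice(0, maxItems).map((v) => applyGovernance(v, maxItems));
  }
  if (value !== null && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value as Record<string, unknown>).map(([k, v]) => [k, applyGovernance(v, maxItems)]),
    );
  }
  // Zero-Trust PII Redaction: mask identifiers in every string field.
  return typeof value === "string" ? redactPii(value) : value;
}
```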
What happens when you deploy
Click Deploy to Edge. The wizard shows each phase in real time as it runs sequentially in the background:
- Parsing OpenAPI specs — The platform parses your spec, extracts every path/verb combination, and builds typed input schemas from parameter definitions.
- Sealing V8 Isolate Sandbox — Your server is sealed inside a V8 Isolate — no filesystem, no network escape, no process injection. The sandbox enforces strict memory and execution limits.
- Injecting Zero-Trust DLP — The PII redaction engine and array truncation rules are compiled into the request pipeline. Every tool call passes through governance controls before data reaches the AI.
- Distributing to Global Edge — The sealed bundle is distributed to edge nodes worldwide. Your MCP server is live and reachable from any AI client within seconds.
After deployment: you're live
When deployment completes, the wizard transitions to the success screen. You receive three outputs:
Connection tokens
Every deployed server is protected by connection tokens — HMAC-SHA256 authenticated credentials that AI clients use to establish SSE connections.
- Tokens are generated on deploy and shown exactly once. The plaintext is never stored on the server side — only the HMAC hash is persisted.
- You can generate additional tokens from the server's Connection Tokens page, each labeled by client (e.g., "Cursor — Production", "Claude — Staging").
- Every token can be revoked individually without affecting other connected clients.
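The token model above, where the plaintext is shown exactly once and only an HMAC-SHA256 digest is persisted, follows a standard pattern. A minimal sketch, with illustrative names and key handling:

```typescript
// Sketch of show-once tokens: plaintext returned to the user a single
// time, only the HMAC-SHA256 digest stored. Names are illustrative.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

const SERVER_SECRET = randomBytes(32); // per-deployment HMAC key (illustrative)

function hmac(token: string): Buffer {
  return createHmac("sha256", SERVER_SECRET).update(token).digest();
}

function issueToken(label: string) {
  const plaintext = randomBytes(24).toString("base64url"); // shown exactly once
  return { label, plaintext, storedHash: hmac(plaintext) }; // only storedHash persists
}

function verifyToken(presented: string, storedHash: Buffer): boolean {
  // Constant-time comparison of two 32-byte digests.
  return timingSafeEqual(hmac(presented), storedHash);
}
```

Because only the hash is stored, a database leak does not expose usable credentials, and revoking a token is simply deleting its hash.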
Kill switch: 40ms global revocation
When an AI model has access to your production APIs, the ability to cut that access instantly is a security requirement. Vinkius Cloud revokes any connection token globally in 40 milliseconds.
Why 40ms matters
An AI model with a compromised token can make dozens of tool calls per second — accessing production data, creating records, or triggering destructive actions. In enterprise environments, the window between compromise and revocation determines the blast radius. At 40ms, that window is effectively closed before the next tool call completes.
Post-deploy security architecture
Your deployed MCP server runs inside a multi-layered security perimeter.
What you get after deploy
Your OpenAPI spec is transformed into a fully functional MCP server. Every endpoint becomes a tool that AI models can discover, understand, and call. But the platform doesn't just convert — it solves three problems that every team deploying AI on top of APIs will face.
Problem 1 — Tool fatigue
When you expose a large API (50, 100, 200+ endpoints) to an AI model, every tool definition consumes tokens from the model's context window. Research shows that AI performance degrades significantly after just 10–15 tools — the model starts choosing wrong tools, hallucinating parameters, or entering retry loops.
How Vinkius Cloud solves this:
All imported tools are enabled by default, but you can toggle individual tools on or off from the server detail page — exposing only the endpoints the AI actually needs and keeping its context window lean.
Problem 2 — Context window overflow
When an API returns arrays with hundreds or thousands of items — a list of all customers, all orders, all products — the raw response can consume the AI's entire context window in a single tool call. The model loses the ability to process the data, and the conversation stalls.
How Vinkius Cloud solves this:
Smart Array Truncation shrinks oversized arrays automatically. A /customers endpoint that returns 2,000 records is truncated to 50 items. The AI gets the same intelligence in a fraction of the tokens. You control the threshold — globally or per server.
Problem 3 — Safe vs. destructive operations
AI models don't inherently know which API calls are safe and which aren't. A GET /orders is read-only; a DELETE /orders/{id} is destructive. Without annotations, the model treats both the same — which can lead to unintended data changes.
How Vinkius Cloud solves this:
Every generated tool receives MCP annotations inferred from the HTTP verb:
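A minimal sketch of that verb-to-annotation inference, using the hint names from the MCP tool annotation model (`readOnlyHint`, `destructiveHint`, `idempotentHint`). The exact mapping Vinkius Cloud applies may differ:

```typescript
// Illustrative verb-to-annotation inference. The mapping follows HTTP
// semantics: GET/HEAD are safe, PUT/DELETE are idempotent, DELETE destroys.

interface ToolAnnotations {
  readOnlyHint: boolean;
  destructiveHint: boolean;
  idempotentHint: boolean;
}

function annotationsForVerb(verb: string): ToolAnnotations {
  const v = verb.toUpperCase();
  return {
    readOnlyHint: v === "GET" || v === "HEAD",                     // no side effects
    destructiveHint: v === "DELETE",                               // removes data
    idempotentHint: ["GET", "HEAD", "PUT", "DELETE"].includes(v),  // safe to retry
  };
}
```

With these hints, an AI client can call GET /orders freely but treat DELETE /orders/{id} as an action requiring confirmation.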
What you can customize after deploy
Your server is live, but it's not locked. Everything generated automatically can be refined from the dashboard.
Real-world use cases
Next steps
Frequently Asked Questions
Which OpenAPI versions does Vinkius Cloud support?
Vinkius Cloud supports OpenAPI 2.0 (Swagger), OpenAPI 3.0, and OpenAPI 3.1 specifications in both JSON and YAML formats. You can paste a public URL to the spec or upload the file directly.
How does the platform convert OpenAPI endpoints into MCP tools?
The platform parses every path and operation in your spec, generates typed MCP tools with names, descriptions, and input schemas derived from your OpenAPI parameters and request bodies, and applies semantic annotations (read-only, idempotent, or destructive) based on the HTTP verb.
Can I control which endpoints become MCP tools?
Yes. After import, all tools are enabled by default, but you can toggle individual tools on or off from the server detail page. You can also edit their descriptions, rename them, or adjust input schemas — without modifying the original spec.
What authentication methods are supported for the upstream API?
Vinkius Cloud supports Bearer Token, Basic Auth, Custom Header, and None (public APIs). Credentials are AES-256 encrypted at rest and decrypted only in-memory at the moment the AI calls the tool.
Do I need to host the OpenAPI spec myself?
No. You can use any publicly accessible URL — GitHub raw file links, Swagger UI endpoints, API documentation pages that serve the spec. The platform fetches the spec once at import time.
What happens if I update my API specification later?
You can re-import the spec at any time from the server detail page. Vinkius Cloud will detect new, modified, and removed endpoints and update your MCP tools accordingly — no need to create a new server.
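The diff a re-import computes can be sketched as a comparison of "VERB path" keys between the old and new spec. Field names here are assumptions for illustration, not the platform's real model:

```typescript
// Illustrative re-import diff: compare operation keys between the
// previously imported spec and the new one.

interface Spec {
  paths: Record<string, Record<string, unknown>>;
}

function operationKeys(spec: Spec): Set<string> {
  const keys = new Set<string>();
  for (const [path, ops] of Object.entries(spec.paths)) {
    for (const verb of Object.keys(ops)) keys.add(`${verb.toUpperCase()} ${path}`);
  }
  return keys;
}

function diffSpecs(oldSpec: Spec, newSpec: Spec) {
  const before = operationKeys(oldSpec);
  const after = operationKeys(newSpec);
  return {
    added: [...after].filter((k) => !before.has(k)),    // new endpoints -> new tools
    removed: [...before].filter((k) => !after.has(k)),  // deleted endpoints -> retired tools
  };
}
```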