AI agents (MCP)
Connect other clients
Any client that speaks MCP over streamable HTTP can connect to Popcorn Editor. The endpoint
is your app origin plus /mcp/popcorn — your exact URL is shown in the app under Settings →
Your agent access, where you also mint the agent token these clients send as a bearer header.
The examples below use https://app.example.com/mcp/popcorn as a placeholder.
Cursor
Add the server to .cursor/mcp.json in your project (or ~/.cursor/mcp.json to make it
available globally):
{
"mcpServers": {
"popcorn": {
"url": "https://app.example.com/mcp/popcorn",
"headers": {
"Authorization": "Bearer <token>"
}
}
}
}
Replace <token> with an agent token from Settings → Your agent access. The token is
shown once when you create it, so paste it right away.
VS Code (Copilot agent mode)
Add the server to .vscode/mcp.json:
{
"servers": {
"popcorn": {
"type": "http",
"url": "https://app.example.com/mcp/popcorn",
"headers": {
"Authorization": "Bearer <token>"
}
}
}
}
Copilot's agent mode picks up the server and can call the Popcorn tools
(validate-design, create-design, list-templates, and the rest — see the
tools reference).
Any MCP client
A client can connect if it supports:
- Streamable HTTP transport to
https://app.example.com/mcp/popcorn, and - either OAuth 2.1 (the server supports dynamic client registration, so leave any
Client ID/Secret fields blank — you sign in and authorize in the browser) or custom
request headers, so it can send
Authorization: Bearer <token>with an agent token.
Connector-style UIs (Claude.ai, Claude Desktop, ChatGPT) typically use OAuth — see Connect Claude and Connect ChatGPT. CLIs and IDEs typically use agent tokens, like Gemini CLI and the examples above.
Stdio-only clients
If a client only supports stdio servers (no remote HTTP), bridge it with mcp-remote.
Configure the client to run:
npx mcp-remote https://app.example.com/mcp/popcorn --header "Authorization: Bearer <token>"
The bridge runs locally as a stdio server and forwards everything to Popcorn over HTTP.
Limits and revocation
Requests are rate-limited to 60 per minute per user, and every call is workspace-scoped and
permission-checked server-side. To target a team workspace instead of your personal one, send
an optional X-Workspace header with the workspace uuid.
For token scopes (Read & write vs Read only), expiry options, and how to revoke access, see Tokens & security.