Skip to main content

Overview

Every generated MCP server includes multiple layers of resilience and security, protecting both the AI agent and the target API. All features are configurable via the .env file.

Retry with exponential backoff

Failed requests are automatically retried with increasing delays:
AttemptDelay
1stImmediate
2nd~2 seconds
3rd~4 seconds
Retries are triggered on transient errors: HTTP 429 (rate limited), 500, 502, 503, and 504.
.env
Set MAX_RETRIES=0 to disable retries.

Circuit breaker

Prevents cascading failures when the target API is down. Instead of repeatedly hitting a failing endpoint, the circuit breaker temporarily blocks requests and returns an error immediately. States:
  • Closed (normal) — Requests pass through. Failures are counted.
  • Open (blocking) — Requests are blocked immediately. Entered after consecutive failures exceed the threshold.
  • Half-open (testing) — After a timeout, a limited number of requests are allowed through to test recovery.
.env

Rate limiting

Prevents your server from overwhelming the target API. Uses a token bucket algorithm — requests consume tokens, tokens regenerate at a configured rate. When the bucket is empty, requests are delayed.
.env

Timeouts

Multi-layer timeout configuration prevents hanging requests:
.env

Connection pool

HTTP connections are reused for efficiency:
.env
Cookies are disabled across requests for safety in multi-tenant scenarios.

Input validation

All request parameters are validated using Pydantic models before any HTTP request is made:
  • Type checking — Correct types enforced (string, integer, boolean, etc.)
  • Required fields — Missing required parameters are rejected with clear error messages
  • Format validation — Dates, emails, UUIDs, IP addresses validated against 50+ formats (full OAS Format Registry coverage)
  • Strict mode — Unknown/extra fields are rejected

Response validation

Optionally validate API responses against the OpenAPI response schema:
.env
ModeBehavior
offNo response validation (fastest)
warnValidate and log warnings, but return data anyway (default)
strictBlock invalid responses — returns error if response doesn’t match schema

Response sanitization

Optionally redact sensitive fields from API responses before returning them to the AI agent:
.env
LevelFields redacted
LOWpassword, token, secret, private_key
MEDIUM+ access_token, credentials, authorization
HIGH+ session_id, cookie, api_key, ip_address