Skip to main content
The Tool Runtime for AI Agents

One MCP Endpoint. Infinite Tools.

Dynamic MCP is a hosted Model Context Protocol server that lets your AI agents discover, run, and write their own tools — with an encrypted secret vault and persistent file storage built in. Connect Claude, n8n, or any MCP client in one line.

See Pricing
Dynamic MCP Connected
# Connect Claude in one line
$ claude mcp add --transport http \
    blle https://api.blle.co/mcp

# Tools discovered:Search_ToolsRun_toolCreate_ToolExecute_CodeManage_Secrets
# + every tool you've created

Every AI agent project rebuilds the same plumbing.

A code execution sandbox. A secret store. File persistence between runs. OAuth flows. A tool registry. Six MCP servers, one for each vendor. Three months in, half of it has drifted and nobody remembers which cron does what.

We built it once, so every agent gets it for free.

Everything Your Agents Need

A complete tool runtime, not a library you bolt on.

Agent-Authored Tools

Your agents write their own tools with Create_Tool. JS/TS, esm.sh imports, fetch. Live the second they're saved — no deploy, no restart.

Encrypted Secret Vault

AES-256-GCM at rest, PBKDF2 100k iterations. Tools see decrypted values as context.secrets.NAME — never ciphertext, never keys.

Persistent /workspace

Per-user S3-backed filesystem. await Deno.writeTextFile("/workspace/state.json", ...) and it's there next run. 10 MB writes, no setup.

Sandboxed Code Execution

Deno runtime — TypeScript native, web standards, no FFI, no shell, no write-everywhere. 60s default, 5 min hard cap, streaming logs.

Real-Time Streaming

Every console.log arrives over MCP as an SSE notification. No polling, no opaque "running…" state — agents see progress as it happens.

Standard MCP Protocol

Streamable HTTP transport plus OAuth 2.0 + PKCE. Works with Claude Desktop, Claude Code, Cursor, n8n, the AI SDK, your own clients.

Secrets CLI

Native Go binary injects mapped secrets as env vars via syscall.Exec. Values never touch disk or shell history. macOS, Linux x64, Linux ARM.

Per-User Isolation

Every tool, secret, and file is scoped to your account. Stateless server, horizontally scalable, no sticky sessions.

Progressive Discovery Docs

Hierarchical docs:// resources addressable by slug — support/policies/refunds. Agents pull only what they need, when they need it. Token-efficient by design.

How It Works

One HTTP endpoint. Eight built-in meta-tools. Every tool you write is just a row in a database — diffable, replayable, owned by you.

Search_Tools Run_tool Create_Tool Update_Tool Delete_Tool Execute_Code Manage_Secrets Get_Tools
Connect any MCP client

Claude Desktop, Claude Code, n8n, your own agent — bearer token or OAuth, your choice.

Agents discover the toolbox

Eight meta-tools plus every custom tool you've written, instantly visible.

Run, write, or edit tools

Existing tools execute in the sandbox. New tools are inserted live — no deploy.

Secrets and files persist

Decrypted on demand, files survive across runs, restarts, and worker churn.

A Tool Is Just Code

No SDKs. No deploy pipeline. No infrastructure. Write it, save it, run it.

Your agent writes a tool
// Create_Tool — runs inside the sandbox
const stripe = await fetch(
  "https://api.stripe.com/v1/charges",
  {
    headers: {
      Authorization:
        `Bearer ${context.secrets.STRIPE_KEY}`
    }
  }
);

const data = await stripe.json();

await Deno.writeTextFile(
  "/workspace/last-charges.json",
  JSON.stringify(data)
);

return { count: data.data.length };
Every agent can use it
// Any MCP client, including the agent
// that just wrote it
await mcp.callTool("Run_tool", {
  toolName: "fetch_recent_charges",
  params: { limit: 100 }
});

// Streaming logs come back as
// MCP notifications/message events
// Result is JSON — exactly what you returned

// Need to refresh an OAuth token?
await context.saveSecret(
  "GMAIL_REFRESH_TOKEN",
  newToken
);
// Encrypted, persisted, cache busted.
Token-Efficient by Design

Progressive Discovery for Agents

Stuffing every doc, policy, and how-to into the system prompt is how context windows die in week two. Dynamic MCP exposes your knowledge as hierarchical resources — agents see the index, fetch the leaf they need, skip the rest.

Structure your knowledge like a filesystem
# Slug-addressable, hierarchical:
docs://documents/support/policies/refunds
docs://documents/support/policies/privacy
docs://documents/support/playbooks/escalation
docs://documents/support/playbooks/onboarding
docs://documents/internal/brand/voice
docs://documents/internal/brand/visual

# Or by numeric ID for stable links:
docs://documents/142

# Just like a skills folder, a guides
# tree, or an internal wiki — but
# discoverable through the MCP protocol.

Documents with api_exposed = 1 are visible to MCP. Everything else stays private. You decide what each agent can see.

Agents fetch only what they need
// 1. Agent lists available resources
//    (cheap — just titles + slugs)
const index = await mcp.listResources();

// 2. User asks about a refund.
//    Agent picks the right leaf.
const doc = await mcp.readResource(
  "docs://documents/support/policies/refunds"
);

// 3. Only that one doc enters the
//    context window. Not the other 47.

The same pattern works for skills, runbooks, brand guides, API references, even meeting notes. Build a tree, not a megaprompt.

Smaller prompts, smarter agents

Pull a 2 KB policy on demand instead of dragging 200 KB of docs into every system prompt. Faster, cheaper, more accurate.

Organise like skills, guides, runbooks

Slug hierarchies match how humans already think — brand/voice, policies/refunds. Edit a doc, every agent sees the new version on the next request.

Token costs you can predict

Same with tools — agents Search_Tools by keyword, then Get_Tools only the ones they need. The whole runtime is built to keep context small.

A Vault, A Filesystem, A Sandbox

The three pieces of plumbing every agent project ends up needing — already built, already tested, already running our own crew in production.

  • AES-256-GCM secret vault with project-scoped env var mappings
  • OAuth refresh-friendly: tools can rotate their own secrets
  • Per-user S3-backed /workspace with idiomatic Deno.* APIs
  • Path traversal blocked, control characters rejected, 10 MB write cap
  • Deno sandbox: no FFI, no shell, no native modules, no surprises
  • Streaming console output, configurable timeout up to 5 minutes
  • Document resources for RAG-style context delivery
  • Stateless — drop more workers, get more throughput
Architecture at a glance
# MCP Client
#   ↓ JSON-RPC over Streamable HTTP
# Auth: Bearer token or OAuth 2 + PKCE
#   ↓
# Per-request McpServer scoped to user
#   ↓
# DenoExecutor — warm worker pool (1→5)
#   ↓ stdin/stdout JSON
# Sandbox: --allow-net, --deny-write,
#          --deny-run, --deny-ffi
#   ↓ RPC back to host
# saveSecret() · fs.* · resources://

Per-user scoped
Stateless server
esm.sh imports
Auditable tool registry

What You'll Build

Real patterns from agents running on this platform every day.

Email & comms tools

IMAP/SMTP, send-as, inbox search, draft generation. Stored creds, multiple actions, one tool every agent shares.

Database access

One mysql or postgres tool replaces a custom DB MCP server. Read/write, parameterised, behind your auth.

Asset & artifact storage

Save artifacts to S3, get a public URL back. The "agent finishes a thing → user gets a link" pattern in 20 lines.

Live web search

Wrap Gemini, Perplexity, or any search API in one tool — no separate MCP server to deploy.

Image & document analysis

Multimodal models behind a clean tool surface. One wrapper for the whole crew.

n8n & workflow drivers

List, run, monitor n8n workflows from any agent. Tool-of-tools — agents orchestrate automations.

Cache, deploy & infra hooks

Cloudflare purge, deploy webhooks, status checks — wrapped once, available to every agent.

Stateful agents

Save scraped data, dataset shards, or run logs to /workspace. Scheduled agents that remember.

Internal API gateways

Wrap your own services as tools. Your agents talk to your business — through your auth, your audit log.

We Run On What We Sell

This Is the Same Platform Our Crew Runs On

BleuLeaf's own AI crew — Aime (COO), Rex (Research), Sage (Sales), Atlas (Delivery) — operates on Dynamic MCP every day. Every @blle.co email goes through it. Our daily ops, agent audits, client workflows: all of it.

If we wouldn't trust it with our own business, we wouldn't sell it to yours.

Live in production
BleuLeaf AI Crew
4 agents, daily ops
Slack assistants
Internal + client
Web chat widgets
Tool-calling agents
n8n workflows
Real client traffic
Daily auditors
Agent health checks
Runner agents
Claude Code, daily

Simple, Transparent Pricing

Start free, scale when your agents do.

Hobby

For tinkering and side projects.

$0 / month
  • 1 connected MCP client
  • Up to 25 custom tools
  • 1,000 tool runs / month
  • 50 MB persistent /workspace
  • Encrypted secret vault
  • Community support

Enterprise

For teams running agents in production.

Custom
  • Everything in Pro
  • Dedicated workspace (no shared tenancy)
  • Unlimited tool runs
  • Custom storage limits
  • SSO & team permissions
  • Custom tool development
  • SLA & dedicated support
  • Self-hosted option available

Pricing is indicative — final plans confirmed in your onboarding call. Annual billing available with 2 months free.

Frequently Asked Questions

Anything that speaks the standard Streamable HTTP MCP transport: Claude Desktop, Claude Code, Cursor, n8n, the Vercel AI SDK, custom clients. Auth via bearer token or OAuth 2.0 + PKCE — Claude Desktop's built-in flow works out of the box.

Most teams end up running six MCP servers (Slack, GitHub, Stripe, internal API, internal DB, custom) and a separate secret manager and a separate file store. Dynamic MCP is one endpoint that wraps all of them — agent-authored tools, encrypted secrets, persistent files, all in one auth surface. You can still run your own MCP servers alongside it.

Tools run in Deno with --deny-write, --deny-run, --deny-ffi, --no-prompt. Network is allowed; reads are scoped to the worker script. Sync filesystem APIs throw. Native modules (anything with .node bindings) are blocked — use pure JS/WASM alternatives like @jsquash/* or pdf-lib. The sandbox-to-host RPC surface is a tight whitelist: saveSecret and fs.*, nothing else.

AES-256-GCM with a 16-byte random IV per encrypt and a 16-byte auth tag verified on every decrypt. The key is derived from the platform's session secret via PBKDF2-SHA256 with 100,000 iterations. Tools never see ciphertext — values are decrypted host-side and injected into the sandbox as context.secrets.NAME.

/workspace is a per-user S3-backed filesystem you can read/write from any tool. Use it for caching scraped data between scheduled runs, staging attachments, persisting state for long-running crews, or a working scratchpad agents "think on paper" with. It's not a public CDN — for shareable links, use a separate file-share or presigned S3 URL.

Yes — self-hosting is available on the Enterprise tier. You get the same code, deployed to your infrastructure, with our team handling the install and ongoing updates. Talk to us about it on a call.

Yes. Most Enterprise engagements include some custom tool work — wrapping your internal APIs, your DB, your auth, your specific business logic. We've done it for our own crew and for client agents. Bring us the integration list and we'll quote it.

Stop Rebuilding the Plumbing.

One MCP endpoint. Encrypted secrets. Persistent files. A sandbox your agents can actually trust. Book 30 minutes — we'll show you the same setup our own crew runs on every day.

See Pricing