One MCP Endpoint. Infinite Tools.
Dynamic MCP is a hosted Model Context Protocol server that lets your AI agents discover, run, and write their own tools — with an encrypted secret vault and persistent file storage built in. Connect Claude, n8n, or any MCP client in one line.
# Connect Claude in one line $ claude mcp add --transport http \ blle https://api.blle.co/mcp # Tools discovered: ✓ Search_Tools ✓ Run_tool ✓ Create_Tool ✓ Execute_Code ✓ Manage_Secrets # + every tool you've created
Every AI agent project rebuilds the same plumbing.
A code execution sandbox. A secret store. File persistence between runs. OAuth flows. A tool registry. Six MCP servers, one for each vendor. Three months in, half of it has drifted and nobody remembers which cron does what.
We built it once, so every agent gets it for free.
Everything Your Agents Need
A complete tool runtime, not a library you bolt on.
Agent-Authored Tools
Your agents write their own tools with Create_Tool. JS/TS, esm.sh imports, fetch. Live the second they're saved — no deploy, no restart.
Encrypted Secret Vault
AES-256-GCM at rest, PBKDF2 100k iterations. Tools see decrypted values as context.secrets.NAME — never ciphertext, never keys.
Persistent /workspace
Per-user S3-backed filesystem. await Deno.writeTextFile("/workspace/state.json", ...) and it's there next run. 10 MB writes, no setup.
Sandboxed Code Execution
Deno runtime — TypeScript native, web standards, no FFI, no shell, no write-everywhere. 60s default, 5 min hard cap, streaming logs.
Real-Time Streaming
Every console.log arrives over MCP as an SSE notification. No polling, no opaque "running…" state — agents see progress as it happens.
Standard MCP Protocol
Streamable HTTP transport plus OAuth 2.0 + PKCE. Works with Claude Desktop, Claude Code, Cursor, n8n, the AI SDK, your own clients.
Secrets CLI
Native Go binary injects mapped secrets as env vars via syscall.Exec. Values never touch disk or shell history. macOS, Linux x64, Linux ARM.
Per-User Isolation
Every tool, secret, and file is scoped to your account. Stateless server, horizontally scalable, no sticky sessions.
Progressive Discovery Docs
Hierarchical docs:// resources addressable by slug — support/policies/refunds. Agents pull only what they need, when they need it. Token-efficient by design.
How It Works
One HTTP endpoint. Eight built-in meta-tools. Every tool you write is just a row in a database — diffable, replayable, owned by you.
Connect any MCP client
Claude Desktop, Claude Code, n8n, your own agent — bearer token or OAuth, your choice.
Agents discover the toolbox
Eight meta-tools plus every custom tool you've written, instantly visible.
Run, write, or edit tools
Existing tools execute in the sandbox. New tools are inserted live — no deploy.
Secrets and files persist
Decrypted on demand, files survive across runs, restarts, and worker churn.
A Tool Is Just Code
No SDKs. No deploy pipeline. No infrastructure. Write it, save it, run it.
Your agent writes a tool
// Create_Tool — runs inside the sandbox const stripe = await fetch( "https://api.stripe.com/v1/charges", { headers: { Authorization: `Bearer ${context.secrets.STRIPE_KEY}` } } ); const data = await stripe.json(); await Deno.writeTextFile( "/workspace/last-charges.json", JSON.stringify(data) ); return { count: data.data.length };
Every agent can use it
// Any MCP client, including the agent // that just wrote it await mcp.callTool("Run_tool", { toolName: "fetch_recent_charges", params: { limit: 100 } }); // Streaming logs come back as // MCP notifications/message events // Result is JSON — exactly what you returned // Need to refresh an OAuth token? await context.saveSecret( "GMAIL_REFRESH_TOKEN", newToken ); // Encrypted, persisted, cache busted.
Progressive Discovery for Agents
Stuffing every doc, policy, and how-to into the system prompt is how context windows die in week two. Dynamic MCP exposes your knowledge as hierarchical resources — agents see the index, fetch the leaf they need, skip the rest.
Structure your knowledge like a filesystem
# Slug-addressable, hierarchical: docs://documents/support/policies/refunds docs://documents/support/policies/privacy docs://documents/support/playbooks/escalation docs://documents/support/playbooks/onboarding docs://documents/internal/brand/voice docs://documents/internal/brand/visual # Or by numeric ID for stable links: docs://documents/142 # Just like a skills folder, a guides # tree, or an internal wiki — but # discoverable through the MCP protocol.
Documents with api_exposed = 1 are visible to MCP. Everything else stays private. You decide what each agent can see.
Agents fetch only what they need
// 1. Agent lists available resources // (cheap — just titles + slugs) const index = await mcp.listResources(); // 2. User asks about a refund. // Agent picks the right leaf. const doc = await mcp.readResource( "docs://documents/support/policies/refunds" ); // 3. Only that one doc enters the // context window. Not the other 47.
The same pattern works for skills, runbooks, brand guides, API references, even meeting notes. Build a tree, not a megaprompt.
Smaller prompts, smarter agents
Pull a 2 KB policy on demand instead of dragging 200 KB of docs into every system prompt. Faster, cheaper, more accurate.
Organise like skills, guides, runbooks
Slug hierarchies match how humans already think — brand/voice, policies/refunds. Edit a doc, every agent sees the new version on the next request.
Token costs you can predict
Same with tools — agents Search_Tools by keyword, then Get_Tools only the ones they need. The whole runtime is built to keep context small.
A Vault, A Filesystem, A Sandbox
The three pieces of plumbing every agent project ends up needing — already built, already tested, already running our own crew in production.
- AES-256-GCM secret vault with project-scoped env var mappings
- OAuth refresh-friendly: tools can rotate their own secrets
- Per-user S3-backed
/workspacewith idiomaticDeno.*APIs - Path traversal blocked, control characters rejected, 10 MB write cap
- Deno sandbox: no FFI, no shell, no native modules, no surprises
- Streaming console output, configurable timeout up to 5 minutes
- Document resources for RAG-style context delivery
- Stateless — drop more workers, get more throughput
Architecture at a glance
# MCP Client
# ↓ JSON-RPC over Streamable HTTP
# Auth: Bearer token or OAuth 2 + PKCE
# ↓
# Per-request McpServer scoped to user
# ↓
# DenoExecutor — warm worker pool (1→5)
# ↓ stdin/stdout JSON
# Sandbox: --allow-net, --deny-write,
# --deny-run, --deny-ffi
# ↓ RPC back to host
# saveSecret() · fs.* · resources://
What You'll Build
Real patterns from agents running on this platform every day.
Email & comms tools
IMAP/SMTP, send-as, inbox search, draft generation. Stored creds, multiple actions, one tool every agent shares.
Database access
One mysql or postgres tool replaces a custom DB MCP server. Read/write, parameterised, behind your auth.
Asset & artifact storage
Save artifacts to S3, get a public URL back. The "agent finishes a thing → user gets a link" pattern in 20 lines.
Live web search
Wrap Gemini, Perplexity, or any search API in one tool — no separate MCP server to deploy.
Image & document analysis
Multimodal models behind a clean tool surface. One wrapper for the whole crew.
n8n & workflow drivers
List, run, monitor n8n workflows from any agent. Tool-of-tools — agents orchestrate automations.
Cache, deploy & infra hooks
Cloudflare purge, deploy webhooks, status checks — wrapped once, available to every agent.
Stateful agents
Save scraped data, dataset shards, or run logs to /workspace. Scheduled agents that remember.
Internal API gateways
Wrap your own services as tools. Your agents talk to your business — through your auth, your audit log.
This Is the Same Platform Our Crew Runs On
BleuLeaf's own AI crew — Aime (COO), Rex (Research), Sage (Sales), Atlas (Delivery) — operates on Dynamic MCP every day. Every @blle.co email goes through it. Our daily ops, agent audits, client workflows: all of it.
If we wouldn't trust it with our own business, we wouldn't sell it to yours.
Live in production
Simple, Transparent Pricing
Start free, scale when your agents do.
Hobby
For tinkering and side projects.
- 1 connected MCP client
- Up to 25 custom tools
- 1,000 tool runs / month
- 50 MB persistent
/workspace - Encrypted secret vault
- Community support
Pro
Most PopularFor builders shipping real agents.
- Unlimited MCP clients
- Unlimited custom tools
- 50,000 tool runs / month
- 10 GB persistent
/workspace - OAuth 2.0 + PKCE for Claude Desktop
- Secrets CLI for local dev
- Priority email support
Enterprise
For teams running agents in production.
- Everything in Pro
- Dedicated workspace (no shared tenancy)
- Unlimited tool runs
- Custom storage limits
- SSO & team permissions
- Custom tool development
- SLA & dedicated support
- Self-hosted option available
Pricing is indicative — final plans confirmed in your onboarding call. Annual billing available with 2 months free.
Frequently Asked Questions
--deny-write, --deny-run, --deny-ffi, --no-prompt. Network is allowed; reads are scoped to the worker script. Sync filesystem APIs throw. Native modules (anything with .node bindings) are blocked — use pure JS/WASM alternatives like @jsquash/* or pdf-lib. The sandbox-to-host RPC surface is a tight whitelist: saveSecret and fs.*, nothing else.
context.secrets.NAME.
/workspace is a per-user S3-backed filesystem you can read/write from any tool. Use it for caching scraped data between scheduled runs, staging attachments, persisting state for long-running crews, or a working scratchpad agents "think on paper" with. It's not a public CDN — for shareable links, use a separate file-share or presigned S3 URL.
Stop Rebuilding the Plumbing.
One MCP endpoint. Encrypted secrets. Persistent files. A sandbox your agents can actually trust. Book 30 minutes — we'll show you the same setup our own crew runs on every day.