{"id":"agoda-com-api-agent","name":"api-agent","homepage":null,"repo_url":"https://github.com/agoda-com/api-agent","category":"devtools","subcategories":[],"tags":["mcp","api-integration","graphql","rest","duckdb","sql","agents","openapi","observability","python"],"what_it_does":"Provides a universal MCP server that exposes GraphQL and REST APIs as MCP tools. It introspects a target GraphQL endpoint or OpenAPI/Swagger spec, answers questions in natural language, fetches data, stores results in DuckDB, and performs SQL post-processing. It also supports “recipe learning” to cache reusable query pipelines as additional dynamic MCP tools.","use_cases":["Natural-language querying over unfamiliar GraphQL/REST APIs","Post-processing API data with SQL (ranking, filtering, joins, aggregations) even if the upstream API lacks those capabilities","Rapid creation of MCP tools over many APIs without writing custom glue code","Read-only API exploration and analytics; optionally controlled unsafe operations via allowlisting","Reusing successful query patterns via cached recipes"],"not_for":["Production workloads requiring strict data governance unless additional controls are added","APIs that require complex authentication flows not representable via static headers","Environments that cannot tolerate storing fetched data in DuckDB","Use cases requiring guaranteed pagination completeness from upstream APIs (unless explicitly handled)","Use cases needing strong, audited mutation semantics (mutations only “blocked unless explicitly allowed”)"],"best_when":"You want an agent/MCP client to explore and analyze external GraphQL/REST APIs quickly using a consistent tool interface, and you accept that results may involve SQL post-processing over fetched data.","avoid_when":"You need deterministic, contract-first correctness (e.g., strict schema-to-query validation) or you must minimize data retention/storage, or you cannot safely supply auth headers to a server that will call third-party endpoints.","alternatives":["Build a dedicated MCP server per API using the official MCP framework and known schemas","Use a GraphQL engine/query planner (e.g., schema-aware clients) for GraphQL-only cases","Use OpenAPI-to-code generators plus a custom agent workflow for REST APIs","Use an ETL + SQL layer (extract to warehouse/DuckDB) with a separate NL-to-SQL system"],"af_score":59.5,"security_score":53.5,"reliability_score":26.2,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T13:35:00.943417+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":"http://localhost:3000/mcp (example)","has_sdk":false,"sdk_languages":[],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["Environment variable for LLM provider: OPENAI_API_KEY (and optional OPENAI_BASE_URL)","Target API auth via MCP client headers: X-Target-Headers (static JSON headers such as Authorization: Bearer …)"],"oauth":false,"scopes":false,"notes":"The README describes passing downstream API authentication as static HTTP headers (X-Target-Headers). It also notes read-only-by-default behavior and an unsafe method allowlist controlled by X-Allow-Unsafe-Paths."},"pricing":{"model":"OpenAI model (default stated as gpt-5.2); cost dep","free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"No pricing for the server itself is stated in the provided content; it appears to rely on OpenAI API usage plus your infrastructure/runtime."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":59.5,"security_score":53.5,"reliability_score":26.2,"mcp_server_quality":85.0,"documentation_accuracy":78.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":70.0,"rate_limit_clarity":20.0,"tls_enforcement":70.0,"auth_strength":55.0,"scope_granularity":35.0,"dependency_hygiene":45.0,"secret_handling":60.0,"security_notes":"TLS enforcement is not explicitly stated; examples use localhost HTTP for the MCP server. Downstream API auth is passed via X-Target-Headers (static headers) which is flexible but can be risky if logged or mishandled by clients/servers. The tool set is read-only by default with an explicit unsafe-path allowlist for write operations, which is a good control, but scope granularity for authorization is not described. No security posture details (logging redaction, secret handling practices, SSRF protections, path/path-matching safety beyond glob patterns) are provided in the README content.","uptime_documented":0.0,"version_stability":40.0,"breaking_changes_history":30.0,"error_recovery":35.0,"idempotency_support":"false","idempotency_notes":null,"pagination_style":"unknown","retry_guidance_documented":false,"known_agent_gotchas":["Rate limits and pagination behavior of the upstream API are not described in the provided content; agent may fetch partial data unless the upstream API/data volume is handled explicitly.","Auth is provided via static headers; if tokens expire, long-running agents may fail without a refresh mechanism.","Results are stored in DuckDB; large responses may increase memory/disk usage and affect reliability.","Recipes depend on schema hash; schema changes can invalidate cached tools."]}}