HTTP Server

Run a note server and access it from anywhere.

mor serve --port 7677

Or with authentication and MCP:

mor serve --port 7677 --token secret --mcp

| Option | Description | Default |
|---|---|---|
| -p, --port | Port to listen on | 7677 |
| -H, --host | Host to bind to | 127.0.0.1 |
| --token | Bearer token for authentication (also via MOR_TOKEN env var) | none |
| --mcp | Enable MCP protocol endpoint at /mcp | disabled |

Token precedence: --token flag > MOR_TOKEN env var > config file.

Options can also be set in ~/.config/mor/config.json:

{
  "serve": {
    "port": 7677,
    "host": "127.0.0.1",
    "token": "your-secret-token",
    "mcp": true
  }
}

See the API Reference for the full route list, request/response schemas, and authentication details.

List, search, and grep endpoints return paginated responses:

{
  "data": [...],
  "total": 42,
  "offset": 0,
  "limit": 20
}

When --token is set, all routes require authentication. Two methods work on every endpoint:

  • Bearer token, sent as Authorization: Bearer <passphrase> or ?token=<passphrase>
  • OAuth access token — obtained via the OAuth flow (see below)

Unauthenticated requests receive a 401 with a WWW-Authenticate header pointing to the OAuth discovery endpoint.

The server implements MCP-spec OAuth 2.0 so clients can connect with just a URL — no secret in the config. The flow:

  1. Client hits a protected endpoint, gets 401 with WWW-Authenticate
  2. Client discovers OAuth metadata at /.well-known/oauth-authorization-server
  3. Client registers via dynamic client registration at /oauth/register
  4. User authorizes in the browser (enters the server passphrase)
  5. Client exchanges the auth code for access and refresh tokens

MCP clients (Claude Code, Claude Desktop, claude.ai) handle this automatically. For the CLI, use mor login.

OAuth state (clients, tokens, auth codes) is persisted in a separate oauth.db SQLite database and survives server restarts.

| Endpoint | Description |
|---|---|
| GET /.well-known/oauth-authorization-server | OAuth AS metadata (RFC 8414) |
| GET /.well-known/oauth-protected-resource/mcp | Protected resource metadata (RFC 9728) |
| POST /oauth/register | Dynamic client registration |
| GET /oauth/authorize | Authorization (serves passphrase form) |
| POST /oauth/token | Token exchange (auth code + PKCE) |
| POST /oauth/revoke | Token revocation |

When --mcp is enabled, the server exposes a streamable HTTP MCP transport at /mcp. This allows claude.ai and other remote MCP clients to connect.

The MCP endpoint:

  • Uses session-based transport (each client gets a session ID)
  • Supports POST (requests), GET (SSE streams), and DELETE (session cleanup)
  • Bearer token — timing-safe comparison, required on all endpoints when configured
  • OAuth — PKCE (S256), atomic token consumption prevents replay, tokens stored in SQLite with TTL-based cleanup
  • DNS rebinding protection — when bound to loopback (127.0.0.1/localhost), rejects requests with non-loopback Host headers
  • MCP opt-in — the /mcp endpoint is disabled unless explicitly enabled with --mcp
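
The PKCE (S256) check and atomic single-use consumption listed above, sketched for the authorization-code exchange as an added Python example; it is not mor's own code. The table schema and the function names (s256, open_store, issue_code, redeem_code, purge_expired) are assumptions made for illustration.

```python
import base64, hashlib, hmac, re, secrets, sqlite3, time

VERIFIER_RE = re.compile(r"[A-Za-z0-9._~-]{43,128}")  # RFC 7636 section 4.1

def s256(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(verifier)) with '=' padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def open_store(path: str = ":memory:") -> sqlite3.Connection:
    # Hypothetical schema for this example; not the layout of mor's oauth.db.
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS auth_codes (
        code TEXT PRIMARY KEY, challenge TEXT NOT NULL,
        expires_at REAL NOT NULL, used INTEGER NOT NULL DEFAULT 0)""")
    return db

def issue_code(db, challenge: str, ttl: float = 60.0, now=None) -> str:
    """Store a fresh authorization code bound to the client's challenge."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)
    db.execute("INSERT INTO auth_codes (code, challenge, expires_at) VALUES (?, ?, ?)",
               (code, challenge, now + ttl))
    db.commit()
    return code

def redeem_code(db, code: str, verifier: str, now=None) -> bool:
    """Consume the code exactly once, then check the PKCE verifier."""
    now = time.time() if now is None else now
    # One UPDATE tests and marks the row, so of two concurrent redemptions
    # only one sees rowcount == 1. A check-then-write pair would race.
    cur = db.execute("UPDATE auth_codes SET used = 1 "
                     "WHERE code = ? AND used = 0 AND expires_at > ?", (code, now))
    db.commit()
    if cur.rowcount != 1:
        return False  # unknown, expired, or already redeemed (replay)
    if not VERIFIER_RE.fullmatch(verifier):
        return False  # malformed verifier; the code stays consumed
    (challenge,) = db.execute("SELECT challenge FROM auth_codes WHERE code = ?",
                              (code,)).fetchone()
    return hmac.compare_digest(s256(verifier).encode(), challenge.encode())

def purge_expired(db, now=None) -> int:
    """TTL cleanup: delete expired codes and return how many were removed."""
    now = time.time() if now is None else now
    cur = db.execute("DELETE FROM auth_codes WHERE expires_at <= ?", (now,))
    db.commit()
    return cur.rowcount
```

The code is marked used before the verifier is checked, so a failed PKCE attempt also burns the code and it cannot be retried.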