Skip to main content

Overview

Slash provides an MCP server that lets AI agents interact with the Slash API. The server exposes tools to list endpoints, inspect schemas, and make API calls — all through the standard MCP protocol. Sensitive card data (PAN and CVV) is always RSA-encrypted before it reaches the agent, ensuring raw card numbers are never exposed to the AI.

Connection Parameters

ParameterRequiredDescription
apiKeyYesYour Slash API key. Pass as ?apiKey= query parameter or X-API-Key header.
rsaPublicKeyYesBase64-encoded RSA public key (no PEM markers). Pass as ?rsaPublicKey= query parameter or X-RSA-Public-Key header. Used to encrypt card data.

Setup

1. Generate an RSA key pair

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private.pem
openssl rsa -in private.pem -pubout -out public.pem
Extract the base64 key content (no PEM markers): 
grep -v '^\-\-\-\-\-' public.pem | tr -d '\n'

2. Connect

Point any MCP client at: 
https://mcp.slash.com/mcp?apiKey=YOUR_API_KEY&rsaPublicKey=YOUR_BASE64_PUBLIC_KEY
The apiKey and rsaPublicKey can also be passed as X-API-Key and X-RSA-Public-Key headers.

Available Tools

ToolDescription
list_endpointsLists all Slash API endpoints with method, path, and description.
get_endpoint_schemaReturns the full schema for a specific endpoint, with all $ref references resolved.
call_api_endpointCalls a Slash API endpoint with the given method, path, query parameters, and body.

Card Data Encryption

When you request card details with include_pan=true or include_cvv=true, the PAN and CVV are returned as RSA-encrypted, base64-encoded ciphertext. The agent never sees the raw card numbers. The encryption uses RSA-OAEP with your public key.

Decrypting card data

Use your private key to decrypt the base64-encoded values: 
echo "ENCRYPTED_BASE64_VALUE" | base64 -d | \
  openssl pkeyutl -decrypt -inkey private.pem -pkeyopt rsa_padding_mode:oaep

Python

from base64 import b64decode
from Crypto.Cipher import PKCS1_OAEP
from Crypto.PublicKey import RSA

private_key = RSA.import_key(open("private.pem").read())
cipher = PKCS1_OAEP.new(private_key)

encrypted_pan = "ENCRYPTED_BASE64_VALUE"
pan = cipher.decrypt(b64decode(encrypted_pan)).decode("utf-8")

Node.js

import { privateDecrypt, constants } from 'crypto';
import { readFileSync } from 'fs';

const privateKey = readFileSync('private.pem', 'utf-8');
const encryptedPan = 'ENCRYPTED_BASE64_VALUE';

const pan = privateDecrypt(
  { key: privateKey, oaepHash: 'sha1', padding: constants.RSA_PKCS1_OAEP_PADDING },
  Buffer.from(encryptedPan, 'base64'),
).toString('utf-8');
Keep your private key secure. It should never be shared, committed to source control, or exposed to the AI agent.