Skip to main content

Overview

Slash provides an MCP server that lets AI agents interact with the Slash API. The server exposes tools to list endpoints, inspect schemas, and make API calls — all through the standard MCP protocol. When an RSA public key is provided, sensitive card data (PAN and CVV) is RSA-encrypted before it reaches the agent, ensuring raw card numbers are never exposed to the AI. If no key is provided, raw card data will be returned as plaintext.

Connection Parameters

ParameterRequiredDescription
apiKeyYesYour Slash API key (get one here). Pass as ?apiKey= query parameter or X-API-Key header.
rsaPublicKeyNoBase64-encoded RSA public key (no PEM markers). Pass as ?rsaPublicKey= query parameter or X-RSA-Public-Key header. When provided, card data (PAN/CVV) is RSA-encrypted before being returned. When omitted, raw card data is returned as plaintext.

Available Tools

ToolDescription
list_endpointsLists all Slash API endpoints with method, path, and description.
get_endpoint_schemaReturns the full schema for a specific endpoint, with all $ref references resolved.
call_api_endpointCalls a Slash API endpoint with the given method, path, query parameters, and body.

Setup by AI Platform

Add the following to your Claude Desktop configuration file:
  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "slash": {
      "url": "https://mcp.slash.com/mcp?apiKey=YOUR_API_KEY"
    }
  }
}
Restart Claude Desktop to apply the changes.

Card Data Encryption

To encrypt card data before it reaches the agent, generate an RSA key pair and pass the public key: 
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private.pem
openssl rsa -in private.pem -pubout -out public.pem
Extract the base64 key content (no PEM markers): 
grep -v '^\-\-\-\-\-' public.pem | tr -d '\n'
Then append the rsaPublicKey parameter to your connection URL: 
https://mcp.slash.com/mcp?apiKey=YOUR_API_KEY&rsaPublicKey=YOUR_BASE64_PUBLIC_KEY
The apiKey and rsaPublicKey can also be passed as X-API-Key and X-RSA-Public-Key headers. When you provide an rsaPublicKey and request card details with include_pan=true or include_cvv=true, the PAN and CVV are returned as RSA-encrypted, base64-encoded ciphertext. The agent never sees the raw card numbers. If no rsaPublicKey is provided, the PAN and CVV are returned as plaintext. The encryption uses RSA-OAEP with your public key.

Decrypting card data

Use your private key to decrypt the base64-encoded values: 
echo "ENCRYPTED_BASE64_VALUE" | base64 -d | \
  openssl pkeyutl -decrypt -inkey private.pem -pkeyopt rsa_padding_mode:oaep

Python

from base64 import b64decode
from Crypto.Cipher import PKCS1_OAEP
from Crypto.PublicKey import RSA

private_key = RSA.import_key(open("private.pem").read())
cipher = PKCS1_OAEP.new(private_key)

encrypted_pan = "ENCRYPTED_BASE64_VALUE"
pan = cipher.decrypt(b64decode(encrypted_pan)).decode("utf-8")

Node.js

import { privateDecrypt, constants } from 'crypto';
import { readFileSync } from 'fs';

const privateKey = readFileSync('private.pem', 'utf-8');
const encryptedPan = 'ENCRYPTED_BASE64_VALUE';

const pan = privateDecrypt(
  { key: privateKey, oaepHash: 'sha1', padding: constants.RSA_PKCS1_OAEP_PADDING },
  Buffer.from(encryptedPan, 'base64'),
).toString('utf-8');
Keep your private key secure. It should never be shared, committed to source control, or exposed to the AI agent.