ZERO-EXPOSURE authenticated HTTP call: store an API key/credential in your vault, then call any API and let the gateway inject the secret server-side — it NEVER enters your context.
ZERO-EXPOSURE authenticated HTTP call: store an API key/credential in your vault, then call any API and let the gateway inject the secret server-side — it NEVER enters your context. You send method/url/auth (and optional headers/body); the gateway decrypts, injects, calls through its SSRF-guarded fetch, and returns only the response. auth = {type, ref, name?}: type 'bearer' -> Authorization: Bearer; 'header' (+name) -> a named header; 'basic' -> Authorization: Basic of an entry's…
Metered access — free-key quota or x402 pay-per-call (USDC on Base). Details at /pricing.
| Parameter | Type | Required | Description |
|---|---|---|---|
handle | string | required | your registered handle |
method | string | required | HTTP method One of: GET, POST, PUT, PATCH, DELETE |
url | string | required | target URL (https recommended) |
auth | object | required | {type:'bearer'|'header'|'basic'|'query', ref:'entry[:field]', name?} |
headers | object | optional | optional NON-secret request headers (Authorization is forbidden here — use auth) |
body | object | optional | optional JSON body (POST/PUT/PATCH) |
curl -s https://wingmanprotocol.com/mcp \
-H 'Content-Type: application/json' \
-H 'Accept: application/json, text/event-stream' \
-d '{"jsonrpc": "2.0", "id": 1, "method": "tools/call", "params": {"name": "vault_call_api", "arguments": {"handle": "my-agent", "method": "GET", "url": "https://example.com", "auth": {}}}}'curl -s https://wingmanprotocol.com/tools/vault_call_api \
-H 'Content-Type: application/json' \
-d '{"handle": "my-agent", "method": "GET", "url": "https://example.com", "auth": {}}'Edit the JSON and run it — this POSTs to https://wingmanprotocol.com/tools/vault_call_api from your browser.
X-Payment header, or get a free key at /pricing (500 calls/month, no card, no crypto).