Connections, MCP & Platform API
Connect Linear and Slack, issue Critique API keys, call MCP or REST v1 — and use the Merge Gate API for agent orchestration.
Critique’s Platform API (/api/v1/* + POST /api/mcp) lets external tools queue reviews, read structured verdicts, subscribe to lifecycle webhooks, and integrate IDE agents — without scraping the dashboard or GitHub comment threads.
Deep reference for agent integrators: Merge Gate API — queue → webhook/poll → findings[], MCP, Checkpoint pre-filter, writer/judge separation.
Product page with cookbooks: /merge-gate-api.
This page covers Connections (Linear, Slack, crt_ keys), MCP, and the full REST v1 catalog. Operators need CRITIQUE_SECRETS_ENCRYPTION_KEY before users can save keys.
Platform API surfaces (pick one)
| Surface | You want to… | Start here |
|---|---|---|
| Merge Gate API | Gate agent PRs — PASS/FAIL + structured findings | POST /api/v1/reviews, webhooks, MCP queue_review |
| Coding Agent API | Run OpenCode in E2B — patch / draft PR out | POST /api/v1/coding-agent/runs |
| Critique Intake | Capture user bug reports and generate agent-ready packets | /intake/widget.js, POST /api/intake/report |
| Inference API | Raw chat completions on Critique credits | POST /api/v1/chat/completions |
| This page | Linear/Slack, scopes, MCP tool list, passport export | Connections + REST catalog |
All three HTTP surfaces share the same crt_ key family. One key can call merge gate, coding agent, and inference if scopes allow.
flowchart LR
subgraph writers [Writer agents]
Cursor[Cursor / Devin / Codex]
end
subgraph critique [Critique Platform API]
Gate[Merge gate REST + MCP]
Builder[Coding Agent API]
end
GH[GitHub PR] --> Gate
Cursor --> GH
Gate -->|findings[]| Fix[Fix agent or Remedy]
Builder -->|optional draft PR| GHZapier vs MCP vs native (read this first)
| Path | What it is | What it is not |
|---|---|---|
| Zapier | Automate Slack, Jira, Sentry, Vercel, and 8,000+ apps with Zaps | Not MCP; not stored per-app keys in Critique |
MCP + crt_ keys | IDE agents (Cursor, Claude) and CI call Critique | Not Zapier; not for wiring Jira to Slack |
| Native Linear / Slack | Deep Critique Chat (issue search, Slack post) | Optional if Zapier already covers your stack |
| BYOK / BYOA | Model and fix-agent keys in Settings | Separate from Connections |
Zapier (recommended)
For Slack, Jira, Sentry, Vercel, and most of your stack, use Zapier instead of pasting keys for each app in Critique. Combine Webhooks by Zapier with Critique crt_ API keys and MCP when agents need passport data.
Optional native Linear and Slack keys below are only for deep Critique Chat features (issue search, confirmed Slack posts).
Three ways to “connect” Critique
| Kind | Where you configure | What it pays for / unlocks |
|---|---|---|
| BYOK (models) | Settings → LLM Gateway, OpenRouter, or CrofAI | Critique Chat and review models bill your LLM Gateway, OpenRouter, or Crof account. See BYOK. |
| BYOA (fix agents) | Settings → Cursor, Anthropic, OpenAI | Queue Cloud Agents, Claude Managed Agents, or Codex from review runs. See BYOA. |
| App connections | Settings → Connections | Third-party product APIs (Linear and Slack today; native Sentry, Jira, and broader cards remain roadmap). Powers chat tools and dashboard context — not model inference. |
Critique API keys (crt_…) | Connections page → Critique API keys | Programmatic access for your user: MCP server and REST v1. Acts as you, scoped to repos your GitHub App installation controls. |
BYOK and BYOA stay on Settings. Linear and future integrations live under Connections so agents and chat can reuse the same encrypted credential store.
flowchart TB
subgraph settings [Settings]
BYOK[OpenRouter / Crof BYOK]
BYOA[Cursor / Anthropic / OpenAI BYOA]
end
subgraph connections [Connections]
Apps[Linear Slack Sentry …]
CRT[crt_ API keys]
end
Chat[Critique Chat] --> BYOK
Review[PR review] --> BYOK
Fix[Queue fix agents] --> BYOA
Chat --> Apps
Agent[External agent MCP client] --> CRT
CRT --> MCP["POST /api/mcp"]
CRT --> REST["GET /api/v1/…"]App connections (Linear and catalog)
Open Settings → Connections.
Linear (available now)
- Create a Personal API key in Linear → Settings → API.
- In Critique, open Linear → paste the key → Save.
- Use Test connection to confirm Critique can reach Linear.
- Toggle Enable for Chat (and other surfaces when they ship) so agents may call Linear-backed tools.
When Linear is connected and enabled for chat, Critique Chat can call searchIssuesAndRoadmap — search issues, see assignee context, and relate PR work to your roadmap without leaving the thread. See Chat tools.
Legacy Settings → Linear API key redirects to the same Linear card on the Connections page.
Slack (available now)
Connect with either:
- Bot token (
xoxb-…) from Slack API apps — needschat:write(and channel access). Optional default channel (for example#eng-reviews). - Incoming webhook URL (
https://hooks.slack.com/services/…) — fastest setup; posts to one channel only.
Use Test connection after save. When Slack is connected and Chat is enabled, Critique Chat can postToSlack — a confirmation card appears before anything is posted.
Other apps
Sentry, Jira, and Vercel are not configured as separate native Connections cards today. Use Zapier or Control Board incident webhooks (Change control) for now.
Current beta priorities:
- P0: agent orchestration docs and cookbook coverage for merge gate + Checkpoint webhooks
- P1: skills marketplace API-key scopes such as
read:skillsandinstall:skills - P2: ship native Sentry and Jira OAuth cards instead of leaving them webhook-only
See the connections roadmap.
Operator requirement
If the UI says secrets storage is not configured, your deployment is missing CRITIQUE_SECRETS_ENCRYPTION_KEY. Generate a 32-byte base64 key (see Environment variables) and redeploy. The same key encrypts BYOK/BYOA keys, repository secrets, connection credentials, and API key hashes.
Critique API keys
API keys authenticate as your Critique user to automation endpoints. They are not OpenRouter keys and not Linear keys.
- Go to Settings → Connections → Critique API keys.
- Name the key (for example
Cursor MCPorCI bot) → Create. - Copy the full key once — it starts with
crt_and is only shown at creation. - Store it in your agent or secret manager; Critique stores only a hash and a short prefix.
Default scopes on new keys:
| Scope | Allows |
|---|---|
read:passports | GET /api/v1/passports, GET /api/v1/passports/:passportId/export |
read:reviews | GET /api/v1/review-runs/:id, insights read routes, suppressions list |
write:reviews | POST /api/v1/reviews, MCP queue_review / queue_remedy, checkpoint policy, suppressions write, merge-policy compile |
read:insights | GET /api/insights/* read routes |
write:insights | POST /api/insights/reports, POST /api/insights/compliance-export, POST /api/insights/fleet |
read:builder | GET /api/v1/coding-agent/runs, GET /api/v1/coding-agent/runs/:id |
write:builder | POST /api/v1/coding-agent/runs, POST /api/v1/coding-agent/runs/:id/messages |
read:inference | GET /api/v1/models |
write:inference | POST /api/v1/chat/completions |
manage:webhooks | GET/POST /api/v1/webhook-endpoints, GET/DELETE /api/v1/webhook-endpoints/:id |
Older keys created before the Coding Agent API or Inference API shipped may lack read:builder / write:builder or inference scopes — rotate the key in Connections if automation returns 403.
Inference API keys, limits, and usage: Inference API. Mini panel and caps live on this Connections page; full charts at /inference-dashboard.
Marketplace-oriented scopes such as read:skills and install:skills are planned but not live yet.
Browser session cookies do not satisfy scoped v1 checks. Use a crt_ key with the required scope for REST v1 and MCP.
OpenAPI: GET /api/v1/openapi (YAML). Machine-readable contract for passports, reviews, insights, repository policy, Coding Agent, and inference routes.
MCP server (beta, v0.1.0)
Critique exposes an MCP-compatible JSON-RPC endpoint for external clients (Cursor, Claude Desktop, custom agents).
| Item | Value |
|---|---|
| URL | https://critique.sh/api/mcp (or your NEXT_PUBLIC_APP_URL + /api/mcp) |
| Method | POST |
| Auth | Authorization: Bearer crt_… |
| Protocol | MCP 2024-11-05 subset (initialize, tools/list, tools/call, ping) |
This is a beta distribution surface. Tools enforce the same crt_ scopes as REST v1.
Tools
| Tool | Scope | Description |
|---|---|---|
list_passports | read:passports | Up to 20 change passports visible to your account |
get_passport | read:passports | One passport by id |
get_review_run | read:reviews | Review run snapshot — all findings (not capped at 5) |
list_review_runs | read:reviews | Recent review runs (installation-scoped) |
queue_review | write:reviews | Queue a PR review (repositoryFullName, pullRequestNumber, headSha) |
queue_remedy | write:reviews | Queue Remedy for an existing review run |
get_remedy_status | read:reviews | Poll Remedy status and progress events |
get_workspace_status | read:reviews | Workspace snapshot and recommended next step |
search_finding_memory | read:reviews | Search durable finding memory |
compile_merge_policy_draft | write:reviews | Compile merge policy from natural language |
Example tools/call body (JSON-RPC):
{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "list_passports",
"arguments": { "limit": 10 }
}
}Configure your MCP client with the Critique URL and a crt_ key. MCP does not replace GitHub App install — the repository must already be on an installation you control.
REST API v1
HTTP JSON for the same account. Use a crt_ key with the required scope; authenticated browser sessions do not satisfy scoped v1 checks.
OpenAPI: GET /api/v1/openapi — YAML contract for automation teams.
Merge gate deep dive
For POST /api/v1/reviews, GET /api/v1/review-runs/:id?findings=all, webhook payload shapes, MCP agent loops, and Checkpoint integration, read the dedicated Merge Gate API doc. The sections below are the catalog summary.
Passports & reviews
| Endpoint | Scope | Description |
|---|---|---|
GET /api/v1/passports?limit=20 | read:passports | Change passport queue (max 100) |
GET /api/v1/passports/:passportId/export | read:passports | Signed, redacted compliance bundle JSON for one passport |
POST /api/v1/reviews | write:reviews | Queue a PR review (repositoryFullName, pullRequestNumber, headSha, optional webhook) |
GET /api/v1/review-runs/:id | read:reviews | Review run snapshot; add ?findings=all for full structured findings |
Lifecycle webhooks (installation subscriptions)
Subscribe your HTTPS endpoint to review, Remedy, Checkpoint, merge-policy, and passport events for a GitHub App installation. V1 delivers each event once (no automatic retries); use GET /api/v1/review-runs/:id as a fallback if delivery fails.
| Endpoint | Scope | Description |
|---|---|---|
GET /api/v1/webhook-endpoints | manage:webhooks | List webhook endpoints for installations you control |
POST /api/v1/webhook-endpoints | manage:webhooks | Create endpoint (installationId, url, secret, optional events) |
GET /api/v1/webhook-endpoints/:id | manage:webhooks | Fetch one endpoint |
DELETE /api/v1/webhook-endpoints/:id | manage:webhooks | Delete endpoint and delivery history |
Default events when omitted: review.run.completed, review.run.failed. Opt in to additional events explicitly (for example remedy.run.completed, checkpoint.gate.evaluated, passport.snapshot.created, merge_policy.evaluated).
| Event | When fired |
|---|---|
review.run.queued | PR review run queued or requeued |
review.run.completed | Review pipeline finished successfully |
review.run.failed | Review pipeline failed |
review.run.cancelled | Reserved for future cancel support |
remedy.run.completed | Remedy run finished with a pushed or recorded patch |
remedy.run.failed | Remedy run failed |
remedy.run.halted | Remedy run halted before completion |
checkpoint.gate.evaluated | Checkpoint gate evaluated for a PR |
passport.snapshot.created | Change Passport snapshot generated |
merge_policy.evaluated | Merge policy evaluated after review |
Each delivery is an HTTPS POST with:
| Header | Value |
|---|---|
User-Agent | Critique-Lifecycle-Webhook/1.0 |
X-Critique-Webhook-ID | Unique delivery id |
X-Critique-Webhook-Event | Event name from the table above |
X-Critique-Webhook-Signature | sha256=<hex HMAC> over the raw JSON body using your endpoint secret |
import crypto from 'node:crypto'
export function verifyCritiqueLifecycleWebhook(secret: string, rawBody: string, signature: string) {
const expected = `sha256=${crypto.createHmac('sha256', secret).update(rawBody).digest('hex')}`
return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))
}review.run.completed payloads include findings[] (structured severity, title, summary, file path, lines, fingerprint) and findingsCount. Poll GET /api/v1/review-runs/:id?findings=all if you need the full list after delivery.
Per-run review webhooks
Pass an optional webhook object on POST /api/v1/reviews (same shape as Coding Agent API runs: url, secret ≥32 chars, optional events). Critique delivers to that URL with User-Agent: Critique-Review-Webhook/1.0 and the same HMAC header names as lifecycle webhooks.
| Event | When fired |
|---|---|
review.queued | Run queued from API |
review.completed | Pipeline finished — includes verdict + findings |
review.failed | Pipeline failed |
Installation lifecycle webhooks (review.run.completed, etc.) still fire in parallel when subscribed. Coding Agent run webhooks remain separate (Critique-Coding-Agent-Webhook/1.0).
Cookbooks and agent-loop examples: /merge-gate-api and Merge Gate API docs.
Signed-in dashboard (session cookie, not crt_):
| Endpoint | Description |
|---|---|
GET /api/passports/:passportId/export | Same single-passport bundle as v1 |
POST /api/passports/export | Batch export JSON for up to 25 passport ids ({ "passportIds": ["…"] }) |
Coding Agent API
OpenCode-backed sandbox runs with optional draft PR publish. Full reference: Coding Agent API.
| Endpoint | Scope | Description |
|---|---|---|
POST /api/v1/coding-agent/runs | write:builder | Start a run (repository, prompt, billing, publish, …) |
GET /api/v1/coding-agent/runs | read:builder | List runs (?limit=, ?events=1, ?patch=1) |
GET /api/v1/coding-agent/runs/:id | read:builder | Poll status, summary, patch, draft PR metadata |
POST /api/v1/coding-agent/runs/:id/messages | write:builder | Queue a follow-up after the run completes |
Overview and curl examples: /coding-agent-api.
Inference API
OpenAI-compatible chat completions on Critique credits. Full reference: Inference API.
| Endpoint | Scope | Description |
|---|---|---|
GET /api/v1/models | read:inference or read:builder | Model catalog (deepseek/deepseek-v4-flash, tencent/hy3, nvidia/nemotron-3-ultra-550b-a55b) |
POST /api/v1/chat/completions | write:inference or write:builder | Chat completions; credits metered per model rate card |
Overview, privacy copy, and key gate: /inference-api.
Account settings (signed in): GET / PATCH /api/settings/inference-api. Usage summary: GET /api/dashboard/inference-api.
Review-run BYOA exports (session or automation)
Handoff JSON for external agents from a completed review run (same blueprint as dashboard queue buttons):
| Endpoint | Description |
|---|---|
GET /api/review-runs/:reviewRunId/byoa/cursor | Cursor Cloud Agent handoff (?download=1 for attachment) |
GET /api/review-runs/:reviewRunId/byoa/claude | Claude Managed Agent handoff |
GET /api/review-runs/:reviewRunId/byoa/codex | OpenAI Codex / Responses handoff |
Queueing still requires saved keys in Settings → Agents. See BYOA.
Example:
curl -sS \
-H "Authorization: Bearer crt_YOUR_KEY" \
"https://critique.sh/api/v1/passports?limit=5"Responses are no-store and scoped to installations linked to your user.
Dashboard integration hub
Dashboard → Overview includes an integrations section when you have GitHub connected: connection status, Linear issue previews, passport queue snippets, and a Manage connections link to /settings/connections. Use it as a control-room view alongside review runs and usage.
Security practices
- Treat
crt_keys like passwords — revoke in Connections if leaked. - Use separate keys per agent or environment so revocation is surgical.
- Linear and other connection secrets are encrypted at rest; Critique never returns full secrets to the browser after save.
- MCP and REST act only within your Critique permissions — they cannot access another user’s repositories.
Related
- Merge Gate API — primary doc for agent integrators
- Merge Gate product page — cookbooks and key gate
- BYOK — OpenRouter / Crof model keys (Settings)
- BYOA — Cursor (Composer 2.5), Claude, Codex fix agents (Settings → Agents)
- Coding Agent API — Builder-style writer runs over HTTP
- Inference API — OpenAI-compatible chat on Critique credits
- PR review — triggers, pipeline, GitHub output
- Checkpoint — pre-review gates +
checkpoint.gate.evaluatedwebhooks - Agent Skill Marketplace — publish and install review skills
- Chat tools — including
searchIssuesAndRoadmap - Environment variables — v4 change-control flags, v4.1
CRITIQUE_SECRETS_ENCRYPTION_KEY, and v6 webhook/API scopes - Change control — passports, incident webhooks, model-feedback opt-in
Bring Your Own Agent (BYOA)
Route Critique review findings to Cursor Cloud Agents, Claude Managed Agents, OpenAI Codex, or paste-based agents — without double-paying for execution.
Merge Gate API
Machine-readable PR review for agents — queue reviews over REST or MCP, receive structured verdicts and findings via webhooks or poll.