Skip to content
Critique/docs
Platform

Connections, MCP & Platform API

Connect Linear and Slack, issue Critique API keys, call MCP or REST v1 — and use the Merge Gate API for agent orchestration.

Critique’s Platform API (/api/v1/* + POST /api/mcp) lets external tools queue reviews, read structured verdicts, subscribe to lifecycle webhooks, and integrate IDE agents — without scraping the dashboard or GitHub comment threads.

Deep reference for agent integrators: Merge Gate API — queue → webhook/poll → findings[], MCP, Checkpoint pre-filter, writer/judge separation.

Product page with cookbooks: /merge-gate-api.

This page covers Connections (Linear, Slack, crt_ keys), MCP, and the full REST v1 catalog. Operators need CRITIQUE_SECRETS_ENCRYPTION_KEY before users can save keys.

Platform API surfaces (pick one)

SurfaceYou want to…Start here
Merge Gate APIGate agent PRs — PASS/FAIL + structured findingsPOST /api/v1/reviews, webhooks, MCP queue_review
Coding Agent APIRun OpenCode in E2B — patch / draft PR outPOST /api/v1/coding-agent/runs
Critique IntakeCapture user bug reports and generate agent-ready packets/intake/widget.js, POST /api/intake/report
Inference APIRaw chat completions on Critique creditsPOST /api/v1/chat/completions
This pageLinear/Slack, scopes, MCP tool list, passport exportConnections + REST catalog

All three HTTP surfaces share the same crt_ key family. One key can call merge gate, coding agent, and inference if scopes allow.

flowchart LR
  subgraph writers [Writer agents]
    Cursor[Cursor / Devin / Codex]
  end
  subgraph critique [Critique Platform API]
    Gate[Merge gate REST + MCP]
    Builder[Coding Agent API]
  end
  GH[GitHub PR] --> Gate
  Cursor --> GH
  Gate -->|findings[]| Fix[Fix agent or Remedy]
  Builder -->|optional draft PR| GH

Zapier vs MCP vs native (read this first)

PathWhat it isWhat it is not
ZapierAutomate Slack, Jira, Sentry, Vercel, and 8,000+ apps with ZapsNot MCP; not stored per-app keys in Critique
MCP + crt_ keysIDE agents (Cursor, Claude) and CI call CritiqueNot Zapier; not for wiring Jira to Slack
Native Linear / SlackDeep Critique Chat (issue search, Slack post)Optional if Zapier already covers your stack
BYOK / BYOAModel and fix-agent keys in SettingsSeparate from Connections

For Slack, Jira, Sentry, Vercel, and most of your stack, use Zapier instead of pasting keys for each app in Critique. Combine Webhooks by Zapier with Critique crt_ API keys and MCP when agents need passport data.

Optional native Linear and Slack keys below are only for deep Critique Chat features (issue search, confirmed Slack posts).

Three ways to “connect” Critique

KindWhere you configureWhat it pays for / unlocks
BYOK (models)Settings → LLM Gateway, OpenRouter, or CrofAICritique Chat and review models bill your LLM Gateway, OpenRouter, or Crof account. See BYOK.
BYOA (fix agents)Settings → Cursor, Anthropic, OpenAIQueue Cloud Agents, Claude Managed Agents, or Codex from review runs. See BYOA.
App connectionsSettings → ConnectionsThird-party product APIs (Linear and Slack today; native Sentry, Jira, and broader cards remain roadmap). Powers chat tools and dashboard context — not model inference.
Critique API keys (crt_…)Connections page → Critique API keysProgrammatic access for your user: MCP server and REST v1. Acts as you, scoped to repos your GitHub App installation controls.

BYOK and BYOA stay on Settings. Linear and future integrations live under Connections so agents and chat can reuse the same encrypted credential store.

flowchart TB
  subgraph settings [Settings]
    BYOK[OpenRouter / Crof BYOK]
    BYOA[Cursor / Anthropic / OpenAI BYOA]
  end
  subgraph connections [Connections]
    Apps[Linear Slack Sentry …]
    CRT[crt_ API keys]
  end
  Chat[Critique Chat] --> BYOK
  Review[PR review] --> BYOK
  Fix[Queue fix agents] --> BYOA
  Chat --> Apps
  Agent[External agent MCP client] --> CRT
  CRT --> MCP["POST /api/mcp"]
  CRT --> REST["GET /api/v1/…"]

App connections (Linear and catalog)

Open Settings → Connections.

Linear (available now)

  1. Create a Personal API key in Linear → Settings → API.
  2. In Critique, open Linear → paste the key → Save.
  3. Use Test connection to confirm Critique can reach Linear.
  4. Toggle Enable for Chat (and other surfaces when they ship) so agents may call Linear-backed tools.

When Linear is connected and enabled for chat, Critique Chat can call searchIssuesAndRoadmap — search issues, see assignee context, and relate PR work to your roadmap without leaving the thread. See Chat tools.

Legacy Settings → Linear API key redirects to the same Linear card on the Connections page.

Slack (available now)

Connect with either:

  1. Bot token (xoxb-…) from Slack API apps — needs chat:write (and channel access). Optional default channel (for example #eng-reviews).
  2. Incoming webhook URL (https://hooks.slack.com/services/…) — fastest setup; posts to one channel only.

Use Test connection after save. When Slack is connected and Chat is enabled, Critique Chat can postToSlack — a confirmation card appears before anything is posted.

Other apps

Sentry, Jira, and Vercel are not configured as separate native Connections cards today. Use Zapier or Control Board incident webhooks (Change control) for now.

Current beta priorities:

  • P0: agent orchestration docs and cookbook coverage for merge gate + Checkpoint webhooks
  • P1: skills marketplace API-key scopes such as read:skills and install:skills
  • P2: ship native Sentry and Jira OAuth cards instead of leaving them webhook-only

See the connections roadmap.

Operator requirement

If the UI says secrets storage is not configured, your deployment is missing CRITIQUE_SECRETS_ENCRYPTION_KEY. Generate a 32-byte base64 key (see Environment variables) and redeploy. The same key encrypts BYOK/BYOA keys, repository secrets, connection credentials, and API key hashes.

Critique API keys

API keys authenticate as your Critique user to automation endpoints. They are not OpenRouter keys and not Linear keys.

  1. Go to Settings → ConnectionsCritique API keys.
  2. Name the key (for example Cursor MCP or CI bot) → Create.
  3. Copy the full key once — it starts with crt_ and is only shown at creation.
  4. Store it in your agent or secret manager; Critique stores only a hash and a short prefix.

Default scopes on new keys:

ScopeAllows
read:passportsGET /api/v1/passports, GET /api/v1/passports/:passportId/export
read:reviewsGET /api/v1/review-runs/:id, insights read routes, suppressions list
write:reviewsPOST /api/v1/reviews, MCP queue_review / queue_remedy, checkpoint policy, suppressions write, merge-policy compile
read:insightsGET /api/insights/* read routes
write:insightsPOST /api/insights/reports, POST /api/insights/compliance-export, POST /api/insights/fleet
read:builderGET /api/v1/coding-agent/runs, GET /api/v1/coding-agent/runs/:id
write:builderPOST /api/v1/coding-agent/runs, POST /api/v1/coding-agent/runs/:id/messages
read:inferenceGET /api/v1/models
write:inferencePOST /api/v1/chat/completions
manage:webhooksGET/POST /api/v1/webhook-endpoints, GET/DELETE /api/v1/webhook-endpoints/:id

Older keys created before the Coding Agent API or Inference API shipped may lack read:builder / write:builder or inference scopes — rotate the key in Connections if automation returns 403.

Inference API keys, limits, and usage: Inference API. Mini panel and caps live on this Connections page; full charts at /inference-dashboard.

Marketplace-oriented scopes such as read:skills and install:skills are planned but not live yet.

Browser session cookies do not satisfy scoped v1 checks. Use a crt_ key with the required scope for REST v1 and MCP.

OpenAPI: GET /api/v1/openapi (YAML). Machine-readable contract for passports, reviews, insights, repository policy, Coding Agent, and inference routes.

MCP server (beta, v0.1.0)

Critique exposes an MCP-compatible JSON-RPC endpoint for external clients (Cursor, Claude Desktop, custom agents).

ItemValue
URLhttps://critique.sh/api/mcp (or your NEXT_PUBLIC_APP_URL + /api/mcp)
MethodPOST
AuthAuthorization: Bearer crt_…
ProtocolMCP 2024-11-05 subset (initialize, tools/list, tools/call, ping)

This is a beta distribution surface. Tools enforce the same crt_ scopes as REST v1.

Tools

ToolScopeDescription
list_passportsread:passportsUp to 20 change passports visible to your account
get_passportread:passportsOne passport by id
get_review_runread:reviewsReview run snapshot — all findings (not capped at 5)
list_review_runsread:reviewsRecent review runs (installation-scoped)
queue_reviewwrite:reviewsQueue a PR review (repositoryFullName, pullRequestNumber, headSha)
queue_remedywrite:reviewsQueue Remedy for an existing review run
get_remedy_statusread:reviewsPoll Remedy status and progress events
get_workspace_statusread:reviewsWorkspace snapshot and recommended next step
search_finding_memoryread:reviewsSearch durable finding memory
compile_merge_policy_draftwrite:reviewsCompile merge policy from natural language

Example tools/call body (JSON-RPC):

{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "list_passports",
    "arguments": { "limit": 10 }
  }
}

Configure your MCP client with the Critique URL and a crt_ key. MCP does not replace GitHub App install — the repository must already be on an installation you control.

REST API v1

HTTP JSON for the same account. Use a crt_ key with the required scope; authenticated browser sessions do not satisfy scoped v1 checks.

OpenAPI: GET /api/v1/openapi — YAML contract for automation teams.

Merge gate deep dive

For POST /api/v1/reviews, GET /api/v1/review-runs/:id?findings=all, webhook payload shapes, MCP agent loops, and Checkpoint integration, read the dedicated Merge Gate API doc. The sections below are the catalog summary.

Passports & reviews

EndpointScopeDescription
GET /api/v1/passports?limit=20read:passportsChange passport queue (max 100)
GET /api/v1/passports/:passportId/exportread:passportsSigned, redacted compliance bundle JSON for one passport
POST /api/v1/reviewswrite:reviewsQueue a PR review (repositoryFullName, pullRequestNumber, headSha, optional webhook)
GET /api/v1/review-runs/:idread:reviewsReview run snapshot; add ?findings=all for full structured findings

Lifecycle webhooks (installation subscriptions)

Subscribe your HTTPS endpoint to review, Remedy, Checkpoint, merge-policy, and passport events for a GitHub App installation. V1 delivers each event once (no automatic retries); use GET /api/v1/review-runs/:id as a fallback if delivery fails.

EndpointScopeDescription
GET /api/v1/webhook-endpointsmanage:webhooksList webhook endpoints for installations you control
POST /api/v1/webhook-endpointsmanage:webhooksCreate endpoint (installationId, url, secret, optional events)
GET /api/v1/webhook-endpoints/:idmanage:webhooksFetch one endpoint
DELETE /api/v1/webhook-endpoints/:idmanage:webhooksDelete endpoint and delivery history

Default events when omitted: review.run.completed, review.run.failed. Opt in to additional events explicitly (for example remedy.run.completed, checkpoint.gate.evaluated, passport.snapshot.created, merge_policy.evaluated).

EventWhen fired
review.run.queuedPR review run queued or requeued
review.run.completedReview pipeline finished successfully
review.run.failedReview pipeline failed
review.run.cancelledReserved for future cancel support
remedy.run.completedRemedy run finished with a pushed or recorded patch
remedy.run.failedRemedy run failed
remedy.run.haltedRemedy run halted before completion
checkpoint.gate.evaluatedCheckpoint gate evaluated for a PR
passport.snapshot.createdChange Passport snapshot generated
merge_policy.evaluatedMerge policy evaluated after review

Each delivery is an HTTPS POST with:

HeaderValue
User-AgentCritique-Lifecycle-Webhook/1.0
X-Critique-Webhook-IDUnique delivery id
X-Critique-Webhook-EventEvent name from the table above
X-Critique-Webhook-Signaturesha256=<hex HMAC> over the raw JSON body using your endpoint secret
import crypto from 'node:crypto'

export function verifyCritiqueLifecycleWebhook(secret: string, rawBody: string, signature: string) {
  const expected = `sha256=${crypto.createHmac('sha256', secret).update(rawBody).digest('hex')}`
  return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))
}

review.run.completed payloads include findings[] (structured severity, title, summary, file path, lines, fingerprint) and findingsCount. Poll GET /api/v1/review-runs/:id?findings=all if you need the full list after delivery.

Per-run review webhooks

Pass an optional webhook object on POST /api/v1/reviews (same shape as Coding Agent API runs: url, secret ≥32 chars, optional events). Critique delivers to that URL with User-Agent: Critique-Review-Webhook/1.0 and the same HMAC header names as lifecycle webhooks.

EventWhen fired
review.queuedRun queued from API
review.completedPipeline finished — includes verdict + findings
review.failedPipeline failed

Installation lifecycle webhooks (review.run.completed, etc.) still fire in parallel when subscribed. Coding Agent run webhooks remain separate (Critique-Coding-Agent-Webhook/1.0).

Cookbooks and agent-loop examples: /merge-gate-api and Merge Gate API docs.

Signed-in dashboard (session cookie, not crt_):

EndpointDescription
GET /api/passports/:passportId/exportSame single-passport bundle as v1
POST /api/passports/exportBatch export JSON for up to 25 passport ids ({ "passportIds": ["…"] })

Coding Agent API

OpenCode-backed sandbox runs with optional draft PR publish. Full reference: Coding Agent API.

EndpointScopeDescription
POST /api/v1/coding-agent/runswrite:builderStart a run (repository, prompt, billing, publish, …)
GET /api/v1/coding-agent/runsread:builderList runs (?limit=, ?events=1, ?patch=1)
GET /api/v1/coding-agent/runs/:idread:builderPoll status, summary, patch, draft PR metadata
POST /api/v1/coding-agent/runs/:id/messageswrite:builderQueue a follow-up after the run completes

Overview and curl examples: /coding-agent-api.

Inference API

OpenAI-compatible chat completions on Critique credits. Full reference: Inference API.

EndpointScopeDescription
GET /api/v1/modelsread:inference or read:builderModel catalog (deepseek/deepseek-v4-flash, tencent/hy3, nvidia/nemotron-3-ultra-550b-a55b)
POST /api/v1/chat/completionswrite:inference or write:builderChat completions; credits metered per model rate card

Overview, privacy copy, and key gate: /inference-api.

Account settings (signed in): GET / PATCH /api/settings/inference-api. Usage summary: GET /api/dashboard/inference-api.

Review-run BYOA exports (session or automation)

Handoff JSON for external agents from a completed review run (same blueprint as dashboard queue buttons):

EndpointDescription
GET /api/review-runs/:reviewRunId/byoa/cursorCursor Cloud Agent handoff (?download=1 for attachment)
GET /api/review-runs/:reviewRunId/byoa/claudeClaude Managed Agent handoff
GET /api/review-runs/:reviewRunId/byoa/codexOpenAI Codex / Responses handoff

Queueing still requires saved keys in Settings → Agents. See BYOA.

Example:

curl -sS \
  -H "Authorization: Bearer crt_YOUR_KEY" \
  "https://critique.sh/api/v1/passports?limit=5"

Responses are no-store and scoped to installations linked to your user.

Dashboard integration hub

Dashboard → Overview includes an integrations section when you have GitHub connected: connection status, Linear issue previews, passport queue snippets, and a Manage connections link to /settings/connections. Use it as a control-room view alongside review runs and usage.

Security practices

  • Treat crt_ keys like passwords — revoke in Connections if leaked.
  • Use separate keys per agent or environment so revocation is surgical.
  • Linear and other connection secrets are encrypted at rest; Critique never returns full secrets to the browser after save.
  • MCP and REST act only within your Critique permissions — they cannot access another user’s repositories.