Skip to content

For Agents

Bring your AI assistant to SuperHomes.

WebMCP lets Claude Desktop, Cursor, and any MCP-compatible client query your listings + leads, draft replies, and update statuses — using a personal API token you generate in your dashboard.

Generate a tokenSetup guides

Endpoint: https://www.superhomes.my/api/mcp · MCP 2024-11-05 (Streamable HTTP)

What an MCP client can do

Public tier

No token required. IP rate-limited. Read-only.

  • search_propertiesSearch the public listings catalogue with filters + pagination.
  • get_propertyFetch a single property by id or permalink.
  • get_market_statsMedian price/rent + listing counts for a state/district/type.

Agent tier

Bearer token, scoped per-tool, audited.

  • list_my_listingsread:listings
    Your own active or inactive listings, paginated.
  • list_my_leadsread:leads
    Leads assigned to or claimed by you. Buyer phone is masked unless you are the claimer.
  • get_inquiryread:leads
    A single lead with its full message thread.
  • respond_to_inquirywrite:inquiries
    Send a WhatsApp reply or record a note. Two-step: dry-run preview → confirm.
  • update_listing_statuswrite:listings
    Toggle a listing's active state. Two-step + audited.

Designed for AI’s sharp edges

AI assistants can be tricked by stored content (a malicious lead message, a poisoned listing description). WebMCP’s defaults assume that.

Dry-run on every write

respond_to_inquiry and update_listing_status require a two-step: AI gets a preview + 5-min confirm token, you review, then the AI confirms. Server enforces the round-trip.

Untrusted content wrappers

Every user-generated string in tool output (lead messages, listing titles) is wrapped in <untrusted_user_content> markers so the AI treats them as data, not instructions.

Full audit log

Every write records token id, agent id, the exact message body sent, and before/after state. View it in your dashboard. 90-day retention.

Scoped tokens

Read-only by default. Add write scopes only when you need them; revoke at any time. A leaked read token can never write.

Agent-isolated by SQL

Every authenticated query joins on your contact ids. Another agent's token never sees your leads, listings, or inquiries.

PII gated by claim status

list_my_leads returns masked phone for leads you haven't claimed. Unmasked contact info only appears once you've taken ownership.

Connect your AI client

Generate a token in your dashboard, then drop it into your client’s MCP config.

Claude Desktop

Paste a config block, restart, you’re live.

Setup guide

Cursor

Speaks HTTP natively — no proxy needed.

Setup guide

For tooling authors

Discovery follows the MCP convention. Fetch the well-known doc to learn the endpoint, transport, and tool surface:

curl https://www.superhomes.my/.well-known/mcp
Manage tokens View audit log