Setup guide

Cursor

Connect your SuperHomes account to Cursor. Cursor speaks Streamable HTTP natively — no proxy needed, simpler config than Claude Desktop.

Prerequisites

✓A SuperHomes agentaccount (buyer accounts can’t generate MCP tokens)
✓Cursor installed
✓An MCP token — generate one at Dashboard → MCP Tokens. See the Claude Desktop guide step 1 for the full walkthrough — the token-generation flow is identical.

Add SuperHomes to Cursor

Cursor reads MCP config from one of two locations (both work; Cursor merges them):

Scope	Path
Global (all projects)	~/.cursor/mcp.json
Project-scoped	<repo>/.cursor/mcp.json

Open the global file (or create it). If it already has other servers, append— don’t replace existing entries.

{
  "mcpServers": {
    "superhomes": {
      "url": "https://www.superhomes.my/api/mcp",
      "headers": {
        "Authorization": "Bearer shmcp_PASTE_YOUR_TOKEN_HERE"
      }
    }
  }
}

Replace shmcp_PASTE_YOUR_TOKEN_HERE with your token. The JSON shape is intentionally simple — url and headers at the top level of the server entry, no transport wrapping.

Verify in Cursor

Reload the Cursor window: Cmd/Ctrl + Shift + P → Developer: Reload Window.
Open the MCP panel: Cmd/Ctrl + Shift + P → MCP: List Servers. You should see superhomes listed as connected.
Open the agent chat (Cmd/Ctrl + L) and try:
“Use the SuperHomes MCP to list my five most recent leads.”

Verifying the audit log: every authenticated tool call lands in your audit log. Open Dashboard → MCP Audit and you should see a row appear within seconds.

Project-scoped config

If you only want WebMCP available inside one project (e.g. a marketing automation repo), put the same JSON at <repo>/.cursor/mcp.json instead of (or in addition to) the global path. Cursor merges both files.

Security

The same rules from the Claude Desktop security section apply equally here. The three key reminders:

Token = SSH key

Don’t paste it anywhere it could be logged or screenshot. Never commit it to git — even a private repo. Generate one per machine so you can revoke individually.

Don't co-host untrusted MCP servers

An AI session with SuperHomes (reads your leads) and an attacker-controlled MCP server can be tricked into exfiltrating buyer PII. Only connect servers you trust as much as a desktop app. Audit your ~/.cursor/mcp.json periodically.

Writes are dry-run by default

respond_to_inquiry and update_listing_statusalways require a confirm step. Read the preview before approving — especially when the buyer’s message contains anything that looks like instructions.

Troubleshooting

Server shows "disconnected" in MCP panel

JSON syntax error, or the url value has a typo. Run: cat ~/.cursor/mcp.json | jq to validate.

tools/list only shows public tools

Bearer token not being sent. Confirm the Authorization header has exactly Bearer (one space) before the shmcp_ value.

forbidden (-32001 "host not allowed")

The URL host isn't in the server's allowlist. The URL in this guide is allowlisted — don't substitute a custom proxy.

forbidden (-32001 "insufficient scope")

Token lacks the scope. Generate a new token with the right scopes in the dashboard.

authentication required (-32003)

Token malformed, expired, or revoked. Check your dashboard and regenerate.

rate limit exceeded (-32002)

Per-token cap: 120/min reads, 30/min writes. Wait a minute.

Calls succeed but no audit row appears

Audit log records authenticated writes. Reads succeed silently — that's by design. Try a write tool (with dry_run) to see it logged.

What’s next

Claude Desktop setup

Uses mcp-remote proxy for stdio → HTTP bridging.

Read guide

Manage tokens

Generate, rename, or revoke your MCP tokens.