Skip to main content
Point an agent framework at a Runlayer MCP proxy URL and your agent calls MCP tools as usual — Runlayer applies policy, scanning, and identity in the middle. Pick your framework below.
To instrument the tools your agent runs itself (shell, local functions, non-proxied MCP) and stream the full conversation into Sessions, use the Hooks SDK instead. Many agents use both.

Copy Prompt

Paste this into your coding agent to connect an existing project to Runlayer. It covers every framework on this page — the agent picks the right one: 
Read the Runlayer agent framework integration docs at https://docs.runlayer.com/agent-frameworks and connect my agent to Runlayer-hosted MCP servers.
The Claude Agent SDK supports MCP servers natively. Pass Runlayer MCP servers to query() and allow their tools with allowedTools.

Installation

npm install @anthropic-ai/claude-agent-sdk
Set your Anthropic API key:
export ANTHROPIC_API_KEY=your-anthropic-key

HTTP Transport (Production)

Use HTTP transport for production deployments with remote MCP servers. The TypeScript and Python SDKs share the same mcpServers / mcp_servers and allowedTools / allowed_tools shape:
import { query } from "@anthropic-ai/claude-agent-sdk";

for await (const message of query({
  prompt: "Get info about the vercel/ai repository",
  options: {
    mcpServers: {
      github: {
        type: "http",
        url: "https://mcp.runlayer.com/github-a1b2c3/mcp",
        headers: {
          "x-runlayer-api-key": process.env.RUNLAYER_API_KEY!
        }
      }
    },
    allowedTools: ["mcp__github__*"]
  }
})) {
  if (message.type === "result" && message.subtype === "success") {
    console.log(message.result);
  }
}
The server key sets the tool prefix. A server named github exposes tools as mcp__github__<tool>, so mcp__github__* allows all tools from that server.

Multiple MCP Servers

Add each server to mcpServers and allow each server’s tools:
import { query } from "@anthropic-ai/claude-agent-sdk";

for await (const message of query({
  prompt: "Create a GitHub issue and a Linear ticket for the bug report",
  options: {
    mcpServers: {
      github: {
        type: "http",
        url: "https://mcp.runlayer.com/github-a1b2c3/mcp",
        headers: { "x-runlayer-api-key": process.env.RUNLAYER_API_KEY! }
      },
      linear: {
        type: "http",
        url: "https://mcp.runlayer.com/linear-d4e5f6/mcp",
        headers: { "x-runlayer-api-key": process.env.RUNLAYER_API_KEY! }
      }
    },
    allowedTools: ["mcp__github__*", "mcp__linear__*"]
  }
})) {
  if (message.type === "result" && message.subtype === "success") {
    console.log(message.result);
  }
}

Agent Accounts

Use Agent Accounts when your Claude app should authenticate as an agent, not a user API key. Fetch an token, then pass it to Runlayer’s MCP proxy:
import { query } from "@anthropic-ai/claude-agent-sdk";

const tokenResponse = await fetch(`${process.env.RUNLAYER_URL}/api/v1/oauth/token`, {
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  body: new URLSearchParams({
    grant_type: "client_credentials",
    client_id: process.env.RUNLAYER_CLIENT_ID!,
    client_secret: process.env.RUNLAYER_CLIENT_SECRET!
  })
});

const { access_token: accessToken } = await tokenResponse.json();

for await (const message of query({
  prompt: "List recent GitHub issues",
  options: {
    mcpServers: {
      github: {
        type: "http",
        url: `${process.env.RUNLAYER_URL}/api/v1/proxy/${process.env.SERVER_ID}/mcp`,
        headers: { Authorization: `Bearer ${accessToken}` }
      }
    },
    allowedTools: ["mcp__github__*"]
  }
})) {
  if (message.type === "result" && message.subtype === "success") {
    console.log(message.result);
  }
}
For on-behalf-of user calls, exchange the agent token (RFC 8693) with the delegated user’s email as subject_token. accessToken is the agent token minted in the M2M example above:
const userEmail = "alice@example.com"; // the delegated user

const { access_token: oboToken } = await (await fetch(`${process.env.RUNLAYER_URL}/api/v1/oauth/token`, {
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  body: new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
    actor_token: accessToken,
    actor_token_type: "urn:ietf:params:oauth:token-type:access_token",
    subject_token: userEmail,
    subject_token_type: "urn:runlayer:token-type:user-email"
  })
})).json();
Migrating from the client_credentials OBO shortcut: earlier versions documented passing subject_token / subject_token_type directly on the client_credentials grant. That shape is still accepted for backward compatibility but deprecated — switch to the two-step flow: mint an agent token with client_credentials, then exchange it with grant_type=urn:ietf:params:oauth:grant-type:token-exchange (agent token in actor_token, user identity in subject_token, per RFC 8693 §2.1).
See Agent Account Authentication Recipes for UUID and WorkOS OBO variants.

Resources