Skip to main content

Agent Visibility

From private to fully public — one setting. Every Virtual API can be exposed as an AI agent endpoint via the Model Context Protocol (MCP). The Visibility setting controls who can discover your agent, whether authentication is required, and whether it appears in the DataHarbor catalog.

Visibility levels

Visibility is a single, escalating setting — each level opens access further:
VisibilityAgent CardCatalogMCP AuthDescription
DisabledNot servedNoN/ANot an agent. Nobody can discover or connect to it.
PrivateAuth onlyNoRequiredOnly authenticated clients can find and use it. Internal use only.
Unlisted OpenPublicNoOpenAnyone with the link can use it freely, but it won’t appear in the catalog.
Listed OpenPublicYesOpenFully public — discoverable in the catalog, open to all.

Disabled

The default state. The Virtual API functions normally for REST delivery but does not serve an agent card. Requests to the agent card endpoint return 404.

Private

The agent serves a card only to authenticated clients. Anonymous requests receive a minimal stub card — enough to know the agent exists and how to authenticate, but no operational details. Authenticated clients see the full agent card including:
  • Security schemes and requirements
  • Extended card with skill details and parameters
MCP sessions require OAuth authentication.

Unlisted Open

The agent card is fully public with no security schemes — anyone can read it and connect without authentication. However, the agent does not appear in the DataHarbor catalog. This is ideal for:
  • Embedding agents in specific applications
  • Direct integrations where you share the URL
  • Testing before listing publicly

Listed Open

Like Unlisted Open, but the agent is indexed in the DataHarbor catalog and fully discoverable. This is the most open setting — anyone can find it, connect, and use it without authentication.

Agent cards

An agent card is a machine-readable description of your agent’s capabilities, following the Model Context Protocol spec. DataHarbor generates it automatically from your Virtual API configuration.

What’s in an agent card

FieldDescription
Name and descriptionFrom your Virtual API configuration
SkillsAuto-generated from your API’s endpoints and schema
Security schemesOAuth requirements (Private only)
Extended card URLLink to full details (Private only)

Stub vs. full card

For Private visibility, unauthenticated requests receive a stub card: 
{
  "name": "customer-data-agent",
  "description": "Customer data with PII controls",
  "securitySchemes": {
    "oauth2": {
      "type": "oauth2",
      "flows": { "..." }
    }
  }
}
Authenticated requests receive the full card with skills, parameters, and the extended card URL. For Unlisted Open and Listed Open, all requests receive the full card — no security schemes are included, and the extended card endpoint is not served.

Choosing a visibility level

ScenarioRecommended
Not using MCP deliveryDisabled
Internal agents for your own AI toolsPrivate
Sharing an agent with a specific partnerUnlisted Open
Publishing an agent for anyone to useListed Open

Next steps

MCP Server Delivery

Configure MCP endpoints

Global Marketplace

List and monetize your agents