APIFold

FAQ

General

What is APIFold?

APIFold is an open-source platform that converts any REST API into a live MCP (Model Context Protocol) server. MCP is the emerging standard for AI agents to interact with external tools and APIs.

What is MCP?

The Model Context Protocol (MCP) is a standard that allows AI agents (like Claude, Cursor, and Windsurf) to discover and call tools provided by external servers. APIFold bridges the gap between existing REST APIs and MCP-compatible AI agents.

Is APIFold open source?

Yes. The transformer package is MIT-licensed and can be used independently. The rest of the platform is AGPL-3.0 licensed. All source code is publicly available on GitHub.

Pricing & Billing

How is a "request" counted?

A request is any tool execution call to your MCP server. Health checks, dashboard traffic, webhook events, and internal calls are not counted.

Can I self-host for free?

Yes. Self-hosted deployments have no usage limits or billing. The paid plans apply only to the managed cloud platform.

What happens if I exceed my limits?

On the Free plan, requests are hard-capped at 1,000/month (HTTP 429). Starter and Pro plans charge overage at €0.50 per 10,000 extra requests. You're alerted at 80% and 100% of your quota.

Security

How are my API credentials stored?

Credentials are encrypted with AES-256-GCM before storage. The encryption key is derived from environment variables (VAULT_SECRET + VAULT_SALT) using PBKDF2 with 100,000 iterations. Plaintext credentials never touch disk.

Does APIFold have access to my upstream API data?

On the managed platform, request logs (method, path, status, duration) are stored per your plan's retention period. Request/response bodies are not logged. Self-hosters control all data storage.

Is there SSRF protection?

Yes. All outbound requests from the spec import flow go through SSRF protection that blocks private IPs, validates DNS resolution, and restricts ports to 80, 443, 8080, and 8443.
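The three checks named above (port allowlist, DNS validation, private-address blocking) can be sketched as follows. This is an added example, not APIFold's own code: the function names are hypothetical, and it assumes the caller has already resolved the hostname and passes in every address the resolver returned, in canonical text form.

```javascript
// Added illustration, not APIFold's code; all function names are hypothetical.
const ALLOWED_PORTS = new Set([80, 443, 8080, 8443]); // ports named in the answer above

// IPv4 [network, prefix]: "this network", RFC 1918, CGNAT, loopback, link-local, multicast/reserved.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];

// Dotted quad -> unsigned 32-bit integer, or null when the text is not strict IPv4.
function v4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  return parts.reduce((acc, p) => acc * 256 + Number(p), 0);
}

function isBlockedV4(ip) {
  const n = v4ToInt(ip);
  if (n === null) return true; // unparseable input fails closed
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits); // addresses per block; division avoids 32-bit sign issues
    return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
  });
}

// Expects canonical (compressed, lowercase-able) text as returned by a resolver.
function isBlockedAddress(addr) {
  const a = addr.toLowerCase();
  if (!a.includes(':')) return isBlockedV4(a);
  // IPv4-mapped IPv6: judge the embedded IPv4; the hex form (::ffff:7f00:1) fails closed.
  if (a.startsWith('::ffff:')) return isBlockedV4(a.slice(7));
  // Unspecified, loopback, unique-local fc00::/7, link-local fe80::/10, multicast ff00::/8.
  return a === '::' || a === '::1' || /^f[cd][0-9a-f]{2}:/.test(a) ||
    /^fe[89ab][0-9a-f]:/.test(a) || /^ff[0-9a-f]{2}:/.test(a);
}

// resolvedAddrs: every A/AAAA answer for the URL's host (or the literal IP itself).
function checkOutbound(rawUrl, resolvedAddrs) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'invalid-url' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  const port = url.port !== '' ? Number(url.port) : (url.protocol === 'https:' ? 443 : 80);
  if (!ALLOWED_PORTS.has(port)) return { ok: false, reason: 'port' };
  if (resolvedAddrs.length === 0) return { ok: false, reason: 'no-dns-answer' };
  if (resolvedAddrs.some(isBlockedAddress)) return { ok: false, reason: 'blocked-address' };
  // Connect to this vetted address so a second lookup cannot return a different one.
  return { ok: true, connectTo: resolvedAddrs[0], port };
}
```

Rejecting the request when any single answer is blocked, and then connecting to the vetted address rather than resolving again, is what keeps a hostname from passing the check with a public address and later pointing at an internal one.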

Compatibility

Which AI clients are supported?

Any client that implements MCP: Claude Desktop, Cursor, Windsurf, Continue, GitHub Copilot (with MCP support), and more. APIFold uses standard SSE transport.

Which OpenAPI versions are supported?

  • OpenAPI 3.0.x
  • OpenAPI 3.1.x
  • Swagger 2.0

JSON and YAML formats are both accepted.

Can I use APIFold with private APIs?

Yes. You can import specs from private URLs (with appropriate authentication) or upload spec files directly. The MCP server proxies requests to your upstream API using stored credentials.

Self-Hosting

What infrastructure do I need?

A machine that runs Docker with at least 2 GB RAM. The Docker Compose stack includes: Next.js (dashboard), Express (runtime), PostgreSQL, and Redis.

Is there telemetry?

No telemetry by default. If you enable Plausible analytics (by setting NEXT_PUBLIC_PLAUSIBLE_DOMAIN), it collects privacy-respecting page view data with no cookies and no personal data.