Claude API integration

Give Claude direct access to Accessio.AI accessibility data via the Anthropic Messages API.

Use Accessio.AI from the Claude API

Accessio.AI exposes a public REST API at https://api.accessio.ai/v1. You can call it directly, or let Claude invoke it for you via Anthropic's mcp_servers parameter on the Messages API.

This page covers the programmatic (Bearer) flow. For the claude.ai consumer connector flow (OAuth), see the Custom Connectors guide (coming with Phase 2).

1. Create a service-account API key

In the dashboard, go to Settings → API keys, create a new key, and grant the scopes you need:

Scope             What it allows
scans:read        List scan sessions and their issues
scans:write       Run new scans
alt-text:read     List generated alt-text suggestions
alt-text:write    Create new alt-text generation jobs
alt-text:approve  Approve / reject alt-text suggestions
embed:read        Inspect embed scripts
quota:read        Check current-month usage

Keys are hashed at rest; the plaintext is shown once. Store it in your secret manager as ACCESSIO_API_KEY.

2. Call the REST API directly

curl -H "X-API-Key: $ACCESSIO_API_KEY" \
     "https://api.accessio.ai/v1/scans?limit=20"

Response:

{
  "success": true,
  "data": [
    {
      "id": "…",
      "embedScriptId": "…",
      "pageUrl": "https://example.com/",
      "totalIssues": 4,
      "criticalCount": 1,
      "seriousCount": 2,
      "moderateCount": 1,
      "minorCount": 0,
      "scanDurationMs": 1234,
      "createdAt": "2026-04-17T12:34:56.000Z"
    }
  ],
  "metadata": { "limit": 20, "nextCursor": null },
  "disclaimer": "Automated WCAG scan. Not a legal compliance certification.",
  "scanSchemaVersion": "1.0.0"
}

Every response carries:

  • disclaimer — the scan is automated and not a legal compliance certification.
  • scanSchemaVersion — semver of the scan output schema; agents that cache results must revalidate on change.
  • X-Request-Id response header — pass it back on support requests to locate the exact call in our audit log.

Paginate with ?cursor=<last-id>&limit=<n>. Maximum limit is 100.

3. Let Claude call the API for you

The Anthropic Messages API can invoke Accessio.AI tools via mcp_servers. Your API key goes in authorization_token; Claude treats it as a Bearer token on the MCP transport.

curl https://api.anthropic.com/v1/messages \
  -H "x-api-key: $ANTHROPIC_API_KEY" \
  -H "anthropic-version: 2023-06-01" \
  -H "anthropic-beta: mcp-client-2025-11-20" \
  -H "content-type: application/json" \
  -d '{
    "model": "claude-opus-4-7",
    "max_tokens": 1024,
    "mcp_servers": [{
      "type": "url",
      "url": "https://mcp.accessio.ai",
      "name": "accessio",
      "authorization_token": "'"$ACCESSIO_API_KEY"'"
    }],
    "messages": [{
      "role": "user",
      "content": "List our 10 most recent accessibility scans and summarize the critical issues."
    }]
  }'

Tool surface (admin tier, Phase 1):

  • list_scans, get_scan, run_scan
  • list_alt_text, approve_alt_text, reject_alt_text
  • get_quota, list_embed_scripts

Each tool requires the scope shown in the .well-known/mcp.json server card at https://mcp.accessio.ai/.well-known/mcp.json.

4. Security notes

⚠️ Never paste your API key into a chat prompt. Keys go in environment variables on your server, in CI secrets, or in a secret manager. A key dropped into a Claude/ChatGPT conversation may be logged, cached, or trained on — treat it as leaked the moment it reaches a prompt.

  • Do not ship the key to a browser. The mcp_servers.authorization_token is a server-to-server secret. Use a backend proxy if your frontend needs scan data.
  • Rotate on leak. Revoke in the dashboard; Accessio supports a 30-day dual-active window so rotation does not break live Claude sessions.
  • Scope narrowly. Keys issued with only scans:read cannot invoke writes, even if Claude is tricked by a prompt-injected product title.
  • Rate limited. Each key is capped at 60 requests/minute per route in v1 (Phase 2 raises this and adds per-tool weights). Watch for 429 Rate limit exceeded and back off using the Retry-After header.
  • IP privacy. We coarsen client IPs (IPv4 → /24, IPv6 → /48) before they land in the audit log.
  • Audit log. Every tool call and REST call is recorded with principalId, organizationId, action, requestId, and a SHA-256 hash of the arguments. Raw arguments are never stored; audit rows are retained for 90 days by default.
  • Deprecation. When a route is scheduled for retirement we set Deprecation, Sunset, and Link: rel="successor-version" response headers per RFC 8594. Agents that cache responses must honor these.
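
The cursor pagination from step 2 and the 429 / Retry-After back-off from the rate-limit note above, combined in one client loop. This is an added example, not Accessio.AI code: the function names, the 5-retry budget, the 1-second default and the 60-second cap are assumptions, and only the delta-seconds form of Retry-After is parsed.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

BASE = "https://api.accessio.ai/v1"  # base URL given on the page
MAX_LIMIT = 100                      # "Maximum limit is 100"

def http_get(url, headers):
    """Real transport: (status, lower-cased response headers, JSON body)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, {k.lower(): v for k, v in r.headers.items()}, json.load(r)
    except urllib.error.HTTPError as e:  # 429 and other non-2xx land here
        return e.code, {k.lower(): v for k, v in e.headers.items()}, {}

def retry_delay(headers, default=1.0, cap=60.0):
    """Seconds to wait after a 429; only the delta-seconds form is parsed."""
    value = headers.get("retry-after", "").strip()
    return min(float(value), cap) if value.isdigit() else default

def list_all_scans(api_key, fetch=http_get, sleep=time.sleep, max_retries=5):
    """Follow metadata.nextCursor until it is null, backing off on 429."""
    scans, cursor, retries, schema = [], None, 0, None
    while True:
        query = {"limit": MAX_LIMIT}
        if cursor:
            query["cursor"] = cursor
        url = f"{BASE}/scans?{urllib.parse.urlencode(query)}"
        status, headers, body = fetch(url, {"X-API-Key": api_key})
        if status == 429:
            retries += 1
            if retries > max_retries:
                raise RuntimeError("rate limited: retries exhausted")
            sleep(retry_delay(headers))
            continue  # retry the same cursor, do not skip a page
        if status != 200 or not body.get("success"):
            raise RuntimeError(f"HTTP {status}, X-Request-Id {headers.get('x-request-id')}")
        if schema and body.get("scanSchemaVersion") != schema:
            raise RuntimeError("scanSchemaVersion changed mid-listing; revalidate")
        schema, retries = body.get("scanSchemaVersion"), 0
        scans.extend(body["data"])
        cursor = body["metadata"].get("nextCursor")
        if not cursor:
            return scans, schema
```

Call it server-side with the key read from the ACCESSIO_API_KEY environment variable; the fetch and sleep parameters exist so the loop can be exercised offline with a stub transport.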

OpenAPI spec
