MCP
A stateless Streamable HTTP server with scope-filtered tools for catalogs, quotes, orders, payments, shipments, results, raw instrument files, and webhooks.
Open the MCP guide →Use one customer-bound credential to discover the live catalog, lock server-priced quotes, place test orders, follow every sample, and retrieve only QA-published results. Choose REST for deterministic software integrations or MCP for AI agents.
A stateless Streamable HTTP server with scope-filtered tools for catalogs, quotes, orders, payments, shipments, results, raw instrument files, and webhooks.
Open the MCP guide →Versioned JSON endpoints backed by the same service layer, plus an OpenAPI 3.1 document for contract inspection and request planning.
Open the API guide →Order testing from a product, sync lab status, and attach published COAs to the exact mapped product without exposing a GSA credential to shoppers.
View the WooCommerce integration →Inspect the current machine-readable route and security contract directly. Monetary values are integer USD cents. Order, payment, and webhook mutations add operation-specific confirmation and idempotency controls.
Open the JSON specification →| Capability | REST | MCP tool |
|---|---|---|
| Live catalog | GET /catalog | gsa.catalog.list |
| Locked quote | POST /quotes | gsa.quote.create |
| Place an order | POST /orders | gsa.order.create |
| Published COA | GET /results/{reference} | gsa.result.get |
| Released raw data | GET /orders/{reference}/raw-data | gsa.order.raw_data.get |
Keys are bound to one GSA customer and can carry expiration, CIDR allowlists, exact scopes, per-order limits, and daily spending limits. Missing-scope MCP tools are hidden, and REST resources collapse absent, unpublished, and cross-customer lookups into the same response. Result reads expose only published COAs; raw-data reads add an explicit release preference and one-hour signed file manifests.
Safe default: create separate keys for production, staging, every AI agent, and every store. Start read-only, keep human approval enabled for mutations, and revoke a key immediately if it is ever pasted into a public issue, chat, or URL.
Email cs@goldstandardanalytics.com with the integration name and the least-privilege scopes you need. Do not send an API key or webhook secret by email.