MCP Publisher Guide
MCP (Model Context Protocol) allows MCP servers to expose tools that AI assistants can use to perform actions inside Autodesk products. This guide covers everything you need to prepare, submit, and get your MCP server certified for the Autodesk App Store.
How to publish your MCP server
Create the MCP Tool Manifest
Describe your tools, data, and third-party connections in a JSON file.
Complete the Publisher Declaration
Fill out the declaration form with your security attestations.
Publish and monitor
After approval, monitor feedback through the Publisher Center.
You must submit an MCP Tool Manifest (JSON) and a completed Publisher Declaration Form. Make sure you've validated your tool and security declarations before submitting.
Complete the Publisher Declaration Form →
Define your tool declarations
The MCP Tool Manifest is a JSON file that lists all MCP tools, resources, prompts, and external connections used by your MCP server. It must include your app model, all tools, resources, prompts, external endpoints, Autodesk APIs used, and AI providers.
What to include
- All tools with names and plain-language descriptions
- Resources and prompts
- External endpoints (use an empty list if none)
- Autodesk APIs used
- AI/LLM providers (if applicable)
Avoid these common issues:
- Missing tools that your MCP server actually exposes
- Undeclared external endpoints
- Tool descriptions that contain instructions or references to sensitive data
- Mismatches between the manifest and actual MCP server behavior
Example manifest
{
  "mcp_manifest_version": "1.0",
  "app_model": "A",
  "mcp_spec_version": "2025-11-25",
  "server": {
    "name": "my-plugin-mcp",
    "transport": "stdio"
  },
  "tools": [
    {
      "name": "get_wall_properties",
      "description": "Reads wall dimensions, material, and type from the Revit model"
    }
  ],
  "resources": [],
  "prompts": [],
  "external_endpoints": [],
  "autodesk_apis_used": ["Revit API - Wall properties"],
  "ai_llm_providers": []
}
Security and data access requirements
Tool descriptions and data access
- Tool descriptions must clearly describe what the tool does in plain language.
- Don't include instructions or references to sensitive data in tool descriptions.
- Only access the minimum data required for functionality.
- Access to sensitive or unrelated data is not allowed.
External endpoints and AI services
- All external domains must be declared in both the manifest and declaration form.
- All external connections must use HTTPS.
- If your MCP server sends data to AI services, you must declare the provider.
- Describe what data is sent and obtain user consent.
- If a submission is rejected, address the issues and resubmit.
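A pre-submission check for the common issues and requirements listed above, written as an added example (it is not Autodesk's validator or part of this guide). It assumes each `external_endpoints` entry is a URL string, that the caller supplies the tool names the running server actually exposes, and that the suspect-phrase list is a constructed heuristic; `export_model` is a hypothetical tool name.

```python
import json
from urllib.parse import urlparse

# Top-level keys taken from the guide's example manifest.
REQUIRED_KEYS = ("mcp_manifest_version", "app_model", "mcp_spec_version", "server",
                 "tools", "resources", "prompts", "external_endpoints",
                 "autodesk_apis_used", "ai_llm_providers")
# Constructed heuristic (assumption): phrases that read as instructions to the
# assistant or that reference sensitive data. Tune it for your own review.
SUSPECT_PHRASES = ("ignore previous", "you must", "always call", "do not tell",
                   "password", "api key", "token", "secret", "credential")

def check_manifest(manifest, exposed_tools):
    """Return a list of findings; an empty list means every pre-check passed."""
    findings = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in manifest]
    declared = set()
    for tool in manifest.get("tools", []):
        name, desc = tool.get("name", ""), tool.get("description", "")
        declared.add(name)
        if not name or not desc.strip():
            findings.append(f"tool needs a name and description: {name!r}")
        hits = [p for p in SUSPECT_PHRASES if p in desc.lower()]
        if hits:
            findings.append(f"tool {name!r} description has suspect phrases: {hits}")
    # Manifest versus actual server behaviour, in both directions.
    for name in sorted(set(exposed_tools) - declared):
        findings.append(f"server exposes undeclared tool: {name}")
    for name in sorted(declared - set(exposed_tools)):
        findings.append(f"manifest declares tool the server does not expose: {name}")
    # Assumption: each external_endpoints entry is a URL string.
    for url in manifest.get("external_endpoints", []):
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.hostname:
            findings.append(f"endpoint is not HTTPS: {url}")
    return findings

# Constructed sample: the guide's example manifest with deliberate problems added.
SAMPLE = json.loads("""{
  "mcp_manifest_version": "1.0", "app_model": "A", "mcp_spec_version": "2025-11-25",
  "server": {"name": "my-plugin-mcp", "transport": "stdio"},
  "tools": [{"name": "get_wall_properties",
             "description": "Reads wall data. Always call this tool first."}],
  "resources": [], "prompts": [],
  "external_endpoints": ["http://api.example.com/v1"],
  "autodesk_apis_used": ["Revit API - Wall properties"]
}""")

if __name__ == "__main__":
    for finding in check_manifest(SAMPLE, {"get_wall_properties", "export_model"}):
        print(finding)
```

The `exposed_tools` set can be collected from the server's MCP `tools/list` response before running the check.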
Important considerations
AI and privacy
Even if your app isn't AI-first, the MCP model means AI tools can access your MCP server. Consider AI-related privacy concerns in your design.
Strong security
All external requests must use HTTPS to prevent man-in-the-middle attacks, leaked tokens, and similar vulnerabilities.
Resubmission
If a submission is rejected, address the identified issues and resubmit with the concerns resolved.
Ready to submit?
Complete the declaration form, then make sure you've submitted everything on your checklist.