FlowZap MCP Server Documentation
π€ This documentation is optimized for LLM and AI Agent consumption
Version 1.3.5 | Last Updated: February 2026 | Security fixes: MCP SDK ReDoS, hono JWT/XSS, ajv ReDoS, qs DoS
Overview
The FlowZap MCP (Model Context Protocol) Server enables AI agents to create, validate, and share professional workflow diagrams using FlowZap Codeβa domain-specific language designed for machine-readable diagram generation.
What is FlowZap?
| Purpose | Convert text-based code into visual workflow diagrams |
| Optimized For | AI-first generation, agentic workflows (n8n, Make.com, Zapier) |
| Unique Feature | Triple-view rendering - same code renders as workflow, sequence, AND architecture diagrams |
| Sharing | Instant shareable URLs without authentication |
Security Guarantees
The FlowZap MCP Server implements enterprise-grade security measures to protect users:
Network Security
| Protection | Implementation |
|---|---|
| SSRF Prevention | Only connects to flowzap.xyz and www.flowzap.xyz via HTTPS |
| URL Validation | All returned URLs are verified to originate from FlowZap domains |
| Request Timeout | 30-second timeout prevents hanging connections |
Input Validation
| Limit | Value | Purpose |
|---|---|---|
| Max Code Length | 50,000 characters | Prevents memory exhaustion |
| Max Input Length | 100,000 characters | Protects against payload attacks |
| Null Byte Removal | Automatic | Prevents injection attacks |
| Control Character Sanitization | Automatic | Removes non-printable characters |
Rate Limiting
| Parameter | Value |
|---|---|
| Max Requests | 30 per minute |
| Window Duration | 60 seconds |
| Behavior | Returns retry-after time when exceeded |
Data Privacy
- No Authentication Required - Public endpoints only
- No User Data Stored - Playground sessions are ephemeral (60-minute TTL, non-guessable cryptographic tokens)
- No Tracking - No cookies or persistent identifiers
- Logs to stderr only - Security events never exposed to MCP clients
Available Tools
1. flowzap_get_syntax
Purpose: Retrieve complete FlowZap Code syntax documentation.
When to Use: Before generating any FlowZap Code, call this tool to learn the correct syntax.
Input Schema:
{
"type": "object",
"properties": {}
}Output: Complete syntax guide including global constraints, shape types, node syntax, edge syntax, loop syntax, and common mistakes to avoid.
2. flowzap_validate
Purpose: Validate FlowZap Code syntax before creating a diagram.
When to Use: Always validate code before calling flowzap_create_playground. This prevents errors and provides actionable feedback.
Input Schema:
{
"type": "object",
"properties": {
"code": {
"type": "string",
"description": "FlowZap Code to validate"
}
},
"required": ["code"]
}Success Output:
β
FlowZap Code is valid!
Stats:
- Lanes: 2
- Nodes: 5
- Edges: 4Failure Output:
β Validation failed:
- Line 3: Unknown shape "oval". Valid shapes: circle, rectangle, diamond, taskbox
- Line 5: Edge missing handle syntax. Use: n1.handle(right) -> n2.handle(left)3. flowzap_create_playground
Purpose: Create a shareable playground URL with the diagram.
When to Use: After validation passes, create a playground to give users an interactive diagram they can view and edit.
Input Schema:
{
"type": "object",
"properties": {
"code": {
"type": "string",
"description": "FlowZap Code to load in the playground"
},
"view": {
"type": "string",
"enum": ["workflow", "sequence", "architecture"],
"description": "Initial view mode. Default: workflow"
}
},
"required": ["code"]
}Output:
β
Playground created!
π **View your diagram:** https://flowzap.xyz/playground/abc123?view=architecture
The diagram is ready to view and edit. Share this link with anyone!View Modes:
| View | Best For |
|---|---|
| workflow | Step-by-step process flows (default) |
| sequence | Message exchanges between participants |
| architecture | System-level overview showing lanes as systems |
Important Notes:
- Automatically validates code before creating playground
- Returns validation errors if code is invalid
- Playground URLs expire after 60 minutes
- No authentication required to view
- Use
view="architecture"for system-level overview of multi-lane diagrams
Validation Rules Reference
The validator performs comprehensive validation checks across multiple categories. Understanding these helps generate valid code on the first attempt.
Error Codes (Block Diagram Creation)
| Code | Description | Fix |
|---|---|---|
| CONTAINS_EMOJI | Emoji characters detected | Use UTF-8 plain text only |
| NESTED_LANE | Lane defined inside another lane | Flatten lane structure |
| UNMATCHED_BRACE | Closing } without opening { | Check brace balance |
| UNCLOSED_BRACE | Missing closing } | Add closing brace |
| DUPLICATE_NODE_ID | Same node ID used twice | Use unique IDs: n1, n2, n3... |
| INVALID_SHAPE | Unknown shape type | Use: circle, rectangle, diamond, taskbox |
| MISSING_LABEL | Node without label (except taskbox) | Add label:"Text" |
| NODE_OUTSIDE_LANE | Node defined outside any lane | Move inside a lane block |
| MISSING_HANDLES | Edge without handle syntax | Use n1.handle(right) -> n2.handle(left) |
| INVALID_EDGE_SYNTAX | Malformed edge definition | Check arrow syntax -> |
| INVALID_DIRECTION | Unknown handle direction | Use: left, right, top, bottom |
| EDGE_OUTSIDE_LANE | Edge defined outside any lane | Move inside a lane block |
| UNDEFINED_LANE_REF | Cross-lane ref to non-existent lane | Check lane name spelling |
| INVALID_LOOP_SYNTAX | Malformed loop definition | Use loop [condition] n1 n2 |
| LOOP_OUTSIDE_LANE | Loop defined outside any lane | Move inside a lane block |
| MISPLACED_COMMENT | Comment in wrong location | Comments only after lane { |
| COMMENT_OUTSIDE_LANE | Comment outside any lane | Move inside lane after { |
| UNDEFINED_NODE | Edge references undefined node | Define node before referencing |
| NON_SEQUENTIAL_NUMBERING | Gap in node numbering | Use n1, n2, n3... sequentially |
| EMPTY_DIAGRAM | No nodes defined | Add at least one node |
| WRONG_DSL_FORMAT | Mermaid/PlantUML detected | Use FlowZap syntax only |
Warning Codes (Best Practice Violations)
| Code | Description | Recommendation |
|---|---|---|
| NON_PRINTABLE_CHARS | Control characters detected | Use plain text only |
| DUPLICATE_LANE | Same lane defined twice | Merge into single block |
| MISSING_LANE_LABEL | Lane without # Display Name | Add display label |
| NON_STANDARD_NODE_ID | ID not in n1, n2, n3 format | Use standard numbering |
| WRONG_LABEL_SYNTAX | label="Text" instead of label:"Text" | Use colon for node attributes |
| TASKBOX_MISSING_PROPS | Taskbox without owner/description | Add required properties |
| WRONG_EDGE_LABEL_SYNTAX | [label:"Text"] instead of [label="Text"] | Use equals for edge labels |
| LOOP_TOO_FEW_NODES | Loop with only 1 node | Include at least 2 nodes |
| ORPHAN_NODE | Node not connected to any edge | Connect or remove |
| UNKNOWN_ATTRIBUTE | Non-standard attribute used | Use: label, owner, description, system |
| LABEL_TOO_LONG | Label exceeds 50 characters | Keep labels concise |
FlowZap Code Syntax Quick Reference
Global Constraints
β UTF-8 plain text only (no emojis)
β Node IDs: n1, n2, n3... (globally unique, sequential, no gaps)
β Shapes: circle, rectangle, diamond, taskbox
β Attributes: label, owner, description, system
β Comments: Only "# Display Label" after lane opening brace
β No Mermaid, PlantUML, or other DSL syntaxBasic Structure
laneName {
# Lane Display Name
n1: circle label:"Start"
n2: rectangle label:"Process"
n1.handle(right) -> n2.handle(left)
}Shape Types
| Shape | Purpose | Example |
|---|---|---|
| circle | Start/End events | n1: circle label:"Start" |
| rectangle | Tasks/Activities | n2: rectangle label:"Process Order" |
| diamond | Decision gateways | n3: diamond label:"Valid?" |
| taskbox | Assigned tasks | n4: taskbox owner:"Alice" description:"Deploy" |
Edge Syntax
# Basic edge
n1.handle(right) -> n2.handle(left)
# Edge with label
n2.handle(bottom) -> n3.handle(top) [label="Yes"]
# Cross-lane edge (prefix with lane name)
n3.handle(right) -> fulfillment.n4.handle(left) [label="Send"]Handle Directions
| Direction | Position |
|---|---|
| left | Left side of node |
| right | Right side of node |
| top | Top of node |
| bottom | Bottom of node |
Loop Syntax
loop [retry up to 3 times] n1 n2 n3- Must be inside a lane block
- Cannot be nested
- Should reference at least 2 nodes
Complete Example
sales {
# Sales Team
n1: circle label:"Order Received"
n2: rectangle label:"Validate Order"
n3: diamond label:"Valid?"
n1.handle(right) -> n2.handle(left)
n2.handle(right) -> n3.handle(left)
n3.handle(right) -> fulfillment.n4.handle(left) [label="Yes"]
n3.handle(bottom) -> n6.handle(top) [label="No"]
n6: rectangle label:"Reject Order"
}
fulfillment {
# Fulfillment
n4: rectangle label:"Process Order"
n5: circle label:"Complete"
n4.handle(right) -> n5.handle(left)
}Recommended Workflow for AI Agents
- Step 1: Learn Syntax
{"name": "flowzap_get_syntax", "arguments": {}}} - Step 2: Generate Code
Based on user request, generate FlowZap Code following the syntax rules. - Step 3: Validate
{"name": "flowzap_validate", "arguments": {"code": "..."}} - Step 4: Fix Errors (if any)
Parse error messages and correct the code. - Step 5: Create Playground
{"name": "flowzap_create_playground", "arguments": {"code": "..."}} - Step 6: Present to User
Share the playground URL with the user.
Common Mistakes to Avoid
| Mistake | Incorrect | Correct |
|---|---|---|
| Lane comment on separate line | laneName { # Label | laneName { # Label |
| Abbreviated shapes | n1: rect | n1: rectangle |
| Missing handles | n1 -> n2 | n1.handle(right) -> n2.handle(left) |
| Wrong node attribute syntax | label="Text" | label:"Text" |
| Wrong edge label syntax | [label:"Text"] | [label="Text"] |
| Emojis in labels | label:"Start π" | label:"Start" |
| Unknown attributes | priority:"high" | (remove - not supported) |
| Non-sequential IDs | n1, n3, n5 | n1, n2, n3 |
| Undefined lane refs | undefined.n5 | Use actual lane name |
API Endpoints (Direct Access)
For agents that prefer direct HTTP calls instead of MCP:
POST /api/validate
URL: https://flowzap.xyz/api/validate
Rate Limit: 30 requests/minute per IP
Request:
{
"code": "process { # P n1: circle label:\"Start\" }"
}Response:
{
"valid": true,
"errors": [],
"warnings": [],
"stats": {
"lanes": 1,
"nodes": 1,
"edges": 0,
"loops": 0
}
}POST /api/playground/create
URL: https://flowzap.xyz/api/playground/create
Rate Limit: 5 requests/minute, 50/day per IP
Request:
{
"code": "process { # P n1: circle label:\"Start\" }"
}Response:
{
"url": "https://flowzap.xyz/playground?session=abc123"
}Installation
The FlowZap MCP Server works with any tool that supports the Model Context Protocol (MCP). Here is the complete list of compatible tools:
All Compatible Coding Tools
| Tool | How to Configure |
|---|---|
| Claude Desktop | Add to claude_desktop_config.json:macOS: ~/Library/Application Support/Claude/claude_desktop_config.jsonWindows: %APPDATA%\Claude\claude_desktop_config.json |
| Claude Code | Run: claude mcp add --transport stdio flowzap -- npx flowzap-mcp@1.3.5Or add to .mcp.json in your project root. |
| Cursor | Open Settings β Features β MCP Servers β Add Server. Use the same JSON config. |
| Windsurf IDE | Add to ~/.codeium/windsurf/mcp_config.json |
| OpenAI Codex | Add to ~/.codex/config.toml:[mcp_servers.flowzap]command = "npx"args = ["flowzap-mcp@1.3.5"]Or run: codex mcp add flowzap -- npx flowzap-mcp@1.3.5 |
| Warp Terminal | Settings β MCP Servers β Click "+ Add" β Paste the JSON config. |
| Zed Editor | Add to settings.json:{"context_servers": {"flowzap": {"command": "npx", "args": ["flowzap-mcp@1.3.5"]}}} |
| Cline (VS Code) | Open Cline sidebar β MCP Servers icon β Edit cline_mcp_settings.json |
| Roo Code (VS Code) | Add to .roo/mcp.json in project or global settings. |
| Continue.dev | Create .continue/mcpServers/flowzap.yaml with:name: FlowZapmcpServers: - name: flowzap command: npx args: ["flowzap-mcp@1.3.5"] |
| Sourcegraph Cody | Add to VS Code settings.json via openctx.providers configuration. |
Windows Users: If tools don't appear, use the absolute path: "command": "C:\\Program Files\\nodejs\\npx.cmd". Find your npx path with: where.exe npx
JSON Configuration
All tools use the same JSON configuration format:
{
"mcpServers": {
"flowzap": {
"command": "npx",
"args": ["flowzap-mcp@1.3.5"]
}
}
}Windows Users: If tools don't appear, use the absolute path: "command": "C:\\Program Files\\nodejs\\npx.cmd". Find your npx path with: where.exe npx
Support & Resources
- β’ Syntax Documentation: https://flowzap.xyz/flowzap-code
- β’ Interactive Playground: https://flowzap.xyz/playground
- β’ Template Library: https://flowzap.xyz/templates
- β’ Agent API: https://flowzap.xyz/docs/agent-api
- β’ npm Package: https://www.npmjs.com/package/flowzap-mcp
- β’ Agent Skill (skills.sh): https://skills.sh/flowzap-xyz/flowzap-mcp/flowzap-diagrams
- β’ Skill Source: https://github.com/flowzap-xyz/flowzap-mcp/tree/main/skills/flowzap-diagrams
Install as Agent Skill (40+ agents)
npx skills add flowzap-xyz/flowzap-mcpCompatible with: Claude Code, Cursor, Windsurf, Codex, Gemini CLI, GitHub Copilot, Cline, Roo Code, Augment, OpenCode, and more.
Version History
| Version | Date | Changes |
|---|---|---|
| 1.3.5 | Feb 2026 | Security fixes: MCP SDK ReDoS, hono JWT/XSS, ajv ReDoS, qs DoS vulnerabilities |
| 1.3.3 | Feb 2026 | All 7 tools wired, Architecture view mode |
| 1.3.0 | Feb 2026 | Added Architecture view mode, triple-view rendering |
| 1.2.0 | Jan 2026 | Added new validation rules, comprehensive test coverage |
| 1.1.0 | Dec 2025 | Security hardening, rate limiting |
| 1.0.0 | Nov 2025 | Initial release |
This documentation is optimized for LLM consumption. For human-readable guides, visit flowzap.xyz/flowzap-code