# AgentBack > AgentBack is an AI-native API/MCP framework for TypeScript: REST endpoints, > MCP tools, OpenAPI 3.1 docs, typed clients, tests, and runtime validation > all share one Zod contract, on an ESM port of LoopBack 4's DI core. > Alpha. MIT. Source: https://github.com/ninemindai/agentback Every page below is the raw markdown the HTML docs are built from. The full corpus in one file: https://agentback.dev/llms-full.txt ## Start - [Documentation index](https://agentback.dev/docs/index.md): A TypeScript dependency-injection framework with HTTP (REST) and MCP servers that plug into the **same container** and validate against the **same Zod schemas**. This is the place to learn the ideas and build with them. ## Concepts - [Dependency injection](https://agentback.dev/docs/concepts/dependency-injection.md): The DI container is the foundation the entire framework stands on. REST and MCP are just two ways to expose bindings that live in it. Understand this layer and the rest of the framework becomes "bind a class, tag it, a server finds it." - [Schema-first decorators](https://agentback.dev/docs/concepts/schema-first-decorators.md): This is the idea that makes REST and MCP feel like the same framework: you attach a **Zod schema to a decorator**, and that one schema becomes the runtime validator, the TypeScript type of your handler's input, the OpenAPI/MCP contract, and the rendered docs. - [Components, servers & lifecycle](https://agentback.dev/docs/concepts/components-servers-lifecycle.md): A `Component` is the unit of reuse. It's a class that declares bindings to add to the application: controllers, providers, classes, servers, and lifecycle observers. Registering it with `app.component(C)` merges all of that into the container in one call. ## Guides - [Build a REST API](https://agentback.dev/docs/guides/build-a-rest-api.md): Build a Zod-validated REST service that auto-emits OpenAPI 3.1 and serves Swagger UI. By the end you'll have controllers, validation, dependency injection, auth, and a browsable spec. - [Build an MCP server](https://agentback.dev/docs/guides/build-an-mcp-server.md): Expose tools, resources, and prompts that an MCP client — Claude Desktop, the Vercel AI SDK, your own agent — can discover and call. It's the same decorator-on-a-class, schema-on-the-decorator shape as REST, so if you've read the REST guide this will feel familiar. - [Build a hybrid app](https://agentback.dev/docs/guides/build-a-hybrid-app.md): The payoff of "servers are components over one container": run a **REST API and an MCP server in the same process**, often backed by the **same Zod schemas and the same services**. One business rule, two surfaces — an HTTP endpoint for apps and an MCP tool for agents — with no duplicated logic. - [Composition & extensibility](https://agentback.dev/docs/guides/composition-and-extensibility.md): This is the guide that makes the "modular, extensible, composable" promise concrete. The framework gives you five tools, ordered here from "reach for first" to "deepest hook." Pick the lightest one that does the job. - [Testing](https://agentback.dev/docs/guides/testing.md): How to test an AgentBack application: the harness, the four client surfaces it hands you, and the conventions the workspace itself follows. - [Secure MCP over HTTP](https://agentback.dev/docs/guides/secure-mcp-over-http.md): The threat model in one paragraph: an unauthenticated `/mcp` lets anyone who can reach the port enumerate and call your tools; a browser-reachable one is additionally exposed to DNS-rebinding (a malicious web page POSTing JSON-RPC to `http://localhost`). The defenses below layer: transport auth decides _who_ is calling, `@authorize`/scopes decide _what they see and may call_, and the hardening options bound the blast radius. - [Deploy to production](https://agentback.dev/docs/guides/deploy-to-production.md): This guide takes an AgentBack service from `pnpm start` on a laptop to a container behind a load balancer: configuration, probes, metrics, tracing, graceful shutdown, and the multi-instance gotchas. ## Architecture - [Overview](https://agentback.dev/docs/architecture/overview.md): How the pieces fit, how a request flows, and how the packages layer. If you've read the concepts, this ties them together. - [Metering & payments](https://agentback.dev/docs/architecture/metering-and-payments.md): How every REST and MCP call gets **counted** (and attributed to a billable identity), and how the calls that must be paid for get **gated** or **billed**. Two small packages sit on top of the dispatch seams: ## Design - [Boundary coherence thesis](https://agentback.dev/docs/agent-ergonomics.md): **Status:** Draft, captures findings from the May 2026 redesign of `@agentback/{rest, mcp, openapi}`. **Audience:** Future contributors (human or AI) deciding what to add or change in this framework, and downstream users evaluating whether to adopt it for AI-led codebases. **Last revised:** 2026-05-21. - [Database story](https://agentback.dev/docs/db-story.md): **Status:** Drizzle recipe implemented; MCP Toolbox remains a follow-up proposal. **Audience:** Framework contributors evaluating the DB story, and downstream users picking an ORM. **Last revised:** 2026-06-10. **Related:** agent-ergonomics.md — the boundary-coherence thesis this builds on. ## Coding-agent skill - [SKILL.md](https://agentback.dev/skills/agentback/SKILL.md): teaches an agent the decorator patterns, slot-0 input bundle, DI, auth, and client conventions. Install: `npx skills add ninemindai/agentback` ## Blog - [Blog index](https://agentback.dev/blog/index.html): design notes — boundary coherence, errors agents can fix, tool-surface budgets, per-call pricing, schema-shared clients.