Documentation

Everything you need to put Brewale on tap for your AI agents. Brew Ale — Brew Context.

Quick Start

Five easy pours from empty glass to agents on tap.

1

Sign up & create an organization

Create an account and set up your first organization. Organizations are the top-level container for all your skills, conventions, and API keys.

2

Connect your GitHub repository

Go to Settings → GitHub and install the Brewale GitHub App on your repository. This is where you manage your skills and conventions as code.

3

Add skills and conventions to your repo

Create a conventions.md file and a skills/ directory in your repository. Push to your default branch and Brewale syncs automatically.

4

Connect your AI agent

Add the Brewale MCP server to your agent's configuration. OAuth 2.1 is the preferred flow — supported clients (Claude Code, etc.) open a browser to sign in and authorize access, no token copy-paste required. If your client doesn't support OAuth, generate an API key in Settings → Tokens and send it as a Bearer header instead.

5

You're on tap

Your agent will automatically fetch conventions at session start and pull in skills on demand as it works.

Quick Setup — npx brewale

One command connects your coding agents to Brewale. It detects Claude Code, the OpenAI Codex CLI, Cursor, VS Code, and Zed, writes the MCP server config for each (OAuth 2.1 by default, or an API token), and — with separate consent — adds a conventions block to your CLAUDE.md / AGENTS.md so agents consult Brewale automatically.

npx brewale@latest

Nothing is written without showing you the exact change first, and re-running is idempotent. npx brewale status gives a read-only health report of your setup, and npx brewale uninstall removes everything it added.

Prefer manual setup?

The per-agent configuration below (Claude Code, Other Clients) remains fully supported — the CLI just automates it.

Connecting to the MCP Server

The Model Context Protocol (MCP) is an open standard that lets AI agents access external tools and data. Brewale runs an MCP server that pulls your org's skills and conventions from the cellar and serves them to any MCP-compatible client—no flat context here.

The server supports Streamable HTTP transport. Your agent connects by making HTTP requests to your server's /mcp endpoint and authenticates with either OAuth 2.1 (preferred) or an API key Bearer token. See below for details.

Available MCP tools

  • get_conventions — Returns all published conventions for your organization
  • list_skills — Lists all published skills with slugs and descriptions
  • get_skill — Fetches the full content of a specific skill by slug

Authentication

The MCP server accepts two forms of credentials on the Authorization header. OAuth 2.1 is the preferred method — it gives each agent a short-lived, scoped access token tied to a real user session, with refresh and revocation handled by the server. API keys remain supported for clients that don't speak OAuth or for scripted / headless setups.

OAuth 2.1 (preferred)

Brewale advertises an OAuth 2.1 authorization server at /.well-known/oauth-protected-resource and supports Dynamic Client Registration (RFC 7591), so MCP-native clients can self-onboard from just the server URL — no manual client ID / secret setup. The typical flow:

  1. Agent makes a request to /mcp without credentials and gets a 401 with a WWW-Authenticate challenge.
  2. Client registers dynamically, then opens the authorization URL in your browser.
  3. You sign in, pick the organization, and grant consent.
  4. Client exchanges the authorization code for an access token and (with offline_access) a refresh token.
  5. Agent sends the JWT as Authorization: Bearer <jwt> on every subsequent request. The server validates it against the JWKS.

Supported scopes: mcp:read (default) and offline_access (refresh tokens).

Best for

Claude Code and other MCP clients with OAuth support. You never copy a long-lived token around, and tokens are user-scoped.

API key (Bearer token)

For clients without OAuth support — CI scripts, older IDE plugins, quick local tests — generate an API key in Settings → Tokens and send it on the Authorization header:

Authorization: Bearer lore-mcp_your-api-key

Keys are prefixed with lore-mcp_, hashed at rest, scoped to one organization, and can be revoked at any time. See below.

Generating API Keys

API keys authenticate your AI agents with the MCP server when OAuth isn't an option. Each key is scoped to your organization.

  1. Navigate to Settings → Tokens in the web app
  2. Click Create Token, give it a name, and optionally set an expiration time
  3. Copy the token immediately — it's only displayed once

Important: Tokens are hashed before storage. If you lose a token, you'll need to revoke it and generate a new one. Tokens are prefixed with lore-mcp_ for easy identification.

Service Accounts

Service accounts are machine identities for agents that run without a human in the loop — CI pipelines, scheduled jobs, or shared automation. Instead of tying an MCP connection to a person's session, the agent authenticates as the account, so its activity is attributed to the account rather than to you.

Manage them under Settings → Service Accounts. Click Create Service Account, give it a name and optional description, and choose its visibility:

  • Private — only you can manage it.
  • Org-wide — admins manage it on behalf of the organization.

Each account has its own detail page where you can mint bearer tokens (with an optional expiry), grant access to custom MCP integrations, review its usage analytics, and see an authentication log of who acted as the account and how. Revoking the account disables all of its access at once.

Authenticating as a service account

Agents authenticate either with a bearer token issued by the account, or via OAuth on behalf of the account. Service accounts don't consume a member seat.

Connecting with Claude Code

Add Brewale to your Claude Code configuration. You can configure it globally or per-project.

OAuth 2.1 (preferred)

Claude Code handles the OAuth handshake automatically — just point it at the server and sign in when the browser opens.

Global config (~/.claude.json) or project config (.mcp.json):

{
  "mcpServers": {
    "brewale": {
      "type": "http",
      "url": "https://mcp.brewale.dev/mcp"
    }
  }
}

API key (Bearer token)

If you'd rather use a long-lived API key — for headless setups, shared machines, or clients where OAuth is inconvenient:

{
  "mcpServers": {
    "brewale": {
      "type": "http",
      "url": "https://mcp.brewale.dev/mcp",
      "headers": {
        "Authorization": "Bearer lore-mcp_your-api-key"
      }
    }
  }
}

Replace lore-mcp_your-api-key with your actual API key from Settings → Tokens.

Verify the connection

Start a new Claude Code session. Claude should automatically call get_conventions at the beginning of the session. You can also ask Claude to list your skills to confirm everything is working.

Connecting with Other MCP Clients

Any MCP client that supports Streamable HTTP transport can connect to Brewale.

OAuth 2.1 (preferred)

Clients with OAuth support only need the server URL — they discover the authorization server via /.well-known/oauth-protected-resource and register dynamically.

Server URL:  https://mcp.brewale.dev/mcp
Transport:   Streamable HTTP (POST)
Auth:        OAuth 2.1 (discovered via /.well-known/oauth-protected-resource)

API key (Bearer token)

For clients without OAuth support:

Server URL:  https://mcp.brewale.dev/mcp
Transport:   Streamable HTTP (POST)
Auth Header: Authorization: Bearer lore-mcp_your-api-key

Consult your MCP client's documentation for the specific configuration format. The URL must point to the /mcp endpoint either way.

Custom MCP Integrations

Beyond skills and conventions, Brewale can proxy your own MCP servers to your agents — so a single connection to Brewale also exposes the tools of any third-party or in-house MCP server you add. An admin first enables the feature under Settings → Custom MCP.

Adding an integration

Click Add integration and configure:

  • Name & slug — the slug (2–32 chars, lowercase) identifies the server's tools to agents.
  • Server URL — the remote MCP endpoint Brewale connects to.
  • Auth typeBearer token, OAuth (DCR), or No auth.
  • Auth mode — shared org credentials, or per-member (each member supplies their own). OAuth is always per-member.
  • Access control — a single org-wide ACL, or a per-user ACL with optional read/write/delete ceilings.

Integrations start as a draft. Once published, Brewale discovers the server's tools and lists them in a table where you can toggle individual tools on or off and review their read / write / delete classification.

OAuth integrations require DCR

The OAuth (DCR) auth type currently supports only MCP servers that implement Dynamic Client Registration (RFC 7591) — Brewale registers a client automatically during the handshake. Servers that require a manually pre-provisioned client ID / secret aren't supported yet; use a bearer token for those. OAuth is per-member: each member authorizes individually and their tokens are stored encrypted, so OAuth integrations can't be delegated to a service account.

Skills

Skills are reusable knowledge documents that your AI agents can fetch on demand. They typically describe patterns, workflows, or domain-specific instructions — for example, how to write tests in your project, how to structure API endpoints, or how to use a specific library.

Managing skills

Skills are managed as files in your connected GitHub repository. Each skill lives in its own directory under skills/ as a SKILL.md file with YAML frontmatter. When you push to your default branch, Brewale automatically syncs the changes.

The web UI lets you browse skills, view their content, see version history, and control their publish status — but all editing happens in your repository.

How agents use skills

When an agent connects, the MCP server lists all available skills with their slugs and descriptions. The agent calls list_skills to see what's available, then get_skill("slug") to fetch the full content of a relevant skill. Skills are fetched on demand — the agent decides which ones are relevant to the current task.

Enabling skills per user

On the Skills page each published skill has an Enabled for me toggle. This controls whether that skill is offered to your own agent sessions — it's a personal preference, not an org-wide publish state. Turning a skill off for yourself doesn't affect teammates.

Skill categories

Skills can be organized with a category field in their frontmatter. Available categories: code_style, testing, architecture, git_workflow, security, performance, api_design, documentation, devops, other.

Agent-authored Skills

Agents don't just consume skills — they can write them. From an MCP session an agent can call create_skill to draft a new skill or update_skill to propose changes to an existing one. Nothing reaches your agents automatically; every proposal goes through review first.

The review flow

  1. Proposed — the agent submits a draft. It appears under Skills → Proposals, visible only to the proposer and any invited reviewers.
  2. Review — open the proposal to see the rendered content and, for edits, a diff against the current version. Invite other members to review from the proposal page.
  3. Approve & publish — approving commits the skill to your connected GitHub repository and publishes it to all agents in one step. Reject discards the draft instead.

GitHub required to publish. Because approval writes the skill back to your repo (GitHub stays the source of truth), the Approve & publish action is unavailable until a repository is connected under Settings → GitHub.

Conventions

Conventions are your organization's coding standards and rules. Unlike skills, conventions are automatically loaded at the start of every agent session — the agent doesn't need to decide whether to fetch them.

Conventions are managed as a single conventions.md file in the root of your configured base path in your GitHub repository. Use conventions for things that should always apply: naming conventions, commit message formats, code review criteria, architectural rules, or language-specific style guides.

Skills vs Conventions

  • Conventions — always loaded, apply to every task (e.g., "use camelCase", "write tests for all new code")
  • Skills — fetched on demand, context-specific (e.g., "how to set up a new API endpoint", "database migration guide")

Agent-authored Conventions

Just like skills, agents can propose conventions. From an MCP session an agent can call create_convention to draft a new convention or update_convention to propose changes to an existing one (including your root conventions.md). Nothing reaches your agents automatically; every proposal goes through review first. Agents can call convention_authoring_guide for the authoring rubric.

The review flow

  1. Proposed — the agent submits a draft. It appears under Conventions → Proposals, visible only to the proposer and any invited reviewers.
  2. Review — open the proposal to see the rendered content and, for edits, a diff against the current version. Invite other members to review from the proposal page.
  3. Approve & publish — approving commits the convention to your connected GitHub repository (the root conventions.md, or conventions/<slug>.md for a named convention) and publishes it to all agents in one step. Reject discards the draft instead.

GitHub required to publish. Because approval writes the convention back to your repo (GitHub stays the source of truth), the Approve & publish action is unavailable until a repository is connected under Settings → GitHub.

Projects

Projects scope which skills and conventions an agent receives to the repository it is working in. A project is a key shaped like owner/repo that skills and conventions get attached to. Enable Projects from Settings → Organization.

Scope frontmatter

Each skill and convention declares a scope in its git frontmatter — either general (the default) or project. A general item is served to every agent. A project item is served only to agents working in a project it is attached to. Scope lives in git — the web UI only records which projects a scope: project item is attached to.

Connecting a project

Set the project on your MCP connection with a ?project_id=owner/repo query parameter, so every call from that connection is scoped to it. Any single tool call may also pass a project_id to override the connection value for that call.

Registering & finding projects

Agents can create a project over MCP with the register_project tool (idempotent on the key), and discover existing project keys with search_projects. You can also create, rename, and delete projects from the Projects page in the web app.

Projects only filter what is served

  • On, no project — agents receive general items only.
  • On, with a project — agents receive general items plus the items attached to that project.
  • Off — every item is served to every agent, exactly as before.

Turning Projects on or off never changes or deletes any skill or convention — it only changes what the server sends.

Publishing & Unpublishing

When you push changes to your GitHub repository, Brewale syncs the content and automatically publishes the new version. Agents only see published content.

How it works

  1. Sync — Push to your default branch and Brewale automatically picks up the changes via webhook. Each sync creates a new version linked to the commit SHA.
  2. Auto-publish — New versions from GitHub sync are published automatically. The MCP server's in-memory cache updates instantly — agents see the new content immediately.
  3. Unpublish — From the web UI, you can unpublish a skill or convention to remove it from agent access without deleting it. You can republish later.

Version history

Every sync creates a version snapshot linked to the Git commit. You can view previous versions and their content in the version history panel on each skill or convention's detail page.

GitHub Integration

GitHub is the source of truth for all your skills and conventions. Brewale syncs content from your repository automatically on every push to your default branch.

You own your skills

Every skill and convention is a plain markdown file that lives in your GitHub repository — Brewale only ever reads from and writes back to it. Even skills authored by agents land in your repo on approval. Nothing is locked inside Brewale: your content is versioned in Git, portable, and yours to keep if you ever stop using us.

Connecting a repository

  1. Go to Settings → GitHub (admin only)
  2. Click Connect GitHub Repository to install the Brewale GitHub App
  3. Select the repository you want to connect
  4. Brewale runs an initial sync to import all existing skills and conventions

Base path

By default, Brewale looks for files at the root of your repository. If your skills and conventions live in a subdirectory (e.g., .brewale or docs/ai), set the base path in the GitHub settings. Changing the base path triggers a full re-sync.

Manual sync

You can trigger a manual sync at any time from Settings → GitHub using the Sync Now button. This does a full repository sync regardless of what has changed. The sync history table shows the status, commit SHA, and any errors for each sync.

How syncing works

  • Push events — Brewale receives a webhook on each push to your default branch and processes only the changed files (incremental sync).
  • New/modified files — If the content differs from the current version, a new version is created and published automatically.
  • Deleted files — Removing a skill file from your repo unpublishes it in Brewale (the history is preserved).
  • No-op on unchanged content — If a file is touched but the content is identical, no new version is created.

Repository Structure

Brewale expects the following file structure in your connected repository, relative to the configured base path:

<base-path>/
├── conventions.md
└── skills/
    ├── code-style/
    │   └── SKILL.md
    ├── testing/
    │   └── SKILL.md
    └── api-patterns/
        └── SKILL.md

conventions.md

A single markdown file at the base path root. Its content is returned in full when an agent calls get_conventions. No frontmatter required — just write your conventions in markdown.

skills/{slug}/SKILL.md

Each skill lives in its own directory under skills/. The directory name becomes the skill's slug. Each SKILL.md file uses YAML frontmatter followed by the skill content:

---
name: "Code Style Guide"
description: "TypeScript naming conventions and formatting rules"
category: "code_style"
---

Your skill content in markdown...

Frontmatter fields: name (optional — defaults to the slug), description (optional), and category (optional — defaults to "other"). All three are extracted from YAML frontmatter between --- delimiters.

Analytics

The Analytics page shows how your agents are actually using Brewale over the last 30 days — so you can see which skills earn their keep and spot the gaps worth filling.

The overview includes:

  • Summary cards — total calls, convention reads, skill lookups, and skill listings.
  • Calls over time — a 30-day trend.
  • Top skills — your most-called skills, ranked.
  • Developer activity — a per-member table (service accounts included) with call counts and last-seen times.

Click any member to drill into their own usage, including recent calls. Every call an agent makes — get_conventions, list_skills, and get_skill — is counted here.

Roles & Permissions

Organizations use role-based access control with two roles:

Admin

  • Publish and unpublish skills & conventions
  • Create and revoke API tokens
  • Connect and configure GitHub integration
  • Invite and remove members
  • Change member roles
  • Manage organization settings

Member

  • View skills, conventions, and their version history
  • Publish and unpublish skills & conventions
  • View organization settings

Account & Security

Your Account page is global — it lives outside any organization and manages your personal sign-in and security. Everything here is self-service: you don't need an admin to lock down your own account.

Two-factor authentication

Enable two-factor authentication to require a code from a TOTP authenticator app at sign-in. Click Enable two-factor, confirm your password, scan the QR code (or enter the key manually), then verify a code to activate. You'll be given a set of backup codes — save or download them, as they're your way back in if you lose the device. You can regenerate backup codes or disable 2FA later; both are password-gated.

Sign-in methods

Sign in with email and password or with Google. From the account page you can link or unlink Google to your existing account. If you signed up with Google only and want a password too, set one via the forgot-password flow.

Revoking access

  • Disconnect all MCP clients — revokes the OAuth tokens your agents (Claude Code, etc.) use. Each client must re-authorize to reconnect. This takes effect immediately. API keys are managed separately on the Tokens page.
  • Sign out everywhere — ends every dashboard session, including the one you're using now.

OAuth access tokens are short-lived (refreshed automatically), so revocation propagates quickly across your agents.

Billing & Plans

Brewale is billed per member seat. Every organization gets a 14-day free trial — no card required — and the trial clock starts on your first MCP call, not at signup, so you don't burn days while setting things up.

Admins manage billing under Settings → Billing, which shows your trial status, current plan, seat count, and renewal date. Subscribe or open the customer portal to update payment details and cancel — checkout and subscription management are handled by Polar.

Seats adjust automatically. As members join or leave your organization, your seat count — and your bill — follows along. There's no manual seat management. See brewale.dev/pricing for current rates.

FAQ & Troubleshooting

My agent can't connect to the MCP server

Ensure the URL points to the /mcp endpoint and includes the correct protocol (https://). If using OAuth, make sure your client supports Dynamic Client Registration and that your browser can reach the sign-in page. If using an API key, verify it hasn't been revoked and the Authorization header format is Bearer lore-mcp_....

Should I use OAuth or an API key?

Use OAuth whenever your client supports it — tokens are short-lived, user-scoped, and tied to your session, so there's nothing to leak or rotate manually. Reach for an API key for headless automation, CI jobs, or clients that don't speak OAuth.

My skill isn't showing up for agents

Skills must be published to be visible to agents. After pushing to GitHub, check the skill's detail page in the web UI to confirm it shows as published. If the sync failed, check Settings → GitHub for error details and use the "Sync Now" button to retry.

Changes I pushed aren't showing up

Automatic sync only processes pushes to the default branch. Check that you pushed to the correct branch and that the file paths match the expected structure (conventions.md and skills/{slug}/SKILL.md). You can also check the sync history in Settings → GitHub for error details.

I lost my API key

API keys are only shown once when created and are stored as hashes. Revoke the old key in Settings → Tokens, generate a new one, and update your agent configuration.

Conventions aren't loading at session start

The MCP server instructs agents to call get_conventions at session start, but the agent ultimately decides whether to follow this instruction. If using Claude Code, ensure the MCP server is properly configured in your .mcp.json or ~/.claude/mcp.json.

Can I use Brewale with multiple organizations?

Yes. Each organization has its own skills, conventions, GitHub connection, and API keys. You can switch between organizations using the org switcher in the nav bar. Each agent connection uses a key scoped to one organization.