Connect AI assistants

Add TimeFlow to Claude, Cursor, Windsurf, or any MCP-aware AI client. Your assistant signs in with your TimeFlow account — no passwords or API keys.

What is MCP?

The Model Context Protocol is the emerging standard for letting AI assistants talk to tools and data sources. TimeFlow ships a remote MCP server so any compatible client can manage your tasks and projects from inside an AI conversation.

Install

Claude Code

claude mcp add --transport http timeflow https://www.usetimeflow.com/api/mcp

The first tool call opens a browser for OAuth. Approve once and the integration is live.

Cursor

Add this to your ~/.cursor/mcp.json(or create the file if it doesn’t exist):

{
  "mcpServers": {
    "timeflow": {
      "url": "https://www.usetimeflow.com/api/mcp"
    }
  }
}

Claude Desktop

Edit ~/Library/Application Support/Claude/claude_desktop_config.json on macOS (or the equivalent path on your OS):

{
  "mcpServers": {
    "timeflow": {
      "url": "https://www.usetimeflow.com/api/mcp",
      "transport": "http"
    }
  }
}

Windsurf, ChatGPT Desktop, and other clients

Use the same endpoint https://www.usetimeflow.com/api/mcp with whichever MCP transport setting your client exposes. The server speaks the standard Streamable HTTP transport and OAuth 2.1.

What your AI can do

  • List your tasks, filtered by status, project, or due date.
  • Create new tasks (with priority, deadlines, and time estimates).
  • Update existing tasks — including marking them complete.
  • Delete tasks you no longer want.
  • List your projects and their phases.

What your AI cannot do

  • Read or modify your calendar events or schedules.
  • Touch your habits, time tracker, or AutoScheduler settings.
  • See data outside the workspaces you belong to. RLS enforces this server-side, so even a compromised client can’t reach another user’s data.
  • Read your email, billing details, or anything outside TimeFlow.

Security

  • Authentication uses OAuth 2.1 with PKCE. Your AI client never sees your TimeFlow password.
  • Tokens are short-lived. Revoking access in Settings → Connected Apps cuts the AI off within seconds.
  • Every action runs as you. The audit trail in Settings → Privacy shows what changed.

Troubleshooting

Always use the www. prefix in the URL. The canonical resource is https://www.usetimeflow.com/api/mcp. Registering with the bare usetimeflow.com apex will fail with “Protected resource does not match expected” — OAuth 2.1 resource binding (RFC 8707) locks the identifier at registration time and refuses any later mismatch. The apex redirects to www in the browser, but strict OAuth clients won’t follow that for metadata discovery.

If the OAuth dance still fails, double-check your client supports Streamable HTTP transport (the current MCP wire format, spec dated 2025-06-18). Older clients that only speak the legacy SSE transport will not work — upgrade to a recent build.

Found a bug? Report it here.