Cal.com MCP server

This registry entry separates the three inspected Cal.com MCP surfaces:

Hosted remote

The hosted remote MCP endpoint is https://mcp.cal.com/mcp. It uses Streamable HTTP and OAuth 2.1. MCP clients connect directly to this URL and complete Cal.com authorization through the hosted service; no local package environment variables or API key are supplied to the hosted remote configuration.

Published npm package: @calcom/[email protected]

The reviewed package target is the published npm package @calcom/cal-mcp version 0.0.6. Its documented MCP client launch is represented as a pinned reviewed command:

npx @calcom/[email protected]

The package README requires Node.js >= 18, an MCP client, and a Cal.com API key. The package source only reads CAL_API_KEY from the environment and passes it as the Cal.com API Authorization header. By default, the package enables 9 core tools: getBooking, getBookings, createBooking, rescheduleBooking, cancelBooking, getEventTypes, getEventTypeById, updateEventType, and deleteEventType.

The package also documents optional --all-tools and -a flags. These are package arguments with includeInLaunch: false because they are optional and are not part of the default launch. When supplied, the package exposes the broader generated Cal.com OpenAPI tool set bundled in the npm tarball.

Source-built apps/mcp-server implementation

The source repository also contains a separate workspace package at apps/mcp-server named @calcom/mcp-server. That source-built implementation is not the published @calcom/[email protected] package target. It documents Node.js >= 22, Bun workspace build commands, dual stdio/http transports, self-hosted OAuth 2.1, source-only HTTP/OAuth environment variables, and 54 registered tools in the current README and register-tools.ts.

Source-only variables such as MCP_TRANSPORT, CAL_OAUTH_CLIENT_ID, CAL_OAUTH_CLIENT_SECRET, TOKEN_ENCRYPTION_KEY, MCP_SERVER_URL, DATABASE_URL, CAL_OAUTH_SCOPES, rate/session/proxy/CORS settings, and OPENAI_APPS_CHALLENGE_TOKEN are captured in sourceReview.environmentVariables as source-built/self-hosted evidence, but they are intentionally not included in the published npm package target metadata because @calcom/[email protected] does not read them.

The current upstream source default for CAL_OAUTH_SCOPES includes ORG_BOOKING_READ and TEAM_BOOKING_READ.

Limitations

Hosted mode requires an OAuth-capable remote MCP client. The published npm package requires a user-supplied Cal.com API key and defaults to the 9 core tools unless --all-tools or -a is supplied. The source-built apps/mcp-server implementation has separate build and deployment requirements and should not be treated as the same runtime as @calcom/[email protected].