Initial Checks
Bug Description
We are testing the falcon-mcp (stdio) integration.
Facts:
- OAuth2 client-credentials flow succeeds (access_token returned from /oauth2/token)
- Using parent CID: confirmed by the API key settings
- Base URL: https://api.crowdstrike.com
- Minimal module set tested: detections only (even though I provisioned that and more)
- Environment vars passed explicitly (CLIENT_ID, CLIENT_SECRET, BASE_URL)
- Running via uvx in VS Code MCP
Problem happens in VS Code Insiders & Copilot CLI.
Result:
falcon-mcp exits at startup with:
"Failed to authenticate with the Falcon API"
This occurs AFTER token issuance, which suggests CID binding or backend entitlement validation rather than credential failure.
Question:
Is falcon-mcp expected to work with a parent CID, or does it require a child/member CID for API calls even when OAuth succeeds? I tested with and without CID and still fails.
Happy to provide logs or test patches if needed.
Steps to Reproduce
Environment
macOS
Visual Studio Code Insiders
GitHub Copilot enabled
MCP configured via user-level mcp.json opened using
MCP: Open User Configuration in VS Code Insiders
Falcon MCP executed via stdio using uvx
API Client Setup
CrowdStrike Falcon API client created internally by our organization administrators with read access (for example: alerts/detections read)
OAuth2 client‑credentials flow succeeds:
Calling the OAuth token endpoint returns a valid access_token
A parent CID is explicitly provided via the --member-cid argument (value intentionally omitted)
VS Code MCP Configuration
Falcon MCP is configured in VS Code Insiders mcp.json as follows
{
"servers": {
"falcon": {
"type": "stdio",
"command": "uvx",
"args": [
"falcon-mcp",
"--modules",
"detections",
"--member-cid",
""
],
"env": {
"FALCON_CLIENT_ID": "",
"FALCON_CLIENT_SECRET": "",
"FALCON_BASE_URL": "https://api.crowdstrike.com"
}
}
}
}
Steps
Open Copilot Chat in VS Code Insiders
Switch to Agent mode
Open Tools → MCP Servers
Click Start on the falcon MCP server
Observed Behavior
Falcon MCP initializes
Immediately exits with:
Failed to authenticate with the Falcon API
VS Code reports the MCP process exited with code 1
Additional Notes
OAuth token issuance succeeds independently using the same client credentials (a valid access_token is returned).
The failure occurs during falcon-mcp startup (after initialization), and the process exits with code 1.
We tested both with and without the --member-cid argument; the behavior is the same in both cases (startup fails with “Failed to authenticate with the Falcon API”).
The issue reproduces in two clients:
VS Code Insiders MCP (user-level mcp.json, stdio server executed via uvx)
Copilot CLI using the same credentials and the same stdio command
Reducing the configuration to a single module (for example detections) does not change the behavior; the server still fails at startup.
Environment variables are explicitly set (client ID, client secret, base URL) inside the MCP configuration and not inherited implicitly from the shell.
Installation Method
uvx run falcon-mcp
Environment Details
Operating System: macOS
Python version: 3.11
MCP Client(s) tested: Visual Studio Code Insiders (Copilot Chat, Agent mode, MCP configured via user-level mcp.json) GitHub Copilot CLI
MCP transport: stdio (local execution via uvx)
Falcon MCP execution method: uvx falcon-mcp
Falcon API region: us‑1
Enabled modules tested: detections only (single-module test)
Authentication method: OAuth2 client‑credentials (client ID / client secret via environment variables)
Error Logs (Optional)
2026-04-17 13:23:28.036 [info] Starting server falcon
2026-04-17 13:23:28.036 [info] Connection state: Starting
2026-04-17 13:23:28.036 [info] Starting server from LocalProcess extension host
2026-04-17 13:23:28.043 [info] Connection state: Starting
2026-04-17 13:23:28.043 [info] Connection state: Running
2026-04-17 13:23:30.292 [warning] [server stderr] Downloading pydantic-core (1.9MiB)
2026-04-17 13:23:30.723 [warning] [server stderr] Downloaded pydantic-core
2026-04-17 13:23:30.769 [warning] [server stderr] Installed 34 packages in 45ms
2026-04-17 13:23:33.045 [info] Waiting for server to respond to `initialize` request...
2026-04-17 13:23:33.708 [warning] [server stderr] 2026-04-17 13:23:33,707 - falcon_mcp.server - INFO - Initializing Falcon MCP Server
2026-04-17 13:23:34.405 [warning] [server stderr] 2026-04-17 13:23:34,404 - falcon_mcp.server - ERROR - Failed to authenticate with the Falcon API
2026-04-17 13:23:34.405 [warning] [server stderr] 2026-04-17 13:23:34,404 - falcon_mcp.server - ERROR - Runtime error: Failed to authenticate with the Falcon API
2026-04-17 13:23:34.485 [info] Connection state: Error Process exited with code 1
Additional Context (Optional)
No response
Initial Checks
Bug Description
We are testing the falcon-mcp (stdio) integration.
Facts:
Problem happens in VS Code Insiders & Copilot CLI.
Result:
falcon-mcp exits at startup with:
"Failed to authenticate with the Falcon API"
This occurs AFTER token issuance, which suggests CID binding or backend entitlement validation rather than credential failure.
Question:
Is falcon-mcp expected to work with a parent CID, or does it require a child/member CID for API calls even when OAuth succeeds? I tested with and without CID and still fails.
Happy to provide logs or test patches if needed.
Steps to Reproduce
Environment
macOS
Visual Studio Code Insiders
GitHub Copilot enabled
MCP configured via user-level mcp.json opened using
MCP: Open User Configuration in VS Code Insiders
Falcon MCP executed via stdio using uvx
API Client Setup
CrowdStrike Falcon API client created internally by our organization administrators with read access (for example: alerts/detections read)
OAuth2 client‑credentials flow succeeds:
Calling the OAuth token endpoint returns a valid access_token
A parent CID is explicitly provided via the --member-cid argument (value intentionally omitted)
VS Code MCP Configuration
Falcon MCP is configured in VS Code Insiders mcp.json as follows
{
"servers": {
"falcon": {
"type": "stdio",
"command": "uvx",
"args": [
"falcon-mcp",
"--modules",
"detections",
"--member-cid",
""
],
"env": {
"FALCON_CLIENT_ID": "",
"FALCON_CLIENT_SECRET": "",
"FALCON_BASE_URL": "https://api.crowdstrike.com"
}
}
}
}
Steps
Open Copilot Chat in VS Code Insiders
Switch to Agent mode
Open Tools → MCP Servers
Click Start on the falcon MCP server
Observed Behavior
Falcon MCP initializes
Immediately exits with:
Failed to authenticate with the Falcon API
VS Code reports the MCP process exited with code 1
Additional Notes
OAuth token issuance succeeds independently using the same client credentials (a valid access_token is returned).
The failure occurs during falcon-mcp startup (after initialization), and the process exits with code 1.
We tested both with and without the --member-cid argument; the behavior is the same in both cases (startup fails with “Failed to authenticate with the Falcon API”).
The issue reproduces in two clients:
VS Code Insiders MCP (user-level mcp.json, stdio server executed via uvx)
Copilot CLI using the same credentials and the same stdio command
Reducing the configuration to a single module (for example detections) does not change the behavior; the server still fails at startup.
Environment variables are explicitly set (client ID, client secret, base URL) inside the MCP configuration and not inherited implicitly from the shell.
Installation Method
uvx run falcon-mcp
Environment Details
Error Logs (Optional)
Additional Context (Optional)
No response