Skip to content

v1.1.0 — Scan OAuth-protected remote MCP servers

Latest

Choose a tag to compare

@illiahaidar illiahaidar released this 13 Jul 19:14

Most MCP scanners only look at public endpoints. v1.1.0 lets MCP Trust Checker scan authenticated remote MCP servers — including the growing class of servers gated behind OAuth.

✨ New

  • --login — OAuth 2.0 browser sign-in. Point it at an auth-gated endpoint and it runs the whole MCP authorization flow for you: discovery → dynamic client registration → PKCE (S256) → loopback redirect → code-for-token exchange → an authenticated scan. Your browser opens, you sign in, the scan runs.
    mcptrustchecker scan https://api.example.com/mcp --login --scope mcp:tools
    

--header "Authorization: Bearer <token>" — static auth for endpoints you already hold a token for (repeatable).

mcptrustchecker scan https://api.example.com/mcp --header "Authorization: Bearer <token>"

🔒 Credential-safe by design

  • Tokens stay in memory for the scan only — nothing is written to disk (no account, still local-first).
  • Auth is contained to the target origin: the credential is stripped on any cross-origin redirect — different host, HTTPS→HTTP downgrade, or different port — so a malicious or misconfigured server can't bounce your token to another host. The SSRF guard runs on every request hop, and the loopback callback is CSRF-state protected.
    Install
npx mcptrustchecker@1.1.0

The deterministic, offline core is unchanged — live and authenticated scanning stay opt-in. MIT · https://mcptrustchecker.com