Most MCP scanners only look at public endpoints. v1.1.0 lets MCP Trust Checker scan authenticated remote MCP servers — including the growing class of servers gated behind OAuth.
✨ New
--login— OAuth 2.0 browser sign-in. Point it at an auth-gated endpoint and it runs the whole MCP authorization flow for you: discovery → dynamic client registration → PKCE (S256) → loopback redirect → code-for-token exchange → an authenticated scan. Your browser opens, you sign in, the scan runs.mcptrustchecker scan https://api.example.com/mcp --login --scope mcp:tools
--header "Authorization: Bearer <token>" — static auth for endpoints you already hold a token for (repeatable).
mcptrustchecker scan https://api.example.com/mcp --header "Authorization: Bearer <token>"
🔒 Credential-safe by design
- Tokens stay in memory for the scan only — nothing is written to disk (no account, still local-first).
- Auth is contained to the target origin: the credential is stripped on any cross-origin redirect — different host, HTTPS→HTTP downgrade, or different port — so a malicious or misconfigured server can't bounce your token to another host. The SSRF guard runs on every request hop, and the loopback callback is CSRF-
stateprotected.
Install
npx mcptrustchecker@1.1.0
The deterministic, offline core is unchanged — live and authenticated scanning stay opt-in. MIT · https://mcptrustchecker.com