@authpass.ai/mcp
v0.1.1
Model Context Protocol server for AuthPass — query findings and submit false-positive feedback from Claude Code.
A Model Context Protocol server for AuthPass. It lets you query AuthPass findings and submit false-positive feedback directly from Claude Code — no dashboard round-trips:
"Hey Claude, review the AuthPass findings on this PR and dismiss the false positives."
The server is a thin wrapper over the AuthPass REST API. Every call is authenticated with your Personal Access Token (PAT).
Tools
| Tool | What it does | REST endpoint |
|---|---|---|
| list_pr_findings(pr_url) | Open findings for a pull request URL | GET /api/v1/findings?pr_url=… |
| list_open_findings(repo?, severity?) | Open findings, optionally filtered by repo / severity | GET /api/v1/findings?… |
| submit_feedback(finding_id, verdict, reason_code, reason_detail?) | Record a triage verdict (e.g. mark a false positive) | POST /api/v1/findings/{id}/feedback |
| get_repo_context(repo) | The repo's .authpass/context.yaml (trust boundary, admin routes, compliance, dev-only paths) | GET /api/v1/repositories/{repo}/context |
| regenerate_context(repo) | Manually trigger context regeneration — scores two candidate contexts against existing findings and opens a PR with the better one | POST /api/v1/repositories/{repo}/context/regenerate |
verdict is one of false_positive, wont_fix, confirmed.
reason_code is required and is one of:
| code | meaning |
|---|---|
| out_of_scope | Code path doesn't run in prod (dev scripts, tests, examples) |
| compensating_control | Mitigated upstream (backend ABAC, WAF, IdP, gateway) |
| authorized_pattern | Intentional, permission-gated access (admin views, support tools) |
| compliance_required | The "violation" is mandated by FERPA/HIPAA/SOC2/etc. |
| other | Free-text only — use reason_detail to explain |
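Because a dismissal suppresses a security finding, it is worth checking the arguments an assistant proposes for `submit_feedback` before they are sent. The following is an added example, not code from the package: `checkFeedback` and `gateBatch` are hypothetical names, the finding ids are constructed, and requiring `reason_detail` for `other` is a local policy reading of the table above.

```javascript
// Added example: gate submit_feedback arguments proposed by an assistant.
// Enum values and the endpoint path are taken from the tables above.
const VERDICTS = new Set(["false_positive", "wont_fix", "confirmed"]);
const REASON_CODES = new Set([
  "out_of_scope", "compensating_control", "authorized_pattern",
  "compliance_required", "other",
]);

// Returns a list of problems; an empty list means the arguments are well-formed.
function checkFeedback({ finding_id, verdict, reason_code, reason_detail } = {}) {
  const errors = [];
  if (String(finding_id ?? "").trim() === "") errors.push("finding_id is required");
  if (!VERDICTS.has(verdict)) errors.push(`unknown verdict: ${verdict}`);
  if (reason_code == null) errors.push("reason_code is required");
  else if (!REASON_CODES.has(reason_code)) errors.push(`unknown reason_code: ${reason_code}`);
  // Assumption (local policy): "other" carries no meaning without free text.
  const detail = typeof reason_detail === "string" ? reason_detail.trim() : "";
  if (reason_code === "other" && detail === "") errors.push("reason_code other needs reason_detail");
  return errors;
}

// Split a batch into calls that may be submitted and items held for a human.
function gateBatch(proposals) {
  const accepted = [];
  const rejected = [];
  for (const p of proposals) {
    const errors = checkFeedback(p);
    if (errors.length > 0) {
      rejected.push({ finding_id: p.finding_id ?? null, errors });
      continue;
    }
    // Encode the id so model-supplied text cannot alter the request path.
    const id = encodeURIComponent(String(p.finding_id).trim());
    accepted.push({ method: "POST", path: `/api/v1/findings/${id}/feedback`, args: p });
  }
  return { accepted, rejected };
}

// Constructed sample batch.
const batch = [
  { finding_id: "f_101", verdict: "false_positive", reason_code: "out_of_scope" },
  { finding_id: "f_102", verdict: "false_positive", reason_code: "other" },
  { finding_id: "f_103", verdict: "dismissed", reason_code: "out_of_scope" },
];
console.log(JSON.stringify(gateBatch(batch), null, 2));
```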
Setup
1. Mint a Personal Access Token (PAT)
- Sign in to the AuthPass dashboard.
- Go to Settings → API.
- Click Create API key, give it a name (e.g. `claude-code-laptop`), and create it.
- Copy the token immediately — it starts with `ap_live_` and is shown only once. AuthPass stores only a hash; you cannot retrieve it later. (Tokens default to a 90-day expiry and can be revoked anytime from the same screen.)

Prefer the API? `POST /api/v1/api-keys` with your dashboard session returns the token once in its response.
2. Add the server to Claude Code
Add this to your Claude Code MCP config (`claude mcp add` or your `.mcp.json` / settings):

```json
{
  "mcpServers": {
    "authpass": {
      "command": "npx",
      "args": ["-y", "@authpass.ai/mcp"],
      "env": {
        "AUTHPASS_API_KEY": "ap_live_...",
        "AUTHPASS_API_URL": "https://api.authpass.ai"
      }
    }
  }
}
```

| Env var | Required | Default | Notes |
|---|---|---|---|
| AUTHPASS_API_KEY | yes | — | Your ap_live_… PAT. The server exits with a clear message if it's missing. |
| AUTHPASS_API_URL | no | https://api.authpass.ai | API base. You may include or omit the /api/v1 suffix — both work. |
`AUTHPASS_API_KEY` must live in the MCP server's `env` block (above), not in a `.env` file. Claude Code launches the MCP server as a subprocess and does not load `.env` files, so a key sitting in `.env` is never seen and every call fails with `Invalid API key`. Put it in the `env` block shown above, or export it in the shell that launches Claude Code (`export AUTHPASS_API_KEY=ap_live_…`) and reference it from the config — e.g. drop the `env` value and let the inherited shell environment provide it.

If the default URL doesn't reach your AuthPass instance, set `AUTHPASS_API_URL` explicitly. The default `https://api.authpass.ai` targets the hosted AuthPass API. Self-hosted or differently-routed deployments should point this at their own base (with or without the `/api/v1` suffix).

Restart Claude Code (or reload MCP servers). You should see the authpass
tools become available.
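
A pre-flight check for the configuration described in this step, as an added example that is not part of the package: it reports where the key comes from, flags a literal token in the config file (a leak if that file is ever committed), and normalizes the API base with or without `/api/v1`. `lintAuthpassServer`, `normalizeBaseUrl` and the issue labels are hypothetical names, and the HTTPS requirement is an assumed local policy.

```javascript
// Added example (not from the @authpass.ai/mcp source): lint the "authpass"
// entry of a parsed MCP config. Token values are constructed placeholders.
const TOKEN_PREFIX = "ap_live_"; // prefix stated in the README
const DEFAULT_URL = "https://api.authpass.ai";

// Accept the base with or without a trailing /api/v1 and return one form.
function normalizeBaseUrl(raw) {
  const url = new URL(raw || DEFAULT_URL);
  const path = url.pathname.replace(/\/+$/, "").replace(/\/api\/v1$/, "");
  return `${url.origin}${path}/api/v1`;
}

// shellEnv stands for the environment Claude Code was launched from.
function lintAuthpassServer(config, shellEnv = {}) {
  const server = config?.mcpServers?.authpass;
  if (!server) return { keySource: "none", apiBase: null, issues: ["no-authpass-server"] };

  const issues = [];
  const blockKey = server.env?.AUTHPASS_API_KEY;
  const key = blockKey || shellEnv.AUTHPASS_API_KEY;
  const keySource = blockKey ? "env-block" : key ? "shell" : "none";
  if (!key) issues.push("key-missing");
  else if (!String(key).startsWith(TOKEN_PREFIX)) issues.push("key-bad-prefix");
  // A literal token in the config file leaks if that file is committed.
  if (keySource === "env-block") issues.push("key-literal-in-config");

  let apiBase = null;
  try {
    apiBase = normalizeBaseUrl(server.env?.AUTHPASS_API_URL);
    // Assumption (local policy): the PAT is only ever sent over TLS.
    if (!apiBase.startsWith("https://")) issues.push("url-not-https");
  } catch {
    issues.push("url-invalid");
  }
  return { keySource, apiBase, issues };
}

// Constructed sample: the config shape shown above with a placeholder token.
const sample = {
  mcpServers: {
    authpass: {
      command: "npx",
      args: ["-y", "@authpass.ai/mcp"],
      env: { AUTHPASS_API_KEY: "ap_live_EXAMPLE", AUTHPASS_API_URL: "https://api.authpass.ai" },
    },
  },
};
console.log(lintAuthpassServer(sample));
```

In real use, pass the parsed `.mcp.json` as `config` and `process.env` as `shellEnv`.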
3. Sample prompts
Once configured, try:
Triage a PR:
"Use AuthPass to list the open findings on https://github.com/acme/web/pull/128, then explain which look like real issues versus false positives."
Dismiss false positives with rationale:
"These AuthPass findings are all in `tests/fixtures` and never run in prod. Submit `false_positive` feedback for each with reason_code `out_of_scope`."
Review a repo's posture before triaging:
"Show me the AuthPass context for `acme/web`, then list all open high-severity findings and flag any that contradict the repo's declared trust boundary."
Errors
If your PAT is invalid, expired, or revoked, tools return a clean error
message telling you to mint a new key under Settings → API — never a stack
trace. Network failures (wrong AUTHPASS_API_URL, no connectivity) report the
unreachable URL.
Development
```sh
npm install
npm run build   # compile TypeScript → dist/
npm test        # build + smoke test + integration test (mock API)
```

- `src/index.ts` — entry point; sets up the MCP server over stdio.
- `src/client.ts` — typed REST client wrapping the AuthPass API.
- `src/tools.ts` — the four tool definitions and handlers.
- `test/smoke.mjs` — drives the built server over stdio (initialize, tools/list, tools/call).
- `test/integration.mjs` — runs every tool against a local mock API and asserts each hits the right endpoint.
