npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@codespar/mcp-legiti

v0.2.0-alpha.3

Published

MCP server for Legiti — Brazilian fraud prevention (ticketing + ecommerce), real-time order evaluation, chargeback feedback, and account/event/sale collection

Readme

@codespar/mcp-legiti

MCP server for Legiti — Brazilian fraud prevention, ticketing-native with a simple synchronous evaluation API.

Fourth entry in the CodeSpar fraud category, after @codespar/mcp-clearsale, @codespar/mcp-konduto, and @codespar/mcp-sift. Legiti (formerly Inspetor, São Paulo) occupies the mid-size BR tier: smaller public footprint than ClearSale, more vertical depth than Konduto for ticketing / events, and a simpler API surface than Sift.

Positioning

| | Strength | Typical fit | |----------------------|---------------------------------------------|-------------------------------------------| | ClearSale | BR pioneer (2001), large chargeback history | Default for large BR retail | | Konduto | BR, API-first, behavioral device intel | Digital-native BR ecommerce | | Legiti (this) | BR, ticketing-native, sync evaluation | BR ticketing marketplaces, mid-size retail| | Sift | Global, multi-abuse-type ML, workflows | International enterprise |

BR merchants frequently bundle 2-3 of these for best-of-breed scoring — Legiti for its ticketing-specific signals, ClearSale or Konduto for the generalist fraud layer, Sift for cross-border flows.

Tools (18)

| Tool | Purpose | |---|---| | evaluate_order | Submit an order to Legiti for real-time fraud evaluation via the v2 order endpoint. | | update_order | Notify Legiti of a status change on an existing order (e.g. | | mark_order_fraudulent | Report a confirmed chargeback / fraud outcome back to Legiti. | | evaluate_sale | Legacy single-shot sale evaluation via POST /evaluation. | | track_account | Notify Legiti of an account lifecycle event (created / updated / deleted). | | track_event | Notify Legiti of an Event (concert, show, match, session) lifecycle change. | | track_sale | Notify Legiti of a Sale state change (created / updated). | | track_auth | Notify Legiti of an authentication or password event (login attempt, logout, password recovery request, pas... | | track_login | Notify Legiti of a login attempt (successful or failed). | | track_logout | Notify Legiti of a logout event. | | track_signup | Notify Legiti of a new account creation. | | track_account_update | Notify Legiti of an account profile change (email, phone, CPF, address). | | track_password_recovery | Notify Legiti of a password recovery request (the 'forgot password' click). | | track_event_view | Notify Legiti that a user viewed an event/show page. | | track_payment | Notify Legiti of a payment-method-level event (authorization attempt, capture, refund, void). | | get_decision | Fetch the latest Legiti decision for an order. | | update_decision_status | Manually override Legiti's decision for an order — typically used to accept or decline a sale that landed i... | | mark_dispute_resolution | Report the outcome of a chargeback dispute back to Legiti — i.e. |

Install

npm install @codespar/mcp-legiti@alpha

Environment

LEGITI_API_KEY="eyJhbGciOi..."   # JWT bearer token; required
LEGITI_BASE_URL="..."             # optional; defaults to https://collection-prod.inspcdn.net

Authentication

Bearer token (JWT-format):

Authorization: Bearer <LEGITI_API_KEY>

Legiti issues separate sandbox and production keys. The sandbox key tags every request as test data so it does NOT train the ML model. Always develop and run integration tests with the sandbox key — hitting production with test data pollutes the model.

Decision values

evaluate_order and evaluate_sale return one of three decisions:

  • approve — ship it
  • reject — block the sale
  • manual — route to manual review

Evaluation is synchronous; the response may take up to ~20 seconds.

Typical flow (ticketing)

  1. At signup / login, call track_account (create/update) and track_auth (login/logout, password_recovery, password_reset). Every auth attempt — successful or failed — is valuable signal for account-takeover detection.
  2. When a new event (concert, show, match) is published on the platform, call track_event (create). Update on price/capacity/date changes.
  3. At checkout, call evaluate_order with the sale, account, payment, CPF, and the primary event_date_id. Act on the returned decision: approve → ship, reject → block, manual → human review.
  4. As the order progresses (paid, shipped, delivered, cancelled, refunded), call update_order.
  5. When a chargeback is confirmed by the issuer, call mark_order_fraudulent. This is Legiti's primary ML feedback channel — unreported chargebacks degrade future decision quality for similar buyers.

Typical flow (non-ticketing ecommerce)

Skip track_event. The event_date_id fields become optional in evaluate_order — Legiti will still evaluate on account + sale + payment signal, though ticketing-vertical features will be unused.

Alpha note

Shipped as 0.1.0-alpha.1. Legiti's public documentation is tighter than ClearSale's or Konduto's:

  • Documented in open-source github.com/legiti/docs-backend: POST /evaluation, plus the Collection API (account, event, sale, transfer, auth, password) shape and the Authorization: Bearer scheme.
  • Documented on docs.legiti.com integration guides: the v2 order family (POST /v2/order, PUT /v2/order, POST /v2/order/mark_fraudulent).
  • Dropped from the original category spec: create_rule / list_rules / update_rule / delete_rule — no public custom-rules surface exists on Legiti. If a customer contract exposes one, promote to 0.2.0.

Promote to 0.1.0 once the v2 order payload schema is confirmed in production.

Run

# stdio (default — for Claude Desktop, Cursor, etc)
npx @codespar/mcp-legiti

# HTTP (for server-to-server testing)
MCP_HTTP=true MCP_PORT=3000 npx @codespar/mcp-legiti

Category

fraud — fourth server in this CodeSpar category alongside ClearSale, Konduto, and Sift. Fraud servers share a common shape (analyze → decide → feedback) distinct from payments, which makes cross-provider swaps (ClearSale ↔ Konduto ↔ Legiti) more straightforward than cross-acquirer swaps.

Enterprise

Need governance, budget limits, and audit trails for agent payments? CodeSpar Enterprise adds policy engine, payment routing, and compliance templates on top of these MCP servers.

License

MIT