{
  "info": {
    "name": "mcpsafe-prod",
    "_postman_id": "a1c5d6e7-2b3f-4d9a-c5e8-mcpsafeprod01",
    "description": "MCPSafe API \u2014 production environment (https://api.mcpsafe.io). Set the `api_key` collection variable to a key from /api-keys; default Authorization is Bearer {{api_key}}. Public read endpoints work without a key. See https://mcpsafe.io/docs/api for the full reference.",
    "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
  },
  "auth": {
    "type": "bearer",
    "bearer": [
      {
        "key": "token",
        "value": "{{api_key}}",
        "type": "string"
      }
    ]
  },
  "variable": [
    {
      "key": "base_url",
      "value": "https://api.mcpsafe.io",
      "type": "string"
    },
    {
      "key": "api_key",
      "value": "mcpsafe_REPLACE_ME",
      "type": "string",
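      "description": "Mint at https://mcpsafe.io/api-keys. Default scopes are scan:list + scan:get; add scan:submit only if you need the POST endpoint. Replace the mcpsafe_REPLACE_ME placeholder locally and keep the real key out of any exported, shared or committed copy of this collection."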
    },
    {
      "key": "scan_id",
      "value": "",
      "type": "string",
      "description": "Returned by POST /api/v1/scan; reused by the scan-read requests."
    }
  ],
  "item": [
    {
      "name": "Scans",
      "item": [
        {
          "name": "POST /api/v1/scan \u2014 submit a scan",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "url": {
              "raw": "{{base_url}}/api/v1/scan",
              "host": [
                "{{base_url}}"
              ],
              "path": [
                "api",
                "v1",
                "scan"
              ]
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"input\": \"@modelcontextprotocol/server-everything\",\n  \"mode\": \"fast\",\n  \"scan_visibility\": \"public\"\n}",
              "options": {
                "raw": {
                  "language": "json"
                }
              }
            },
            "description": "Submit a fast or deep scan. Required scope: scan:submit (or scan:write umbrella). Body fields:\n- input (required): npm:pkg, pypi:pkg, github URL, docker image, or MCP registry ID\n- mode: \"fast\" (default) or \"deep\" \u2014 deep includes LLM consensus\n- scan_visibility: \"public\" (default) or \"private\" \u2014 private requires a paid plan; the sample body submits as \"public\", so change it before scanning an input whose results should not be public\n- force_rescan: true to bypass cache (rate-limited 10/hr/user, 3/hr/repo)\n\nThe response contains scan_id; save it to the {{scan_id}} variable for the read requests below."
          },
          "response": []
        },
        {
          "name": "GET /scan/{id} \u2014 read scan result",
          "request": {
            "method": "GET",
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{base_url}}/scan/{{scan_id}}",
              "host": [
                "{{base_url}}"
              ],
              "path": [
                "scan",
                "{{scan_id}}"
              ]
            },
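            "description": "Fetch the cached ScanCacheItem by scan_id. Public \u2014 no auth required. This request is set to No Auth, so the collection's bearer token is not sent; if an Authorization header is supplied, the call counts toward the per-user aggregate cap."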
          },
          "response": []
        },
        {
          "name": "GET /scan/{id}/consensus \u2014 LLM judge panel",
          "request": {
            "method": "GET",
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{base_url}}/scan/{{scan_id}}/consensus",
              "host": [
                "{{base_url}}"
              ],
              "path": [
                "scan",
                "{{scan_id}}",
                "consensus"
              ]
            },
            "description": "Per-judge LLM consensus verdicts. Only populated for deep-mode scans. Public \u2014 no auth required."
          },
          "response": []
        },
        {
          "name": "GET /scan/{id}/stream \u2014 SSE progress stream",
          "request": {
            "method": "GET",
            "auth": {
              "type": "noauth"
            },
            "header": [
              {
                "key": "Accept",
                "value": "text/event-stream"
              }
            ],
            "url": {
              "raw": "{{base_url}}/scan/{{scan_id}}/stream",
              "host": [
                "{{base_url}}"
              ],
              "path": [
                "scan",
                "{{scan_id}}",
                "stream"
              ]
            },
            "description": "Server-Sent Events stream of scan progress. Postman's request runner doesn't keep SSE connections open well \u2014 use curl --no-buffer to test."
          },
          "response": []
        },
        {
          "name": "GET /api/v1/scans \u2014 list my scan history",
          "request": {
            "method": "GET",
            "url": {
              "raw": "{{base_url}}/api/v1/scans?limit=25",
              "host": [
                "{{base_url}}"
              ],
              "path": [
                "api",
                "v1",
                "scans"
              ],
              "query": [
                {
                  "key": "limit",
                  "value": "25"
                },
                {
                  "key": "cursor",
                  "value": "",
                  "disabled": true,
                  "description": "Opaque cursor from the previous response's next_cursor"
                }
              ]
            },
            "description": "Paginated list of the authenticated user's public scan submissions. Required scope: scan:list (or scan:read umbrella)."
          },
          "response": []
        },
        {
          "name": "GET /versions \u2014 package version history",
          "request": {
            "method": "GET",
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{base_url}}/versions?source=npm&package=@modelcontextprotocol/server-everything",
              "host": [
                "{{base_url}}"
              ],
              "path": [
                "versions"
              ],
              "query": [
                {
                  "key": "source",
                  "value": "npm"
                },
                {
                  "key": "package",
                  "value": "@modelcontextprotocol/server-everything"
                }
              ]
            },
            "description": "Returns each known version of a package alongside its scan summary if any."
          },
          "response": []
        }
      ]
    },
    {
      "name": "Registry",
      "item": [
        {
          "name": "GET /api/v1/registry \u2014 browse public registry",
          "request": {
            "method": "GET",
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{base_url}}/api/v1/registry?limit=20",
              "host": [
                "{{base_url}}"
              ],
              "path": [
                "api",
                "v1",
                "registry"
              ],
              "query": [
                {
                  "key": "limit",
                  "value": "20"
                },
                {
                  "key": "cursor",
                  "value": "",
                  "disabled": true
                },
                {
                  "key": "source",
                  "value": "",
                  "disabled": true,
                  "description": "Filter by ecosystem: npm | pypi | github | docker"
                }
              ]
            },
            "description": "Paginated browse of the public registry. No auth required. If a key is supplied, requests count toward the aggregate quota (registry:read scope)."
          },
          "response": []
        },
        {
          "name": "GET /api/v1/registry/{source}/{package} \u2014 single record",
          "request": {
            "method": "GET",
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{base_url}}/api/v1/registry/npm/@modelcontextprotocol/server-everything",
              "host": [
                "{{base_url}}"
              ],
              "path": [
                "api",
                "v1",
                "registry",
                "npm",
                "@modelcontextprotocol",
                "server-everything"
              ]
            },
            "description": "Detail view for a single registry entry. Public."
          },
          "response": []
        },
        {
          "name": "GET /api/v1/scans/recent \u2014 recent scans feed",
          "request": {
            "method": "GET",
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{base_url}}/api/v1/scans/recent?limit=10",
              "host": [
                "{{base_url}}"
              ],
              "path": [
                "api",
                "v1",
                "scans",
                "recent"
              ],
              "query": [
                {
                  "key": "limit",
                  "value": "10"
                }
              ]
            },
            "description": "Most-recently-completed public scans. Public."
          },
          "response": []
        },
        {
          "name": "GET /api/v1/rules/catalog \u2014 live rule catalog",
          "request": {
            "method": "GET",
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{base_url}}/api/v1/rules/catalog",
              "host": [
                "{{base_url}}"
              ],
              "path": [
                "api",
                "v1",
                "rules",
                "catalog"
              ]
            },
            "description": "Snapshot of mcp_rules_registry \u2014 every rule_id, version, severity, MCP-Top10 mapping, and shadow-mode status. Public."
          },
          "response": []
        }
      ]
    },
    {
      "name": "Stats & Compare",
      "item": [
        {
          "name": "GET /api/v1/stats \u2014 homepage counters",
          "request": {
            "method": "GET",
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{base_url}}/api/v1/stats",
              "host": [
                "{{base_url}}"
              ],
              "path": [
                "api",
                "v1",
                "stats"
              ]
            },
            "description": "Aggregate counters used by the homepage (servers scanned, rules live, etc.). Public."
          },
          "response": []
        },
        {
          "name": "GET /api/v1/stats/state-of-mcp \u2014 research dataset",
          "request": {
            "method": "GET",
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{base_url}}/api/v1/stats/state-of-mcp",
              "host": [
                "{{base_url}}"
              ],
              "path": [
                "api",
                "v1",
                "stats",
                "state-of-mcp"
              ]
            },
            "description": "Backing dataset for the State of MCP Security report. Public."
          },
          "response": []
        },
        {
          "name": "GET /api/v1/compare \u2014 side-by-side comparison",
          "request": {
            "method": "GET",
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{base_url}}/api/v1/compare?a=npm:@modelcontextprotocol/server-everything&b=npm:@modelcontextprotocol/server-github",
              "host": [
                "{{base_url}}"
              ],
              "path": [
                "api",
                "v1",
                "compare"
              ],
              "query": [
                {
                  "key": "a",
                  "value": "npm:@modelcontextprotocol/server-everything"
                },
                {
                  "key": "b",
                  "value": "npm:@modelcontextprotocol/server-github"
                }
              ]
            },
            "description": "Compare two packages' security posture. Public."
          },
          "response": []
        },
        {
          "name": "GET /api/v1/compare/recommendation \u2014 picker",
          "request": {
            "method": "GET",
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{base_url}}/api/v1/compare/recommendation?candidates=npm:@modelcontextprotocol/server-everything,npm:@modelcontextprotocol/server-github",
              "host": [
                "{{base_url}}"
              ],
              "path": [
                "api",
                "v1",
                "compare",
                "recommendation"
              ],
              "query": [
                {
                  "key": "candidates",
                  "value": "npm:@modelcontextprotocol/server-everything,npm:@modelcontextprotocol/server-github"
                }
              ]
            },
            "description": "Returns the recommended pick from a candidate list with a one-line rationale. Public."
          },
          "response": []
        }
      ]
    },
    {
      "name": "Status",
      "item": [
        {
          "name": "GET /status \u2014 health check",
          "request": {
            "method": "GET",
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{base_url}}/status",
              "host": [
                "{{base_url}}"
              ],
              "path": [
                "status"
              ]
            },
            "description": "Service health overview. Public."
          },
          "response": []
        }
      ]
    }
  ]
}
