ClickUp-MCP-Server
Verified Safeby Polaralias
Overview
A Model Context Protocol (MCP) server for the ClickUp API, enabling AI agents to interact with a ClickUp workspace for task and project management.
Installation
docker-compose up -d --buildEnvironment Variables
- MASTER_KEY
- POSTGRES_PASSWORD
- PORT
- BASE_URL
- API_KEY_MODE
- MCP_API_KEY
- MCP_API_KEYS
- REDIRECT_URI_ALLOWLIST
- REDIRECT_URI_ALLOWLIST_MODE
- NODE_ENV
Security Notes
The codebase demonstrates strong security practices. It explicitly requires a `MASTER_KEY` environment variable for encryption of sensitive data (like ClickUp API keys), and validates it during startup, even refusing to start in production with insecure values. OAuth flows implement PKCE (Proof Key for Code Exchange) and enforce a configurable `REDIRECT_URI_ALLOWLIST`. Rate limiting is applied to API key issuance and OAuth endpoints. Secure cookie options (`httpOnly`, `sameSite: strict`, `secure`) are used. User-bound API keys expire after 30 days of inactivity. All API key comparisons use `timingSafeEqual` to prevent timing attacks. Robust logging is in place for requests and authentication failures. `app.set("trust proxy", true)` is correctly used for deployments behind a reverse proxy. The primary area for potential improvement is the broad `origin: "*"` CORS policy, although `credentials: false` mitigates some risks.
Similar Servers
mcp-devcontainers
Provides a Model Context Protocol (MCP) server for integrating with and managing devcontainer environments via the devcontainers CLI.
mcp-server
A web-based Docker management platform for deploying, managing, and building custom AI tools (MCP servers) for integration with language models.
clickup-mcp-server
Facilitate AI-enabled applications interacting with the ClickUp API through a standardized Model, Capability, Protocol (MCP) server.
pulse-tm
Pulse is a terminal-based task manager designed for developers to manage projects and tasks, offering CLI, TUI, and seamless integration with AI agents via the Model Context Protocol (MCP).