
mcp4openapi

Verified Safe

by davidruzicka

Overview

Universal MCP server that transforms any OpenAPI specification into LLM-friendly tools, enabling agents to interact with APIs without writing code.

Installation

Run Command
npx mcp4openapi

Environment Variables

  • MCP4_OPENAPI_SPEC_PATH
  • MCP4_PROFILE_PATH
  • MCP4_API_TOKEN
  • MCP4_API_BASE_URL
  • MCP4_LOG_FORMAT
  • MCP4_LOG_LEVEL
  • MCP4_TOOLNAME_MAX
  • MCP4_TOOLNAME_STRATEGY
  • MCP4_TOOLNAME_WARN_ONLY
  • MCP4_SESSION_TIMEOUT_MS
  • MCP4_HEARTBEAT_ENABLED
  • MCP4_METRICS_ENABLED
  • MCP4_METRICS_PATH
  • MCP4_ALLOWED_ORIGINS
  • MCP4_HTTP_RATE_LIMIT_ENABLED
  • MCP4_HTTP_RATE_LIMIT_WINDOW_MS
  • MCP4_HTTP_RATE_LIMIT_MAX_REQUESTS
  • MCP4_HTTP_RATE_LIMIT_METRICS_MAX
  • MCP4_OAUTH_RATE_LIMIT_MAX
  • MCP4_OAUTH_RATE_LIMIT_WINDOW_MS
  • MCP4_TOKEN_MAX_LENGTH
  • MCP4_SSL_CERT_FILE
  • MCP4_SSL_KEY_FILE
  • MCP4_OAUTH_SESSION_TIMEOUT_MS
  • MCP4_OAUTH_REFRESH_THRESHOLD_MS
  • MCP4_TOOL_FILTER_ALLOW_NAMES
  • MCP4_TOOL_FILTER_ALLOW_NAME_REGEX
  • MCP4_TOOL_FILTER_DENY_NAMES
  • MCP4_TOOL_FILTER_DENY_NAME_REGEX
  • MCP4_TOOL_FILTER_ALLOW_CATEGORIES
  • MCP4_TOOL_FILTER_SESSION_MAX_TOOLS
  • MCP4_TOOL_FILTER_WARN_THRESHOLD_PCT
  • MCP4_AUTH_FORCE
  • MCP4_AUTH_TYPE
  • MCP4_AUTH_QUERY_PARAM
  • MCP4_AUTH_HEADER_NAME
  • MCP4_AUTH_ENV_VAR
  • MCP4_OAUTH_ISSUER
  • MCP4_OAUTH_AUTHORIZATION_URL
  • MCP4_OAUTH_TOKEN_URL
  • MCP4_OAUTH_REDIRECT_URI
  • MCP4_OAUTH_CLIENT_ID
  • MCP4_OAUTH_CLIENT_SECRET
  • MCP4_OAUTH_SCOPES
  • MCP4_TRANSPORT
  • MCP4_HOST
  • MCP4_PORT

Security Notes

The project demonstrates a strong focus on security, implementing explicit safeguards against common web vulnerabilities. Key measures include:

  • DNS rebinding protection.
  • Prototype pollution prevention (`isSafePropertyName`).
  • ReDoS protection in regex handling.
  • Redaction of sensitive data in logs and HTTP requests.
  • Strict policy enforcement for proxy downloads (private network access control, MIME type validation, and size limits) to mitigate SSRF and LFI.
  • Payload size limits on incoming requests.
  • Flexible authentication: OAuth 2.0 (with PKCE, state parameter, and redirect URI validation) and various token-based methods.
  • Input validation using a schema validator.
  • Tool filtering, which reduces the attack surface by controlling which API operations are exposed.

Stats

  • Interest Score: 0
  • Security Score: 9
  • Cost Class: Medium
  • Avg Tokens: 500
  • Stars: 0
  • Forks: 0
  • Last Update: 2026-01-19

Tags

OpenAPI, LLM, API Gateway, Tooling, Orchestration, AI Agent