@@ -17,6 +17,9 @@ This tool validates MCP servers by:
1717## Features
1818
1919- ✅ ** Protocol Validation** : Complete MCP handshake and capability testing
20+ - ✅ ** Multi-Transport Support** : stdio, HTTP, and SSE transports with full OAuth 2.0 support
21+ - ✅ ** OAuth 2.0 Authentication** : Full OAuth 2.0 Dynamic Client Registration (RFC 7591)
22+ - ✅ ** Automatic Browser Opening** : Seamless OAuth authentication flow
2023- ✅ ** Security Scanning** : Integrated mcp-scan vulnerability analysis
2124- ✅ ** JSON Reports** : Comprehensive validation reports with linked security scans
2225- ✅ ** Step-by-Step Logging** : Real-time validation progress with detailed feedback
@@ -45,11 +48,11 @@ pip install mcp-validation
4548### Basic Validation
4649
4750``` bash
48- # Validate a Python MCP server
49- mcp-validate python server.py
51+ # Validate a Python MCP server (stdio transport)
52+ mcp-validate -- python server.py
5053
51- # Validate a Node.js MCP server
52- mcp-validate node server.js
54+ # Validate a Node.js MCP server (stdio transport)
55+ mcp-validate -- node server.js
5356
5457# Validate npx packages (use -- separator for flags)
5558mcp-validate -- npx -y kubernetes-mcp-server@latest
@@ -58,6 +61,98 @@ mcp-validate -- npx -y kubernetes-mcp-server@latest
5861mcp-validate -- podman run -i --rm hashicorp/terraform-mcp-server
5962```
6063
64+ ### HTTP Transport Validation
65+
66+ ``` bash
67+ # Validate HTTP MCP servers with OAuth 2.0 Dynamic Client Registration
68+ mcp-validate --transport http --endpoint https://example.com/api/mcp
69+
70+ # With pre-registered OAuth credentials
71+ mcp-validate --transport http --endpoint https://gitlab.com/api/v4/mcp \
72+ --client-id YOUR_CLIENT_ID --client-secret YOUR_CLIENT_SECRET
73+
74+ # With personal access token
75+ mcp-validate --transport http --endpoint https://api.example.com/mcp \
76+ --auth-token YOUR_ACCESS_TOKEN
77+
78+ # Local HTTP server
79+ mcp-validate --transport http --endpoint http://localhost:3000/mcp
80+ ```
81+
82+ ### SSE Transport Validation
83+
84+ ``` bash
85+ # Validate SSE endpoints with Bearer token authentication
86+ mcp-validate --transport sse --endpoint https://mcp.example.com/sse --auth-token YOUR_TOKEN
87+
88+ # SSE endpoint without authentication
89+ mcp-validate --transport sse --endpoint https://public.mcp.example.com/sse
90+ ```
91+
92+ ### Authentication
93+
94+ The tool supports different authentication methods depending on the transport:
95+
96+ ** SSE Transport** : Simple Bearer token authentication
97+ ** HTTP Transport** : Full OAuth 2.0 support with three authentication methods:
98+
99+ #### 1. Dynamic Client Registration (Automatic)
100+ ``` bash
101+ # No credentials needed - automatic registration with the OAuth server
102+ mcp-validate --transport http --endpoint https://gitlab.com/api/v4/mcp
103+
104+ # The tool will:
105+ # - Automatically register a new OAuth client with the server
106+ # - Open your browser for authorization
107+ # - Handle the OAuth callback automatically
108+ # - Continue with MCP validation
109+ ```
110+
111+ #### 2. Pre-registered OAuth Application
112+ ``` bash
113+ # Use your existing OAuth application credentials
114+ mcp-validate --transport http --endpoint https://api.example.com/mcp \
115+ --client-id " your_oauth_app_client_id"
116+ --client-secret " your_oauth_app_secret"
117+
118+ # For GitLab, create an application at:
119+ # https://gitlab.com/-/profile/applications
120+ # - Scopes: api, read_user
121+ # - Redirect URI: http://localhost:3333/callback
122+ ```
123+
124+ #### 3. Personal Access Token
125+ ``` bash
126+ # Use a personal access token for direct authentication
127+ mcp-validate --transport http --endpoint https://api.example.com/mcp \
128+ --auth-token " your_personal_access_token"
129+
130+ # Note: Token must have appropriate scopes for MCP access
131+ ```
132+
133+ ** Authentication Process:**
134+ - ** Browser opens automatically** for OAuth flows
135+ - ** Callback server** starts on localhost:3333 to handle OAuth redirects
136+ - ** Secure token exchange** using PKCE (Proof Key for Code Exchange)
137+ - ** 5-minute timeout** for user authentication
138+
139+ ### With Profiles and Advanced Features
140+
141+ ``` bash
142+ # Use specific validation profile
143+ mcp-validate --profile security_focused -- python server.py
144+
145+ # List available profiles and validators
146+ mcp-validate --list-profiles
147+ mcp-validate --list-validators
148+
149+ # Custom configuration with selective validators
150+ mcp-validate --config ./custom-config.json --enable ping --disable security -- node server.js
151+
152+ # Repository validation for OSS compliance
153+ mcp-validate --repo-url https://github.com/user/mcp-server -- python server.py
154+ ```
155+
61156### With Environment Variables
62157
63158``` bash
@@ -84,14 +179,17 @@ mcp-validate \
84179 -- npx -y some-mcp-server@latest
85180```
86181
87- ### Security Analysis Options
182+ ### Advanced Debugging and Analysis
88183
89184``` bash
185+ # Enable detailed debug output for troubleshooting
186+ mcp-validate --debug -- python server.py
187+
90188# Skip mcp-scan for faster validation
91189mcp-validate --skip-mcp-scan python server.py
92190
93- # Full validation with security scan
94- mcp-validate --timeout 120 --json-report report.json python server.py
191+ # Full validation with security scan and detailed reporting
192+ mcp-validate --debug -- timeout 120 --json-report report.json python server.py
95193```
96194
97195### Programmatic Usage
@@ -126,12 +224,26 @@ asyncio.run(test_server())
126224
127225| Option | Description | Example |
128226| --------| -------------| ---------|
129- | ` command ` | Command and arguments to run the MCP server | ` python server.py ` |
227+ | ` command ` | Command and arguments to run the MCP server (stdio) | ` -- python server.py ` |
228+ | ` --transport TYPE ` | Transport type: ` stdio ` (default), ` http ` , or ` sse ` | ` --transport sse ` |
229+ | ` --endpoint URL ` | HTTP/SSE endpoint URL (required for http/sse transports) | ` --endpoint https://api.example.com/mcp ` |
230+ | ` --auth-token TOKEN ` | OAuth Bearer token for HTTP/SSE authentication | ` --auth-token your_token ` |
231+ | ` --client-id ID ` | OAuth client ID for pre-registered applications | ` --client-id your_client_id ` |
232+ | ` --client-secret SECRET ` | OAuth client secret (used with --client-id) | ` --client-secret your_secret ` |
233+ | ` --config FILE ` | Configuration file path | ` --config ./my-config.json ` |
234+ | ` --profile NAME ` | Validation profile to use | ` --profile security_focused ` |
130235| ` --env KEY=VALUE ` | Set environment variables (repeatable) | ` --env HOST=localhost ` |
131- | ` --timeout SECONDS ` | Validation timeout in seconds (default: 30) | ` --timeout 60 ` |
236+ | ` --enable VALIDATOR ` | Enable specific validator | ` --enable ping ` |
237+ | ` --disable VALIDATOR ` | Disable specific validator | ` --disable security ` |
238+ | ` --list-profiles ` | List available validation profiles | ` --list-profiles ` |
239+ | ` --list-validators ` | List available validators | ` --list-validators ` |
240+ | ` --timeout SECONDS ` | Global timeout override in seconds | ` --timeout 60 ` |
132241| ` --verbose ` | Show detailed output including warnings | ` --verbose ` |
242+ | ` --debug ` | Enable detailed debug output with execution tracking | ` --debug ` |
133243| ` --skip-mcp-scan ` | Skip mcp-scan security analysis | ` --skip-mcp-scan ` |
134244| ` --json-report FILE ` | Export detailed JSON report to file | ` --json-report report.json ` |
245+ | ` --repo-url URL ` | Repository URL to validate for OSS compliance | ` --repo-url https://github.com/user/repo ` |
246+ | ` --runtime-command CMD ` | Runtime command to validate (auto-detected if not specified) | ` --runtime-command uv ` |
135247
136248## Validation Process
137249
0 commit comments