MCP server
Plug FixVibe into Claude Desktop, Cursor, or any client that speaks the Model Context Protocol. Your AI agent gets typed access to your scans, findings, and the same templated fix prompts that power the dashboard's Copy fix prompt button.
Mint an API token
Visit /account/api-tokens and create a token named, e.g., claude-desktop. Copy the plaintext value; it's shown once.
Tokens are bearer credentials: anyone with the string can read your scans and start new ones. Store it like a password.
Point your MCP client at /api/mcp
Claude Desktop / Cursor / Continue / Zed:
    {
      "mcpServers": {
        "fixvibe": {
          "transport": "streamable-http",
          "url": "https://fixvibe.app/api/mcp",
          "headers": {
            "Authorization": "Bearer fxv_YOUR_TOKEN_HERE"
          }
        }
      }
    }

Restart the client. The fixvibe server should appear in its MCP server list.
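Because the token sits in this file as a bearer credential, the file deserves the same handling as a password store. The script below is an added example, not FixVibe's own tooling: it reads the token from an environment variable, merges the fixvibe entry into an existing client config without touching other servers, and writes the result atomically with owner-only permissions. The FIXVIBE_TOKEN variable, the mcp.json path, the function names, and the check on the fxv_ prefix (inferred from the placeholder above) are assumptions.

```python
import json
import os
import stat
import tempfile

MCP_URL = "https://fixvibe.app/api/mcp"  # endpoint from the config above


def fixvibe_entry(token: str) -> dict:
    """Build the "fixvibe" server entry, rejecting obviously bad tokens."""
    token = token.strip()
    # Assumption: real tokens keep the fxv_ prefix shown in the placeholder.
    if not token.startswith("fxv_") or token == "fxv_YOUR_TOKEN_HERE":
        raise ValueError("missing or placeholder FixVibe token")
    return {
        "transport": "streamable-http",
        "url": MCP_URL,
        "headers": {"Authorization": f"Bearer {token}"},
    }


def write_config(path: str, token: str) -> None:
    """Merge the entry into an existing client config and write it owner-only."""
    config = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            config = json.load(fh)
    config.setdefault("mcpServers", {})["fixvibe"] = fixvibe_entry(token)
    # mkstemp creates the file with mode 0600 and os.replace swaps it in
    # atomically, so the token never sits in a readable or half-written file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=2)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def is_owner_only(path: str) -> bool:
    """True if group and others have no access to the file (POSIX modes)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


if __name__ == "__main__":
    # FIXVIBE_TOKEN and the output filename are assumptions for this example.
    write_config("mcp.json", os.environ["FIXVIBE_TOKEN"])
```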
Try it out
Ask your agent things like:
- "List my last 10 FixVibe scans."
- "Show me the critical findings on the most recent scan."
- "Start a passive scan against https://staging.example.com."
- "For each high-severity finding on scan X, write a fix."
- "Are there any open live-threat alerts on my domains?"
- Type /fixvibe-fix with a finding id to drop the templated remediation prompt straight into the chat.
Tools
- list_scans (read)
  - Returns up to 100 most-recent scans with status + finding counts. Args: limit?: 1..100.
- get_scan (read)
  - Scan envelope + per-category severity summary by default. Set include_findings=true for the full report (large for noisy scans; prefer list_findings + filters). Args: scan_id (uuid), include_findings?: boolean.
- list_findings (read)
  - Paginated findings across all your scans. Args: severity?: list, check_id?, since? (ISO 8601), limit?: 1..200.
- start_scan (write)
  - Enqueues a scan and returns an id with status queued; poll get_scan to await completion. Passive mode is always available through MCP. Active mode requires a paid plan plus verified-domain authorization from the dashboard. Args: target (URL or hostname), mode? (passive|active).
- list_alerts (read)
  - Live-threat alerts (CT log diffs, DNS changes, threat-intel listings). Available on the Unlimited plan only; Hobby and Pro plans return an empty list. Args: domain_id?, active_only?, limit?: 1..200.
- get_alert (read)
  - Single alert with the relevant domain, severity, type, and event details. Args: alert_id (uuid).
- dismiss_alert (write · idempotent)
  - Mark an alert dismissed. Idempotent: re-dismissing is a no-op. Args: alert_id (uuid).
Resources
Resources let your client attach FixVibe data into the conversation directly, instead of the agent re-fetching it on every turn. In Claude Desktop, click the @ menu → fixvibe.
- fixvibe://scan/{scan_id}/report (json)
  - Full FixVibe scan report including every check and every finding.
- fixvibe://finding/{finding_id} (json)
  - A single finding (severity, title, description, evidence, remediation, CWE).
Slash commands
- /fixvibe-fix (prompt)
  - Renders a server-side remediation prompt for a finding, using scan context when available and falling back to generic guidance otherwise. Args: finding_id (uuid). No third-party LLM API call is made by FixVibe.

Quotas, RLS, and severity gating apply identically to MCP and REST calls.
