    {
      "mcpServers": {
        "vibeleak": {
          "url": "https://www.vibeleak.app/api/mcp",
          "auth": "oauth",
          "fallback": "scoped API key",
          "timeout": 180,
          "connectTimeout": 60
        }
      }
    }
VibeLeak MCP
Install VibeLeak where your agents work.
Connect IDEs and AI operators to trust scans, VibeSignal, VibeRank, reports, monitoring, and checkout.
Public tools stay redacted. Owner workflows use OAuth 2.1 PKCE or a scoped API key fallback.
Get started in 3 steps
Add endpoint
Add the VibeLeak MCP endpoint to your IDE, agent, or MCP client.
Authorize owner tools
Use OAuth 2.1 PKCE for owner features or fall back to a scoped API key.
Run trust workflow
Scan domains, review findings, fix issues, monitor, export, and upgrade.
Sample agent command timeline
Real-time
> get_connection_status success
> scan_domain success
> get_private_findings success
> get_remediation_actions success
> enable_score_watch success
> export_markdown_report success
Works with your favorite agents and IDEs
Claude Code
Codex
OpenCode
Kilo Code
BlackBox AI
OpenClaw
Hermes Agent
Cursor
Windsurf
Qwen CLI
Antigravity
Factory
EVERYTHING YOUR AGENT CAN CALL.
VibeLeak MCP exposes secure, scoped tools for trust signals, scans, remediation, reports, monitoring, and billing.
Auth & connection
Public tools
Redacted status, grade-card, VibeSignal, export, and Trust Index visibility calls.
- get_connection_status
- get_public_grade_card
- get_vibesignal
- get_vibesignal_and_export
- get_trust_index_visibility_status
Safe by default. No private data.
Owner scans and reports
Private scan execution, findings, remediation, history, monitoring, and Markdown handoff.
- scan_domain
- scan_domain_and_export
- get_scan_result
- get_private_findings
- get_remediation_actions
- export_markdown_report
- list_scan_history
- enable_score_watch
Requires owner authorization.
AI visibility
VibeRank, VibeRank export, and domain ownership status for agent-readable trust posture.
- run_viberank
- run_viberank_and_export
- verify_domain_ownership_status
Owner scope or API key.
Billing
Allowlisted Stripe Checkout subscription sessions for upgrade and monitoring workflows.
- create_checkout_session
Scoped to billing:write.
Client config example
    {
      "mcpServers": {
        "vibeleak": {
          "url": "https://www.vibeleak.app/api/mcp",
          "auth": "oauth",
          "oauth": {
            "discovery": "https://www.vibeleak.app/.well-known/mcp.json",
            "pkce": true
          },
          "fallback": "scoped_api_key"
        }
      }
    }
Discovery & protocol
https://www.vibeleak.app/.well-known/mcp.json
https://www.vibeleak.app/.well-known/agent.json
MCP-Protocol-Version: 2025-03-26
Give your operator a real security workflow
Plug VibeLeak MCP into your agent and start shipping safe, trusted outcomes.
Auth model
OAUTH FIRST. SCOPED KEYS WHEN CLIENTS NEED THEM.
Owner tools fail closed without matching scopes. Public calls stay redacted. Raw API keys are shown once and stored only as hashes.
Start with connection status
Agents should call get_connection_status first. It reports auth state, available auth methods, account capabilities, and never returns raw API keys.
Prefer OAuth for owner tools
Hermes can connect to the hosted HTTP MCP server with auth: oauth. VibeLeak exposes protected-resource metadata, dynamic client registration, Authorization Code + PKCE, and a token endpoint.
Browser login and consent
The OAuth flow opens VibeLeak login when needed, shows an MCP consent page, then exchanges the PKCE code for a scoped bearer token stored hashed server-side.
Use scoped key fallback
If a client cannot do OAuth, users can create a scoped key at /dashboard/api-keys. Raw keys are shown once; VibeLeak stores only hashes.
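The auth model described above (keys stored only as hashes, owner tools failing closed without a matching scope), sketched as an added example that is not VibeLeak's own code. Tool names and the billing:write scope come from this page; the "owner" scope name, the use of SHA-256, and the in-memory KEY_STORE are assumptions made for illustration.

```python
import hashlib
import secrets

# Tool names are taken from the page; "owner" is a hypothetical scope label.
PUBLIC_TOOLS = {"get_connection_status", "get_public_grade_card", "get_vibesignal"}
REQUIRED_SCOPE = {
    "scan_domain": "owner",
    "get_private_findings": "owner",
    "export_markdown_report": "owner",
    "create_checkout_session": "billing:write",  # scope named on the page
}

# Maps SHA-256 hex digest -> granted scopes. The raw key is never stored.
KEY_STORE = {}


def _digest(raw_key):
    # SHA-256 is an assumption; it is adequate for high-entropy random keys.
    return hashlib.sha256(raw_key.encode()).hexdigest()


def issue_key(scopes):
    """Create a key, keep only its hash, and return the raw value exactly once."""
    raw = "vlk_live_" + secrets.token_urlsafe(32)  # constructed sample key
    KEY_STORE[_digest(raw)] = frozenset(scopes)
    return raw


def scopes_for(bearer):
    """Resolve a presented bearer key to its scopes; unknown or missing -> none."""
    if not bearer:
        return frozenset()
    return KEY_STORE.get(_digest(bearer), frozenset())


def authorize(tool, bearer=None):
    """Fail closed: a tool is allowed only if it is explicitly public, or it is
    explicitly mapped to a scope that the presented key holds."""
    if tool in PUBLIC_TOOLS:
        return True
    needed = REQUIRED_SCOPE.get(tool)
    if needed is None:  # unmapped tool: deny instead of default-allow
        return False
    return needed in scopes_for(bearer)
```

A key issued with only the owner scope passes scan_domain but is refused create_checkout_session, and a tool missing from both tables is refused for every caller.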
Hermes OAuth
Preferred hosted client path
    hermes mcp add vibeleak --url https://www.vibeleak.app/api/mcp --auth oauth
    hermes mcp test vibeleak

    mcp_servers:
      vibeleak:
        url: "https://www.vibeleak.app/api/mcp"
        auth: oauth
        timeout: 180
        connect_timeout: 60
Cursor remote MCP
Scoped key fallback
    {
      "mcpServers": {
        "vibeleak": {
          "url": "https://www.vibeleak.app/api/mcp",
          "headers": {
            "Authorization": "Bearer ${VIBELEAK_API_KEY}"
          }
        }
      }
    }
Claude Desktop bridge
Remote bridge fallback
    {
      "mcpServers": {
        "vibeleak": {
          "command": "npx",
          "args": ["mcp-remote", "https://www.vibeleak.app/api/mcp"],
          "env": {
            "VIBELEAK_API_KEY": "vlk_live_..."
          }
        }
      }
    }
Generic HTTP
Direct MCP POST
    POST https://www.vibeleak.app/api/mcp
    Authorization: Bearer <VIBELEAK_API_KEY>
    Content-Type: application/json
    MCP-Protocol-Version: 2025-03-26
Generic stdio
Local repo only
    {
      "command": "npm",
      "args": ["run", "mcp:stdio"],
      "env": {
        "VIBELEAK_API_KEY": "vlk_live_..."
      }
    }
Agent handoff prompt
Copy into an operator chat
    Use https://www.vibeleak.app/mcp to connect VibeLeak MCP.
    Call get_connection_status first.
    Use OAuth for https://www.vibeleak.app/api/mcp when available.
    If OAuth is unavailable, store a scoped API key as VIBELEAK_API_KEY.
MCP Discovery: /.well-known/mcp.json
Agent Discovery: /.well-known/agent.json
Protocol: 2025-03-26
Agent workflow
FROM PROMPT TO PROTECTED WORKFLOW.
Turn a domain into a grade, fix queue, monitoring path, checkout path, and Markdown report.
Docs
Operator runbook
    run_vibeleak_workflow --domain production
Discovery + FAQ
2025-03-26
1. Which clients work?
Any MCP-compatible client can call the hosted endpoint. Hermes gets the preferred OAuth flow; Cursor, Claude bridge, and generic clients can use scoped key fallback.
2. Do public tools need a key?
No. Public calls stay redacted and never expose private remediation detail. Owner tools require OAuth or a scoped bearer key.
3. Can an agent upgrade an account?
Owner-authorized billing tools can create allowlisted Stripe Checkout subscription sessions for VibeLeak plans.
Agent-ready trust layer
Run trusted workflows inside your agent.
OAuth handles owner actions. Public tools stay redacted. VibeLeak MCP turns scans, remediation, checkout, monitoring, and Markdown export into one operator workflow.
https://www.vibeleak.app/api/mcp