Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@MCP WorkBoard CrunchToolsshow me my current goals"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
MCP WorkBoard CrunchTools
A secure MCP (Model Context Protocol) server for WorkBoard OKR and strategy execution platform.
Overview
This MCP server is designed to be:
Secure by default - Comprehensive threat modeling, input validation, and token protection
No third-party services - Runs locally via stdio, your API token never leaves your machine
Cross-platform - Works on Linux, macOS, and Windows
Automatically updated - GitHub Actions monitor for CVEs and update dependencies
Containerized - Available at
quay.io/crunchtools/mcp-workboardbuilt on Hummingbird Python base image
Naming Convention
Component | Name |
GitHub repo | |
Container |
|
Python package (PyPI) |
|
CLI command |
|
Module import |
|
Why Hummingbird?
The container image is built on the Hummingbird Python base image from Project Hummingbird, which provides:
Minimal CVE exposure - Built with a minimal package set, dramatically reducing attack surface
Regular updates - Security patches applied promptly
Optimized for Python - Pre-configured with uv package manager
Production-ready - Proper signal handling and non-root user defaults
Features
User Management (4 tools)
workboard_get_user- Get a user by ID or the current authenticated userworkboard_list_users- List all users (Data-Admin role required)workboard_create_user- Create a new user (Data-Admin role required)workboard_update_user- Update an existing user
Goal Management (2 tools)
workboard_get_goals- Get all goals for a userworkboard_get_goal_details- Get details for a specific goal
Installation
With uvx (Recommended)
With pip
With Container
Configuration
Getting a WorkBoard API Token
Log in to your WorkBoard instance
Navigate to Admin Settings > API Configuration
Generate a JWT API token
Copy the token immediately - store it securely
Add to Claude Code
Or for the container version:
Usage Examples
Get Current User
List All Users
Get User Goals
Get Goal Details
Security
This server was designed with security as a primary concern. See SECURITY.md for:
Threat model and attack vectors
Defense in depth architecture
Token handling best practices
Input validation rules
Key Security Features
Token Protection
Stored as SecretStr (never accidentally logged)
Environment variable only (never in files or args)
Sanitized from all error messages
Input Validation
Pydantic models for all inputs
Positive integer validation for IDs
Email validation for user creation
API Hardening
Hardcoded API base URL (prevents SSRF)
TLS certificate validation
Request timeouts
Response size limits
Automated CVE Scanning
GitHub Actions scan dependencies weekly
Automatic issues for security updates
Dependabot alerts enabled
Development
Setup
Run Tests
Lint and Type Check
Build Container
License
AGPL-3.0-or-later
Contributing
Contributions welcome! Please read SECURITY.md before submitting security-related changes.