api-mcp
Detects Angular HttpClient calls to discover API endpoints in Angular codebases.
Detects axios HTTP requests, including custom instances, to discover API endpoints.
Detects http, Dio, Retrofit-dart, and Chopper calls in Dart code to discover API endpoints.
Reads .env files to auto-detect the API base URL.
Detects Express router routes to discover server-side API endpoints.
Detects FastAPI route decorators to discover API endpoints.
Detects Fastify router routes to discover API endpoints.
Detects Flask route decorators to discover API endpoints.
Detects http, Dio, and other HTTP calls in Flutter apps to discover API endpoints.
Detects jQuery $.get, $.post, $.ajax calls to discover API endpoints.
Detects Koa router routes to discover API endpoints.
Detects Retrofit @GET and other annotations in Kotlin code to discover API endpoints.
Detects NestJS decorators (@Get, @Post, etc.) to discover API endpoints.
Detects Spring @GetMapping, @PostMapping, etc., to discover API endpoints.
Detects Alamofire requests in Swift code to discover API endpoints.
Detects SWR hook usage to discover API endpoints.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@api-mcpRun a QA audit on this project with role logins."
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
api-mcp
📦 Published on npm:
@hassanjamal/api-mcp— install withnpm i -g @hassanjamal/api-mcp(no cloning or building needed).
An MCP (Model Context Protocol) server you plug into any codebase — React Native, web, Flutter, or a backend — that:
Discovers every API endpoint in the code (client calls and server routes)
Reads or generates an OpenAPI / Swagger spec (if none exists, it builds one)
Generates test cases + edge cases for each endpoint, based on its HTTP method and params
Auto-logs in per role (from just credentials — finds the login endpoint, extracts the token)
Harvests real IDs from responses + JWTs and injects the right resource id into each path param
Executes them against your running server — like Postman — scoped to each role's real permissions
Reports everything as PDF + XLSX (per-role + an overall audit + the endpoint inventory)
The QA one-call (qa_audit) does all of it from a project path + role logins. All artifacts are
written to a .api-mcp/ folder inside the project you point it at.
What it detects
Platform | Frameworks / libraries detected |
Web |
|
React Native |
|
Flutter / Dart |
|
Mobile native | Retrofit (Android/Kotlin |
Backend routes | Express / Fastify / Koa |
Detection is text/pattern based, so it works on any language without running the code, and
handles both :param / {param} / <param> styles and JS ${...} / Dart $var interpolation.
Every framework above is covered by the regression suite (npm test) so accuracy can't silently
regress.
Related MCP server: REST API MCP Server
Install
Install once, globally — this gives a fast, reliable api-mcp command:
npm i -g @hassanjamal/api-mcpRequires Node.js 18+. Global install is recommended over
npxbecausenpxre-checks the registry on every launch (~6s) and can trip a host's connection health-check; the global binary starts in ~1s.
Connect it to a host
An MCP server does nothing on its own — a host (the app you chat with an AI in) connects to it and exposes its tools. Pick your host:
Claude Code
Register it once for all your projects (user scope):
claude mcp add -s user api-mcp -- api-mcpVerify: claude mcp list → api-mcp - ✔ Connected. (Mind the spacing: -- api-mcp.)
Cursor
Settings → MCP → Add new server, or edit ~/.cursor/mcp.json:
{
"mcpServers": {
"api-mcp": { "command": "api-mcp" }
}
}Claude Desktop
Edit claude_desktop_config.json (Windows: %APPDATA%\Claude\claude_desktop_config.json):
{
"mcpServers": {
"api-mcp": { "command": "api-mcp" }
}
}Restart the host after editing config. The tools (and the /qa-audit, /scan slash commands)
then appear to the AI.
Updating: npm i -g @hassanjamal/api-mcp@latest
Slash commands (Claude Code)
Two guided entry points show up as slash commands:
Command | Does |
| Prompts for base URL + role logins, then runs the full read-only per-role audit |
| Scans the current project and summarizes the endpoints found |
You can also just ask in natural language (see below) — the slash commands are a convenience.
Tools exposed
Tool | What it does |
| Scan a project and list every endpoint found. Writes |
| Report any existing Swagger/OpenAPI spec in the project. |
| Build an OpenAPI 3.0 spec from the code (JSON or YAML). Reuses an existing spec unless told otherwise. |
| Produce happy-path / edge / negative / security test cases. Writes |
| Execute the tests against your live server and save responses + a report. |
| One call that runs the entire pipeline end-to-end. |
| Regenerate the HTML report + colorful XLSX from already-saved JSON. |
| Auto-detect the API base URL from |
| Auto-detect the login endpoint, post credentials, and extract the token. |
| QA one-call: role credentials → auto-login → role-scoped, precise-ID testing → PDF + XLSX reports. |
Once connected, just ask the AI in natural language, e.g.:
"Run a full API audit on this project against http://localhost:3000 using my API_TOKEN."
The AI will call full_audit with the right arguments.
QA workflow (the easy path)
A QA engineer provides only credentials per role — the tool figures out the rest (base URL, login endpoint, token extraction, per-role runs):
"Run a qa_audit on this project with admin
a@x.com / pw, teachert@x.com / pw, students@x.com / pw."
qa_audit then:
Detects the API base URL from the code (
.env, axios/DartbaseURL) — or you passbaseUrlLogs in as each role, extracting the token from the response or the JWT (
token,accessToken,data.token,jwt…)Harvests real resource IDs from every response + each JWT and injects the correct id into each path param (
{courseId}← a real course id; a bare{id}← that endpoint's own resource), preferring ids the current role can access — turning wrong-id404s into real200sScopes each role to endpoints its route-guard permits (reads
authorizeAdmin(),@Roles('teacher')…), so you get more200s and far less403/404noiseSkips session-breaking endpoints (logout/refresh/delete-account/password/register) so a test can't revoke its own token, and paces around rate limits (marks throttled requests not tested, not failed)
Writes PDF + XLSX only — overall
qa-audit.pdf, per-roleqa-report-{role}.pdf/.xlsx, andendpoints.pdf/.xlsx
Read-only by default. Useful arguments:
Argument | Default | Effect |
| — |
|
| auto-detect | API base URL |
|
| also run POST/PUT/PATCH/DELETE (throwaway/staging only) |
|
| test each role only on endpoints its guard permits ( |
|
| also test logout/refresh/delete-account/password/register |
|
| max pacing wait per request; raise (e.g. |
Web vs mobile — what to provide
The tool always tests the HTTP API, so the inputs are the same for both. The only difference is which source files get scanned for endpoints.
Web app | Mobile app (React Native / Flutter / native) | |
Provide | API base URL* + role credentials | API base URL* + role credentials — same |
Base URL source | frontend | the app's config/constants (the backend it calls) |
What's scanned | JS/TS ( | Dart ( |
Execution | identical | identical |
Understanding the results (why not all 200s?)
A healthy API returns a mix of status codes under automated testing — that's it correctly guarding itself, not a sign it's broken. Each request passes gates in order; the status tells you which gate stopped it:
Status | Meaning | A problem? |
200 | Worked — returned data | ✅ success |
400 | Request incomplete/malformed (missing query param, wrong id type) | ❌ No — validation working |
401 | Wrong identity for that endpoint | ❌ No — auth working |
403 | Role/owner not permitted | ❌ No — RBAC working (the inverse curve across roles proves it) |
404 | That resource doesn't exist for this user | ❌ No — correct "not found" |
500 | Server crashed (unhandled exception) | 🔴 Yes — the real bug to fix |
You can't (and shouldn't) get all-200s from automated testing — that would mean the API accepts
anything. Only the 500s indicate actual defects.
*The base URL is auto-detected when possible; a mobile app has no "app URL" of its own — you give the backend API URL it talks to (which lives in the app's config).
Configuration
Live execution needs to know your server URL and auth. Provide it either per tool call
(baseUrl, bearerToken, headers arguments) or via a config file in the target project root.
Copy api-mcp.config.example.json to api-mcp.config.json:
{
"baseUrl": "http://localhost:3000",
"bearerToken": "${API_TOKEN}",
"headers": { "X-Api-Key": "${API_KEY}" },
"timeoutMs": 15000,
"sampleValues": { "id": 1, "body": { "name": "example" } }
}${ENV_VAR} references are expanded from the environment, so secrets stay out of the file.
Secret-looking headers are redacted in saved reports.
Output artifacts (.api-mcp/)
File | Contents |
|
File | Contents |
| Overall report — KPIs, role matrix, and a "how to read the statuses" guide |
| Per-role results (status summary + full request/response table) |
| The discovered-endpoint inventory |
The other tools (scan_endpoints, generate_openapi, run_tests, full_audit) also write:
File | Contents |
| Endpoint inventory (Markdown + color-coded web page) |
| Structured endpoint list |
| Generated OpenAPI 3.0 spec (open in https://editor.swagger.io) |
| The full generated test plan |
| Pass/fail summary + status codes + failure details |
| Colorful multi-sheet spreadsheet — Summary, Endpoints, Test Results |
| Full request/response record for every test |
The HTML & XLSX outputs
.htmlreports are self-contained (no internet needed), color-coded by result and status code, and adapt to light/dark themes. Just double-click to open in any browser.test-report.xlsxis a styled workbook with three sheets:Summary — totals, pass/fail counts, and a status-code distribution
Endpoints — every endpoint with method color badges
Test Results — one row per test with complete data (request/response bodies, headers, status, duration, errors), color-coded green/red/amber, with auto-filters enabled.
Open it in Excel, Google Sheets, or LibreOffice. Secret-looking header values are redacted.
Already have results.json from a previous run and just want the pretty output? Ask the AI to
run export_report — it rebuilds the HTML + XLSX from the saved JSON without re-running anything.
Test categories generated
happy-path — valid request with sample params/body; expects success
edge-case — non-existent resources, malformed params, empty bodies
negative — malformed JSON, wrong HTTP method (expects 4xx/405)
security — same request with credentials stripped (expects 401/403)
Develop from source (contributors)
git clone https://github.com/Hassan-Jamal/Automated_API_MCP.git
cd Automated_API_MCP
npm install
npm run build # compile to dist/
npm test # 63 tests: detectors, scanner, auth, schema, harvesting, PDF, etc.The examples/sample-app/ folder has JS, Dart, and Express files demonstrating the detectors.
Do I need to run my app first?
Depends on the step:
Step | App/server running? |
Scan, generate Swagger, generate tests | No — reads source code statically |
Execute tests ( | Yes — sends real HTTP requests |
For a React Native or web app, what must be running is the backend API server the app
talks to (e.g. http://localhost:3000) — not the emulator or the web frontend. This tool
calls the API directly, the same API your app calls. Point baseUrl at that server.
If your project is the backend (Express/NestJS/FastAPI/Flask), start it, then run the tests.
Tip: use
dryRun: trueonrun_teststo preview the requests without sending any — handy before pointing it at a real server.
Onboarding a new QA (2 commands)
No cloning, no building — the package is on npm. On each machine (needs Node.js 18+ and a host):
npm i -g @hassanjamal/api-mcp # install once
claude mcp add -s user api-mcp -- api-mcp # register for all projectsVerify with claude mcp list → ✔ Connected. Then open an app folder and either use the
/qa-audit slash command or ask in natural language. To update later:
npm i -g @hassanjamal/api-mcp@latest.
Notes & limits
Detection is heuristic (regex-based). It finds string-literal paths; fully dynamic URLs built from variables may be partially normalized (
${expr}→{param}).Generated request bodies are placeholders — refine them via
sampleValuesin config for endpoints with strict validation.The executor sends real requests. Point it at a dev/staging server, not production.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Hassan-Jamal/Automated_API_MCP'
If you have feedback or need assistance with the MCP directory API, please join our Discord server