http-mcp
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| HTTP_TIMEOUT | No | Per-hop timeout in ms. Each redirect hop gets its own timeout. Total wall-clock budget = HTTP_TIMEOUT × (max_redirects + 1). | 30000 |
| HTTP_MAX_BODY | No | Maximum response body size in bytes (default 2 MiB). | 2097152 |
| HTTP_USER_AGENT | No | Default User-Agent header value. | http-mcp/<package version> |
| HTTP_SESSION_MAX | No | Maximum number of concurrent sessions. | 256 |
| HTTP_SESSION_TTL | No | Session idle TTL in ms. Sessions older than this are automatically evicted. | 3600000 |
| HTTP_DOWNLOAD_MAX | No | Maximum download size in bytes (default 1 GiB). Separate from HTTP_MAX_BODY. | 1073741824 |
| HTTP_ALLOW_PRIVATE | No | Set to '1' to disable SSRF guard and allow private IPs (loopback, 10/8, 172.16/12, 192.168/16, 169.254/16, IPv6 ULA, localhost, *.internal, etc.). | |
| HTTP_DOWNLOAD_ROOT | No | Allowed directory for download output. If not set, the download action will fail. | |
| HTTP_ALLOW_INSECURE_TLS | No | Set to '1' to respect reject_unauthorized: false. Otherwise, TLS verification is enforced. | |
| HTTP_ALLOW_INSECURE_OAUTH | No | Set to '1' to allow HTTP URLs for OAuth2 token/device authorization endpoints (not recommended except for testing). |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {
"listChanged": true
} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| httpA | HTTP client for LLMs. curl-equivalent + OAuth2 + sessions + retry. Response bodies: textual types decoded with charset awareness; binary types base64-encoded; capped at HTTP_MAX_BODY (default 2 MiB) with body_truncated flag. status >= 400 sets MCP isError. BODY SELECTION (choose one per request): json | form | body | body_base64. AUTH: basic_auth | bearer | oauth2_* flows that cache tokens and can feed into 'bearer' of a subsequent request. SESSIONS: cookie jars keyed by session id. Pass 'session' on request/get/post/etc to send and store cookies per domain. Manage with session_create / session_list / session_close. Caller-supplied ids are hashed; idle sessions evicted after HTTP_SESSION_TTL ms. RETRY: retry={max, on_status, backoff_ms, max_backoff_ms}. Exponential backoff on transient 5xx by default. SECURITY: SSRF guard blocks loopback / private networks unless HTTP_ALLOW_PRIVATE=1. reject_unauthorized=false ignored unless HTTP_ALLOW_INSECURE_TLS=1. download requires HTTP_DOWNLOAD_ROOT. Actions:
|
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
No resources | |
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/cUDGk/http-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server