The cURL MCP Server enables LLMs to execute HTTP requests through a safe, structured interface with comprehensive control over requests and responses.
Core HTTP Capabilities:
Execute HTTP requests using all standard methods (GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS)
Send data in multiple formats including JSON bodies and multipart form data
Authenticate using Basic auth, Bearer tokens, or custom headers
Define custom HTTP headers and User-Agent strings
Request Control:
Manage redirects (follow/disable, up to 50 max)
Configure timeouts (1-300 seconds)
Control SSL verification and compression
Customize response output with headers, verbose details, or JSON metadata (exit codes, success status)
Built-in Resources:
Access documentation via
curl://docs/apiMCP resourceUse pre-built prompts for API testing and discovery
Support for stdio transport (Claude Desktop/Code) and HTTP transport
Security Features:
Structured parameter validation preventing arbitrary command execution
Shell injection prevention
SSL verification enabled by default
Automatic response size limits (1MB) and timeout constraints
Enables execution of HTTP requests through a structured interface with support for multiple authentication methods, custom headers, form data, request body data, and response control options like redirects and compression.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@cURL MCP Serverfetch the latest posts from the Reddit API with a custom user agent"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
cURL MCP Server
A security-hardened MCP server that gives LLMs the ability to make HTTP requests via cURL. Use it as a standalone server, extend it programmatically, or define APIs declaratively with YAML.
Key features:
Security-first — SSRF protection, DNS rebinding prevention, rate limiting, input validation
Extensible —
McpCurlServerclass with hooks, custom tools, and configurationYAML-driven — Define API endpoints declaratively and generate MCP tools automatically
Two tools —
curl_executefor HTTP requests,jq_queryfor querying saved JSON files
Quick Start: MCP Server
Claude Code
claude mcp add curl -- npx -y github:sixees/mcp-curlOr add to .mcp.json:
{
"mcpServers": {
"curl": {
"command": "npx",
"args": [
"-y",
"github:sixees/mcp-curl"
]
}
}
}Claude Desktop
Add to your config file:
macOS:
~/Library/Application Support/Claude/claude_desktop_config.jsonWindows:
%APPDATA%\Claude\claude_desktop_config.json
{
"mcpServers": {
"curl": {
"command": "npx",
"args": [
"-y",
"github:sixees/mcp-curl"
]
}
}
}Quick Start: Standalone
# Stdio transport (default)
npx -y github:sixees/mcp-curl
# HTTP transport
TRANSPORT=http PORT=3000 npx -y github:sixees/mcp-curl
# HTTP with authentication
TRANSPORT=http PORT=3000 MCP_AUTH_TOKEN=your-secret npx -y github:sixees/mcp-curlOr clone and build locally:
git clone https://github.com/sixees/mcp-curl.git
cd mcp-curl && npm install && npm run build
npm startTools
curl_execute
Execute HTTP requests with structured parameters. Supports all common HTTP methods, authentication (basic, bearer), headers, form data, redirects, and timeouts.
{
"url": "https://api.github.com/users/octocat",
"bearer_token": "ghp_xxx",
"jq_filter": ".name,.email,.location"
}Responses exceeding max_result_size (default 500KB) are automatically saved to file. Use jq_filter to extract
specific data before the size limit is checked.
jq_query
Query saved JSON files without making new HTTP requests:
{
"filepath": "/path/to/saved_response.txt",
"jq_filter": ".users[0:5]"
}Files must be in the temp directory, MCP_CURL_OUTPUT_DIR, or current working directory.
jq_filter syntax
Syntax | Example | Description |
|
| Object property |
|
| Array index (non-negative only) |
|
| Array slice |
|
| Bracket notation |
|
| Multiple paths (returns array) |
Programmatic API
Install as a library and build custom MCP servers:
npm install mcp-curlimport { McpCurlServer } from "mcp-curl";
const server = new McpCurlServer()
.configure({
baseUrl: "https://api.example.com",
defaultHeaders: {"Authorization": `Bearer ${process.env.API_TOKEN}`},
defaultTimeout: 60,
})
.beforeRequest((ctx) => {
console.log(`${ctx.tool}: ${ctx.params.url}`);
})
.afterResponse((ctx) => {
console.log(`Response: ${ctx.response.length} bytes`);
});
await server.start("stdio");See the library documentation for the full API reference, including hooks, custom tools, instance utilities, and lifecycle management.
YAML Schema
Define API endpoints declaratively and generate MCP tools:
import { createApiServer } from "mcp-curl";
const server = await createApiServer({
definitionPath: "./my-api.yaml",
});
await server.start("stdio");apiVersion: "1.0"
api:
name: my-api
baseUrl: https://api.example.com
endpoints:
- id: list_items
path: /items
method: GET
title: List Items
description: Get all items
parameters:
- name: page
in: query
type: integer
required: falseSee YAML Schema Reference for the full specification including authentication, defaults, response filtering, and parameter types.
Fork Workflow
If you fork this repo to build an API-specific server, use the configs/ directory for your definitions:
# 1. Fork and clone
git clone https://github.com/your-org/mcp-curl.git
cd mcp-curl && npm install && npm run build
# 2. Copy the template
cp configs/example.yaml.template configs/my-api.yaml
# 3. Edit your API definition
# See docs/api-schema.md for the full YAML specification
# 4. Create your entry point (configs/*.ts is gitignored)
# See configs/README.md for a full TypeScript template
# 5. Run your server (using tsx to run the TS file directly)
npx tsx configs/my-api.tsFiles in configs/ matching *.yaml, *.yml, *.ts, *.js are gitignored, so pulling upstream changes
(git pull upstream main) won't conflict with your application-specific configuration.
Alternatively, install mcp-curl as an npm dependency in a separate project — see
Getting Started.
Security Highlights
SSRF protection — blocks private IPs, cloud metadata endpoints, DNS rebinding services, internal TLDs
DNS rebinding prevention — DNS resolved before validation, cURL pinned to validated IP via
--resolveProtocol whitelist — only
http://andhttps://allowed;file://,ftp://, etc. blockedRate limiting — 60 req/min per host, 300 req/min per client
Input validation — Zod schemas, CRLF injection prevention,
--data-raw/--form-stringto block@file readsNo shell execution — commands spawned via
spawn()without shell; allowlist permits onlycurlFile access control —
jq_queryrestricted to temp dir,MCP_CURL_OUTPUT_DIR, and cwd; symlinks resolvedResource limits — 10MB response cap, 100MB global memory, 100ms jq parse timeout, 30s default request timeout
Secure file permissions — temp dirs 0o700, files 0o600 (owner-only)
Environment Variables
Variable | Description |
| Transport mode: |
| HTTP transport port (default: 3000) |
| Bearer token for HTTP transport auth |
| Default directory for saved responses |
| Set |
Documentation
Guide | Description |
| |
Step-by-step setup guide | |
All configuration options | |
Request/response interception | |
Creating custom MCP tools | |
API definition format |
Examples
Working example projects in examples/:
basic/— Minimal custom serverwith-hooks/— Authentication and logging hooksfrom-yaml/— Server from YAML API definition
MCP Resources & Prompts
Resource:
curl://docs/api— Built-in API documentationPrompts:
api-test(test an endpoint),api-discovery(explore a REST API)
License
MIT
Resources
Looking for Admin?
Admins can modify the Dockerfile, update the server description, and track usage metrics. If you are the server author, to access the admin panel.