FixWeb


MCP server

Plug FixWeb into Claude Desktop, Cursor, or any client that speaks the Model Context Protocol. Your AI agent gets typed access to your scans, findings, and the same templated fix prompts that power the dashboard's Copy fix prompt button.

01

Mint an API token

Visit /account/api-tokens and create a token named, e.g., claude-desktop. Copy the plaintext value; it's shown once.

Tokens are bearer credentials: anyone with the string can read your scans and start new ones. Store it like a password.

02

Point your MCP client at /api/mcp

Claude Desktop / Cursor / Continue / Zed:

{
  "mcpServers": {
    "fixweb": {
      "transport": "streamable-http",
      "url": "https://fixweb.app/api/mcp",
      "headers": {
        "Authorization": "Bearer fxw_YOUR_TOKEN_HERE"
      }
    }
  }
}

Restart the client. The fixweb server should appear in its MCP server list.
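
Because the snippet above stores the bearer token in a plaintext client config file, a quick local audit is worth running after editing it. The following is an added example, not FixWeb's own code: the function names are hypothetical, the config path depends on your client, and treating any group/other permission bit as a problem is one assumed reading of "store it like a password".

```python
import json
import os
import stat
import tempfile
from urllib.parse import urlsplit

def audit_mcp_config(path):
    """Return a list of (server_name, problem) for risky bearer-token entries."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        servers = json.load(fh).get("mcpServers", {})
    for name, entry in servers.items():
        headers = entry.get("headers", {})
        auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
        if not auth.lower().startswith("bearer "):
            continue  # no bearer credential stored for this server
        url = urlsplit(entry.get("url", ""))
        if url.scheme != "https":
            problems.append((name, "bearer token would be sent over " + (url.scheme or "no scheme")))
        # On POSIX, any group/other permission bit exposes the token to other local users.
        if os.name == "posix" and mode & 0o077:
            problems.append((name, "config file mode %o is readable beyond the owner" % mode))
    return problems

def write_sample(url, mode):
    """Constructed sample config mirroring the page's snippet (placeholder token)."""
    cfg = {"mcpServers": {"fixweb": {
        "transport": "streamable-http",
        "url": url,
        "headers": {"Authorization": "Bearer fxw_YOUR_TOKEN_HERE"},
    }}}
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(cfg, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    # Constructed cases: the page's config as written, then a weakened variant.
    for url, mode in [("https://fixweb.app/api/mcp", 0o600),
                      ("http://fixweb.app/api/mcp", 0o644)]:
        path = write_sample(url, mode)
        print(url, oct(mode), audit_mcp_config(path))
        os.remove(path)
```

Point audit_mcp_config at your client's real config file; an empty list means the token is only sent over HTTPS and the file is readable by its owner alone.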

03

Try it out

Ask your agent things like:

  • “List my last 10 FixWeb scans.”
  • “Show me the critical findings on the most recent scan.”
  • “Start a passive scan against https://staging.example.com.”
  • “For each high-severity finding on scan X, write a fix.”
  • “Are there any open live-threat alerts on my domains?”
  • Type /fixweb-fix with a finding id to drop the templated remediation prompt straight into the chat.

Tools

list_scans (read)
Returns up to 100 most-recent scans with status + finding counts. Args: limit?: 1..100.
get_scan (read)
Scan envelope + per-category severity summary by default. Set include_findings=true for the full report (large for noisy scans; prefer list_findings + filters). Args: scan_id (uuid), include_findings?: boolean.
list_findings (read)
Paginated findings across all your scans. Args: severity?: list, check_id?, since? (ISO 8601), limit?: 1..200.
start_scan (write)
Enqueues a passive scan. Returns an id with status queued; poll get_scan to await completion. Owner-depth mode is gated behind on-site attestation and not exposed via MCP. Args: target (URL or hostname).
list_alerts (read)
Live-threat alerts (CT log diffs, DNS changes, threat-intel listings). Available on the Unlimited plan only; Hobby and Pro plans return an empty list. Args: domain_id?, active_only?, limit?: 1..200.
get_alert (read)
Single alert with full payload (DNS diff, new certs, listing detail). Args: alert_id (uuid).
dismiss_alert (write, idempotent)
Mark an alert dismissed. Idempotent: re-dismissing is a no-op. Args: alert_id (uuid).

Resources

Resources let your client attach FixWeb data into the conversation directly, instead of the agent re-fetching it on every turn. In Claude Desktop, click the @ menu → fixweb.

fixweb://scan/{scan_id}/report (json)
Full FixWeb scan report including every check and every finding.
fixweb://finding/{finding_id} (json)
A single finding (severity, title, description, evidence, remediation, CWE).

Slash commands

/fixweb-fix (prompt)
Renders a templated remediation prompt for a finding. Detects the codebase framework from the scan's tech-fingerprint and injects framework-specific advice when available; falls back to a generic recipe otherwise. Args: finding_id (uuid). No Claude API call: templated server-side.

→ Quotas, RLS, and severity gating apply identically to MCP and REST calls.
