MCP server
Plug FixWeb into Claude Desktop, Cursor, or any client that speaks the Model Context Protocol. Your AI agent gets typed access to your scans, findings, and the same templated fix prompts that power the dashboard's Copy fix prompt button.
Mint an API token
Visit /cuenta/api-tokens and create a token named, e.g., claude-desktop. Copy the plaintext value; it is shown only once.
Tokens are bearer credentials: anyone with the string can read your scans and start new ones. Store it like a password.
Point your MCP client at /api/mcp
Claude Desktop / Cursor / Continue / Zed:
{
  "mcpServers": {
    "fixweb": {
      "transport": "streamable-http",
      "url": "https://fixweb.app/api/mcp",
      "headers": {
        "Authorization": "Bearer fxw_YOUR_TOKEN_HERE"
      }
    }
  }
}
Restart the client. The fixweb server should appear in its MCP server list.
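Because the config above stores a bearer token in a plain file, a local check is useful before restarting the client. This is an added example, not FixWeb's own code: the `fxw_` prefix is inferred from the placeholder above, and the owner-only file mode and the helper names are assumptions.

```python
import json, os, stat, tempfile
from urllib.parse import urlparse

PLACEHOLDER = "fxw_YOUR_TOKEN_HERE"  # placeholder value from the config above

def audit_fixweb_entry(config_path, server_name="fixweb"):
    """Return a list of problems with the FixWeb entry in an MCP client config."""
    problems = []
    # A bearer token in a file other local users can read is effectively shared.
    mode = stat.S_IMODE(os.stat(config_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"config file mode {mode:o} lets group/other access it; use 600")
    with open(config_path, encoding="utf-8") as fh:
        entry = json.load(fh).get("mcpServers", {}).get(server_name)
    if entry is None:
        return problems + [f"no '{server_name}' entry under mcpServers"]
    url = urlparse(entry.get("url", ""))
    # The token travels in a header, so the endpoint must be HTTPS on the expected host.
    if url.scheme != "https":
        problems.append("url is not https; the bearer token would be sent in cleartext")
    if url.hostname != "fixweb.app" or url.path != "/api/mcp":
        problems.append("url does not point at https://fixweb.app/api/mcp")
    auth = entry.get("headers", {}).get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token.startswith("fxw_"):
        problems.append("Authorization header is not 'Bearer fxw_...'")
    elif token == PLACEHOLDER:
        problems.append("Authorization header still holds the placeholder token")
    return problems

def write_config(cfg, mode):
    # Demo helper (hypothetical): write a constructed config with the given permissions.
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(cfg, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    # Constructed sample: wrong scheme, placeholder token, world-readable file.
    bad = {"mcpServers": {"fixweb": {"transport": "streamable-http",
           "url": "http://fixweb.app/api/mcp",
           "headers": {"Authorization": "Bearer fxw_YOUR_TOKEN_HERE"}}}}
    for p in audit_fixweb_entry(write_config(bad, 0o644)):
        print("FAIL:", p)
```

Point `audit_fixweb_entry` at the real config path of your MCP client; the permission check assumes a POSIX file system.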
Try it out
Ask your agent things like:
- “List my last 10 FixWeb scans.”
- “Show me the critical findings on the most recent scan.”
- “Start a passive scan against https://staging.example.com.”
- “For each high-severity finding on scan X, write a fix.”
- “Are there any open live-threat alerts on my domains?”
- Type /fixweb-fix with a finding id to drop the templated remediation prompt straight into the chat.
Tools
- list_scans · read
  - Returns up to 100 most-recent scans with status + finding counts. Args: limit?: 1..100.
- get_scan · read
  - Scan envelope + per-category severity summary by default. Set include_findings=true for the full report (large for noisy scans; prefer list_findings + filters). Args: scan_id (uuid), include_findings?: boolean.
- list_findings · read
  - Paginated findings across all your scans. Args: severity?: list, check_id?, since? (ISO 8601), limit?: 1..200.
- start_scan · write
  - Enqueues a passive scan. Returns an id with status queued; poll get_scan to await completion. Owner-depth mode is gated behind on-site attestation and not exposed via MCP. Args: target (URL or hostname).
- list_alerts · read
  - Live-threat alerts (CT log changes, DNS changes, threat intel listings). Available on the Unlimited plan only; the Hobby and Pro plans return an empty list. Args: domain_id?, active_only?, limit?: 1..200.
- get_alert · read
  - Single alert with full payload (DNS diff, new certs, listing detail). Args: alert_id (uuid).
- dismiss_alert · write · idempotent
  - Mark an alert dismissed. Idempotent: re-dismissing is a no-op. Args: alert_id (uuid).
Resources
Resources let your client attach FixWeb data into the conversation directly, instead of the agent re-fetching it on every turn. In Claude Desktop, click the @ menu → fixweb.
- fixweb://scan/{scan_id}/report · json
  - Full FixWeb scan report including every check and every finding.
- fixweb://finding/{finding_id} · json
  - A single finding (severity, title, description, evidence, remediation, CWE).
- A single jejuhu (severity, title, description, evidence, remediation, CWE).
Slash commands
- /fixweb-fix · prompt
  - Renders a templated remediation prompt for a finding. Detects the codebase framework from the scan's tech-fingerprint and injects framework-specific advice when available; falls back to a generic recipe otherwise. Args: finding_id (uuid). No Claude API call; the prompt is templated server-side.
→ Quotas, RLS, and severity gating apply identically to MCP and REST calls.
