API & MCP

MCP Server Setup

Install and configure the APVISO MCP server for use with AI coding assistants like Cursor, Windsurf, and more.

What Is MCP?

The Model Context Protocol (MCP) is an open standard that lets AI assistants interact with external tools and services. APVISO provides an MCP server that exposes self-hosted BYOK control-plane actions as tools: runner readiness, target management, pentest creation, findings, reports, and schedules.

Why Use APVISO MCP?

With APVISO MCP, you can ask your AI assistant questions like:

  • "Are any self-hosted runners online for staging?"

  • "Create a localhost target for my preview environment."

  • "Estimate whether a high-depth pentest can start now."

  • "Show the critical findings from the last pentest and generate the PDF report."

The assistant calls APVISO tools behind the scenes and returns the results in your conversation.

Installation

Use npx from your MCP-compatible assistant configuration:

npx -y @apviso/mcp

Environment Variables

The MCP server requires a user API key:

export APVISO_API_KEY="apvk_your_key_here"

Optionally set the API origin or API base URL for local, regional, or dedicated deployments. Values ending in /api or /api/v1 are normalized automatically.

export APVISO_API_URL="https://api.apviso.com"

Configuring with Claude Code

{
  "mcpServers": {
    "apviso": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "@apviso/mcp"],
      "env": {
        "APVISO_API_KEY": "apvk_your_key_here"
      }
    }
  }
}

Available Tools

The MCP server exposes 25 tools across seven categories:

  • License: get_quota.

  • Runners: list_runners, get_runner_readiness, create_runner_enrollment_token.

  • Targets: list_targets, get_target, create_target, deprecated compatibility verification tools, and delete_target.

  • Pentests: list_scans, get_scan, create_scan, estimate_scan_readiness, cancel_scan.

  • Findings: list_findings, update_finding_status, reorder_findings.

  • Reports: get_report, generate_report_pdf.

  • Schedules: list_schedules, get_schedule, create_schedule, update_schedule, delete_schedule.

Security

The MCP server runs locally and communicates with the APVISO API over HTTPS using your API key. Runner daemons use runner-scoped tokens (apvr_...), not user API keys. BYOK model-provider secrets and target application credentials stay on the self-hosted runner and are not passed to MCP tools.

Back to Knowledge Base