42Crunch MCP. Audit APIs and manage API collections via conversation.
42Crunch. Automate API security testing and governance using any AI agent. This server lets you manage API collections, run static security audits, and get detailed conformance reports by calling tools like `list_collections` and `trigger_audit`.
It brings security risk assessment directly into your conversational workflow, eliminating manual dashboard navigation for API compliance.
What your AI agents can do
Find all API collections and check their aggregated security scores using list_collections.
Bring OpenAPI or Swagger definitions into a collection using import_api, or remove them entirely with delete_api.
Initiate a fresh security audit on an API definition using trigger_audit and get the results with get_audit_report.
Get detailed reports on historical API behavior and conformance issues by calling get_scan_report after listing scans with list_scans.
Retrieve the current security score and metadata for a specific API using get_api or a collection using get_collection.
42Crunch MCP Server: 10 Tools for API Security
These tools let your AI agent manage the full API security lifecycle, from importing specs and running audits to retrieving historical compliance reports.
`delete_api`
Removes a specified API definition from the platform's collections.
`get_api`
Retrieves the detailed metadata and security score for a single API definition.
`get_audit_report`
Downloads the complete static security audit report for an API definition.
`get_collection`
Retrieves the metadata and security score for an entire API collection.
`get_scan_report`
Pulls detailed results from a dynamic conformance scan, highlighting implementation flaws.
`import_api`
Adds an OpenAPI definition file into a specified API collection.
`list_apis`
Lists every API definition within a collection, showing its unique ID and current security score.
`list_collections`
Lists all API collections available in the platform, helping you find the correct ID for operations.
`list_scans`
Shows a history of dynamic conformance scans run against a live API.
`trigger_audit`
Runs a fresh static security audit on an API definition after its specification has been updated.
What you can do with this MCP connector
Yo, hook up your AI client to the 42Crunch MCP Server. You can audit and govern your APIs without leaving the chat window. You'll get to run full static and dynamic security checks and keep track of compliance history, all just by talking to your agent.
Managing API Collections
Start by finding all the API collections on the platform; you use list_collections for that. Once you know the collection ID, you can check its overall metadata and security score by calling get_collection.
Handling API Definitions
To get an API spec into a collection, you use import_api to bring in the OpenAPI or Swagger definition file. Need to clean up? delete_api removes a specific API definition, and get_api lets you check the detailed metadata and security score for just one API.
Running Static Security Audits
When you update an API spec, you run a fresh static security audit using trigger_audit. After it runs, you grab the complete static security audit report for that API definition with get_audit_report.
Reviewing Dynamic Scan Results
Check the history of dynamic conformance scans by calling list_scans. To pull detailed results on how an API behaved—like finding implementation flaws or undocumented behavior—you use get_scan_report.
Tracking APIs
You can see every API definition inside a collection using list_apis, which shows you the unique ID and current security score for each one. You can also pull detailed results from any dynamic conformance scan using get_scan_report.
Basically, your agent handles the whole process. You tell it what you need—like, 'Run a static audit on the User Management API'—and it calls the right tools, gets the data, and spits out the results for you in plain English. No more clicking around dashboards.
Getting Started
Just subscribe to the server and drop your 42Crunch API Token in. Your AI client then uses the tools to do the heavy lifting. It’ll read the data and format the whole thing for you. It’s straightforward.
How 42Crunch MCP Works
1. First, you connect your 42Crunch API Token to the MCP Server.
2. Next, you direct your AI agent to list collections using `list_collections` to find the target scope.
3. Finally, you ask the agent to trigger an audit using `trigger_audit`, and then retrieve the findings with `get_audit_report`.
The bottom line is that your AI client manages the entire security audit lifecycle—from listing assets to triggering and reviewing reports—using a single chat interface.
Who Is 42Crunch MCP For?
The DevSecOps Engineer who gets tired of switching between the CI/CD dashboard, the API gateway, and a dedicated security tool. This is for Platform Teams managing microservices and Backend Developers who need to quickly compare security grades across multiple API iterations.
- DevSecOps Engineer: Runs continuous security audits, asks for specific remediation steps for OWASP vulnerabilities, and tracks security hygiene across an entire microservice collection.
- Platform Team: Governs the entire microservices ecosystem, ensuring non-compliant endpoints are spotted and security scores are tracked for every collection.
- Backend Developer: Imports new API specs, triggers a scan immediately, and compares the security grade evolution without leaving their IDE or chat.
What Changes When You Connect
- Audit APIs and collections without leaving your chat. Instead of manually uploading specs to a separate dashboard, you tell your agent to run `trigger_audit` and get results immediately.
- See the security score evolution instantly. When you use `get_api` or `get_collection`, you get a current score alongside the metadata, allowing you to track degradation over time.
- Get historical context on compliance. `list_scans` shows you every dynamic conformance scan, and `get_scan_report` pulls the detailed report so you don't have to dig through old logs.
- Simplify asset management. Use `list_collections` to see all your API groups and instantly find the collection ID, which is often the hardest part of setting up an audit.
- Maintain a single source of truth for specs. You can use `import_api` to add definitions and `delete_api` to clean up decommissioned endpoints, all from one prompt.
- Speed up developer iteration. Developers can use `import_api` and `trigger_audit` back-to-back, comparing the new security grade against the previous one without context switching.
Real-World Use Cases
Initial Security Assessment
A new platform team needs to audit 12 microservices. They ask their agent to run list_collections. The agent provides the IDs, and the team then uses get_collection to get the score for the 'Internal Microservices' collection, immediately identifying the lowest-scoring area for focus.
Post-Deployment Compliance Check
A developer updates an API spec. Instead of manually resubmitting it, they prompt the agent to run trigger_audit on the specific API ID. The agent waits for the job to finish and then calls get_audit_report, returning a list of critical CWE-307 issues.
Root Cause Analysis for Failures
The system shows an unexpected behavioral flaw. A platform lead asks the agent to run list_scans to see the history, then calls get_scan_report for the last run. This provides a detailed report on undocumented behavior, pointing the team to the exact code gap.
Cleaning Up Decommissioned APIs
A service is retired. The backend developer asks the agent to run list_apis to confirm the API ID, and then calls delete_api to formally remove the definition, ensuring the security collection remains clean.
The Tradeoffs
Manually checking API status
Going to the 42Crunch dashboard, manually finding the API ID, clicking the 'Audit' button, and waiting for the page to load the score.
→
Ask your agent to run list_apis first. Then, tell it to trigger_audit and finally, call get_audit_report to get the score and findings instantly.
Forgetting the scan history
Assuming the current security score is enough, ignoring the fact that the API might have failed compliance checks last month.
→
Use list_scans to see the full history of dynamic scans. Then, call get_scan_report to review the detailed findings from a specific date.
Over-relying on single tool calls
Calling get_api and getting a score, but failing to check if the API definition is linked to an active collection.
→
Always start by running list_collections to establish the scope, and then use get_collection to validate the context before calling get_api.
When It Fits, When It Doesn't
Use this server if your primary pain point is managing security compliance across dozens of APIs and collections, and you need to run audits and track history without changing tools. You must have OpenAPI/Swagger definitions ready to import. Don't use this if your goal is simply to track API usage metrics (e.g., request counts); you need a dedicated API Gateway tool for that. If you only need to delete one API, you can use delete_api, but for any serious auditing or lifecycle management, you need the sequence: list_collections -> get_collection -> trigger_audit -> get_audit_report.
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by 42Crunch. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS INFRASTRUCTURE
- Cloud Hosted: Managed infra
- V8 Isolated: Sandboxed per request
- Zero-Trust Proxy: No stored credentials
- DLP Enforced: Policy on every call
- GDPR Compliant: EU data residency
- Token Compression: ~60% cost reduction
Works with Claude, ChatGPT, Cursor, and more
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This server provides 10 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.
Security audits shouldn't require navigating five different dashboards.
Right now, checking an API's security grade means logging into the 42Crunch dashboard. You find the API, manually select the collection, click 'Audit,' wait 10 minutes for the job to complete, and then download the report. It's a tedious cycle of clicking, waiting, and copy-pasting.
With the 42Crunch MCP Server, you just ask your agent to audit the API. It runs `trigger_audit` in the background, pulls the results, and gives you the full report immediately. The entire process stays in your chat, making compliance checks fast and conversational.
42Crunch MCP Server: Get security reports with `get_audit_report`
Before, getting a full static audit report meant manually finding the correct API ID and running the job, often leading to stale or incomplete data. You'd have to track the report link across multiple tabs.
Now, you ask your agent to trigger the audit and then call `get_audit_report`. It fetches the definitive report, scoring design risks and listing exactly which CWE vulnerabilities need fixing. It's direct, specific, and requires zero context switching.
Common Questions About 42Crunch MCP
How do I use the `list_collections` tool in 42Crunch?
You ask your agent to run list_collections. It shows you all the API collections in the platform, including their unique IDs and current security scores, so you know what you're working with.
Can I check an API's score using `get_api`?
Yes, get_api pulls the detailed metadata and security score for a specific API. It's useful when you know the API ID but need to verify its current standing.
What does `trigger_audit` do for an API definition?
trigger_audit initiates a fresh static security audit on the API definition. It's the command you run when you know the specification has changed and needs a fresh security check.
How do I get a report of previous scans using `list_scans`?
list_scans lists all historical dynamic conformance scans against a live API. Use this list to identify the scan you want, and then call get_scan_report for the full details.
Is `import_api` the right tool to start with?
No. import_api only adds a definition. You should first use list_collections to confirm the target collection exists, and then proceed with the audit workflow.
How do I check the security score for all APIs using `list_apis`?
The list_apis tool provides a summary of all definitions, including their unique ID and security score. It's great for quickly assessing the overall hygiene of a collection without running a full audit.
What is the purpose of the `get_collection` tool?
The get_collection tool retrieves metadata and the aggregate security score for a specific API collection. Use it when you need to understand the overall security health of a group of APIs before diving into individual definitions.
When should I use `get_scan_report` versus `get_audit_report`?
Use get_audit_report for static security checks on an OpenAPI spec. Conversely, get_scan_report pulls detailed results from a dynamic conformance scan, showing actual usage patterns and implementation flaws.
Can my AI agent explain the vulnerabilities found in a 42Crunch audit?
Yes. After retrieving an audit report using your agent, you can ask the agent to act as a DevSecOps engineer. It can break down exactly why you received a low score, explain specific OWASP findings, and write the YAML or JSON patch needed to fix your OpenAPI spec instantly.
How do I test a new API update before merging?
Simply paste your updated OpenAPI definitions into your AI agent's chat context. Ask the agent to import the new API definition into a staging collection. The platform will automatically run a static security audit upon import, and your agent can report back the new security score before you hit merge.
What is the difference between static audits and dynamic conformance scans?
Audits strictly verify the design of your JSON/YAML contract against security best practices without making network calls. Scans, however, send live HTTP traffic against your implemented endpoint to make sure your back-end truly conforms to what you wrote. Your agent can retrieve both reports for side-by-side comparison.