MCP Scorecard


Trust Data, The Full Picture

Integrate MCP trust scores into your tools, agents, and workflows.

Free tier included. No credit card required.


Free

100 requests / day

$0 forever
  • All endpoints
  • Rate limit headers included
  • Personal projects & evaluation
Pro

10,000 requests / day

Coming soon
  • All endpoints
  • Rate limit headers included
  • Personal projects & evaluation
  • Production integrations & SaaS
  • Bulk server lookups
  • Score change notifications
  • Priority support

Quick Start

REST API

Base URL for all API requests:

https://api.mcp-scorecard.ai/v1

Example request:

curl -H "X-API-Key: your_key" \
  https://api.mcp-scorecard.ai/v1/stats

MCP Server

Give your AI agent direct access to trust scores. The mcp-scorecard-server package wraps this API as an MCP tool — no HTTP calls needed in your code.

Add to your Claude Code config (.mcp.json):

{
  "mcpServers": {
    "mcp-scorecard": {
      "command": "uvx",
      "args": ["mcp-scorecard-server"],
      "env": { "SCORECARD_API_KEY": "your_key" }
    }
  }
}

Available tools:

Tool                  Description
check_server_trust    Look up trust score, flags, and install info for a specific server
search_servers        Search servers by keyword (min 2 chars)
list_servers          Browse and filter servers by score, flags, platform, or namespace
get_ecosystem_stats   Aggregate stats — total servers, score distribution, flag summary

Works with any MCP-compatible client — Claude Code, Cursor, Windsurf, or your own agent.

Authentication

All endpoints except /v1/health require an API key passed via the X-API-Key header.

# Authenticated request
curl -H "X-API-Key: sk_your_key_here" \
  https://api.mcp-scorecard.ai/v1/servers

# Health check (no auth needed)
curl https://api.mcp-scorecard.ai/v1/health

Invalid or missing keys return 401 Unauthorized.

Endpoints

Health Check

GET /v1/health
Service status. No authentication required.

{
  "data": {
    "status": "ok",
    "timestamp": "2026-03-02T12:00:00.000Z"
  },
  "meta": { "cached": false }
}

Ecosystem Statistics

GET /v1/stats
Aggregate statistics across all scored servers.

{
  "data": {
    "total_servers": 2889,
    "average_score": 42.3,
    "median_score": 40,
    "score_distribution": { "High Trust": 312, "Moderate Trust": 891, ... },
    "flag_summary": { "NO_SOURCE": 234, "DEAD_ENTRY": 156, ... },
    "verified_publishers": 48
  },
  "meta": { "cached": false }
}

List Servers

GET /v1/servers
List and filter servers. Paginated.

Parameter   Type     Description
limit       int      Results per page. 1–200, default 50.
offset      int      Pagination offset. Default 0.
sort        string   Sort field: trust_score, name, namespace, provenance, maintenance, popularity, permissions, scored_at.
order       string   Sort direction: asc or desc. Default desc.
min_score   int      Filter by minimum trust score.
flags       string   Filter by flag name, e.g. SENSITIVE_CRED_REQUEST.
target      string   Filter by platform target, e.g. PostgreSQL.
namespace   string   Filter by publisher namespace.

# Top 10 high-trust servers
curl -H "X-API-Key: your_key" \
  "https://api.mcp-scorecard.ai/v1/servers?min_score=80&limit=10"

Get Server

GET /v1/servers/:namespace/:id
Detailed trust data for a single server.

# Look up a specific server
curl -H "X-API-Key: your_key" \
  https://api.mcp-scorecard.ai/v1/servers/io.github.pgEdge/postgres-mcp

{
  "data": {
    "name": "io.github.pgEdge/postgres-mcp",
    "trust_score": 68,
    "trust_label": "Moderate Trust",
    "scores": {
      "provenance": 75,
      "maintenance": 67,
      "popularity": 26,
      "permissions": 95
    },
    "flags": [],
    "badges": [],
    "verified_publisher": false,
    "targets": ["PostgreSQL"],
    "scored_at": "2026-03-02T08:00:00Z",
    "install": {
      "repo_url": "https://github.com/pgEdge/pgedge-postgres-mcp",
      "version": "1.0.0",
      "package_types": ["docker"],
      "transport_types": ["stdio"]
    }
  },
  "meta": { "cached": false }
}

Search

GET /v1/search?q=
Search servers by name. Minimum 2 characters.

Parameter   Type     Description
q           string   Search query. Required, min 2 characters.
limit       int      Max results. 1–200, default 20.

curl -H "X-API-Key: your_key" \
  "https://api.mcp-scorecard.ai/v1/search?q=postgres"

Rate Limits

Rate limits reset daily at midnight UTC. Every response includes headers to track your usage:

X-RateLimit-Limit: 100           # Your daily limit
X-RateLimit-Remaining: 87        # Requests left today
X-RateLimit-Reset: 1709424000    # UTC midnight epoch

When you exceed your limit, the API returns 429 Too Many Requests with a Retry-After header indicating seconds until reset.

Response Format

All responses use a standard envelope:

{
  "data": { ... },      # The response payload
  "meta": {             # Request metadata
    "cached": true,     # Whether this was a cache hit
    "total": 2889,      # Total matching records (list endpoints)
    "limit": 50,        # Page size
    "offset": 0         # Current offset
  }
}

Responses may be cached for up to 1 hour. The meta.cached field indicates a cache hit. CORS is enabled for all origins.
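
The Rate Limits and Response Format sections above, combined into one client loop. This is an added example, not code from MCP Scorecard: get_page is a hypothetical transport callable returning (status, headers, body), and it assumes the list endpoint returns "data" as an array, which the page does not show.

```python
import time


def wait_seconds(status, headers, now=None):
    """Seconds to pause before the next request, from the documented headers."""
    now = time.time() if now is None else now
    if status == 429:
        # Retry-After is documented as seconds until reset; never spin at 0.
        return max(1, int(headers.get("Retry-After", 1)))
    if int(headers.get("X-RateLimit-Remaining", 1)) <= 0:
        # Daily quota used up: wait for the UTC-midnight reset epoch.
        return max(0, int(headers["X-RateLimit-Reset"]) - int(now))
    return 0


def iter_servers(get_page, limit=200, sleep=time.sleep, **filters):
    """Yield every record from GET /v1/servers, paging until meta.total."""
    offset = 0
    while True:
        params = dict(filters, limit=limit, offset=offset)
        status, headers, body = get_page(params)
        if status == 429:
            sleep(wait_seconds(status, headers))
            continue  # retry the same offset after the pause
        if status != 200:
            # Documented error format: {"error": {"message": ..., "status": ...}}
            message = body.get("error", {}).get("message", f"HTTP {status}")
            raise RuntimeError(message)
        yield from body["data"]
        offset += limit
        if offset >= body["meta"]["total"] or not body["data"]:
            return
        pause = wait_seconds(status, headers)
        if pause:
            sleep(pause)
```

HTTP header names are case-insensitive, so a real transport should normalise them to the spellings used here before returning.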

Errors

Errors follow a consistent format:

{
  "error": {
    "message": "Rate limit exceeded",
    "status": 429
  }
}

Status   Meaning
400      Bad request — missing or invalid parameters
401      Unauthorized — missing or invalid API key
404      Not found — server or route doesn't exist
429      Rate limit exceeded — wait for reset
502      Upstream error — Supabase is unreachable

Use Cases

MCP Clients

Check trust scores before granting a server access to credentials.

CI/CD Pipelines

Gate MCP server additions on minimum trust thresholds.

Security Dashboards

Monitor trust signals across your fleet of MCP servers.

AI Agents

Evaluate server trust programmatically before tool selection.
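
A sketch of the CI/CD and MCP client use cases above: a gate that decides whether a server may be added, based on the Get Server response. This is an added example, not code from MCP Scorecard; the default threshold of 70, the 30-day freshness limit, and the choice to treat these three flags as blocking are assumptions of the example.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

BASE_URL = "https://api.mcp-scorecard.ai/v1"
# Flag names appear on this page; treating them as blocking is this example's policy.
BLOCKED_FLAGS = {"NO_SOURCE", "DEAD_ENTRY", "SENSITIVE_CRED_REQUEST"}


def evaluate(envelope, min_score=70, max_age_days=30, now=None):
    """Return (allowed, reasons) for one GET /v1/servers/:namespace/:id envelope."""
    now = now or datetime.now(timezone.utc)
    if "data" not in envelope:
        # 401, 404, 429, 502 and malformed bodies all deny: fail closed.
        status = envelope.get("error", {}).get("status", "unknown")
        return False, [f"no trust data (status {status}); failing closed"]
    data, reasons = envelope["data"], []
    score = data.get("trust_score")
    if not isinstance(score, (int, float)) or score < min_score:
        reasons.append(f"trust_score {score} below minimum {min_score}")
    hits = sorted(BLOCKED_FLAGS & set(data.get("flags") or []))
    if hits:
        reasons.append("blocked flags: " + ", ".join(hits))
    try:
        scored = datetime.fromisoformat(data["scored_at"].replace("Z", "+00:00"))
        if now - scored > timedelta(days=max_age_days):
            reasons.append(f"score older than {max_age_days} days")
    except (KeyError, ValueError, TypeError, AttributeError):
        reasons.append("missing or unparseable scored_at")
    return not reasons, reasons


def fetch(name, api_key):
    """Fetch one server's envelope; HTTP errors come back as an error envelope."""
    req = urllib.request.Request(
        f"{BASE_URL}/servers/{urllib.parse.quote(name)}",
        headers={"X-API-Key": api_key})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        try:
            return json.load(err)
        except ValueError:
            return {"error": {"message": str(err.reason), "status": err.code}}
```

In a pipeline, call evaluate(fetch(name, key)) for each server being added and fail the job when allowed is False. Because responses may be cached for up to 1 hour, a score change can take that long to reach the gate.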