// mcp debugging + security

Debug MCP servers like you mean it.

MCPRadar is the only tool that combines MCP debugging AND security scanning in one place. Inspect tool calls, replay requests, trace SSE streams — and automatically scan every server for prompt injection, path traversal, and command injection risks before they reach production.

Open Playground Get early access

🔍 13 security checks

⚡ Instant scan on connect

🛡 Free forever

→ Connecting to http://localhost:3001/mcp

✓ Handshake complete

→ Discovered 4 tools

{
  "method": "tools/call",
  "params": {
    "name": "create_ticket",
    "arguments": {
      "title": "Fix SSE transport bug",
      "priority": "high"
    }
  }
}

✓ Response: 200 OK (42ms)

Built for MCP developers

🛡

Security Scanner

Automatically scans every server you connect to. Detects prompt injection, permissive file paths, command injection risks, sensitive data exposure, and performance issues. Get a security grade (A-F) in seconds.

13 checks

⚡

Live Tool Call Inspector

See every MCP tool invocation in real time — request body, response, latency, token counts.

real-time

🔌

Multi-Transport Support

Connect via Streamable HTTP, SSE, or direct browser fallback. Works with local and remote servers.

HTTP · SSE · Browser

🔄

Request Replay

Replay any captured tool call with one click. Edit params, re-send, diff outputs.

replay · diff

🔒

Auth Header Management

Store and inject Bearer tokens, API keys, or custom headers per connection profile.

local storage

📡

Handshake Validator

Validates MCP protocol compliance on connect. Surfaces capability mismatches immediately.

MCP 2024-11-05

📚

Connection Profiles

Save and switch between server configs. Claude Desktop, Cline, remote agents — one place.

✓ available

// security scanner

Know what you're connecting to before your agent does.

Every MCP server you connect to is automatically scanned for security vulnerabilities. MCPRadar checks for the same attack vectors documented in real-world MCP breaches — prompt injection, path traversal, command execution risks, and more.

🔴

Prompt injection detection

Scans tool descriptions for hidden instructions that could hijack your AI agent's behavior.

🟠

File path & command risks

Flags tools that accept unrestricted file paths or execute commands without input validation.

🟡

Performance analysis

Identifies tools that will timeout during agent runs before they cause silent failures in production.

See all 13 checks → /docs/scoring

Security + Health Scan

82/100

🟠 1 High

🟡 2 Medium

✅ 10 Passed

HIGHSecurity

Permissive File Paths

Tool: read_file

path param has no constraints

💡 Recommendation

Add pattern validation

How it works

Connect your server

Paste your MCP server URL — Streamable HTTP and SSE transport supported. Handshake and capability discovery happen automatically.

Browse & invoke tools

Your tool registry loads instantly. Fill params via form or raw JSON, then fire.

Inspect the trace

Every wire message captured — frames, timing, errors, full payloads.

Iterate fast

Edit params, replay calls, compare diffs. Catch bugs before they break agents in production.

Connecting your server

Recommended

Streamable HTTP

Most modern MCP servers built after early 2025. Try this first.

Examples:

• @modelcontextprotocol/server-everything

• Most new community servers

SSE (Legacy)

Servers built before 2025 or older community servers. Use this if Streamable HTTP fails.

No server yet? Try MCPRadar instantly

Run this command to start a test server:

npx @modelcontextprotocol/server-everything streamableHttp

Then connect to:

http://localhost:3001/mcp

How to use MCPRadar

Server Test Mode

Paste your MCP server URL into the input field

Select transport — Streamable HTTP for modern servers, SSE for older ones

Click Connect — MCPRadar runs the handshake and discovers all tools, resources, and prompts automatically

Browse the Tools tab — click any tool to expand its input form

Fill in the arguments and click Send

See the full response on the right — formatted JSON, errors highlighted

Check History at the bottom right to revisit previous calls

Also supports Resources and Prompts tabs — browse everything your MCP server exposes, not just tools.

http://localhost:3001/mcp

HTTP

SSE

Tools (4)

create_ticket

get_user

send_notification

search_docs

✓ Response

{ "status": "ok" }

Agent Debug Mode

Go to the Debug tab

Click Start Session — MCPRadar generates a unique proxy URL

Copy the proxy URL

In your AI agent or MCP client, replace your MCP server URL with the MCPRadar proxy URL

Run your agent as normal

Watch every tool call appear in the waterfall in real time

Click any step to inspect the full request and response payload

Pause mid-execution

Edit arguments live

Replay any step

Your Agent

Claude Desktop / Cline

MCPRadar Proxy

Captures & inspects

MCP Server

Your actual server

Common Questions

Which transport should I use?▸

Try Streamable HTTP first — it works with most servers built after early 2025. If connection fails, switch to SSE. SSE is used by older servers and some community servers built before 2025.

My server requires authentication. How do I add headers?▸

Expand the Headers section below the URL input before connecting. Add any headers your server needs — Authorization: Bearer your-token, API keys, or custom headers. They are sent with every request.

What is the proxy URL used for?▸

The proxy URL is for Agent Debug Mode only. Point your AI agent at the proxy URL instead of your real MCP server URL. MCPRadar sits in the middle and captures every tool call your agent makes so you can inspect and debug them.

Can I use MCPRadar with local servers?▸

Yes. For HTTP and SSE local servers, MCPRadar connects directly from your browser — no installation needed. For stdio servers, run npx mcpradar-bridge on your machine to enable the connection.

Does MCPRadar work with Claude Desktop?▸

Yes — in Agent Debug Mode. Replace your MCP server URL in Claude Desktop's config with the MCPRadar proxy URL. Every tool call Claude makes will appear in the debug waterfall.

Compatible servers

Slack

send_messagelist_channels

Linear

create_issueupdate_issue

Notion

create_pagequery_database

Puppeteer

navigatescreenshot

Express/FastAPI

your_custom_tool

Your MCP server

any_toolyou_define

GET /sse HTTP/1.1

event: endpoint

POST /messages HTTP/1.1

{
  "method": "tools/list"
}

event: message

✓ tools/list returned 12 tools

If it speaks MCP, MCPRadar connects to it. Any server that implements the spec — official SDK, community package, or hand-rolled — works out of the box.

npx @modelcontextprotocol/create-server my-server

vs MCP Inspector

MCP Inspector is a great protocol explorer for a quick sanity check. But it has no security scanning, no replay, and no history. MCPRadar gives you the full picture — debugging and security in one tool.

Capability	MCPRadar	MCP Inspector
Security scanningkey differentiator	✓ 13 automated checks, A-F grade	✗ No security analysis
Prompt injection detection	✓ Scans all tool descriptions	✗ Not available
Performance analysis	✓ Latency warnings + timeout risk	✗ Not available
Security report	✓ Exportable with findings + fixes	✗ Not available
Request replay	✓ Replay any call, edit params, re-send	✗ No replay — fire once and re-type
Connection profiles	✓ Named profiles with saved auth + URL	✗ Single connection, no saved state
Auth header management	✓ Bearer tokens, API keys per profile	~ Manual headers only, not persisted
Transport support	✓ HTTP · SSE · browser fallback	~ SSE only, browser requires local process
Install required	✓ Open in browser — nothing to install	✗ npx @modelcontextprotocol/inspector
Full wire trace	✓ Every frame, timing, protocol errors	~ Request/response only, no frame-level view
Response diffing	✓ Diff two call outputs side by side	✗ Not available
Handshake validation	✓ Flags non-compliant capability responses	~ Connects but won't surface protocol issues
Remote server testing	✓ Works with any reachable URL	~ Primarily designed for localhost
Built for iteration	✓ Designed for the debug → fix → re-test loop	✗ Built to explore, not iterate

The honest take:Use MCP Inspector when you want to quickly poke at a server you didn't write. Use MCPRadar when you're building the server — replaying broken calls, tracking down handshake failures, switching between configs without restarting anything.

Get early access

MCPRadar is in active development. Drop your email to get notified on new features, vote on the roadmap, and help shape what gets built next.

✓

Feature request voting

✓

Early access to new transports

✓

Changelog updates

HTTP transportoperational

SSE transportoperational

Browser fallbackoperational

Remote serversoperational