74
/ 100
28 days ago
npm

actual-mcp-server

MCP server with 71 tools for AI-driven financial management with Actual Budget. HTTP and stdio transports for LibreChat, Claude Desktop, Cursor, VS Code, Gemini CLI

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings
No credential exfiltration, no sensitive file access, no obfuscation
Static analysis found nothing flowing your secrets to unexpected places.
Open source with a license and README
Anyone can audit the code, the license is declared, and the publisher documents what it does.
🔐
You'll be asked for 4 credentials: ACTUAL_BUDGET_PASSWORD, ACTUAL_PASSWORD, MCP_AUTH_TOKEN, MCP_HTTPS_KEY
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
configACTUAL_API_CONCURRENCY5 No Max concurrent Actual API operations
🔐 secretACTUAL_BUDGET_PASSWORD_(none)_ No Optional encryption password for encrypted budgets
configACTUAL_BUDGET_SYNC_IDe =your_sync_id \
configACTUAL_DATA_DIR
🔐 secretACTUAL_PASSWORDe =your_password \
configACTUAL_SERVER_URLe =http://localhost:5006 \
configBANK_SYNC_TIMEOUT_MS
configBUDGET_DEFAULT_NAMENo "Default"
configDIRECT_SYNC_LOG_DIR
configDOTENV_CONFIG_QUIET
configLOG_LEVEL_(none)_ No Debug-detection toggle: set to debug to enable extra transport debug output. Distinct from MCP_BRIDGE_LOG_LEVEL (the winston level); has no default and is not itself a log level
configMAX_CONCURRENT_SESSIONS15 No Maximum concurrent MCP sessions allowed
🔐 secretMCP_AUTH_TOKEN
configMCP_BRIDGE_BIND_HOST0.0.0.0 No Host address to bind server to (0.0.0.0 = all interfaces)
configMCP_BRIDGE_DEBUG_TRANSPORTfalse No Enable transport-level debug logging
configMCP_BRIDGE_HTTP_PATHsame as MCP_HTTP_PATH No Advertised HTTP path shown to clients (set when a reverse proxy rewrites the path)
configMCP_BRIDGE_LOG_DIRapp/logs (beside the install) No Directory for log files (if STORE_LOGS=true). .env.example and Docker set it explicitly (e.g. ./logs, /app/logs)
configMCP_BRIDGE_MAX_FILES14d No Keep rotated logs for N days (e.g., 14d, 30d)
configMCP_BRIDGE_MAX_LOG_SIZE20m No Rotate when file reaches size (e.g., 20m, 100m)
configMCP_BRIDGE_PORTServer starts at http://localhost:3600/http by default (the listen port is , default 3600).
configMCP_BRIDGE_PUBLIC_HOSTauto-detected No Public hostname/IP for server (shown in logs)
configMCP_BRIDGE_PUBLIC_SCHEMEauto-detected No Public scheme (http or https)
configMCP_BRIDGE_ROTATE_DATEPATTERNYYYY-MM-DD No Date pattern for rotated log filenames
configMCP_BRIDGE_STORE_LOGSfalse No Enable file logging (vs console only)
configMCP_BRIDGE_USE_TLSfalse No Set to true to advertise https:// in the server URL (for reverse-proxy setups where TLS is terminated upstream)
configMCP_ENABLE_HTTPSfalse No Enable native TLS. Requires MCP_HTTPS_CERT and MCP_HTTPS_KEY
configMCP_HTTPS_CERTMCP_ENABLE_HTTPS false No Enable native TLS. Requires and MCP_HTTPS_KEY
🔐 secretMCP_HTTPS_KEYMCP_ENABLE_HTTPS false No Enable native TLS. Requires MCP_HTTPS_CERT and
configMCP_HTTP_PATH/http No HTTP endpoint routing path
configMCP_SERVER_URL
configMCP_STDIO_MODE
configMCP_TEST_BANK_SYNC
configMCP_TEST_CIRCUIT_THRESHOLD
configMCP_TEST_LEVEL
configMCP_TEST_MAX_RETRIES
configMCP_TEST_MAX_RUNTIME_MS
configMCP_TEST_MAX_SESSION_RETRIES
configSESSION_IDLE_TIMEOUT_MINUTES5 No Minutes before idle session cleanup
configUSE_CONNECTION_POOLtrue No Enable session-based connection pooling
configUSE_DOCKER_MCP_SERVER
configVERSIONauto-detected No Server version (auto-set by build/Docker)
// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance — verified publishers only
We have 1 concrete improvement we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
// embed badge in your README
[![M8ven Score](https://m8ven.ai/badge/mcp/actual-mcp-server-vjoqa5)](https://m8ven.ai/mcp/actual-mcp-server-vjoqa5)
commit: 72c9a1f76d5f385624417134d6ba5300a0b8f559
code hash: a77e110b4288fc973418e27a7e9d697d076c55c2954273a2f67a66e0e4e6fe1c
verified: 6/15/2026, 12:58:27 PM
view raw JSON →