/ 100

1 day ago

glama

mcp4openapi

Turn any OpenAPI specification into a smaller, LLM-friendly MCP server. Enables interaction with REST APIs through MCP tools using profiles to reduce complexity.

→ davidruzicka/mcp4openapi · listed on glama

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

Glama

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings

🚨

Hardcoded credentials detected

1 live-looking API key in source: 1 OpenAI API key

🚨

Known vulnerabilities in dependencies: 1 critical, 1 high

Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.

🔐

You'll be asked for 7 credentials: GITLAB_TOKEN, MCP4_API_TOKEN, MCP4_OAUTH_CLIENT_SECRET, MCP_PROXY_CLIENT_SECRET, TEST_FACTORY_E2E_KEY, UPSTREAM_SECRET, YOUTRACK_TOKEN

These are read from process.env at runtime. Make sure you trust where they’ll be sent.

// required environment variables

This server reads these from process.env. You'll be asked to provide them before it can run.

configENTERPRISE_ALLOWED_ALGS

configENTERPRISE_AUDIENCE

configENTERPRISE_CATEGORIES

configENTERPRISE_CLAIM_MAPPINGS

configENTERPRISE_DEFAULT_SCOPES

configENTERPRISE_ISSUER

configENTERPRISE_MODE

🔐 secretGITLAB_TOKEN— Profile auth env vars: Use profile-specific names for value_from_env (for example, , YOUTRACK_TOKEN) instead of the generic MCP4_API_TOKEN.

configIMPLEMENTOR_COMMAND

configIMPLEMENTOR_FALLBACK_COMMAND

configIMPLEMENTOR_LEASE_TTL_MINUTES

configIMPLEMENTOR_TASK_JSON

configMCP4_ALLOWED_ORIGINS— Comma-separated origins (supports exact, wildcard .domain.com, CIDR 192.168.1.0/24)

configMCP4_ALLOWED_UNREGISTERED_REDIRECT_URIS— Comma-separated approved redirect URI rules for unregistered OAuth clients, e.g. http://localhost,cursor:// (optional)

configMCP4_ALLOW_PROFILES— Comma-separated profile ids/names/aliases allowed for routed profiles.

configMCP4_ALLOW_PROFILES_REGEX— Regex for allowed profile ids/names/aliases (applies only when routing is enabled).

configMCP4_ALLOW_UNREGISTERED_CLIENTS— Allow authorize requests for unregistered OAuth clients when redirect URIs match the approved allowlist (optional, default: false)

configMCP4_API_BASE_URL— Override OpenAPI server URL

🔐 secretMCP4_API_TOKEN— export =your_token

configMCP4_FILTER_MAX_VALUES— Max values per filtering key (default: 10)

configMCP4_HELP

configMCP4_HIDDEN_PROFILES— Comma-separated profile ids/names/aliases to hide from the index page (profiles remain fully functional).

configMCP4_HOST— Bind address (default: 127.0.0.1)

configMCP4_HTTP_PROFILE_ROUTING— Enable profile routing (/profile/:id/mcp). If enabled without a default profile, /mcp is not registered.

configMCP4_LIST_PROFILES

configMCP4_LOG_FORMAT— console (default) or json

configMCP4_LOG_LEVEL— debug, info (default), warn, error

configMCP4_OAUTH_AUTHORIZATION_URL— 1. Explicit URLs: , MCP4_OAUTH_TOKEN_URL (highest priority)

configMCP4_OAUTH_CLIENT_ID— export =your_dcr_client_id

🔐 secretMCP4_OAUTH_CLIENT_SECRET— export =your_dcr_client_secret

configMCP4_OAUTH_CLIENT_STORE_MAX_CLIENTS— Max dynamic OAuth clients stored in memory (default: 1000)

configMCP4_OAUTH_ISSUER— 2. Explicit issuer: (auto-derives standard OAuth paths)

configMCP4_OAUTH_RATE_LIMIT_MAX— Max OAuth requests per window (default: 10)

configMCP4_OAUTH_RATE_LIMIT_WINDOW_MS— OAuth rate limit window (default: 60000 = 1 minute)

configMCP4_OAUTH_REDIRECT_URI— export =http://127.0.0.1:3003/oauth/callback

configMCP4_OAUTH_REFRESH_THRESHOLD_MS— Refresh access tokens this many ms before expiry (default: 60000 = 60s)

configMCP4_OAUTH_SESSION_TIMEOUT_MS— OAuth session timeout for sessions with refresh tokens (default: 86400000 = 24h, 0 = unlimited)

configMCP4_OAUTH_TOKEN_URL— 1. Explicit URLs: MCP4_OAUTH_AUTHORIZATION_URL, (highest priority)

configMCP4_OPENAPI_SPEC_PATH— export =./incomplete-spec.yaml

configMCP4_PARAM_FILTER— Baseline parameter filter using the same format as X-Mcp4-Params

configMCP4_PORT— Port (default: 3003)

configMCP4_PROFILE— Profile ID for resolving profiles from a directory (used by --profile)

configMCP4_PROFILES_DIR— Profiles are resolved from ./profiles path by default. If that directory is missing, the bundled npm package profiles are used. Override with --profiles-dir or .

configMCP4_PROFILE_PATH— Profile JSON path (default: auto-generate tools from OpenAPI spec; warning logged if tool exceeds 60 parameters)

configMCP4_SSRF_ALLOW_PRIVATE_NETWORK— Set to true to allow private/loopback/link-local targets in SSRF validation paths, including bootstrap URL checks.

configMCP4_TOKEN_MAX_LENGTH— Maximum token length in characters (default: 4096, raised from 1000 in Phase 03.4 to accommodate encrypted token envelopes)

configMCP4_TOOLNAME_MAX— Maximum tool name length (default: 45)

configMCP4_TOOLNAME_MIN_LENGTH— Minimum length in chars for balanced strategy (default: 20)

configMCP4_TOOLNAME_MIN_PARTS— Minimum parts for balanced strategy (default: 3)

configMCP4_TOOLNAME_SIMILARITY_THRESHOLD— Similarity threshold for warning examples (default: 0.75)

configMCP4_TOOLNAME_SIMILAR_TOP— How many similar operationId pairs to show in warnings (default: 3)

configMCP4_TOOLNAME_STRATEGY— Shortening strategy: nonebalancediterativehashauto (default: none)

configMCP4_TOOLNAME_WARN_ONLY— Only warn, don't shorten: truefalse (default: true)

configMCP4_TOOL_FILTER_ALLOW_CATEGORIES— Comma-separated operation categories to allow (list and/or read). Composite tools are allowed only if all steps are within the allowed categories.

configMCP4_TOOL_FILTER_ALLOW_NAMES— Comma-separated tool names to keep (exact match, case-sensitive)

configMCP4_TOOL_FILTER_ALLOW_NAME_REGEX— Comma-separated regex patterns to allow (auto-anchored unless already wrapped with ^ and $)

configMCP4_TOOL_FILTER_DENY_NAMES— Comma-separated tool names to exclude

configMCP4_TOOL_FILTER_DENY_NAME_REGEX— Comma-separated regex patterns to exclude (auto-anchored)

configMCP4_TOOL_FILTER_WARN_THRESHOLD_PCT— Warn when filtered percentage exceeds this threshold (default: 90)

configMCP4_TRANSPORT— stdio (default) or http

configMCP4_TRUST_BOOTSTRAP_URLS— Set to true to skip SSRF checks for bootstrap URL fetches (remote OpenAPI spec loading and OAuth metadata discovery). Default is secure mode (false).

configMCP4_VERSION

configMCP_PROXY_CLIENT_ID

🔐 secretMCP_PROXY_CLIENT_SECRET

configMERGE_EXECUTOR_METHOD

configTEST_API_KEY_A

configTEST_API_KEY_B

configTEST_AUTH_URL

🔐 secretTEST_FACTORY_E2E_KEY

configTEST_GATE_MODE

configTEST_ISSUER

configTEST_TOKEN_URL

🔐 secretUPSTREAM_SECRET

configUPSTREAM_SECRET_TEST_VAR

🔐 secretYOUTRACK_TOKEN— Profile auth env vars: Use profile-specific names for value_from_env (for example, GITLAB_TOKEN, ) instead of the generic MCP4_API_TOKEN.

// full audit trail

The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.

// improvement guidance — verified publishers only

We have 3 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.

// embed badge in your README

[![M8ven Score](https://m8ven.ai/badge/mcp/davidruzicka-mcp4openapi-1e1mq2)](https://m8ven.ai/mcp/davidruzicka-mcp4openapi-1e1mq2)

commit: e9f85d21f2577e27a11b5b4cef25248b30ab9785

code hash: 34955fc6db21baef81aba6a32d96652a86714adbcd8c5ca7d3b3ca9dd6bf32a5

verified: 6/2/2026, 12:23:56 PM

view raw JSON →