Universal MCP server for the Avito API (Russia's largest classifieds marketplace), built for autonomous AI agents to operate an account hands-free — 145 tools across 18 domains (listings, messenger, orders, delivery, promotion, autoload, reviews, analytics). Safe-by-default: dry-run, idempotency, structured errors, confirmation flow.
Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.
Install from
M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.
Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.
express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network
process.env. You'll be asked to provide them before it can run.AVITO_BASE_URLAVITO_ENV_FILEAVITO_MCP_ALLOWED_UPLOAD_DIRS— + =… 145 (+1 upload)AVITO_MCP_ALLOW_TOOLS— Multi-agent swarm — separate agents for "support", "promotion", "logistics", each holding only the tools they need (via / safety modes).AVITO_MCP_CONFIRMATION_MODE— off −3 (hides meta__action)AVITO_MCP_CONFIRMATION_SECRETAVITO_MCP_CONFIRMATION_TTL_SECAVITO_MCP_DENY_TOOLS— AVITO_MCP_ALLOW_TOOLS / — per-tool gating. Deny wins over allow.AVITO_MCP_DRY_RUN_DEFAULT— You can flip the default for the entire server: =true or --dry-run. Then every destructive tool short-circuits unless the agent explicitly passes dryRun: false.AVITO_MCP_EXPOSE_AUTH_TOOLS— + =1 147 (+3 auth)AVITO_MCP_HTTP_ALLOWED_HOSTS— derived CSV — DNS-rebinding protection (accepted Host values). When unset, derived from the public URL + bind address — protection is on by default (off only for a wildcard bind with no public URL)AVITO_MCP_HTTP_ALLOWED_ORIGINS— derived CSV — DNS-rebinding protection (accepted Origin values). Same derivation as aboveAVITO_MCP_HTTP_ALLOW_NO_AUTH— 0 Allow auth=none on a non-loopback host (discouraged)AVITO_MCP_HTTP_AUTH— oauth # oauth (default) bearer noneAVITO_MCP_HTTP_AUTH_TOKEN— bearer mode: shared secret(s), comma-separatedAVITO_MCP_HTTP_HOST— 127.0.0.1 # Node always binds loopback; TLS is the proxy's jobAVITO_MCP_HTTP_MAX_SESSIONS— 100 Max concurrent Streamable HTTP sessions — initialize beyond it → 503AVITO_MCP_HTTP_PORT— 3000 Listen portAVITO_MCP_HTTP_PUBLIC_URL— Public TLS base used to build OAuth issuer / resource metadata. No trailing slash.AVITO_MCP_HTTP_SESSION_IDLE_SEC— 1800 Sessions idle longer than this are reaped (clients that vanished without DELETE)AVITO_MCP_IDEMPOTENCY_TTL_SEC— This is the simplest reliable defence against duplicate sends after retries, crashes, or race conditions between concurrent agents. TTL via (default 1 hour).AVITO_MCP_MAX_BINARY_MBAVITO_MCP_MAX_UPLOAD_MBAVITO_MCP_MODE— Default (=full_access, no opt-ins) 144AVITO_MCP_OAUTH_OWNER_PASSWORD— … # REQUIRED in oauth mode — the only person who can mint a tokenAVITO_MCP_OAUTH_STORE_FILE— Optional file to persist issued tokens/clients across restartsAVITO_MCP_OAUTH_TOKEN_TTL_SEC— 5. The client exchanges the code at /token for a bearer token (TTL , default 3600s), and that token guards every /mcp request.AVITO_MCP_TOKEN_LOCK_TIMEOUT_MSAVITO_MCP_TRANSPORT— avito-mcp --http --both # =http bothAVITO_MCP_WEBHOOK_BUFFER— =100 # ring-buffer size (events kept in memory)AVITO_MCP_WEBHOOK_ENABLED— 1 when a secret is set Explicit toggle: set 0 to disable without unsetting the secret. 1 without a secret does nothing (warned at startup)AVITO_MCP_WEBHOOK_LOG_FILE— =/var/log/avito-webhook.jsonl # optional JSONL audit logAVITO_MCP_WEBHOOK_PATH— =/avito/webhook # defaultAVITO_MCP_WEBHOOK_PUBLIC_URL— POST {}{AVITO_MCP_WEBHOOK_PATH}/{AVITO_MCP_WEBHOOK_SECRET}AVITO_MCP_WEBHOOK_SECRET— … # enables the receiver; becomes a secret path segmentAVITO_SAFE_MODEAVITO_TOKEN_FILE— Override with . Delete the file to force a refresh.CALL_USER_INFOCLIENT_IDCLIENT_SECRETClient_id— 1. Get OAuth credentials from the [Avito Developer Portal](https://www.avito.ru/professionals/api): , Client_secret, and your Profile_id (your numeric account ID, shown on the same page).Client_secret— 1. Get OAuth credentials from the [Avito Developer Portal](https://www.avito.ru/professionals/api): Client_id, , and your Profile_id (your numeric account ID, shown on the same page).LOG_LEVELPROFILE_IDProfile_id— 1. Get OAuth credentials from the [Avito Developer Portal](https://www.avito.ru/professionals/api): Client_id, Client_secret, and your (your numeric account ID, shown on the same page).XDG_STATE_HOME— Linux: $/avito-mcp/token.json (≈ ~/.local/state/avito-mcp/token.json)[](https://m8ven.ai/mcp/elchin92-avito-mcp-14jvek)