74
/ 100
8 days ago
glama

thalovant-mcp

MCP server for Thalovant control-plane and hub runtime APIs, supporting local stdio and remote Streamable HTTP with authentication and per-principal credentials.

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings
🚨
Secret credentials may flow to a network call
1 flow detected: MCP_OAUTH_INTROSPECTION_URL. We can’t prove the destination matches the brand the credential belongs to.
🚨
Known vulnerabilities in dependencies: 1 critical
Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.
⚠️
Tests do not pass
Either the test suite is broken or the code regressed. Either way the published behaviour can’t be verified by the publisher’s own tests.
🔐
You'll be asked for 6 credentials: MCP_AUTH_TOKEN, MCP_HTTP_AUTH_TOKEN, MCP_OAUTH_CLIENT_SECRET, THALOVANT_ACCESS_KEY, THALOVANT_ACCESS_TOKEN, THALOVANT_PASSWORD
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// known CVEs in dependencies1 critical

Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.

criticalvitest@3.2.4GHSA-5xrq-8626-4rwp

When Vitest UI server is listening, arbitrary file can be read and executed

Depend on this server? Get alerted when its CVEs change.Watch this server free →
// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
configBENCH_RUNS
configMCP_ALLOWED_HOSTS
configMCP_ALLOWED_ORIGINS
configMCP_AUDIT_INCLUDE_ARGSexport ="false"
configMCP_AUDIT_LOGexport ="stderr" # off, stderr, file, or both
configMCP_AUDIT_LOG_FILEexport ="/var/log/thalovant-mcp/audit.jsonl"
🔐 secretMCP_AUTH_TOKEN
configMCP_EVENT_STORE_FILEexport ="/var/lib/thalovant-mcp/events.jsonl"
configMCP_HTTP_ALLOWED_HOSTSexport ="127.0.0.1:3000,localhost:3000"
configMCP_HTTP_ALLOWED_ORIGINSexport ="https://agent.example.com"
configMCP_HTTP_ALLOW_CLIENT_CREDENTIAL_PATHSRuntime identityFile, configPath, profile, and fromEnv tool arguments are disabled for remote principals by default. Set =true only for trusted private deployments.
configMCP_HTTP_ALLOW_UNAUTHENTICATEDBearer auth is required unless =true is explicitly set.
configMCP_HTTP_AUTH_MODEexport ="jwt"
🔐 secretMCP_HTTP_AUTH_TOKENexport ="$(openssl rand -hex 32)"
configMCP_HTTP_AUTH_TOKENSexport ="token-a,token-b"
configMCP_HTTP_ENABLE_JSON_RESPONSE
configMCP_HTTP_HOSTexport ="127.0.0.1"
configMCP_HTTP_MAX_BODY_BYTESRequest bodies are capped by , defaulting to 1 MiB.
configMCP_HTTP_PATH
configMCP_HTTP_PORTexport ="3000"
configMCP_HTTP_PUBLIC_URL
configMCP_HTTP_RATE_LIMIT_MAX
configMCP_HTTP_RATE_LIMIT_WINDOW_MS
configMCP_HTTP_SESSION_TTL_MS
configMCP_HTTP_TRUST_PROXY
configMCP_OAUTH_AUDIENCEexport ="https://mcp.example.com/mcp"
configMCP_OAUTH_AUTHORIZATION_SERVERSexport ="https://auth.example.com/"
configMCP_OAUTH_CLIENT_IDexport ="mcp-server-client"
🔐 secretMCP_OAUTH_CLIENT_SECRETexport ="..."
configMCP_OAUTH_INTROSPECTION_URLexport ="https://auth.example.com/oauth2/introspect"
configMCP_OAUTH_ISSUERexport ="https://auth.example.com/"
configMCP_OAUTH_JWKS_URLexport ="https://auth.example.com/.well-known/jwks.json"
configMCP_OAUTH_REQUIRED_SCOPESexport ="mcp:thalovant"
configMCP_OAUTH_SCOPES_SUPPORTED
configMCP_PUBLIC_URLexport ="https://mcp.example.com"
configMCP_RESOURCE_URL
configMCP_TRANSPORTexport ="http"
🔐 secretTHALOVANT_ACCESS_KEY
🔐 secretTHALOVANT_ACCESS_TOKENexport ="..."
configTHALOVANT_ALLOW_DEFAULT_PRINCIPAL_CREDENTIALS
configTHALOVANT_ALLOW_SHARED_CREDENTIALSexport ="false"
configTHALOVANT_API_URLexport ="https://api.thalovant.com"
configTHALOVANT_EMAILexport ="you@example.com"
configTHALOVANT_IDENTITY
🔐 secretTHALOVANT_PASSWORDexport ="..."
configTHALOVANT_PRINCIPAL_CREDENTIALS_DIRexport ="/run/secrets/thalovant-principals"
configTHALOVANT_PRINCIPAL_CREDENTIALS_FILEexport ="/run/secrets/thalovant-principals.json"
configTHALOVANT_PROFILEexport ="prod"
configTHALOVANT_SCOPE
// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance — verified publishers only
We have 4 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
// embed badge in your README
[![M8ven Score](https://m8ven.ai/badge/mcp/thalovant-thalovant-mcp-1cyhb4)](https://m8ven.ai/mcp/thalovant-thalovant-mcp-1cyhb4)
commit: 4fae0400b236f6dd3d4c72c450dc2c04bc60d52c
code hash: f54402e13959a05666535c2aa015c061adb989cfc49f5e29a9481d8bde184700
verified: 7/7/2026, 9:59:14 AM
view raw JSON →