A multi-provider MCP server that acts as a unified bridge for Tavily, Brave Search, and GrokSearch APIs. It features a comprehensive Admin UI for managing API key rotation, client authentication, and real-time usage monitoring across all search providers.
Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.
Install from
M8ven verifies MCPs across every public registry β install directly from whichever one you prefer.
Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.
When Vitest UI server is listening, arbitrary file can be read and executed
Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
process.env. You'll be asked to provide them before it can run.ADMIN_API_TOKENβ Edit .env to set your and other configurationsADMIN_KEYS_EXPORT_RATE_LIMIT_PER_MINUTEADMIN_KEYS_IMPORT_RATE_LIMIT_PER_MINUTEADMIN_KEY_REVEAL_RATE_LIMIT_PER_MINUTEβ Max key reveal attempts per minute in the Admin UI. 20ADMIN_REGISTRATION_IMPORT_RATE_LIMIT_PER_MINUTEADMIN_REGISTRATION_RUN_RATE_LIMIT_PER_MINUTEBRAVE_API_KEYβ A Brave Search API key. If set, this single key will be used. For multi-key support, add keys via the Admin UI. ""BRAVE_HTTP_TIMEOUT_MSβ Per-request HTTP timeout for the Brave API. 20000BRAVE_MAX_QPSβ Max requests per second to the Brave API to stay within rate limits. 1BRAVE_MAX_QUEUE_MSβ Max time a request can wait in the queue before failing or falling back to Tavily. 30000BRAVE_MIN_INTERVAL_MSβ Overrides BRAVE_MAX_QPS with a fixed minimum interval between requests. ""BRAVE_OVERFLOWβ Behavior when the request queue is full: fallback_to_tavily (default), queue (wait), or error. fallback_to_tavilyBRAVE_USAGE_CLEANUP_PROBABILITYBRAVE_USAGE_HASH_SECRETBRAVE_USAGE_LOG_MODEBRAVE_USAGE_RETENTION_DAYSBRAVE_USAGE_SAMPLE_RATEDATABASE_URLβ Connection string for the database. Node runtime now requires PostgreSQL semantics. postgresql://mcp_nexus:mcp_nexus_dev@localhost:5432/mcp_nexus?schema=publicDEFAULT_PARAMETERSENABLE_QUERY_AUTHβ If true, enables MCP client token authentication for the /mcp endpoint. falseENABLE_TAVILY_CREDITS_CHECKFIRECRAWL_API_KEYβ Optional Firecrawl API key used for supplemental source/fetch fallback. ""FIRECRAWL_API_URLβ Optional Firecrawl API base URL override. https://api.firecrawl.dev/v1GROK_API_KEYGROK_API_URLβ Optional Grok-compatible API base URL override. https://api.x.ai/v1GROK_COOLDOWN_MSGROK_EXTRA_SOURCES_DEFAULTβ Default extra supplemental source count for web_search. 0GROK_HTTP_TIMEOUT_MSGROK_MAX_RETRIESGROK_MODEL_DEFAULTβ Default Grok model used by web_search when caller does not override model. grok-4.2-betaGROK_SEARCH_ENABLEDβ Enables/disables Grok tool exposure (web_search, get_sources, web_fetch, web_map). falseGROK_SEARCH_SOURCE_MODEβ Grok supplemental source mode: tavily_only, brave_only, combined, brave_prefer_tavily_fallback. combinedGROK_USAGE_CLEANUP_PROBABILITYGROK_USAGE_HASH_SECRETβ Optional secret for keyed query hashing in Grok usage telemetry. ""GROK_USAGE_LOG_MODEβ Grok usage logging mode: none, hash, preview, full. previewGROK_USAGE_RETENTION_DAYSGROK_USAGE_SAMPLE_RATEβ Optional sample rate (0-1) for Grok usage telemetry. ""HOSTβ The host address for the server to listen on. 0.0.0.0KEY_ENCRYPTION_SECRETβ A 32-byte (256-bit) secret key used for encrypting and decrypting upstream API keys stored in the database. (generated in example)MCP_COOLDOWN_MSβ Cooldown period in milliseconds for an upstream API key after a failure. 60000MCP_GLOBAL_RATE_LIMIT_PER_MINUTEβ Max requests per minute across all clients. 600MCP_MAX_RETRIESβ Maximum number of retries for failed upstream requests. 2MCP_RATE_LIMIT_PER_MINUTEβ Max requests per minute per client token. 60PORTβ The port for the server to listen on. 8787REGISTRATION_AUTOMATION_ENABLEDREGISTRATION_COOLDOWN_MSREGISTRATION_MAX_RETRIESSEARCH_SOURCE_MODEβ When =combined:SERVER_SETTINGS_REFRESH_MSTAVILY_BRIDGE_MCP_TOKENβ "": "<client_token>"TAVILY_CREDITS_CACHE_TTL_MSβ Duration to cache Tavily credit information before it's considered stale. 60000TAVILY_CREDITS_COOLDOWN_MSβ Cooldown duration for a key that has fallen below the minimum credit threshold. 300000 (5m)TAVILY_CREDITS_MIN_REMAININGβ Credit threshold at which a Tavily key will be automatically put into cooldown status. 1TAVILY_CREDITS_REFRESH_LOCK_MSβ Lock duration to prevent concurrent credit refreshes for the same key. 15000TAVILY_CREDITS_REFRESH_MAX_RETRIESTAVILY_CREDITS_REFRESH_RETRY_DELAY_MSTAVILY_CREDITS_REFRESH_TIMEOUT_MSβ Timeout for the upstream Tavily credits API request. 5000TAVILY_CREDITS_STALE_GRACE_MSTAVILY_KEY_SELECTION_STRATEGYTAVILY_RESEARCH_ENABLEDTAVILY_USAGE_CLEANUP_PROBABILITYβ The probability (0.0 to 1.0) that a cleanup of old usage logs is triggered on a new usage event. 0.001TAVILY_USAGE_HASH_SECRETβ Optional secret for creating a keyed HMAC-SHA256 hash of queries instead of a plain SHA256. Recommended for privacy. ""TAVILY_USAGE_LOG_MODEβ Log level for Tavily tool usage: none, hash (query hash only), preview (redacted query), or full query. previewTAVILY_USAGE_RETENTION_DAYSβ Optional retention period for usage logs. If set, old logs will be periodically cleaned up. ""TAVILY_USAGE_SAMPLE_RATEβ Optional sampling rate (0.0 to 1.0) for logging usage events. Empty string means log all events. ""TEST_AES_KEYVITE_ADMIN_UI_PROXY_TARGET[](https://m8ven.ai/mcp/xydong-web-mcp-nexus-1luma7)