MCP Submission Audit

Submission-ready for Claude and OpenAI?

Three layers: wire-level checks, per-tool invocation, source-side AST. Catches the mismatches reviewers reject MCPs over — in 30 seconds, not 30 days.

What we test

OAuth 2.1 + PKCE

Dynamic client registration, authorize, token exchange, refresh

MCP protocol

initialize, tools/list, tools/call, malformed-body + unknown-method resilience

Per-tool invocation

Every safe-to-invoke tool is actually called with synthesized args

Idempotency probe

Tools claiming idempotentHint:true get called twice and compared

Source-side AST

Optional: GitHub repo URL → AST check that handlers match annotations

README parity

README mentions every tool declared in source

Response cross-check

Response language analyzed for vocabulary that contradicts annotations

Per-directory tags

Every finding is tagged with which directory cares — Claude or OpenAI
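The idempotency probe described above, as an added example that is not the audit tool's own code: it walks tools/list, calls every tool annotated idempotentHint:true twice with identical synthesized arguments, and reports any whose result payloads differ. The in-process fake server, tool names and response texts are constructed so the example runs offline.

```python
# Added example (not the audit tool's code): idempotency probe against a constructed fake server.
import copy
from typing import Any, Callable, Dict, List

JsonRpc = Dict[str, Any]
Transport = Callable[[JsonRpc], JsonRpc]  # sends one JSON-RPC request, returns its response


def rpc(method: str, params: Dict[str, Any], req_id: int) -> JsonRpc:
    return {"jsonrpc": "2.0", "id": req_id, "method": method, "params": params}


def probe_idempotency(send: Transport, args_for: Dict[str, Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Call every tool that claims idempotentHint: true twice with identical args; report differing results."""
    tools = send(rpc("tools/list", {}, 1))["result"]["tools"]
    findings: List[Dict[str, Any]] = []
    req_id = 2
    for tool in tools:
        if not tool.get("annotations", {}).get("idempotentHint"):
            continue  # only tools making the claim are probed
        call = {"name": tool["name"], "arguments": args_for.get(tool["name"], {})}
        first = send(rpc("tools/call", call, req_id))
        second = send(rpc("tools/call", call, req_id + 1))
        req_id += 2
        # Compare result payloads only; the JSON-RPC id wrapper legitimately differs.
        if first.get("result") != second.get("result"):
            findings.append({"tool": tool["name"],
                             "issue": "idempotentHint:true but identical calls returned different results"})
    return findings


def make_fake_server() -> Transport:
    """Constructed stand-in for a live endpoint: one honest tool, one that hands out a fresh ticket per call."""
    state = {"ticket": 0}
    tools = [
        {"name": "lookup_timezone", "annotations": {"idempotentHint": True, "readOnlyHint": True}},
        {"name": "next_ticket", "annotations": {"idempotentHint": True}},  # the claim the probe should catch
    ]

    def send(req: JsonRpc) -> JsonRpc:
        if req["method"] == "tools/list":
            return {"jsonrpc": "2.0", "id": req["id"], "result": {"tools": copy.deepcopy(tools)}}
        if req["params"]["name"] == "lookup_timezone":
            text = f"{req['params']['arguments'].get('city', '?')}: UTC+01:00"
        else:
            state["ticket"] += 1
            text = f"ticket #{state['ticket']}"
        return {"jsonrpc": "2.0", "id": req["id"], "result": {"content": [{"type": "text", "text": text}]}}

    return send
```

Against a real server, `send` would POST each request to the Streamable HTTP endpoint and return the decoded JSON-RPC response; the comparison logic is unchanged.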

Common questions

What URL do I paste?

The HTTPS endpoint of your deployed MCP server (Streamable HTTP transport). It should respond to JSON-RPC tools/list. If your server has OAuth, we'll also test the full auth flow.

How do you handle my server / code?

Pre-flight only probes your live endpoint; we don't touch any code. If you later index your MCP on the M8ven Trust Index, we clone the repo in an isolated sandbox, analyze it, and delete it. Source is never stored or used for training. Full policy at /verified/source-handling.

Why does OAuth authorize fail?

The most common cause: your authorize endpoint redirects to a login page. MCP clients are machines — they can't log into a browser. Auto-approve registered clients instead.

Why does token exchange fail?

Check that your token endpoint accepts application/x-www-form-urlencoded request bodies, the encoding the OAuth standard specifies. Some servers accept only JSON, which breaks OpenAI's connector.

Do I need OAuth?

Claude and OpenAI directories require it for listed MCPs. Anonymous-only servers can still work via direct connection, but won't get listed in their directories.

What's the OpenAI domain challenge?

OpenAI requires a file at /.well-known/openai-apps-challenge that returns a verification token. You get the token from the OpenAI developer dashboard when you submit.

How long does directory review take?

OpenAI: 2-4 weeks. Claude: varies. That's why you should test here first — a rejection means starting the wait over.