MCP Inspector
Paste an MCP server config and Inspector audits it: structural errors, missing fields, hardcoded secrets, over-broad access, and typos. All in your browser, nothing uploaded.
What Inspector checks
A broken or risky MCP config usually fails for a small set of reasons. Inspector reads your config locally and flags them:
- Structure, valid JSON, the
mcpServersobject, and each server having acommand(local) orurl(remote). - Field types,
argsas an array,envas an object, and unrecognized keys that hint at a typo. - Secrets, values that look like live tokens hardcoded into the file, which leak the moment you share it.
- Access, over-broad filesystem paths (like
/) that grant far more than you meant to.
Need to create a config instead of check one? Use the MCP Config Generator. New to the protocol? Start with what MCP is.
FAQ
Is my config uploaded anywhere?
No. The check runs entirely in your browser with JavaScript on the page. Your config, including any secrets in it, never leaves your device and is never sent to KB Cafe.
Why does it flag secrets if MCP env vars are normal?
Putting a token in env is fine to run locally. The flag is about sharing: configs get pasted into issues, chats, and gists, and a hardcoded token goes with them. Inspector nudges you to use a placeholder and set the real value in your environment.
Does a clean result mean it will work?
It means the structure is sound and nothing obvious is wrong. It can’t confirm the server package exists, your token is valid, or the path is correct, those are runtime checks. Inspector catches the config-level mistakes before you even start the server.
Related
Build one with the MCP Config Generator, learn the protocol in What is MCP, or browse AI Explained.