Skip to content

MCP Vendor Presets

One-click registration for 17 popular MCP servers. Each preset bundles the canonical URL, transport, auth shape, and default tool ACLs with sensible risk levels.

Find them at /dashboard/mcp/registry→ "Quick-add from preset", or via the API at GET /api/v1/mcp/presets.

What is MCP?

The Model Context Protocol (MCP) is an open standard that lets AI agents call external tools: a GitHub server exposes tools like create_issue, a Stripe server exposes refund.create, and so on. Each tool call is a JSON-RPC tools/call request against an MCP server. EvalGuard does not replace those servers — it sits in front of them as a gateway. You register each upstream server once, then route agent tool calls through POST /api/v1/mcp/invoke, where every call is role-checked, rate-limited, and audited before it reaches the upstream. The default is zero-trust: a tool with no permission row is denied (deny_no_permission).

Transports

A server's transport tells the gateway how to reach it. The gateway forwards tool calls over three network transports: http (streamable HTTP), sse (Server-Sent Events), and websocket.

stdio is a valid registration transport but the multi-tenant gateway does not spawn local subprocesses — invoking a stdio server returns a 501. To use one of the stdio presets below (Slack, Stripe, Postgres, and the other CLI-style servers), run a small local HTTP companion that exposes the stdio server over HTTP, then register that HTTP endpoint instead.

Auth shapes

Each server carries an authType plus a typed authConfig. Credentials are never stored inline — secret fields hold vault:// references. Registration accepts:

  • none — no outbound credential.
  • bearer — a static bearer token on the outbound Authorization header.
  • api-key — a custom header name plus a vault:// value reference.
  • oauth2 — issuer, token endpoint, client id, and a vaulted client secret.
  • jwt — validate a presented JWT against the server's jwksUri (default algorithms RS256 / ES256).

The pipeline additionally understands two advanced outbound modes for self-hosted setups: mtls (mutual-TLS client certs) and token-exchange (RFC 8693 on-behalf-of delegation, so an agent calls the downstream server as the user rather than forwarding a confused-deputy credential).

Register a server, then invoke a tool

# 1. Register the upstream MCP server (transport + auth stored per-server)
POST /api/v1/mcp/servers
{
  "name": "GitHub (prod)",
  "url": "https://api.githubcopilot.com/mcp/",
  "transport": "http",
  "authType": "bearer"
}

# 2. Route a tool call THROUGH the gateway
POST /api/v1/mcp/invoke
{
  "serverId": "<mcp_servers.id>",
  "toolName": "create_issue",
  "arguments": { "repo": "acme/api", "title": "Broken login" },
  "jwt": "<optional bearer JWT, forwarded when authType='jwt'>"
}

# Allowed -> 200
{ "success": true,
  "data": {
    "decision": "allow",
    "reason": "all RBAC + rate-limit checks passed",
    "response": { },
    "latencyMs": 128
  }
}

# Denied -> 403 (role not in the tool's allowed_roles)
{ "success": false,
  "error": {
    "message": "caller role(s) [viewer] not in tool's allowed_roles [owner]",
    "code": "DENY_ROLE_NOT_ALLOWED"
  }
}

The code on a blocked call is the enforcement decision uppercased — DENY_NO_PERMISSION, DENY_ROLE_NOT_ALLOWED, DENY_RATE_LIMITED, or DENY_DISABLED. The presets below pre-load each server's tools with sensible allowed_rolesand risk levels so you don't hand-write these permission rows.

Authoritative defaults for destructive tools

The test-enforced bar covers specific delete, charge, and refund tools, which are either denied by default or restricted to owner-only. Some other sensitive tools — on-call paging via create_incident, and certain money tools like Stripe's invoice.finalize and payment_link.create — default to admin+owner rather than owner-only or denied. A unit test in packages/coreblocks any future preset from regressing this bar. The dashboard surfaces every default ACL on the Quick-add review screen so operators see what they're enabling before they click confirm.

Productivity + Issue tracking

GitHubofficialhttpbearer

Repos, issues, pull requests, code search, file ops.

https://api.githubcopilot.com/mcp/

12 default tool ACLsVendor docs ↗
Linearofficialsseoauth2

Issues, projects, teams, cycles, comments.

https://mcp.linear.app/sse

10 default tool ACLsVendor docs ↗
Atlassianofficialsseoauth2

Jira issues + transitions, Confluence pages + search.

https://mcp.atlassian.com/v1/sse

11 default tool ACLsVendor docs ↗
Notionofficialhttpoauth2

Search, fetch pages, query databases, create + update blocks.

https://mcp.notion.com/mcp

10 default tool ACLsVendor docs ↗

Communication + Design

Slackcommunitystdiobearer

Post messages, search history, manage threads + reactions.

npx -y @modelcontextprotocol/server-slack

9 default tool ACLsVendor docs ↗
Figmaofficialhttpoauth2

Read files + frames + components, export images, list team projects.

https://mcp.figma.com/mcp

7 default tool ACLsVendor docs ↗

Finance + Database

Stripecommunitystdioapi-key

Customers, charges, refunds, subscriptions, invoices, payment links.

npx -y @stripe/agent-toolkit

13 default tool ACLsVendor docs ↗
Postgrescommunitystdioapi-key

Read-only SQL queries + schema introspection.

npx -y @modelcontextprotocol/server-postgres

3 default tool ACLsVendor docs ↗
MongoDBcommunitystdioapi-key

Read-mostly access to MongoDB collections + Atlas cluster ops.

npx -y mongodb-mcp-server

12 default tool ACLsVendor docs ↗

Observability + Infra

Sentryofficialsseoauth2

Issues, events, releases, replays — pull error context into agents.

https://mcp.sentry.dev/sse

10 default tool ACLsVendor docs ↗
PagerDutycommunitystdioapi-key

List/create/acknowledge incidents, query schedules + escalation policies.

npx -y @pagerduty/mcp-server

10 default tool ACLsVendor docs ↗
Datadogcommunitystdioapi-key

Query metrics, search logs, list + mute monitors, fetch dashboards.

npx -y @winor30/mcp-server-datadog

10 default tool ACLsVendor docs ↗
Cloudflareofficialsseoauth2

Workers, R2 buckets, D1 databases, KV namespaces, DNS records.

https://api.mcp.cloudflare.com/sse

14 default tool ACLsVendor docs ↗
Vercelcommunitystdioapi-key

List + manage deployments, projects, env vars, custom domains.

npx -y @nganiet/mcp-vercel

12 default tool ACLsVendor docs ↗

Telephony + Email + Identity

Twiliocommunitystdioapi-key

Send SMS, place calls, manage messaging services + phone numbers.

npx -y @ankri/twilio-mcp-server

10 default tool ACLsVendor docs ↗
Resendcommunitystdioapi-key

Send transactional email, manage audiences, query email delivery status.

npx -y @ykhli/mcp-server-resend

9 default tool ACLsVendor docs ↗
Auth0communitystdioapi-key

Manage users, roles, applications, connections, tenant settings.

npx -y @auth0/auth0-mcp-server

10 default tool ACLsVendor docs ↗

Programmatic access

The catalog is available via REST + CLI:

# REST
GET /api/v1/mcp/presets
GET /api/v1/mcp/presets?id=<vendor-id>

# CLI
evalguard mcp presets           # short summary table
evalguard mcp preset stripe     # full setup guide + tool ACL matrix
evalguard mcp servers           # list servers registered to your org

Adding your own preset

Self-hosted operators can drop a <vendor>.ts file in packages/core/src/mcp-gateway/presets/ following the shape of the bundled ones and append to the MCP_PRESETS tuple in index.ts. The catalog test asserts shape + id-uniqueness; the destructive-default rule unit test asserts that a fixed list of six specific named tools ( delete_repository, delete_issue, delete_block, jira_delete_issue, charge.create, and refund.create) are denied or owner-only. It is not a delete_* wildcard, and archive_* tools are not covered.