MCP Vendor Presets
One-click registration for 17 popular MCP servers. Each preset bundles the canonical URL, transport, auth shape, and default tool ACLs with sensible risk levels.
Find them at /dashboard/mcp/registry→ "Quick-add from preset", or via the API at GET /api/v1/mcp/presets.
What is MCP?
The Model Context Protocol (MCP) is an open standard that lets AI agents call external tools: a GitHub server exposes tools like create_issue, a Stripe server exposes refund.create, and so on. Each tool call is a JSON-RPC tools/call request against an MCP server. EvalGuard does not replace those servers — it sits in front of them as a gateway. You register each upstream server once, then route agent tool calls through POST /api/v1/mcp/invoke, where every call is role-checked, rate-limited, and audited before it reaches the upstream. The default is zero-trust: a tool with no permission row is denied (deny_no_permission).
Transports
A server's transport tells the gateway how to reach it. The gateway forwards tool calls over three network transports: http (streamable HTTP), sse (Server-Sent Events), and websocket.
stdio is a valid registration transport but the multi-tenant gateway does not spawn local subprocesses — invoking a stdio server returns a 501. To use one of the stdio presets below (Slack, Stripe, Postgres, and the other CLI-style servers), run a small local HTTP companion that exposes the stdio server over HTTP, then register that HTTP endpoint instead.
Auth shapes
Each server carries an authType plus a typed authConfig. Credentials are never stored inline — secret fields hold vault:// references. Registration accepts:
none— no outbound credential.bearer— a static bearer token on the outboundAuthorizationheader.api-key— a custom header name plus avault://value reference.oauth2— issuer, token endpoint, client id, and a vaulted client secret.jwt— validate a presented JWT against the server'sjwksUri(default algorithmsRS256/ES256).
The pipeline additionally understands two advanced outbound modes for self-hosted setups: mtls (mutual-TLS client certs) and token-exchange (RFC 8693 on-behalf-of delegation, so an agent calls the downstream server as the user rather than forwarding a confused-deputy credential).
Register a server, then invoke a tool
# 1. Register the upstream MCP server (transport + auth stored per-server)
POST /api/v1/mcp/servers
{
"name": "GitHub (prod)",
"url": "https://api.githubcopilot.com/mcp/",
"transport": "http",
"authType": "bearer"
}
# 2. Route a tool call THROUGH the gateway
POST /api/v1/mcp/invoke
{
"serverId": "<mcp_servers.id>",
"toolName": "create_issue",
"arguments": { "repo": "acme/api", "title": "Broken login" },
"jwt": "<optional bearer JWT, forwarded when authType='jwt'>"
}
# Allowed -> 200
{ "success": true,
"data": {
"decision": "allow",
"reason": "all RBAC + rate-limit checks passed",
"response": { },
"latencyMs": 128
}
}
# Denied -> 403 (role not in the tool's allowed_roles)
{ "success": false,
"error": {
"message": "caller role(s) [viewer] not in tool's allowed_roles [owner]",
"code": "DENY_ROLE_NOT_ALLOWED"
}
}The code on a blocked call is the enforcement decision uppercased — DENY_NO_PERMISSION, DENY_ROLE_NOT_ALLOWED, DENY_RATE_LIMITED, or DENY_DISABLED. The presets below pre-load each server's tools with sensible allowed_rolesand risk levels so you don't hand-write these permission rows.
Authoritative defaults for destructive tools
The test-enforced bar covers specific delete, charge, and refund tools, which are either denied by default or restricted to owner-only. Some other sensitive tools — on-call paging via create_incident, and certain money tools like Stripe's invoice.finalize and payment_link.create — default to admin+owner rather than owner-only or denied. A unit test in packages/coreblocks any future preset from regressing this bar. The dashboard surfaces every default ACL on the Quick-add review screen so operators see what they're enabling before they click confirm.
Productivity + Issue tracking
Repos, issues, pull requests, code search, file ops.
https://api.githubcopilot.com/mcp/
Issues, projects, teams, cycles, comments.
https://mcp.linear.app/sse
Jira issues + transitions, Confluence pages + search.
https://mcp.atlassian.com/v1/sse
Search, fetch pages, query databases, create + update blocks.
https://mcp.notion.com/mcp
Communication + Design
Post messages, search history, manage threads + reactions.
npx -y @modelcontextprotocol/server-slack
Read files + frames + components, export images, list team projects.
https://mcp.figma.com/mcp
Finance + Database
Customers, charges, refunds, subscriptions, invoices, payment links.
npx -y @stripe/agent-toolkit
Read-only SQL queries + schema introspection.
npx -y @modelcontextprotocol/server-postgres
Read-mostly access to MongoDB collections + Atlas cluster ops.
npx -y mongodb-mcp-server
Observability + Infra
Issues, events, releases, replays — pull error context into agents.
https://mcp.sentry.dev/sse
List/create/acknowledge incidents, query schedules + escalation policies.
npx -y @pagerduty/mcp-server
Query metrics, search logs, list + mute monitors, fetch dashboards.
npx -y @winor30/mcp-server-datadog
Workers, R2 buckets, D1 databases, KV namespaces, DNS records.
https://api.mcp.cloudflare.com/sse
List + manage deployments, projects, env vars, custom domains.
npx -y @nganiet/mcp-vercel
Telephony + Email + Identity
Send SMS, place calls, manage messaging services + phone numbers.
npx -y @ankri/twilio-mcp-server
Send transactional email, manage audiences, query email delivery status.
npx -y @ykhli/mcp-server-resend
Manage users, roles, applications, connections, tenant settings.
npx -y @auth0/auth0-mcp-server
Programmatic access
The catalog is available via REST + CLI:
# REST GET /api/v1/mcp/presets GET /api/v1/mcp/presets?id=<vendor-id> # CLI evalguard mcp presets # short summary table evalguard mcp preset stripe # full setup guide + tool ACL matrix evalguard mcp servers # list servers registered to your org
Adding your own preset
Self-hosted operators can drop a <vendor>.ts file in packages/core/src/mcp-gateway/presets/ following the shape of the bundled ones and append to the MCP_PRESETS tuple in index.ts. The catalog test asserts shape + id-uniqueness; the destructive-default rule unit test asserts that a fixed list of six specific named tools ( delete_repository, delete_issue, delete_block, jira_delete_issue, charge.create, and refund.create) are denied or owner-only. It is not a delete_* wildcard, and archive_* tools are not covered.