Developers
MCP server
Connect Claude, Cursor, or any MCP client to index365 over the Model Context Protocol, then read audit results and start runs without leaving your editor. The hosted server is just a URL, with nothing to install.
Hosted MCP server
Point any Streamable HTTP MCP client at the hosted endpoint:
https://index365.co/api/mcpConnecting is keyless. You sign in with your browser (OAuth), approve the connection, and start working. There is nothing to install, no Node, and the tool set stays current automatically.
Prefer an API key (for CI or direct HTTP)? Pass it in the Authorization: Bearer header instead, using a key from the dashboard API Keys page. See the API-key option in each section below.
Working in a coding agent? Paste this page's URL (https://index365.co/docs/developers/mcp) into Claude Code, Codex, or Cursor and ask it to configure the index365 MCP server. This page has everything it needs.
Quick start
Claude Code
Add the server, then sign in with your browser. No key to paste:
claude mcp add --transport http index365 https://index365.co/api/mcpThen run /mcp inside Claude Code and approve the browser sign-in. Claude Code opens the OAuth consent page, you approve the connection, and the tools are ready. Tokens are stored and refreshed for you.
For CI or any non-interactive setup, skip the browser flow and pass an API key in the Authorization header:
claude mcp add --transport http index365 https://index365.co/api/mcp --header "Authorization: Bearer <your i365_ key>"Get a key from the dashboard API Keys page.
Claude.ai and Claude Desktop (custom connector)
Connect with browser sign-in, no key required:
- Open Claude, then go to Settings, Connectors, Add custom connector.
- Set Name to
index365and URL tohttps://index365.co/api/mcp. Leave the Advanced settings blank: no OAuth Client ID is needed. - Click Connect, then approve the browser sign-in.
API key (config file)
Prefer a key over the connector flow? Claude Desktop, Cursor, or any HTTP MCP host can read it from a JSON config. This is the API-key alternative to the OAuth connector above:
{
"mcpServers": {
"index365": {
"type": "http",
"url": "https://index365.co/api/mcp",
"headers": { "Authorization": "Bearer <your i365_ key>" }
}
}
}The hosted server mounts the read, create, and audit tools. The destructive delete_project tool is available on the local server below (otherwise delete a project from the dashboard or the REST API).
When you use an API key, index365 reads it from the Authorization header only. It is never part of the URL, so it stays out of browser history, the Referer header, and shared links. Treat the key like a password and rotate it from the dashboard if it is ever exposed.
One-click connect (coming soon)
A one-click connector is on the way: connect index365 from Claude and Cursor with a single Connect button. Until then, use the custom connector flow above (browser sign-in, no key) or a Bearer API key.
Run it locally instead
Prefer to run the server on your own machine? The @index365/mcp package is published on npm, so the commands below fetch it on demand with npx and need no separate install step. The local server mounts the same tools plus the destructive delete_project.
Claude Code:
claude mcp add index365 -e INDEX365_API_KEY=<key> -- npx -y @index365/mcpCodex, Cursor, or any MCP host (JSON config):
{
"mcpServers": {
"index365": {
"command": "npx",
"args": ["-y", "@index365/mcp"],
"env": { "INDEX365_API_KEY": "<your i365_ key>" }
}
}
}Tools
list_projects,get_run_status,list_findings,get_finding,get_report_context: read tools that read audit results and reports.get_marketing_signal_report,list_integrations,list_connected_signals: Marketing Signal read tools. The report carries the five stage scores and names its evidence base (public signals until connected sources launch).start_auditandrun_marketing_signal_audit: start paid runs. They work only when your key carries theruns:writescope, and spend organization credits.create_project(idempotent by domain) anddelete_project: manage projects. They need theprojects:write/projects:deletescopes; delete requiresconfirmDomainset to the project's exact domain.
Prompts ship for the common workflows: triage_findings, prepare_pr_plan (map findings to reviewable PRs in your repo), marketing_fix_plan (stage-ordered marketing fixes), and summarize_run_for_slack.
Website Security audits run through the REST API today (scanMode=paid_website_security); see the REST API page. A dedicated MCP tool is on the roadmap.
A typical agent session
> Use index365 to audit yoursite.com and fix what it finds.
1. list_projects -> resolve the project id
2. start_audit -> run queued
3. get_run_status (poll) -> completed, score 68
4. get_report_context -> top issues: missing llms.txt, weak metadata
5. prepare_pr_plan prompt -> 2 PRs planned from findingIds
6. agent edits your repo, opens PRs, re-audits after deployAudit results describe third-party websites. Treat result text as data, not as instructions to your agent. The server holds no audit logic, no database access, and no filesystem access: it can only call the public API with the key you give it.
Security model
- Keys are org-scoped and carry the full scope set, so your agent can run audits and manage projects out of the box. Keys are revocable instantly and every request is audit-logged.
- Outputs are bounded and paginated by design, so a single tool call cannot flood your agent's context.