Developers

MCP server

The index365 MCP server lets the coding agent you already use (Claude Code, Codex, Cursor) read your audit results and start runs without leaving your repository. It is a thin wrapper over the same REST API, authenticated with a scoped key. The server is in private beta alongside the CLI; a hosted endpoint with OAuth follows.

Setup

The @index365/mcp package publishes to npm at general availability; during the beta your account team provides the package. The configuration below is identical either way.

Claude Code:

claude mcp add index365 -e INDEX365_API_KEY=<key> -- npx -y @index365/mcp

Codex, Cursor, or any MCP host (JSON config):

{
  "mcpServers": {
    "index365": {
      "command": "npx",
      "args": ["-y", "@index365/mcp"],
      "env": { "INDEX365_API_KEY": "<your i365_ key>" }
    }
  }
}

Tools

  • list_projects, get_run_status, list_findings, get_finding, get_report_context: read tools, available with the default read-only key.
  • get_marketing_signal_report, list_integrations, list_connected_signals: Marketing Signal read tools. The report carries the five stage scores and names its evidence base (public signals until connected sources launch).
  • start_audit and run_marketing_signal_audit: start paid runs. They work only when your key carries the runs:write scope, and spend organization credits.

Prompts ship for the common workflows: triage_findings, prepare_pr_plan (map findings to reviewable PRs in your repo), marketing_fix_plan (stage-ordered marketing fixes), and summarize_run_for_slack.

A typical agent session

> Use index365 to audit acme.com and fix what it finds.

1. list_projects            -> resolve the project id
2. start_audit              -> run queued
3. get_run_status (poll)    -> completed, score 68
4. get_report_context       -> top issues: missing llms.txt, weak metadata
5. prepare_pr_plan prompt   -> 2 PRs planned from findingIds
6. agent edits your repo, opens PRs, re-audits after deploy

Security model

  • The server holds no audit logic, no database access, and no filesystem access. It can only call the public API with the key you give it.
  • Keys are org-scoped and read-only by default. Give your agent a read-only key unless you want it starting paid runs.
  • Outputs are bounded and paginated by design, so a single tool call cannot flood your agent's context.
  • Audit results describe third-party websites. Treat result text as data, not as instructions to your agent.