MCP Server Overview

The MCP server lets AI assistants — Claude Code, Cursor, OpenCode, Codex, Claude Web, Claude Desktop — read your Vygl data and trigger AI verification, all without leaving the editor. Authenticate with an API key for editor clients or via OAuth for web clients (no key needed).

Tools exposed

Tool	What it does
`list_projects`	List all projects in your organization
`search_findings`	Search findings with filters — severity, status, scan type, file path, project, rule, AI verdict
`get_finding_detail`	Full context on a finding — snippet, AI verdict, reasoning, history, comments
`get_security_posture`	Org-wide summary — severity counts, MTTR, AI coverage
`get_project_health`	Per-project health score with severity breakdown
`list_container_images`	All scanned images with CVE counts
`get_container_image_detail`	Image layer breakdown and vulnerable packages
`search_container_findings`	CVE findings in container images
`get_container_correlations`	Source dependencies that match container CVEs
`get_container_analysis`	Cached AI risk summary for an image
`ai_verify_finding`	Trigger AI verification on a finding (the only write tool)

All other tools are read-only. ai_verify_finding runs an LLM call and returns verdict + reasoning + suggested fix.

Authentication

Client	Auth
Claude Code, Cursor, OpenCode, Codex	API key (Bearer token)
Claude Web, Claude Desktop	OAuth 2.1 Dynamic Client Registration

Editor clients use the same API keys you generate in Settings → API Keys. Web clients click “Add custom integration” in Claude, enter the Vygl MCP URL, and complete a browser OAuth flow — no key management.

Data scoping

Every MCP request is scoped to the organization that owns the API key (or the user’s signed-in org for OAuth). Permissions and rate limits match the API key’s scopes — the MCP server is not a privilege bypass.

What’s next

See IDE Setup for ready-to-paste configs for every supported client.