vikunja-mcp

MCP server that exposes Vikunja task/project/workflow functionality as subcommand-style tools, with session-based token/JWT authentication, validation, rate limiting, and retry/circuit-breaking for resilience.

Evaluated Mar 30, 2026 (21d ago)

Repo ↗ Automation mcp vikunja task-management automation typescript productivity ai-tools

⚙ Agent Friendliness

/ 100

Can an agent use this?

🔒 Security

/ 100

Is it safe for agents?

⚡ Reliability

/ 100

Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality

Documentation

Error Messages

Auth Simplicity

Rate Limits

🔒 Security

TLS Enforcement

Auth Strength

Scope Granularity

Dep. Hygiene

Secret Handling

README claims Zod-based input validation, DoS protection, express-rate-limit rate limiting, and centralized/typed error handling. It also recommends using env vars for configuration. JWT extraction steps increase the chance of token exposure in the operator workflow; the package appears to manage tokens automatically but scope granularity and secret logging behavior are not fully verifiable from the provided content.

⚡ Reliability

Uptime/SLA

Version Stability

Breaking Changes

Error Recovery

Best When

You want an MCP-compatible assistant to operate Vikunja with typed inputs, pagination, and guardrails against abusive requests.

Avoid When

You cannot securely provision/store API tokens/JWTs or you cannot constrain the assistant’s tool use to least-privilege operations.

Use Cases

• Let AI assistants create, list, update, and delete tasks in a Vikunja instance
• Automate task workflows (labels, assignees, comments, reminders, relations)
• Manage projects and teams via MCP tools
• Bulk import tasks from CSV/JSON with validation and dry-run
• Export project data or request/download user export

Not For

• Highly sensitive deployments that require zero exposure of end-user tokens to an external agent runtime
• Use where you need a fully standard REST/GraphQL/SDK integration surface instead of MCP tools
• Environments that cannot provide access to the Vikunja instance API endpoint

Interface

REST API

GraphQL

gRPC

MCP Server

Yes

SDK

Webhooks

Yes

Authentication

Methods: API token authentication (tk_*) JWT authentication (eyJ* tokens)

OAuth: No Scopes: No

Auth is session-based/automatic token management per README. JWT appears to be user-context capable and expires (likely ~24h); API tokens are more limited (not user-specific endpoints). Scope granularity is not described.

Pricing

Free tier: No

Requires CC: No

No pricing information for the MCP package itself is provided in the supplied data.

Agent Metadata

Pagination

cursor-less pagination (page/perPage)

Idempotent

False

Retry Guidance

Documented

Known Gotchas

⚠ JWT token expiry: the assistant/operator may need to refresh/reprovide JWT periodically.
⚠ Different tool availability/capabilities depending on API token vs JWT (users/export likely JWT-only).
⚠ Bulk operations may have limits (e.g., bulk create/delete max 100); agents should respect these constraints to avoid failures.
⚠ Filtering syntax is passed as a string; malformed filters may be rejected by validation/parsing.

Alternatives

Use Vikunja REST API directly Use a different MCP-to-task integration (e.g., generic productivity/task MCPs if available) Write a custom MCP server around the official Vikunja API for your specific subset of operations

Full Evaluation Report

Comprehensive deep-dive: security analysis, reliability audit, agent experience review, cost modeling, competitive positioning, and improvement roadmap for vikunja-mcp.

AI-powered analysis · PDF + markdown · Delivered within 30 minutes

$99

Package Brief

Quick verdict, integration guide, cost projections, gotchas with workarounds, and alternatives comparison.

Delivered within 10 minutes

Score Monitoring

Get alerted when this package's AF, security, or reliability scores change significantly. Stay ahead of regressions.

Continuous monitoring

$3/mo

API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-30.