mcp-debug
mcp-debug is a Go command-line tool for debugging Model Context Protocol (MCP) servers. It can connect to MCP servers (including via streamable-http), provide an interactive REPL to inspect tools/resources/prompts, log JSON-RPC traffic verbosely, and run in an MCP server mode itself. It also supports OAuth 2.1 authentication flow options (including PKCE, discovery, resource indicators, and optional CIMD/DRC) to access protected MCP endpoints.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
OAuth 2.1 support with PKCE and resource indicators suggests security-forward design, but this evaluation is based only on the README content (no confirmation of safe logging behavior). Verbose JSON-RPC logging may risk leaking tokens/PII if the tool logs sensitive fields; TLS enforcement level is inferred from typical usage but not explicitly guaranteed in the provided README.
⚡ Reliability
Best When
You’re developing against MCP servers and need to introspect capabilities, test tool calls/notifications, and verify OAuth/OIDC authorization behaviors quickly.
Avoid When
You need a stable, long-lived API surface for other services to call; or you must run in environments with strict constraints on interactive browser-based auth and verbose logging of protocol messages.
Use Cases
- • Inspect an MCP server’s advertised capabilities (tools/resources/prompts)
- • Debug JSON-RPC tool calls and MCP notifications
- • Validate integration with AI assistants by running an MCP-facing debug server
- • Test and troubleshoot OAuth-protected MCP endpoints
- • Explore/verify server transports and authorization behaviors during development
Not For
- • Production-grade MCP gateway/security proxy (it’s a debugging CLI)
- • Automating large-scale workloads without human-in-the-loop interaction
- • Handling highly sensitive tokens where you need guaranteed no logging of secrets
Interface
Authentication
README indicates an OAuth 2.1 flow with authorization discovery (RFC 9728/RFC 8414), Resource Indicators (RFC 8707), PKCE validation, and optional client metadata (CIMD) with fallback to dynamic client registration. Specific scope strings/handling semantics are not detailed in the provided README.
Pricing
Open-source tool (Apache-2.0). Cost is primarily your own infrastructure/IdP usage during OAuth authorization.
Agent Metadata
Known Gotchas
- ⚠ This is primarily a CLI/debugger; agent automation may require driving interactive REPL/browser-based OAuth.
- ⚠ Verbose JSON-RPC logging could expose sensitive information in logs if misconfigured.
- ⚠ No evidence (from README alone) of structured machine-readable error formats for agents; failures may be CLI-output driven.
Alternatives
Full Evaluation Report
Comprehensive deep-dive: security analysis, reliability audit, agent experience review, cost modeling, competitive positioning, and improvement roadmap for mcp-debug.
AI-powered analysis · PDF + markdown · Delivered within 30 minutes
Package Brief
Quick verdict, integration guide, cost projections, gotchas with workarounds, and alternatives comparison.
Delivered within 10 minutes
Score Monitoring
Get alerted when this package's AF, security, or reliability scores change significantly. Stay ahead of regressions.
Continuous monitoring
Scores are editorial opinions as of 2026-03-30.