obsidian-web-mcp
obsidian-web-mcp is a Python MCP server that exposes an Obsidian vault over HTTPS so remote MCP clients (e.g., Claude web/phone) can read and write Markdown files. It provides tools for reading/writing files, updating YAML frontmatter, searching (body and frontmatter), listing directories, moving/renaming, and soft-deleting to a .trash folder. It claims OAuth 2.0 (authorization code flow with PKCE), bearer-token validation per request, Cloudflare Tunnel-based exposure, path traversal protections, and atomic writes to avoid partial file states that could break Obsidian Sync.
Score Breakdown
🔒 Security
The materials claim HTTPS via MCP over Streamable HTTP and Cloudflare Tunnel exposure (outbound-only), OAuth 2.0 with PKCE for client auth, and bearer-token validation per request. They also claim robust path traversal protections (rejecting escapes via .., symlinks, null bytes, and dotfiles like .obsidian/.git/.trash) and atomic writes via temp+rename to prevent partial-file corruption. Safety limits are described (write size cap, batch size cap, search max). However, the details are marketing-level/README-level: there is no explicit coverage of token storage practices, logging/redaction behavior, rate-limit headers, CSRF/auth endpoint hardening, or dependency vulnerability posture.
Best When
You want a persistent MCP endpoint to access a single Obsidian vault remotely with strong operational safety (atomic writes, traversal blocking) and OAuth-based authorization, and you are comfortable running a local service plus Cloudflare Tunnel for exposure.
Avoid When
You need a zero-ops hosted SaaS (this is a self-hosted server), you cannot safely handle OAuth secrets/tokens, or you require comprehensive audit/log retention guarantees not described in the provided materials.
Use Cases
- Remote editing and content updates to an Obsidian vault from LLM clients outside the local machine
- Searching an Obsidian vault by full text or YAML frontmatter fields via MCP
- Automation workflows that update Obsidian notes/frontmatter programmatically with safety limits
- Enabling Claude web/mobile integrations to access a local Obsidian vault over a tunneled HTTPS service
Not For
- Use cases requiring high-scale multi-tenant access (it appears designed for a single user/vault directory)
- Situations where you cannot deploy or manage a Cloudflare Tunnel (remote access path described depends on it)
- Use as a general-purpose public file server for arbitrary directories (it is scoped to a configured vault root)
Interface
Authentication
Materials describe OAuth-based integration plus per-request bearer token validation, but do not mention fine-grained MCP tool scopes/permissions. A separate VAULT_MCP_TOKEN bearer token is also configured as an environment variable.
Pricing
Self-hosted (MIT) with dependencies like cloudflared; any costs would be infrastructure/tunnel related, not subscription pricing.
Agent Metadata
Known Gotchas
- ⚠ Write/delete operations are destructive in effect (soft-delete via .trash for delete; move/rename can change paths). Agents should avoid unintended writes and set confirm=true for delete.
- ⚠ Batch limits exist (e.g., batch operations capped at 20 files/request; search capped at 50 matches) which may require chunking large tasks.
Scores are editorial opinions as of 2026-03-30.