turn-mcp

turn-mcp-web provides a self-hosted MCP server exposing a human-in-the-loop tool (turn.wait/turn_wait) that pauses an agent and forwards control to an operator via a browser console. It also exposes related REST endpoints for pending waits, responding/canceling/extending waits, and real-time updates via SSE.

Evaluated Mar 30, 2026 (0d ago)

Repo ↗ Ai Ml mcp human-in-the-loop ai-agent checkpoint browser-console sse nodejs

⚙ Agent Friendliness

/ 100

Can an agent use this?

🔒 Security

/ 100

Is it safe for agents?

⚡ Reliability

/ 100

Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality

Documentation

Error Messages

Auth Simplicity

Rate Limits

🔒 Security

TLS Enforcement

Auth Strength

Scope Granularity

Dep. Hygiene

Secret Handling

Supports API key auth with operator/viewer roles and HMAC-SHA256 signing for outbound webhooks. TLS enforcement is not stated (README shows localhost HTTP and container host binding), so HTTPS/network protections are assumed to be handled externally. Auth is disabled by default, so secure configuration and network isolation are important. Rate limiting is documented per-IP sliding window.

⚡ Reliability

Uptime/SLA

Version Stability

Breaking Changes

Error Recovery

Best When

You need a local/self-hosted checkpoint mechanism for agent turns with an operator UI and want to integrate with common MCP-capable clients.

Avoid When

You cannot control access to the server (operator/viewer API keys) or you need hardened production-grade security like OIDC, IP allowlisting, or audited data handling.

Use Cases

• Human-in-the-loop checkpoints for agent decisions
• Safely requiring confirmation before risky actions (e.g., destructive DB operations)
• Interactive workflows where an operator replies to the agent across multiple turns
• IDE/agent client integration via MCP (streamable HTTP or stdio)
• Operator-visible session history and queue management for agent interventions

Not For

• Public internet deployment without additional network controls
• Environments requiring strong enterprise auth standards (no OAuth/OIDC described)
• Use cases needing guaranteed exactly-once semantics or strict transactional idempotency

Interface

REST API

Yes

GraphQL

gRPC

MCP Server

Yes ↗

SDK

Yes

Webhooks

Yes

Authentication

Methods: API key via x-turn-mcp-api-key header Bearer token via Authorization: Bearer <key>

OAuth: No Scopes: Yes

Two roles are described: operator (full access) and viewer (read-only + SSE). Auth is disabled by default unless TURN_MCP_API_KEY (and optionally TURN_MCP_VIEWER_API_KEY) is set.

Pricing

Free tier: No

Requires CC: No

Self-hosted open-source (MIT). No hosted pricing mentioned.

Agent Metadata

Pagination

count/total + pagination.hasMore (for paginated endpoints per README)

Idempotent

False

Retry Guidance

Not documented

Known Gotchas

⚠ Human replies are required via the browser console; without operator interaction, waits may time out.
⚠ Auth is disabled by default unless API keys are configured; unintended exposure can occur if bound to non-local interfaces.

Alternatives

Custom MCP server implementing a wait/approval tool Third-party human-in-the-loop orchestration platforms (if available for MCP) DIY REST-based approval gates with your agent framework (without MCP) Queue/approval systems integrated with agent runtime (custom middleware)

Full Evaluation Report

Comprehensive deep-dive: security analysis, reliability audit, agent experience review, cost modeling, competitive positioning, and improvement roadmap for turn-mcp.

AI-powered analysis · PDF + markdown · Delivered within 30 minutes

$99

Package Brief

Quick verdict, integration guide, cost projections, gotchas with workarounds, and alternatives comparison.

Delivered within 10 minutes

Score Monitoring

Get alerted when this package's AF, security, or reliability scores change significantly. Stay ahead of regressions.

Continuous monitoring

$3/mo

API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-30.