{"id":"mandar-p-mcp-server-openapi","name":"mcp-server-openapi","homepage":null,"repo_url":"https://github.com/mandar-p/mcp-server-openapi","category":"api-gateway","subcategories":[],"tags":["mcp","openapi","tool-generation","rest-api","claude-desktop","go"],"what_it_does":"Provides an MCP server that reads an OpenAPI 3.0/3.1 specification (JSON) and dynamically generates MCP tools for each API endpoint/method. When called by an MCP client (e.g., Claude Desktop), it validates parameters, constructs the HTTP request (including path/query/header/body), applies an optional configured Authorization header, and returns formatted JSON responses with errors.","use_cases":["Expose any REST API described by an OpenAPI spec as MCP tools for an LLM assistant","Rapidly integrate internal or third-party REST APIs into Claude Desktop via MCP","Generate tool schemas and argument validation automatically from OpenAPI","Provide a generic “API caller” interface for agents without writing bespoke tool wrappers"],"not_for":["APIs that require complex auth flows not representable as a single static header/token","Non-REST or non-OpenAPI-described functionality (e.g., custom RPC protocols, streaming-only APIs)","Production deployments where you need a fully specified, reviewed MCP server contract, test coverage evidence, and explicit operational SLAs"],"best_when":"You have a reasonably complete OpenAPI JSON spec for a REST API and can authenticate using a static header value (Bearer/API key/custom header) configured at startup.","avoid_when":"Your OpenAPI specs are incomplete/incorrect (e.g., missing operationId, parameter schemas) or you need OAuth2 flows, pagination semantics, retries/idempotency guarantees, and comprehensive rate-limit handling documented by the server.","alternatives":["Manually build MCP tools (custom Go/TS) for each endpoint for stronger control and testing","Use an OpenAPI-to-client generator (e.g., OpenAPI Generator) plus an MCP wrapper you control","Use cloud/API integration platforms or agent tool frameworks that support OpenAPI ingestion with richer runtime controls"],"af_score":61.2,"security_score":53.2,"reliability_score":22.5,"package_type":"mcp_server","discovery_source":["github"],"priority":"low","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-04-04T21:20:48.512711+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":null,"has_sdk":false,"sdk_languages":[],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["Static Authorization header (configurable via -auth) for Bearer tokens, API keys, or custom headers"],"oauth":false,"scopes":false,"notes":"Auth appears to be passed as a single configured header value; there is no indication of OAuth2 or fine-grained scope enforcement."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"No pricing information provided; this appears to be an open-source/self-hosted MCP server."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":61.2,"security_score":53.2,"reliability_score":22.5,"mcp_server_quality":78.0,"documentation_accuracy":70.0,"error_message_quality":null,"error_message_notes":"README mentions 'Pretty-prints JSON responses with proper error handling' and 'Detailed error messages without exposing sensitive data', but there are no documented error formats, MCP error codes, or examples to verify consistency.","auth_complexity":85.0,"rate_limit_clarity":10.0,"tls_enforcement":80.0,"auth_strength":55.0,"scope_granularity":20.0,"dependency_hygiene":50.0,"secret_handling":60.0,"security_notes":"README claims a 30-second timeout and 'Detailed error messages without exposing sensitive data' plus parameter validation and URL/header escaping. However, there is no provided evidence for TLS enforcement details, secure secret storage/logging behavior, dependency audit status, or defense against SSRF/path traversal via OpenAPI-defined URLs.","uptime_documented":0.0,"version_stability":35.0,"breaking_changes_history":20.0,"error_recovery":35.0,"idempotency_support":"false","idempotency_notes":"No explicit idempotency guidance is documented. Dynamic tool mapping may call non-idempotent methods depending on OpenAPI operations.","pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["Tool names depend on operationId; missing/duplicate operationId may lead to less stable/less predictable tool naming.","The server accepts OpenAPI JSON only (YAML not supported), so specs may need conversion.","Static header auth (-auth) may not work for APIs requiring OAuth2 token exchange/refresh flows.","Rate limiting behavior is not documented; agents may need to implement backoff outside the MCP layer.","Spec completeness matters: incorrect parameter schemas or missing required fields can cause tool call failures."]}}