{"id":"vercel-mcp-handler","name":"mcp-handler","homepage":"https://www.npmjs.com/package/mcp-handler","repo_url":"https://github.com/vercel/mcp-handler","category":"ai-ml","subcategories":[],"tags":["mcp","nextjs","nuxt","sse","streamable-http","tool-calling","typescript","vercel"],"what_it_does":"mcp-handler is a Vercel/Next.js (and Nuxt) adapter that lets you expose Model Context Protocol (MCP) servers over web transports such as Streamable HTTP and Server-Sent Events (SSE). It provides a createMcpHandler wrapper to register MCP tools with input schemas and handler functions, then exports Next.js route handlers for GET/POST.","use_cases":["Expose custom MCP tools from a Next.js API route","Connect desktop/IDE MCP clients (via Streamable HTTP or SSE) to an app-backed tool registry","Build tool-calling features with typed inputs using zod validation"],"not_for":["A public, unauthenticated MCP endpoint for untrusted clients","Environments that require first-class enterprise features (contract testing, detailed SLAs) without additional infrastructure"],"best_when":"You want a lightweight way to host MCP tool endpoints inside a web framework (Next.js/Nuxt) and have clients connect via HTTP/SSE.","avoid_when":"You cannot implement appropriate authentication/authorization and input constraints for tool execution, or you need a standalone MCP server binary/service with robust ops tooling.","alternatives":["mcp-remote (for connecting clients to an MCP endpoint)","Direct use of @modelcontextprotocol/sdk to build a custom MCP server","Other community MCP server frameworks/adapters for your runtime (e.g., Node/Express-based MCP servers)"],"af_score":51.8,"security_score":52.0,"reliability_score":31.2,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T13:26:47.572297+00:00","interface":{"has_rest_api":true,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":null,"has_sdk":false,"sdk_languages":[],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["OAuth and token verification (documented in docs/AUTHORIZATION.md)"],"oauth":true,"scopes":false,"notes":"README indicates an Authorization doc exists, but the provided content does not include concrete auth method details, scope model, or required headers/query parameters."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"No pricing information provided; appears to be an open-source npm package."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":51.8,"security_score":52.0,"reliability_score":31.2,"mcp_server_quality":70.0,"documentation_accuracy":60.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":55.0,"rate_limit_clarity":15.0,"tls_enforcement":70.0,"auth_strength":55.0,"scope_granularity":30.0,"dependency_hygiene":55.0,"secret_handling":50.0,"security_notes":"README warns about a vulnerability in @modelcontextprotocol/sdk versions prior to 1.26.0, which is a positive signal. However, the provided content does not specify how authentication is enforced in the handler, what authorization primitives/scopes exist, how errors are serialized (possible info leakage), or how rate limits are configured. TLS enforcement is assumed via typical Next.js/Vercel HTTPS defaults, but not explicitly documented in the excerpt.","uptime_documented":0.0,"version_stability":55.0,"breaking_changes_history":40.0,"error_recovery":30.0,"idempotency_support":"false","idempotency_notes":null,"pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["Tool handler side effects: idempotency is not documented, so retries could duplicate actions unless your tool logic is safe.","SSE resumability depends on optional Redis integration; without Redis behavior may differ under reconnects.","Authentication requirements are likely important for safe public deployment, but the provided README excerpt does not show enforcement details."]}}