MCP Integration Guide

Connect Your AI Assistant to Hextrap

Set up Hextrap's MCP server so Claude, ChatGPT, and other AI tools automatically check packages against your firewall before installing them.

What is the Model Context Protocol?

MCP is an open standard that lets AI assistants connect to external tools. When you connect Hextrap via MCP, your AI assistant will automatically check every package it wants to install against your firewall's security policies.

Block Malicious Packages

Your AI assistant checks every package against Hextrap's typosquat detection and your allow/deny lists before suggesting it.

Enforce Soak Time

Newly published packages are held until they pass your configured soak period, preventing zero-day supply chain attacks.

Full Audit Trail

Every package check is logged in your firewall's activity feed, giving you complete visibility into what your AI is installing.

Quick Start

Get up and running in three steps.

1. Create an API Key

Sign in to Hextrap and navigate to Dashboard → API Keys. Click Create Key and give it a descriptive name like "Claude Code" or "ChatGPT".

Copy the key immediately — it won't be shown again.

2. Add the MCP Configuration

Add Hextrap to your project's .mcp.json or global ~/.claude.json. The exact format depends on your client — see the setup guides below.

{
  "mcpServers": {
    "hextrap": {
      "type": "http",
      "url": "https://hextrap.com/mcp/",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}

3. Start Using It

Ask your AI assistant to install a package. It will automatically check the package against your Hextrap firewall before proceeding.

Try saying: "Install the requests library for Python"

Setup Guides

Choose your AI assistant to see specific configuration instructions.

Claude Code Setup

Claude Code uses streamable HTTP transport (type: http) to connect to MCP servers.

Option 1: Project Config (Recommended)

Add to your project's .mcp.json in the repository root to share with your team:

{
  "mcpServers": {
    "hextrap": {
      "type": "http",
      "url": "https://hextrap.com/mcp/",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}
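
A project-level .mcp.json is committed with the repository, so a literal key in the Authorization header ends up in version control. Claude Code expands ${VAR} references in .mcp.json, which lets the shared file name an environment variable instead. The check below is an added example, not Hextrap's code; the variable name HEXTRAP_API_KEY and the sample key are assumptions made up for the illustration.

```python
import json
import re

# Matches only a bare ${VAR} reference. ${VAR:-default} is rejected on purpose:
# the default would itself be a literal stored in the file.
ENV_REF = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")

def hardcoded_bearer_servers(config_text):
    """Return names of mcpServers entries whose Authorization header holds a literal token."""
    config = json.loads(config_text)
    flagged = []
    for name, server in config.get("mcpServers", {}).items():
        for header, value in server.get("headers", {}).items():
            if header.lower() != "authorization" or not isinstance(value, str):
                continue
            scheme, _, credential = value.strip().partition(" ")
            if scheme.lower() == "bearer" and not ENV_REF.fullmatch(credential.strip()):
                flagged.append(name)
    return flagged

# Constructed sample: a project .mcp.json with a literal key (made-up value).
LITERAL_CONFIG = """
{"mcpServers": {"hextrap": {"type": "http", "url": "https://hextrap.com/mcp/",
  "headers": {"Authorization": "Bearer hx_constructed_example_key"}}}}
"""

# Same entry with the key taken from the environment.
# HEXTRAP_API_KEY is a hypothetical variable name, not one defined by Hextrap.
ENV_CONFIG = """
{"mcpServers": {"hextrap": {"type": "http", "url": "https://hextrap.com/mcp/",
  "headers": {"Authorization": "Bearer ${HEXTRAP_API_KEY}"}}}}
"""

if __name__ == "__main__":
    for label, text in (("literal", LITERAL_CONFIG), ("env", ENV_CONFIG)):
        print(label, hardcoded_bearer_servers(text))
```

Run as a pre-commit or CI step against the repository's .mcp.json, a non-empty result means a key is about to be shared with everyone who can read the repository.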

Option 2: Global Config

Add to ~/.claude.json to make Hextrap available across all projects:

{
  "mcpServers": {
    "hextrap": {
      "type": "http",
      "url": "https://hextrap.com/mcp/",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}

Option 3: CLI Command

Or use the Claude Code CLI to add it directly:

claude mcp add hextrap --transport http https://hextrap.com/mcp/ \
  --header "Authorization: Bearer YOUR_API_KEY"

Tip: After adding the config, restart Claude Code. You can verify the connection by running /mcp or asking Claude to "list my Hextrap firewalls".

Claude Desktop Setup

Claude Desktop uses SSE transport (type: sse) to connect to MCP servers.

Configuration File Location

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json

Configuration

{
  "mcpServers": {
    "hextrap": {
      "type": "sse",
      "url": "https://hextrap.com/mcp/",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}

Tip: After saving the config file, restart Claude Desktop to pick up the changes. You should see "hextrap" listed in the tools menu.

ChatGPT and Other MCP Clients

Any MCP-compatible client can connect to Hextrap. The MCP endpoint is:

https://hextrap.com/mcp/

Connection Details

  • Endpoint: https://hextrap.com/mcp/
  • Transports: Streamable HTTP, SSE
  • Authentication: Bearer token in Authorization header
  • Protocol Version: 2024-11-05

Consult your MCP client's documentation for the specific configuration format. Most clients support setting the URL and authentication header.

Available Tools

These tools become available to your AI assistant once connected.

check_package

Check if a package is allowed by your firewall and verify it is not a suspected typosquat. Your AI assistant calls this before suggesting any dependency.

  • name - Package name
  • registry - pypi, npm, or go
  • firewall_id - Your firewall ID

list_firewalls

List all firewalls you have access to, including their IDs, names, and configurations.

No parameters required

add_to_allowlist

Add a package to a firewall's allowlist. Once added, the package will be permitted through the firewall.

  • firewall_id - Firewall ID
  • package_name - Package name
  • registry - pypi, npm, or go

add_to_denylist

Add a package to a firewall's denylist. Denied packages will be blocked from installation.

  • firewall_id - Firewall ID
  • package_name - Package name
  • registry - pypi, npm, or go

get_activity

View recent package installation activity for a firewall, including allowed, blocked, and flagged attempts.

  • firewall_id - Firewall ID
  • limit - Max records (default 20)

remove_from_allowlist

Remove a package from a firewall's allowlist.

  • firewall_id - Firewall ID
  • package_name - Package name

remove_from_denylist

Remove a package from a firewall's denylist.

  • firewall_id - Firewall ID
  • package_name - Package name

get_proxy_config

Get proxy credentials and package manager configuration for a firewall. Creates a credential if none exists, or confirms the existing one is active.

  • firewall_id - Firewall ID

roll_proxy_credential

Regenerate your proxy credential password. Invalidates the previous password and returns new setup commands for all package managers.

  • firewall_id - Firewall ID

create_service_credential

Create a named service credential for CI/CD pipelines. Each pipeline should have its own credential for auditability.

  • firewall_id - Firewall ID
  • name - Credential name (e.g. "GitHub Actions")

Usage Examples

Here's what it looks like when your AI assistant uses Hextrap.

Checking a Package Before Installing

You
Install the requests library for Python
Claude calls check_package
{"name": "requests", "registry": "pypi", "firewall_id": "abc123"}
Hextrap responds
{"allowed": true, "on_allowlist": true, "typosquat": false}
Claude
The package "requests" is approved by your Hextrap firewall. Installing now...

Blocking a Typosquat

You
Install reqeusts for Python
Claude calls check_package
{"name": "reqeusts", "registry": "pypi", "firewall_id": "abc123"}
Hextrap responds
{"allowed": false, "typosquat": true, "similar_to": "requests", "similarity": 0.93}
Claude
Hextrap blocked "reqeusts" — it's a suspected typosquat of "requests" (93% similarity). Did you mean requests?
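
A script or CI gate that consumes these check_package results directly should treat anything other than an explicit allow as a block, including errors and malformed replies. The following is an added example, not Hextrap's code: the tools/call message is the standard MCP JSON-RPC request, and it assumes the verdict JSON shown above arrives as the first text content item of the tool result.

```python
import json

def build_check_request(request_id, name, registry, firewall_id):
    """JSON-RPC 2.0 tools/call message that invokes the check_package tool."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {
            "name": "check_package",
            "arguments": {"name": name, "registry": registry, "firewall_id": firewall_id},
        },
    }

def install_permitted(rpc_response):
    """Return (permitted, reason); only an explicit, well-formed allow permits install."""
    if not isinstance(rpc_response, dict) or "error" in rpc_response:
        return False, "MCP error or no response"
    result = rpc_response.get("result")
    if not isinstance(result, dict) or result.get("isError"):
        return False, "tool call failed"
    try:
        # Assumption: the verdict JSON shown on this page is the first text content item.
        verdict = json.loads(result["content"][0]["text"])
    except (KeyError, IndexError, TypeError, ValueError):
        return False, "unparseable verdict"
    if not isinstance(verdict, dict):
        return False, "unparseable verdict"
    if verdict.get("typosquat") is True:
        return False, "suspected typosquat of " + str(verdict.get("similar_to"))
    if verdict.get("allowed") is not True:
        return False, "not allowed by firewall policy"
    return True, "allowed"

def wrap(verdict_text):
    """Constructed MCP tool result envelope around a verdict string (sample data)."""
    return {"jsonrpc": "2.0", "id": 1,
            "result": {"content": [{"type": "text", "text": verdict_text}], "isError": False}}

# Verdicts copied from the two exchanges above; the envelopes are constructed.
ALLOWED = wrap('{"allowed": true, "on_allowlist": true, "typosquat": false}')
TYPOSQUAT = wrap('{"allowed": false, "typosquat": true, "similar_to": "requests", "similarity": 0.93}')
TRUNCATED = wrap('{"allowed": tr')  # malformed body, e.g. a cut-off response

if __name__ == "__main__":
    print(json.dumps(build_check_request(1, "reqeusts", "pypi", "abc123")))
    for sample in (ALLOWED, TYPOSQUAT, TRUNCATED, {"error": {"code": -32000}}):
        print(install_permitted(sample))
```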

Listing Firewalls

You
List my Hextrap firewalls
Claude calls list_firewalls
{}
Claude
You have 2 firewalls:
1. production (ID: abc123) — 45 packages on allowlist
2. staging (ID: def456) — 12 packages on allowlist

Frequently Asked Questions

What is an MCP server?

MCP (Model Context Protocol) is an open standard created by Anthropic that lets AI assistants like Claude and ChatGPT connect to external tools and data sources. Hextrap's MCP server lets your AI assistant check packages against your firewall before installing them, manage allow/deny lists, and view installation activity.

Which AI assistants support Hextrap's MCP server?

Hextrap's MCP server works with Claude Code, Claude Desktop, ChatGPT, and any other MCP-compatible client. Claude Code uses streamable HTTP transport, while Claude Desktop uses SSE (Server-Sent Events) transport. Both are supported.

Is Hextrap's MCP server free to use?

Yes. Hextrap's free Open Source tier includes MCP server access with up to 2 firewalls. The MCP server is available on all plans including Small Team and Enterprise.

What package registries does Hextrap support?

Hextrap supports PyPI (Python), npm (JavaScript/Node.js), and Go modules. The MCP server can check packages, manage allow/deny lists, and view activity for all three registries.

How do I get an API key for the MCP server?

Sign in to Hextrap, go to Dashboard → API Keys, and click Create Key. Give it a descriptive name and copy the key immediately — it won't be shown again. Use this key in your MCP configuration's Authorization header.

Can I use different API keys for different projects?

Yes. You can create multiple API keys with different names to organize access across projects. Each key has the same permissions tied to your user account.

What happens if a package is blocked?

When your AI assistant checks a package that isn't on your allowlist, or that is flagged as a typosquat, Hextrap returns a blocked status. Your AI assistant will inform you and suggest alternatives. All blocked attempts are logged in your firewall's activity feed.

How do I find my firewall ID?

Ask your AI assistant to "list my Hextrap firewalls" or find it in the Hextrap dashboard. The firewall ID is the public identifier shown on the firewall overview page.

Protect Your AI Coding Workflow

Set up Hextrap in under 2 minutes and stop malicious packages before they reach your codebase.