Skip to main content
mcpSource-backed

OpenAPI MCP Server for Claude

Explore OpenAPI and Swagger specifications from Claude through a hosted MCP server that returns API overviews and per-operation schema details.

by Jan Wilmake · submitted by oktofeesh1·added 2026-06-03·
Review first review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs
https://github.com/janwilmake/openapi-mcp-server#readme, https://github.com/janwilmake/openapi-mcp-server
Safety notes
The current server exposes OpenAPI exploration tools, not a general API execution tool. It returns overviews and operation details from specs rather than calling the target API endpoints., Treat OpenAPI specs as potentially sensitive. Internal paths, request schemas, server URLs, security schemes, operation names, and business domain language can reveal system design., Do not point the hosted endpoint at private or pre-release OpenAPI specs unless the spec is approved for third-party processing. Self-host the Worker for private API contracts., Review operation details before asking Claude to write integration code. OpenAPI descriptions and examples are model context and can contain stale, incomplete, or user-controlled text., Swagger 2.0 specs may be converted through the Swagger converter service before the server returns operation details. Use OpenAPI 3.x specs directly when you want fewer intermediaries.
Privacy notes
The hosted MCP endpoint receives the API identifier or raw spec URL you ask Claude to inspect, plus the operationId or route requested through `getApiOperation`., The service fetches OpenAPI documents via OpenAPI Search/OAPIS redirects or from the raw spec URL you provide., Returned overviews and operation details can include endpoint paths, parameters, request bodies, response schemas, server URLs, security scheme names, examples, and descriptions in the model conversation., The public setup path does not require API credentials and should not be used to send API keys, Bearer tokens, cookies, or internal auth headers., The repository is deployed as a Cloudflare Worker. Hosted-service logging, retention, and operational access are controlled by the service operator. Self-host when you need your own logging and retention boundary.
Author
Jan Wilmake
Submitted by
oktofeesh1
Claim status
unclaimed
Last verified
2026-06-03

Decision playbook

Review trust signals before you adopt

Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.

Compare context
Selected

0

Current score

78

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as source-backed.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Needs review

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    No package verification flag provided.

    Pending
  • Checksum metadata

    No checksum provided for downloaded artifact.

    Pending

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

CLI install

Copy-ready — paste the snippet to get started.

5 minutes

Adoption plan

Balanced adoption plan

Current risk score 16/100. Use staged verification before broader rollout.

Risk 16

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    No package verification/checksum metadata.

    Pending

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (5/6 signals complete).

Risk 15

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Missing

Package integrity metadata is missing.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

5/6 steps complete with no blocking gaps for this preset.

Risk 14

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is missing.

Pending

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Prerequisite readiness

Prerequisite readiness

5 prerequisites to line up before setup.

0/5 ready
Network & hosting2General35 minutes

Safety & privacy surface

Safety & privacy surface

5 safety and 5 privacy notes across 5 risk areas. Review closely: credentials & tokens, network access.

5 areas
  • SafetyNetwork accessThe current server exposes OpenAPI exploration tools, not a general API execution tool. It returns overviews and operation details from specs rather than calling the target API endpoints.
  • SafetyNetwork accessTreat OpenAPI specs as potentially sensitive. Internal paths, request schemas, server URLs, security schemes, operation names, and business domain language can reveal system design.
  • SafetyNetwork accessDo not point the hosted endpoint at private or pre-release OpenAPI specs unless the spec is approved for third-party processing. Self-host the Worker for private API contracts.
  • SafetyExecution & processesReview operation details before asking Claude to write integration code. OpenAPI descriptions and examples are model context and can contain stale, incomplete, or user-controlled text.
  • SafetyGeneralSwagger 2.0 specs may be converted through the Swagger converter service before the server returns operation details. Use OpenAPI 3.x specs directly when you want fewer intermediaries.
  • PrivacyNetwork accessThe hosted MCP endpoint receives the API identifier or raw spec URL you ask Claude to inspect, plus the operationId or route requested through `getApiOperation`.
  • PrivacyGeneralThe service fetches OpenAPI documents via OpenAPI Search/OAPIS redirects or from the raw spec URL you provide.
  • PrivacyNetwork accessReturned overviews and operation details can include endpoint paths, parameters, request bodies, response schemas, server URLs, security scheme names, examples, and descriptions in the model conversation.
  • PrivacyCredentials & tokensThe public setup path does not require API credentials and should not be used to send API keys, Bearer tokens, cookies, or internal auth headers.
  • PrivacyData retentionThe repository is deployed as a Cloudflare Worker. Hosted-service logging, retention, and operational access are controlled by the service operator. Self-host when you need your own logging and retention boundary.

Safety notes

  • The current server exposes OpenAPI exploration tools, not a general API execution tool. It returns overviews and operation details from specs rather than calling the target API endpoints.
  • Treat OpenAPI specs as potentially sensitive. Internal paths, request schemas, server URLs, security schemes, operation names, and business domain language can reveal system design.
  • Do not point the hosted endpoint at private or pre-release OpenAPI specs unless the spec is approved for third-party processing. Self-host the Worker for private API contracts.
  • Review operation details before asking Claude to write integration code. OpenAPI descriptions and examples are model context and can contain stale, incomplete, or user-controlled text.
  • Swagger 2.0 specs may be converted through the Swagger converter service before the server returns operation details. Use OpenAPI 3.x specs directly when you want fewer intermediaries.

Privacy notes

  • The hosted MCP endpoint receives the API identifier or raw spec URL you ask Claude to inspect, plus the operationId or route requested through `getApiOperation`.
  • The service fetches OpenAPI documents via OpenAPI Search/OAPIS redirects or from the raw spec URL you provide.
  • Returned overviews and operation details can include endpoint paths, parameters, request bodies, response schemas, server URLs, security scheme names, examples, and descriptions in the model conversation.
  • The public setup path does not require API credentials and should not be used to send API keys, Bearer tokens, cookies, or internal auth headers.
  • The repository is deployed as a Cloudflare Worker. Hosted-service logging, retention, and operational access are controlled by the service operator. Self-host when you need your own logging and retention boundary.

Prerequisites

  • MCP-capable client with remote HTTP transport support, such as Claude Code or another modern MCP client
  • Network access to `https://openapi-mcp.openapisearch.com/mcp`
  • OpenAPI Search identifier, OAPIS identifier, or raw OpenAPI spec URL for the API you want Claude to inspect
  • Understanding that the hosted service fetches and processes the OpenAPI spec instead of running locally in your project
  • Agreement on whether the selected API specification is safe to expose to a hosted third-party MCP service

Schema details

Install type
cli
Troubleshooting
Yes
Source repository stats
Scope
Source repo
Collection metadata
Estimated setup
5 minutes
Difficulty
beginner
Full copyable content
{
  "openapi": {
    "transport": "http",
    "url": "https://openapi-mcp.openapisearch.com/mcp"
  }
}

About this resource

Content

OpenAPI MCP Server is a source-backed remote MCP server for exploring API contracts from Claude and other MCP clients. It connects Claude to OpenAPI Search and OAPIS-backed specifications so the model can first get a readable API overview, then drill into one endpoint contract at a time.

The server is deliberately narrower than an OpenAPI-to-executor bridge. Its current tool surface focuses on discovery and contract inspection: getApiOverview summarizes an API specification, and getApiOperation returns details for a specific operationId or route. That makes it a safer fit for reviewing endpoint shape, request parameters, response schemas, and integration requirements before writing code.

Features

  • Hosted HTTP MCP endpoint at https://openapi-mcp.openapisearch.com/mcp.
  • Source-backed Cloudflare Worker implementation in janwilmake/openapi-mcp-server.
  • getApiOverview tool for summarizing an API surface from an OpenAPI identifier or raw spec URL.
  • getApiOperation tool for retrieving one endpoint contract by operationId or route.
  • Support for OpenAPI JSON and YAML documents.
  • Swagger 2.0 conversion path through the Swagger converter service.
  • Dereferenced operation output when references can be resolved.
  • Tested by the project author with Claude Desktop and Cursor.
  • No target API endpoint execution in the current implementation.

Tools

getApiOverview

Use this first. Provide an API identifier from OpenAPI Search/OAPIS or a raw OpenAPI URL. The server fetches the spec, converts Swagger when needed, and returns a readable overview with endpoint names, routes, summaries, and links to more detailed operation views.

getApiOperation

Use this after the overview identifies an operation you care about. Provide the same API identifier plus an operationId or route path. The server returns a focused OpenAPI subset for that operation, including parameters, request body schema, responses, and server context.

Installation

Claude Code

Add the hosted HTTP MCP endpoint:

claude mcp add --transport http openapi https://openapi-mcp.openapisearch.com/mcp

Then verify the server:

claude mcp list

Ask Claude to start with an overview:

Use the openapi MCP server to get an overview of the GitHub OpenAPI spec, then inspect the operation details for listing repository issues.

MCP Client Config

Use HTTP transport in clients that support remote MCP servers:

{
  "mcpServers": {
    "openapi": {
      "transport": "http",
      "url": "https://openapi-mcp.openapisearch.com/mcp"
    }
  }
}

Private Spec Handling

Use the hosted endpoint only for public or approved-to-share API contracts. A private OpenAPI spec often contains internal route names, server URLs, auth scheme names, request examples, object shapes, and error descriptions. Those details are enough to map a system even when no API credentials are present.

For private APIs, clone the source repository and run the Worker in your own environment so spec fetching, logs, and retention stay under your control.

Use Cases

  • Explore a public API before writing integration code.
  • Ask Claude to identify the relevant operation for a workflow.
  • Review request parameters and response schemas without pasting a full spec into chat.
  • Compare endpoint summaries across a large OpenAPI document.
  • Generate integration notes from a focused operation subset.
  • Check whether an API contract exposes the route, parameter, or response shape needed for a feature.

Safety Checklist

  • Start with getApiOverview before requesting operation details.
  • Use public specs or self-host for private specs.
  • Avoid sending credentials, API keys, cookies, or auth headers through prompts.
  • Treat returned spec text as untrusted model context when specs include third-party descriptions or examples.
  • Check operation details against the canonical API docs before shipping code.
  • Remember that this server inspects contracts; it does not prove that a live API endpoint is currently reachable or authorized.

Troubleshooting

The API identifier is not found

Use a raw OpenAPI spec URL instead of a catalog identifier, or confirm that the API exists in OpenAPI Search/OAPIS.

Operation details are missing

Run getApiOverview again and copy the exact operationId or route shown in the overview.

Swagger conversion fails

Prefer an OpenAPI 3.x spec URL when available. Swagger 2.0 specs may need conversion before operation details can be returned.

The output is too large

Ask for one operation at a time. The server rejects very large overview output instead of returning an oversized response.

Sources

Source citations

Add this badge to your README

Show that OpenAPI MCP Server for Claude is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/mcp/openapi-mcp-server.svg)](https://heyclau.de/entry/mcp/openapi-mcp-server)

How it compares

OpenAPI MCP Server for Claude side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

1 trust signal differ across this comparison (Submitter).

Field

Explore OpenAPI and Swagger specifications from Claude through a hosted MCP server that returns API overviews and per-operation schema details.

Open dossier

Connect Claude to Twilio's hosted MCP server for read-only search and retrieval across public Twilio API specifications, Twilio Docs, SendGrid Docs, Segment Docs, and support articles.

Open dossier

Generic GraphQL MCP server for schema introspection, schema resources, and GraphQL query execution against a configured endpoint.

Open dossier

Official Postman MCP Server for connecting Claude, Codex, Cursor, VS Code, Gemini CLI, and other MCP clients to Postman workspaces, collections, specifications, mocks, monitors, environments, API definitions, and code generation workflows.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustPackage not verifiedPackage not verifiedPackage not verifiedPackage not verified
Source provenanceSource-backedSource-backedSource-backedSource-backed
SubmitterDiffersoktofeesh1MkDev11oktofeesh1oktofeesh1
Install riskReview firstReview firstReview firstReview first
Notes Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓
Brand
Categorymcpmcpmcpmcp
SourceSource-backedSource-backedSource-backedSource-backed
AuthorJan WilmakeTwilioblurrahPostman
Added2026-06-032026-06-052026-06-062026-06-04
Platforms
Harness
Source repo
Safety notesThe current server exposes OpenAPI exploration tools, not a general API execution tool. It returns overviews and operation details from specs rather than calling the target API endpoints. Treat OpenAPI specs as potentially sensitive. Internal paths, request schemas, server URLs, security schemes, operation names, and business domain language can reveal system design. Do not point the hosted endpoint at private or pre-release OpenAPI specs unless the spec is approved for third-party processing. Self-host the Worker for private API contracts. Review operation details before asking Claude to write integration code. OpenAPI descriptions and examples are model context and can contain stale, incomplete, or user-controlled text. Swagger 2.0 specs may be converted through the Swagger converter service before the server returns operation details. Use OpenAPI 3.x specs directly when you want fewer intermediaries.Twilio describes the current hosted MCP server as a Public Beta. Treat tool behavior, indexed coverage, and connection instructions as changeable until Twilio declares general availability. The current hosted server is read-only and exposes search/retrieve tools for public API specifications and documentation. It does not execute Twilio API calls or send messages on your behalf. Do not confuse documentation retrieval with production readiness. Review generated Messaging, Voice, Verify, SendGrid, Segment, or other Twilio code against the canonical docs, product limits, regulatory requirements, and your normal approval process before running it. Future Twilio MCP releases may add OAuth-authenticated execute-ready tools. Re-review permissions, approval prompts, audit logging, and data handling before enabling any tool that can call live APIs. Keep MCP client approval settings enabled for prompts that might transform retrieved API schemas into runnable code, migration scripts, webhook handlers, message sends, or account-management actions.GraphQL MCP can introspect a schema and execute arbitrary GraphQL queries against the configured endpoint. Mutations are blocked by default, but setting ALLOW_MUTATIONS=true allows model-generated mutation operations. Custom HEADERS can grant access to production APIs, admin scopes, customer data, or internal services. Schema introspection can expose object types, fields, arguments, enum values, deprecated fields, and API structure. Even read queries can be expensive, trigger resolver side effects, expose broad data, or hit rate and complexity limits. Prefer staging endpoints, read-only tokens, query depth/complexity limits, persisted operations, and human review for sensitive APIs.Postman MCP can operate on real Postman resources. Treat collection edits, workspace changes, environment updates, monitor changes, mock changes, specification creation, documentation updates, and generated code as review-required operations. Start with the `minimal` remote endpoint when the task only needs basic Postman operations. Use `code` or `full` only after reviewing the broader tool surface and the resources exposed to the assistant. The `full` configuration exposes all available Postman API tools, which Postman documents as 100+ tools. Do not use it by default for exploratory chats or untrusted repositories. Postman recommends reviewing and confirming operations that make changes or are destructive. Require a human check before accepting assistant-generated deletes, bulk updates, monitor edits, mock edits, documentation rewrites, collection rewrites, or spec-to-code changes. Pass specific resource IDs when possible. Postman notes this reduces extra API calls and helps avoid the assistant selecting the wrong workspace, collection, environment, monitor, mock, or specification by name. Local stdio and Docker modes run the Postman MCP server on the user's machine and require a Postman API key. Pin the npm package version or Docker image when reproducibility matters, and keep credentials out of committed MCP configs. EU remote endpoints do not support OAuth according to Postman's docs; use API-key authentication there and verify the region before connecting customer or regulated API assets.
Privacy notesThe hosted MCP endpoint receives the API identifier or raw spec URL you ask Claude to inspect, plus the operationId or route requested through `getApiOperation`. The service fetches OpenAPI documents via OpenAPI Search/OAPIS redirects or from the raw spec URL you provide. Returned overviews and operation details can include endpoint paths, parameters, request bodies, response schemas, server URLs, security scheme names, examples, and descriptions in the model conversation. The public setup path does not require API credentials and should not be used to send API keys, Bearer tokens, cookies, or internal auth headers. The repository is deployed as a Cloudflare Worker. Hosted-service logging, retention, and operational access are controlled by the service operator. Self-host when you need your own logging and retention boundary.The hosted endpoint can receive your natural-language search queries, requested API IDs, product interests, integration plans, and troubleshooting topics through the MCP client. Returned documentation can enter the model conversation alongside your prompt, code, route names, environment names, webhook examples, or product decisions. Do not paste Twilio Account SIDs, Auth Tokens, API keys, SendGrid keys, Segment write keys, phone numbers, customer identifiers, message bodies, call recordings, transcripts, or production webhook payloads into prompts while using the public docs server. Use synthetic examples when asking Claude to draft Messaging, Voice, Verify, SendGrid, Segment, or support workflows from retrieved docs.Endpoint URLs, headers, bearer tokens, schema text, GraphQL queries, variables, response data, errors, and server descriptions may be visible to the MCP client and model provider. GraphQL responses can include personal data, customer records, internal IDs, permissions, audit data, billing data, or proprietary business objects. HEADERS values and authorization tokens should stay out of prompts, issues, logs, screenshots, and committed configuration files. Error messages and introspection results can reveal internal schema design and service implementation details.Tool calls can expose Postman workspace metadata, collection names, request URLs, headers, examples, documentation, comments, environments, variable names, API specifications, mocks, monitors, and generated code context to the connected AI client. Environment variables and collection variables may contain credentials, internal hostnames, customer identifiers, test tokens, bearer tokens, session cookies, webhook URLs, or staging API details. Scrub secrets before pasting raw Postman data into prompts, issues, tickets, or chat tools. OAuth grants and Postman API keys represent a real Postman identity. Rotate exposed API keys, remove stale MCP configs, and audit workspace membership when a project or assistant no longer needs access. Claude, Codex, IDE logs, MCP client transcripts, terminal history, screenshots, generated code, and support bundles can retain Postman-derived API details outside Postman's normal access controls. The remote server sends MCP requests to Postman-hosted endpoints. Local stdio and Docker modes still call Postman APIs with the configured API key when managing cloud-hosted Postman resources.
Prerequisites
  • MCP-capable client with remote HTTP transport support, such as Claude Code or another modern MCP client
  • Network access to `https://openapi-mcp.openapisearch.com/mcp`
  • OpenAPI Search identifier, OAPIS identifier, or raw OpenAPI spec URL for the API you want Claude to inspect
  • Understanding that the hosted service fetches and processes the OpenAPI spec instead of running locally in your project
  • MCP-capable client with remote HTTP transport support, such as Claude Code, Claude Desktop connector support, Cursor, OpenCode, Codex, or another compatible client
  • Network access to `https://mcp.twilio.com/docs`
  • Agreement that the current hosted Twilio MCP server should receive the Twilio, SendGrid, or Segment documentation questions your team asks through the MCP client
  • Separate Twilio, SendGrid, or Segment account credentials only when you later write or run application code outside this read-only MCP server
  • Node.js and npx available to the MCP client runtime.
  • GraphQL endpoint URL that Claude is allowed to introspect and query.
  • Optional HEADERS JSON for authentication, using least-privilege API credentials.
  • Decision on whether schema introspection should use the endpoint, a local schema file, or a schema URL.
  • Postman account with access to the workspaces, collections, specifications, mocks, monitors, and environments the assistant should inspect or manage.
  • MCP-capable client such as Claude Code, Claude Desktop, Codex CLI, Cursor, VS Code, Windsurf, Gemini CLI, Kiro, or another compatible environment.
  • Authentication choice: OAuth for the US remote server when the MCP client supports it, or a Postman API key for EU remote, local stdio, Docker, or API-key fallback setup.
  • Tool-mode choice: `minimal` for essential Postman operations, `code` for API-definition search and client-code generation, or `full` for the complete Postman API tool surface.
Install
claude mcp add --transport http openapi https://openapi-mcp.openapisearch.com/mcp
claude mcp add --transport http twilio-docs https://mcp.twilio.com/docs
npx mcp-graphql
claude mcp add --transport http postman https://mcp.postman.com/minimal
Config
{
  "mcpServers": {
    "openapi": {
      "url": "https://openapi-mcp.openapisearch.com/mcp",
      "type": "http"
    }
  }
}
{
  "mcpServers": {
    "twilio-docs": {
      "url": "https://mcp.twilio.com/docs",
      "type": "http"
    }
  }
}
{
  "mcpServers": {
    "graphql": {
      "command": "npx",
      "args": ["mcp-graphql"],
      "env": {
        "ENDPOINT": "https://api.example.com/graphql",
        "HEADERS": "{\"Authorization\":\"Bearer <token>\"}",
        "ALLOW_MUTATIONS": "false",
        "NAME": "graphql"
      }
    }
  }
}
{
  "mcpServers": {
    "postman": {
      "type": "http",
      "url": "https://mcp.postman.com/minimal"
    }
  }
}
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.