The MCP Inspector is a visual testing and debugging tool for Model Context Protocol servers, built with TypeScript and available at https://modelcontextprotocol.io. It provides developers with an interactive interface to test, inspect, and debug MCP server implementations across different transport protocols.
The tool consists of two main architectural components working in tandem. The MCP Inspector Client (MCPI) is a React-based web UI that offers an interactive testing interface, while the MCP Proxy (MCPP) is a Node.js server that functions as a protocol bridge. The proxy connects the web UI to MCP servers using various transport methods including stdio, Server-Sent Events (SSE), and streamable HTTP. Importantly, the proxy is not a network traffic interceptor but rather operates as both an MCP client connecting to target servers and an HTTP server hosting the web UI, enabling browser-based interaction with MCP servers regardless of their underlying transport protocol.
Running the inspector requires Node.js version 22.7.5 or higher. The tool can be launched in multiple ways: directly via npm for immediate UI access at localhost:6274, through a Docker container, or via npx from an MCP server repository without cloning the inspector itself. The inspector runs both the MCPI client UI on port 6274 and the MCPP server on port 6277, with these ports derived from T9 dialpad mappings as a mnemonic device. Users can customize these ports as needed.
A notable feature is the servers file export functionality, which provides convenient buttons to export server launch configurations for use in clients like Cursor, Claude Code, or the Inspector's CLI. Users can export either individual server entries to add to existing mcp.json files or complete configuration files with the current server configuration included as default-server. The inspector supports all three transport types in these exports: stdio, SSE, and streamable HTTP.
The inspector includes bearer token authentication for SSE connections, allowing users to enter tokens in the UI that are sent in the Authorization header. The proxy server requires authentication by default, generating a random session token on startup that must be included as a Bearer token in the Authorization header for all requests. The inspector automatically opens the browser with the token pre-filled in the URL. For development scenarios, authentication can be disabled via the DANGEROUSLY_OMIT_AUTH environment variable, though this is strongly discouraged due to critical security risks including potential remote code execution vulnerabilities.
Security measures include local-only binding by default for both proxy and client services, preventing network access from other devices. DNS rebinding attack protection validates the Origin header on incoming requests, with configurable allowed origins via the ALLOWED_ORIGINS environment variable. The tool supports extensive configuration options including request timeouts, proxy address settings, and automatic browser opening preferences, all adjustable through the UI and persisting across sessions.
According to GitGenius activity tracking, the repository shows strong engagement with a median issue and pull request response latency of 0.0 hours and a mean latency of 38.0 hours across 696 tracked items. The most active labels are bug with 242 occurrences, v2 with 195, and enhancement with 134. Primary contributors cliffhall and olaservo each logged 949 and 944 events respectively, with jspahrsummers contributing 48 events. The repository overlaps with contributors from pytorch/pytorch, quarkusio/quarkus, and microsoft/vscode, indicating cross-project collaboration within the broader development ecosystem.