Quickstart
Get a user from zero to verified MCP server in under 5 minutes.
Prerequisites
Before You Begin, ensure you have:
- Go 1.22+ (for
go install) OR download a pre-built binary - Node.js 18+ (only if testing with
npxservers) - A terminal
Installation
Option A: Go Install (Recommended for developers)
go install github.com/mcptrust/mcptrust/cmd/mcptrust@latestOption B: Binary Download
macOS (Apple Silicon)
curl -L https://github.com/mcptrust/mcptrust/releases/latest/download/mcptrust-darwin-arm64 -o mcptrust
chmod +x mcptrust
sudo mv mcptrust /usr/local/bin/Verify Installation
mcptrust --version
# Output: mcptrust v0.1.1The 60-Second Demo: Your First Lock
Step 1: Scan a Server
mcptrust scan -- "npx -y @modelcontextprotocol/server-filesystem /tmp"What happens: MCPTrust starts the server, interrogates it via JSON-RPC, and outputs a security report.
Expected output (truncated JSON):
{
"server_info": { "name": "filesystem", "version": "0.5.1" },
"tools": [
{ "name": "read_file", "risk_level": "MEDIUM" },
{ "name": "write_file", "risk_level": "HIGH" }
]
}Step 2: Lock the Server
mcptrust lock -- "npx -y @modelcontextprotocol/server-filesystem /tmp"What happens: Creates mcp-lock.json with cryptographic hashes of each tool.
Show the lockfile:
{
"version": "3.0",
"server_command": "npx -y @modelcontextprotocol/server-filesystem /tmp",
"tools": {
"read_file": {
"description_hash": "sha256:a1b2c3...",
"input_schema_hash": "sha256:d4e5f6...",
"risk_level": "MEDIUM"
}
}
}Step 3: Verify (Happy Path)
mcptrust check -- "npx -y @modelcontextprotocol/server-filesystem /tmp"
# Output: ✅ No drift detectedStep 4: Simulate an Attack
# Manually edit mcp-lock.json to change a hash
sed -i '' 's/a1b2c3/TAMPERED/g' mcp-lock.jsonStep 5: Detect the Attack
mcptrust check -- "npx -y @modelcontextprotocol/server-filesystem /tmp"
# Output: ❌ Drift detected: description_hash mismatch for tool "read_file"
# Exit code: 1Next Steps
[!TIP]
- 📖 Learn about Capability Identity
- 🔐 Set up Cryptographic Signing
- 🚀 Deploy with the GitHub Action