
Security for apps built with AI. Paste a URL, get a report, fix what matters.

© 2026 Flowpatrol. All rights reserved.
MCP Integration

Security inside your AI editor.

Add Flowpatrol to Claude Code, Cursor, or Windsurf. One config line. Your AI assistant can scan your app for real vulnerabilities while you build.

  1. Open your project in Claude Code
  2. Create a file called .mcp.json in the project root
  3. Paste the config below and save

.mcp.json
{
  "mcpServers": {
    "flowpatrol": {
      "type": "url",
      "url": "https://api.flowpatrol.ai/mcp",
      "headers": {
        "Authorization": "Bearer fp_live_your_api_key"
      }
    }
  }
}

Replace fp_live_your_api_key with your key from the dashboard.

Three tools. One integration.

Everything your AI needs to find what matters.

flowpatrol_probe
1 credit, 30–60 seconds

Quick security check. Scans JavaScript bundles for leaked secrets, audits HTTP headers, checks for exposed paths, and tests Supabase RLS — all without leaving your editor.

  • Exposed API keys and credentials
  • Missing security headers
  • Open .env / .git / admin paths
  • Supabase tables readable without auth

flowpatrol_scan
1–8 credits, 2–30 minutes

Full DAST scan. An AI agent explores your running app like a real attacker — crawling routes, testing auth flows, probing APIs, and chaining findings together.

  • Broken access control (IDOR, privilege escalation)
  • Auth bypass and session flaws
  • Business logic bugs (payment tampering, etc.)
  • Injection vulnerabilities (SQLi, XSS, SSRF)

flowpatrol_report
Free, instant

Pull results from any previous scan. Filter by severity, get fix suggestions inline, and share findings with your team — all from the chat.

  • Severity-ranked findings with CWE codes
  • Copy-paste fix suggestions for your stack
  • Endpoint evidence and reproduction steps
  • Scan metadata and timing

Why DAST?

Code scanners miss what actually breaks.

Every other MCP security tool needs access to your source code. Flowpatrol tests the real, running application — like an attacker would. Your codebase stays private.

DAST | SAST
Tests a running app—
Finds business logic bugs—
Tests auth flows end-to-end—
Catches IDOR / broken access control—
Verifies Supabase RLS is enforced—
Works regardless of language/framework—
Zero access to your codebase required—
Finds code-level issues (unused vars, etc.)—

DAST = Dynamic Application Security Testing (tests a live app). SAST = Static Analysis (reads source code).

  • Free to get started (3 probes / month)
  • 1 credit per probe
  • 1–8 credits per scan
  • $0 to view reports

Ship with confidence.

Get an API key, drop one line of config, and your AI assistant becomes security-aware. Takes under a minute.
