GitHub

MCP client setup

Exact config for connecting Claude Code, Cursor, Codex CLI, VS Code, Windsurf, and Gemini CLI to the hosted squirrelscan MCP server

Every client below connects to the same hosted endpoint:

https://mcp.squirrelscan.com/mcp

The transport is streamable HTTP, and each client gives you the same two ways in:

  • OAuth (recommended for a human at an editor). Point the client at the URL with no auth headers. It discovers the authorization server, registers itself, and runs a browser sign-in. Nothing secret lands in a config file.
  • API key (recommended for CI, containers, and shared configs). Set an Authorization: Bearer sq_... header, ideally from the SQUIRRELSCAN_API_KEY environment variable so the key stays out of the file. Mint one with squirrel keys create --shell.

For the full picture of how auth, credits, and the tool surface work, start at the Hosted MCP server guide. This page is just the copy-paste config for each client.

Claude Code

The one-liner does the OAuth flow for you (dynamic client registration, no client id needed):

bash
claude mcp add --transport http squirrelscan https://mcp.squirrelscan.com/mcp

Then, inside a session, run /mcp, select squirrelscan, and choose Authenticate. Your browser opens for sign-in and org selection. From the shell without a session, claude mcp login squirrelscan (Claude Code v2.1.186+) does the same; add --no-browser for headless or SSH (v2.1.191+). Clear tokens with claude mcp logout squirrelscan.

Add with no headers to force the OAuth path:

bash
claude mcp add --transport http squirrelscan https://mcp.squirrelscan.com/mcp

Equivalent JSON entry in .mcp.json, ~/.claude.json, or via claude mcp add-json:

json
{
  "mcpServers": {
    "squirrelscan": {
      "type": "http",
      "url": "https://mcp.squirrelscan.com/mcp"
    }
  }
}

Tokens are stored in your OS keychain, never in the config file, so a committed .mcp.json stays safe.

Pass the header on the add command:

bash
claude mcp add --transport http squirrelscan https://mcp.squirrelscan.com/mcp \
  --header "Authorization: Bearer $SQUIRRELSCAN_API_KEY"

Or as JSON with env-var interpolation so the key never lands in the file:

json
{
  "mcpServers": {
    "squirrelscan": {
      "type": "http",
      "url": "https://mcp.squirrelscan.com/mcp",
      "headers": { "Authorization": "Bearer ${SQUIRRELSCAN_API_KEY}" }
    }
  }
}

Scope. claude mcp add defaults to --scope local (private, current project only). Use --scope project to write the team-shared .mcp.json (committed to git; teammates approve it once), or --scope user to add it for every project on your machine.

Cursor

Cursor auto-negotiates the transport, so a remote server entry only needs a url. Both the editor and the Cursor CLI (agent) read the same file.

json
{
  "mcpServers": {
    "squirrelscan": {
      "url": "https://mcp.squirrelscan.com/mcp"
    }
  }
}

Save it, then open Settings → Customize (labelled Tools & Integrations in some builds), find squirrelscan, and click Needs login to run the browser flow. From the CLI, agent mcp login squirrelscan does the same.

json
{
  "mcpServers": {
    "squirrelscan": {
      "url": "https://mcp.squirrelscan.com/mcp",
      "headers": {
        "Authorization": "Bearer ${env:SQUIRRELSCAN_API_KEY}"
      }
    }
  }
}

${env:NAME} interpolates a shell/system environment variable at connect time. Cursor does not read a .env file for remote servers, so export SQUIRRELSCAN_API_KEY in your shell profile or CI environment.

Scope. .cursor/mcp.json in a repo scopes the server to that project; ~/.cursor/mcp.json makes it available everywhere. The schema is identical, so the entry copies between them.

Codex CLI

The codex mcp commands write to ~/.codex/config.toml.

bash
codex mcp add squirrelscan --url https://mcp.squirrelscan.com/mcp
codex mcp login squirrelscan

codex mcp login opens the browser, runs PKCE with a local loopback callback, and stores the token encrypted (Codex CLI 0.140.0+), not in config.toml. codex mcp logout squirrelscan clears it.

bash
codex mcp add squirrelscan --url https://mcp.squirrelscan.com/mcp \
  --bearer-token-env-var SQUIRRELSCAN_API_KEY

Codex reads SQUIRRELSCAN_API_KEY at connect time and sends it as Authorization: Bearer <value>. Export it in your shell or CI first.

The equivalent config.toml block, whether in the global file or a project .codex/config.toml:

toml
[mcp_servers.squirrelscan]
url = "https://mcp.squirrelscan.com/mcp"
# bearer_token_env_var = "SQUIRRELSCAN_API_KEY"   # omit if using OAuth

Scope. codex mcp add/login only touch the global ~/.codex/config.toml. To scope squirrelscan to one project, hand-write the same [mcp_servers.squirrelscan] block into <project>/.codex/config.toml, which is honored only once the project is trusted.

VS Code Copilot

VS Code’s built-in MCP client (v1.101+) auto-runs the OAuth handshake for a remote server, so a minimal entry needs only the URL.

json
{
  "servers": {
    "squirrelscan": {
      "type": "http",
      "url": "https://mcp.squirrelscan.com/mcp"
    }
  }
}

On first connection VS Code discovers the authorization server, registers a client, and opens a browser for sign-in. Manage the grant under Accounts → Manage Trusted MCP Servers.

Use a prompted input so the key is stored in secret storage, not plaintext:

json
{
  "inputs": [
    {
      "type": "promptString",
      "id": "squirrelscan-api-key",
      "description": "squirrelscan API key",
      "password": true
    }
  ],
  "servers": {
    "squirrelscan": {
      "type": "http",
      "url": "https://mcp.squirrelscan.com/mcp",
      "headers": {
        "Authorization": "Bearer ${input:squirrelscan-api-key}"
      }
    }
  }
}

Save either block via Command Palette → MCP: Add Server (choose HTTP), or write it to .vscode/mcp.json (workspace, safe to commit) or the user mcp.json (Command Palette → MCP: Open User Configuration, applies everywhere).

Windsurf (Devin Desktop)

Windsurf was rebranded Devin Desktop by Cognition in 2026. The in-app name changed, but the config file paths and JSON keys are unchanged. The remote-server key is serverUrl.

json
{
  "mcpServers": {
    "squirrelscan": {
      "serverUrl": "https://mcp.squirrelscan.com/mcp"
    }
  }
}

Save it, reload the server from the MCP panel, then click the Authorize prompt that appears next to squirrelscan to run the browser flow.

json
{
  "mcpServers": {
    "squirrelscan": {
      "serverUrl": "https://mcp.squirrelscan.com/mcp",
      "headers": {
        "Authorization": "Bearer ${env:SQUIRRELSCAN_API_KEY}"
      }
    }
  }
}

${env:VAR} and ${file:/path} interpolation both work inside headers, so export SQUIRRELSCAN_API_KEY rather than hardcoding the key.

Config file. The standalone editor reads ~/.codeium/windsurf/mcp_config.json; the Windsurf plugin for JetBrains or VS Code reads ~/.codeium/mcp_config.json (no windsurf segment). The file is not auto-created, so make it if missing. There is no project-scoped MCP config, it is user/global only.

Gemini CLI

gemini mcp add writes httpUrl for a streamable-HTTP server. Note the --scope user flag, since the default scope is the current project.

bash
gemini mcp add --transport http --scope user \
  squirrelscan https://mcp.squirrelscan.com/mcp

Resulting ~/.gemini/settings.json:

json
{
  "mcpServers": {
    "squirrelscan": {
      "httpUrl": "https://mcp.squirrelscan.com/mcp"
    }
  }
}

OAuth is auto-discovered on first connect, or trigger it in the REPL with /mcp auth squirrelscan. Tokens cache in ~/.gemini/mcp-oauth-tokens.json.

bash
gemini mcp add --transport http --scope user \
  --header "Authorization: Bearer $SQUIRRELSCAN_API_KEY" \
  squirrelscan https://mcp.squirrelscan.com/mcp

Which writes:

json
{
  "mcpServers": {
    "squirrelscan": {
      "httpUrl": "https://mcp.squirrelscan.com/mcp",
      "headers": {
        "Authorization": "Bearer $SQUIRRELSCAN_API_KEY"
      }
    }
  }
}

Env-var expansion ($VAR, ${VAR}) works in any settings value. When a static header is present, OAuth discovery never fires, which is what you want in CI.

Scope. --scope user writes ~/.gemini/settings.json for every project. Drop the flag to write .gemini/settings.json in the current project instead.

Type to search…

↑↓ navigate open esc close