Levo MCP Server
Welcome to the Levo MCP Server - a Model Context Protocol (MCP) implementation that brings Levo's powerful API observability and security testing capabilities directly into your AI coding assistants.
What is MCP?
The Model Context Protocol (MCP) is an open standard for connecting AI assistants to external data sources and tools. This server enables your AI assistant to interact with Levo's API security platform, allowing you to:
- Discover applications and their API endpoints
- Analyze security vulnerabilities and test coverage
- Execute security tests directly from your IDE
- Monitor API traces and security posture
- Generate exploitation commands for found vulnerabilities
Quick Start
Connection Setup
Choose your IDE and follow the setup instructions:
Cursor IDE
Add this configuration to your MCP settings:
{
  "mcpServers": {
    "levo": {
      "url": "https://mcp.india-1.levo.ai/sse",
      "headers": {
        "x-levo-organization-id": "your-organization-id-here"
      }
    }
  }
}
Setup Instructions:
- Open Cursor IDE
- Go to Settings > Tools & Integrations.
- Click New MCP Server to open mcp.json
- Add the configuration to the file.
- Save the file to start the MCP server connection.
- Click 'Needs Login'
VS Code
Add this configuration to your MCP settings:
{
  "servers": {
    "levo": {
      "url": "https://mcp.india-1.levo.ai/sse",
      "headers": {
        "x-levo-organization-id": "your-organization-id-here"
      }
    }
  }
}
Setup Instructions:
- Open VS Code
- Press Ctrl/Cmd + Shift + P to open command palette.
- Run 'MCP: Open User Configuration' command to open mcp.json
- Add the configuration to the file.
- Save the file and start/restart the MCP server connection.
Claude Desktop
Add this configuration to your MCP settings:
{
  "mcpServers": {
    "levo": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://mcp.india-1.levo.ai/sse",
        "--header",
        "x-levo-organization-id: your-organization-id-here"
      ]
    }
  }
}
Setup Instructions:
- Open Claude Desktop
- Go to Settings > Developer.
- Click the 'Edit Config' button to open the claude_desktop_config.json file.
- Add the configuration to the file.
- Save the file and restart Claude Desktop; the MCP server connection starts automatically.
Note: Ensure you're using Node.js 20 or later for optimal compatibility.
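A check for the configuration files above, as an added example that is not part of Levo's documentation: it reads either config shape shown on this page (url/headers, or npx mcp-remote arguments) and flags a non-HTTPS server URL and an organization ID that is missing or still the placeholder. The function names and sample configs are constructed for illustration.

```javascript
const ORG_HEADER = "x-levo-organization-id";
const PLACEHOLDER = "your-organization-id-here"; // sample value used on this page

// Pull the server URL and organization ID out of either config shape.
function extractLevoSettings(config) {
  const servers = config.mcpServers || config.servers || {};
  const entry = servers.levo;
  if (!entry) return null;
  if (typeof entry.url === "string") { // Cursor / VS Code shape
    return { url: entry.url, orgId: (entry.headers || {})[ORG_HEADER] };
  }
  // Claude Desktop shape: npx mcp-remote <url> --header "name: value"
  const args = Array.isArray(entry.args) ? entry.args : [];
  const url = args.find((a) => /^https?:\/\//i.test(a));
  let orgId;
  args.forEach((a, i) => {
    if (a !== "--header" || typeof args[i + 1] !== "string") return;
    const sep = args[i + 1].indexOf(":");
    const name = args[i + 1].slice(0, sep).trim().toLowerCase();
    if (sep > 0 && name === ORG_HEADER) orgId = args[i + 1].slice(sep + 1).trim();
  });
  return { url, orgId };
}

// Return a list of findings; an empty list means the entry passed every check.
function lintLevoConfig(config) {
  const s = extractLevoSettings(config);
  if (!s) return ["no 'levo' entry under mcpServers or servers"];
  const findings = [];
  let parsed = null;
  try { parsed = new URL(s.url); } catch { findings.push("server URL missing or unparsable"); }
  if (parsed && parsed.protocol !== "https:") findings.push("server URL is not https");
  if (!s.orgId) findings.push(`${ORG_HEADER} header missing`);
  else if (s.orgId === PLACEHOLDER) findings.push(`${ORG_HEADER} still holds the placeholder`);
  return findings;
}

// Constructed sample configs: one clean, one with two mistakes.
const goodCursor = { mcpServers: { levo: { url: "https://mcp.india-1.levo.ai/sse",
  headers: { [ORG_HEADER]: "org-1234-constructed" } } } };
const badClaude = { mcpServers: { levo: { command: "npx", args: ["-y", "mcp-remote",
  "http://mcp.india-1.levo.ai/sse", "--header", `${ORG_HEADER}: ${PLACEHOLDER}`] } } };
console.log(lintLevoConfig(goodCursor), lintLevoConfig(badClaude));
```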
Authentication
How authentication works with the MCP server:
Initial Connection - When you first connect to the MCP server, you'll be redirected to the Levo OAuth login page.
Levo Account Authentication - Authenticate using your existing Levo account credentials. This ensures secure access to your organization's resources.
Access Granted - Once authenticated, you'll have full access to all MCP tools and can start using AI assistance for API observability, security, and testing tasks.
Available Tools
Application Management
levoGetApplications
Lists all applications in your specified environment.
Parameters:
- envName: Environment name (default: "staging")
levoGetApplicationDetails
Retrieves detailed information about a specific application.
Parameters:
- appName: Name of the application
- envName: Environment name (default: "staging")
levoGetApplicationEndpoints
Lists all API endpoints for a specific application.
Parameters:
- appName: Name of the application
- envName: Environment name (default: "staging")
Security Analysis
levoGetEndpointVulnerabilities
Discovers security vulnerabilities for a specific endpoint.
Parameters:
- appName: Name of the application
- envName: Environment name (default: "staging")
- endpointMethod: HTTP method (default: "GET")
- endpointPath: API endpoint path
levoGetRecentlyModifiedVulnerableEndpoints
Finds recently modified endpoints that have known vulnerabilities.
Parameters:
- appName: Name of the application
- envName: Environment name (default: "staging")
levoGetVulnerabilityExploitableCommands
Generates commands that can exploit discovered vulnerabilities.
Parameters:
- appName: Name of the application
- envName: Environment name (default: "staging")
- endpointMethod: HTTP method (default: "GET")
- endpointPath: API endpoint path
Testing & Coverage
levoGetRecentlyModifiedUntestedEndpoints
Identifies recently modified endpoints that lack security test coverage.
Parameters:
- appName: Name of the application
- envName: Environment name (default: "staging")
levoGetEndpointTestCoverage
Analyzes test coverage for a specific endpoint.
Parameters:
- appName: Name of the application
- envName: Environment name (default: "staging")
- endpointMethod: HTTP method (default: "GET")
- endpointPath: API endpoint path
levoGetTestRunCategories
Lists all available security test categories.
Available categories include:
- AUTHN (Authentication)
- AUTHZ (Authorization)
- CORS (Cross-Origin Resource Sharing)
- FUZZING (Input Fuzzing)
- SQL_INJECTION
- NOSQL_INJECTION
- OS_COMMAND_INJECTION
- IDOR (Insecure Direct Object References)
- SSRF (Server-Side Request Forgery)
- RCEs (Remote Code Execution)
- RATE_LIMIT
- ADVANCED_BOLA
- SCHEMA_CONFORMANCE
levoRunTest
Executes security tests on specific endpoints.
Parameters:
- appName: Name of the application
- envName: Environment name (default: "staging")
- endpointMethod: HTTP method (default: "GET")
- endpointPath: API endpoint path
- accessToken: Authentication access token
- refreshToken: Authentication refresh token
- testMode: "dataDriven" or "traces" (default: "dataDriven")
- onLevoCloud: Run on Levo Cloud (default: true)
- testRunCategory: Category of test to run
- targetUrl: Target URL for testing
- defaultUser: Default user for testing
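An added example (not Levo's code) of a guard an integrator might put in front of levoRunTest calls: it applies the documented defaults, rejects categories and test modes not listed on this page, restricts targetUrl to an allowlist, and masks accessToken and refreshToken before logging. The tools/call envelope is the standard MCP JSON-RPC request; the allowlist host, function names and token values are assumptions constructed for illustration.

```javascript
// Added example, not Levo's code. Categories and modes are those listed on this page.
const CATEGORIES = new Set(["AUTHN", "AUTHZ", "CORS", "FUZZING", "SQL_INJECTION",
  "NOSQL_INJECTION", "OS_COMMAND_INJECTION", "IDOR", "SSRF", "RCEs", "RATE_LIMIT",
  "ADVANCED_BOLA", "SCHEMA_CONFORMANCE"]);
const TEST_MODES = new Set(["dataDriven", "traces"]);
const SECRET_KEYS = ["accessToken", "refreshToken"];
// Assumption: local policy naming the hosts that tests may be aimed at.
const ALLOWED_TARGET_HOSTS = new Set(["staging.example.internal"]);

// Apply the documented defaults, then collect every policy violation.
function checkRunTestArgs(args) {
  const merged = { envName: "staging", endpointMethod: "GET",
    testMode: "dataDriven", onLevoCloud: true, ...args };
  const errors = [];
  if (!CATEGORIES.has(merged.testRunCategory)) errors.push("testRunCategory not in documented list");
  if (!TEST_MODES.has(merged.testMode)) errors.push("testMode must be dataDriven or traces");
  let host = null;
  try { host = new URL(merged.targetUrl).hostname; } catch { /* unparsable URL */ }
  if (!host || !ALLOWED_TARGET_HOSTS.has(host)) errors.push("targetUrl host not on allowlist");
  return { merged, errors };
}

// Build the MCP JSON-RPC tools/call request, refusing arguments that fail the checks.
function buildRunTestCall(id, args) {
  const { merged, errors } = checkRunTestArgs(args);
  if (errors.length > 0) throw new Error(errors.join("; "));
  return { jsonrpc: "2.0", id, method: "tools/call",
    params: { name: "levoRunTest", arguments: merged } };
}

// Copy of the request that is safe to write to logs: token values are masked.
function redactForLog(request) {
  const copy = JSON.parse(JSON.stringify(request));
  for (const key of SECRET_KEYS) {
    if (key in copy.params.arguments) copy.params.arguments[key] = "[REDACTED]";
  }
  return copy;
}

// Constructed sample arguments (tokens are dummy strings).
const sampleArgs = { appName: "user-service", endpointPath: "/api/user/profile",
  testRunCategory: "AUTHN", targetUrl: "https://staging.example.internal",
  accessToken: "constructed-access-token", refreshToken: "constructed-refresh-token" };
const sampleCall = buildRunTestCall(1, sampleArgs);
console.log(JSON.stringify(redactForLog(sampleCall), null, 2));
```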
levoGetTestRunStatus
Checks the status of running or completed tests.
Parameters:
- jobId: Test run job identifier
levoGetTestSuiteDetails
Retrieves detailed results from test suite execution.
Parameters:
- jobId: Test run job identifier
Monitoring & Analysis
levoGetEndpointTraces
Retrieves API traces for traffic analysis.
Parameters:
- appName: Name of the application
- envName: Environment name (default: "staging")
- endpointMethod: HTTP method (default: "GET")
- endpointPath: API endpoint path
levoGetEndpointSpec
Gets the OpenAPI specification for an endpoint.
Parameters:
- appName: Name of the application
- envName: Environment name (default: "staging")
- endpointMethod: HTTP method (default: "GET")
- endpointPath: API endpoint path
Sample Prompts
Here are some example prompts to get you started:
Discovery & Assessment
"Show me all applications in my staging environment"
"What endpoints does the user-service application have?"
"Find all recently modified endpoints in payment-api that haven't been tested"
"What vulnerabilities exist in the POST /api/users/login endpoint?"
Security Testing
"Run AUTHN tests on the GET /api/user/profile endpoint in user-service"
"Check test coverage for all endpoints in the payment-api application"
"Generate exploitation commands for vulnerabilities in POST /api/payment/process"
"What security test categories are available for testing?"
Monitoring & Analysis
"Show me recent API traces for the GET /api/orders endpoint"
"Get the OpenAPI spec for POST /api/users/register"
"What's the status of test job abc123-def456?"
"Show me detailed results from test suite xyz789"
Workflow Examples
"Find the most critical vulnerabilities across all my applications and generate exploitation commands"
"Identify all untested endpoints that were modified in the last week and run basic security tests"
"Analyze the authentication flow in user-service and test for common auth vulnerabilities"
Learn More
- Levo Documentation: docs.levo.ai
- MCP Specification: modelcontextprotocol.io
- Support: Contact your Levo Support for organization-specific setup
Pro Tips
- Start Broad: Begin with levoGetApplications to understand your environment
- Focus Testing: Use levoGetRecentlyModifiedUntestedEndpoints to prioritize security testing
- Iterate: Combine vulnerability discovery with test execution for comprehensive security coverage
- Monitor: Regular use of trace analysis helps identify security patterns and anomalies
Ready to enhance your API security with AI-powered assistance? Connect your IDE and start exploring!