# Coverbase MCP Server

> Let AI assistants query and manage your TPRM program through natural conversation.

The Coverbase MCP server lets AI assistants and agentic tools query and manage your third-party risk and procurement program through natural conversation. Ask about vendors, assessments, findings, contracts, obligations, and subprocessor exposure, and the assistant pulls answers directly from your Coverbase account, scoped to your permissions.

The server implements the [Model Context Protocol](https://modelcontextprotocol.io), an open standard for connecting AI assistants to external systems. It works with any MCP-compatible client.

## Supported clients

<CardGroup cols={3}>
  <Card title="Claude" icon="comments">
    claude.ai web, Claude Desktop, Claude for Chrome
  </Card>

  <Card title="Claude Code" icon="terminal">
    Anthropic's command-line agentic coding tool
  </Card>

  <Card title="Cursor" icon="code">
    The AI-native IDE
  </Card>

  <Card title="VS Code" icon="code">
    GitHub Copilot agent mode (native MCP)
  </Card>

  <Card title="Microsoft Copilot Studio" icon="microsoft">
    MCP tools for Copilot agents
  </Card>

  <Card title="Cline" icon="puzzle-piece">
    The VS Code coding agent
  </Card>

  <Card title="Goose" icon="ghost">
    Block's open-source AI agent
  </Card>

  <Card title="MCP Inspector" icon="bug">
    The official Anthropic debugging client
  </Card>
</CardGroup>

If your tool speaks MCP over OAuth 2.0 with Streamable HTTP transport, it will work with our server. Email [support@coverbase.ai](mailto:support@coverbase.ai) if you'd like us to add yours to the test matrix.

## What you can do

The server exposes 65 tools across read and write capabilities.

<AccordionGroup>
  <Accordion title="Vendor and portfolio operations" icon="building">
    Search vendors by name, status, tier, owner, or tags. Pull a full vendor profile in one call: people, assessments, findings, contracts, engagements, obligations, radar alerts, security cases, and SOC 2 documents. Read a vendor's latest applied bill of materials (SBOM, AIBOM, HBOM, SaaSBOM) and its components, or its full BOM upload history. Surface portfolio-wide views including highest-risk vendors, evidence health, and assessment metrics.
  </Accordion>

  <Accordion title="Assessments and controls" icon="clipboard-check">
    Search assessments by vendor, status, or assignee. Get full assessment detail in one call: control evaluations, findings with titles, people, supporting documents. List control sets, controls within a set, and per-control evaluation results. Start new assessments, update fields, and manage assessment plans.
  </Accordion>

  <Accordion title="Findings, obligations, and follow-ups" icon="flag">
    Search findings scoped to a vendor or assessment, or org-wide, with full titles, categories, assignees, due dates, and status. List follow-ups attached to assessments. Search and update obligations extracted from vendor documents. Create new findings or obligations with explicit confirmation.
  </Accordion>

  <Accordion title="Contracts, engagements, and documents" icon="file-contract">
    Search contracts by vendor or status, and get full contract detail. List vendor engagements and vendor documents (evidence files) for a vendor or org-wide. Get evidence health summaries.
  </Accordion>

  <Accordion title="Subprocessor and supply-chain analysis" icon="diagram-project">
    Search across all vendors' SOC 2 reports and custom relationships to find which vendors depend on a specific nth-party. The question that takes hours in most TPRM tools and seconds here: "which of our vendors use AWS as a subprocessor?"
  </Accordion>

  <Accordion title="Radar and continuous monitoring" icon="satellite-dish">
    List radar alert events for a single vendor or across the org. List and update radar detectors configured for the org.
  </Accordion>

  <Accordion title="Activity, audit, and notifications" icon="bell">
    Get a comprehensive org activity digest in one call: recent assessments, open findings, radar alerts, audit trail entries, and notifications. List the audit trail for any supported object.
  </Accordion>

  <Accordion title="Notes and configuration" icon="gear">
    List and add notes on any platform object. List and update tags, custom field configurations, custom field values, workflow automations, and assessment plans.
  </Accordion>
</AccordionGroup>

<Warning>
  Every tool that creates, updates, or deletes data requires a `confirm` parameter set to `true`. The assistant is expected to surface the proposed change in chat and wait for your approval before executing. This human-in-the-loop pattern applies uniformly across all write tools.
</Warning>
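
The `confirm` flag is set by the assistant itself, so the approval step it stands for has to be enforced on the client side. The following is an added example (not Coverbase code) of a gate that holds any MCP `tools/call` request carrying `confirm` until a human has approved that exact tool name and argument set. The tool name `create_finding`, the argument fields and the `ConfirmGate` class are hypothetical, and the sketch assumes the server performs no write when `confirm` is absent, as the warning above states.

```python
import hashlib
import json

# Constructed sample arguments; "create_finding" and these fields are hypothetical.
PROPOSED = {"vendor_id": "v_123", "title": "Missing SOC 2 bridge letter"}

def call_digest(name, arguments):
    """Stable digest of a tool call, ignoring the confirm flag itself."""
    args = {k: v for k, v in arguments.items() if k != "confirm"}
    blob = json.dumps({"name": name, "arguments": args}, sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()

class ConfirmGate:
    """Forward a tools/call carrying confirm only if a human approved
    that exact tool name and argument set."""
    def __init__(self):
        self._approved = set()

    def approve(self, name, arguments):
        # Called by the client UI when the user accepts the proposed change.
        self._approved.add(call_digest(name, arguments))

    def check(self, request):
        if request.get("method") != "tools/call":
            return "forward"
        params = request.get("params") or {}
        name, args = params.get("name", ""), params.get("arguments") or {}
        if not args.get("confirm"):
            return "forward"  # assumption: without confirm the server does not write
        digest = call_digest(name, args)
        if digest in self._approved:
            self._approved.discard(digest)  # one approval covers one execution
            return "forward"
        return "hold"  # surface the proposed change to the user first

def demo():
    gate = ConfirmGate()
    def call(args):
        return {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                "params": {"name": "create_finding", "arguments": args}}
    results = [gate.check(call({**PROPOSED, "confirm": True}))]  # no approval yet
    gate.approve("create_finding", PROPOSED)
    results.append(gate.check(call({**PROPOSED, "title": "x", "confirm": True})))  # args changed
    results.append(gate.check(call({**PROPOSED, "confirm": True})))  # approved call
    results.append(gate.check(call({**PROPOSED, "confirm": True})))  # replay of same call
    return results
```

Binding the approval to a digest of the arguments means a call whose arguments changed after the user saw the proposal, or a repeat of an already executed call, is held again.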

## Server endpoint

```text
https://mcp.coverbase.app/mcp
```

## Connecting

<CardGroup cols={2}>
  <Card title="Claude Code" icon="terminal" href="/mcp/connecting#claude-code">
    `claude mcp add --transport http coverbase https://mcp.coverbase.app/mcp`
  </Card>

  <Card title="Claude.ai" icon="comments" href="/mcp/connecting#claude-ai">
    Add a custom connector in Settings → Connectors
  </Card>

  <Card title="Claude Desktop" icon="comments" href="/mcp/connecting#claude-desktop">
    Add a custom connector in Settings → Connectors
  </Card>

  <Card title="Cursor" icon="code" href="/mcp/connecting#cursor">
    Add as a remote MCP server in Cursor settings
  </Card>

  <Card title="VS Code" icon="code" href="/mcp/connecting#vs-code">
    Native MCP in GitHub Copilot agent mode
  </Card>

  <Card title="Microsoft Copilot Studio" icon="microsoft" href="/mcp/connecting#microsoft-copilot-studio">
    Add as a Model Context Protocol tool
  </Card>

  <Card title="Other clients" icon="plug" href="/mcp/connecting#other-clients">
    Any MCP client with OAuth 2.0 and Streamable HTTP transport
  </Card>
</CardGroup>

## Requirements

* An active Coverbase account on a plan that includes API access.
* An MCP-compatible AI assistant or client.
* The MCP server uses OAuth 2.0. Your permissions in Coverbase determine what the connected assistant can see and do.

<Card title="Privacy and security" icon="shield-halved" href="/mcp/security">
  How we handle credentials, what we log, what we don't retain, and how to revoke access.
</Card>
